Is there the conditional single logout in WSO2 Identity Server? - wso2-identity-server

Currently we are using WSO2 IS 5.1. In a single logout process, is it possible that can only the session that has requested, has been logout but other shared session still has remained?
I want to ask better, how we can display in my web application an option list from other SP issuers that their SP sessions has made during SSO login, and then we make to choose which the session that want to log out and can send logout request for selected SP and also want that only selected session has been log outed. exists any suggestion or example?
thanks a lot

First you need to know the flow of single logout in WSO2 Identity Server.
In one Service Provider(SP) send the logout request to Identity Provider(IDP). Then IDP determine the session participant. If session participant exist then send the logout request IDP to SP. After SP issue a logout response to the IDP. After that IDP send the logout response to original logout request. Now all session participant terminated.
You can found more details here.
It seems by default IS can't achieve your requirement.

Related

How can I remove session for specific user for specific ServiceProvider in WSO2 IS?

There is any webservice providing by WSO2 Identity server, to remove a session for specific user to specific ServiceProvider?
I am using SAMLSSO for many web application and they all are integrating with WSO2 server.
Now let's say scenario is,User is login with 2 application at the same time. I want to logout it from one application.
There is one service provided by logout and it's providing single logout and session will be remove for all application. There is webservice provided by IS or way to achieve logout for one specific application ?
What you are asking is to have the capability of removing a specific participant from the session created in the Identity Server side. I don't see a straight forward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request for user credentials despite having the cookies in the browser. (This will prevent the user from experiencing the SSO comfort. Still you can authenticate against the IS)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the self(application) session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication :
SAML - Send forceAuth=true as a query paramter in your login request. Or else change the SAML AuthenricationRequest payload body to indicate a force authentication as in the spec(Line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS but I'm not sure if it will also trigger the SLO to other service providers or not.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from the UserProfileMgtService.wsdl. The default user profile will be 'default' or you can put the customized profile name you used. This will return the details. Grab the user id from this.
Trigger a GET to the API: /{user-id}/sessions with the user-id from step 1 to get the list of all active sessions this user currently have. Go through the list of sessions and find the session ID of the Service Provider you need to clear.
Trigger a DELETE request to API: /{user-id}/sessions/{session-id} with the user id from step 1 & session id from step 2

WSO2IS-5.7.0 OIDC SSO logout without id_token_hint

I am working with OIDC and WSo2IS-5.7.0. I Want to implement rp initiated global logout (I want to terminate the session from RP and as well as OP or WSO2 in my case.) When user clicks on logout button, I am redirecting the user to this URL :
https://myserver:9443/oidc/logout?id_token_hint=<idtoken>&post_logout_redirect_uri=https://myotherserver.com/myapp/index
It is working fine and user is redirected to login page of wso2. My client consider it not secure and want to do the same without being send id_token to front end. Is it possible with wso2is-5.7.0?
If yes, how?
If no, isn't it insecure that we send id token to FE? anyone can use it to make API call?
It is not possible. In WSO2 implementation we use the id_token_hint to extract the client_id from the id_token (sent as the id_token_hint). This is necessary to retrieve the service provider information for which the id_token was issued to.
Otherwise we don't have a way to validate whether the value sent in post_logout_redirect_uri is a registered callback for the service provider.
So if we omit the id_token_hint, we cannot validate the post_logout_redirect_uri sent which will open up another security hole allowing redirection to untrusted uris.

SAML Replay Detection

We have a Java based web application which uses SAML 2.0 for SSO. As part of the SSO we have also implemented Single Logout. Can anyone please share info on how to fix the below issue
User logs into IDP(app1)
User clicks on the link to the SP(app2)
User logs out of IDP. A logout request is received by SP and the session is invalidated
User refreshes the browser that has SP(app2) open and the the original IDP request is resubmitted. The SP processes this request as if it came from the IDP. With this the user is still able to navigate/use app2 even though he has logged out of the IDP.
I think the best solution is to go back to IDP and check if the session(based on SAML SessionIndex is valid) but not sure on how we can do it. Note the browser refresh only works within the window specified NotBefore and NotOnOrAfter. If the user tries to refresh out of this window we have logic that rejects the request/response.
The SP should also check for SAML assertion replay.
Every SAML assertion includes a unique ID.
Your SP should keep track of these until they expire (ie until NotOnOrAfter). When you receive a SAML assertion, if the ID has already been seen by your SP, the SAML assertion should be rejected.

wso2 - Does wso2 identity server support IDP initiated logout from federated IDP?

We are using WSO2 Identity Server 5.3.0. I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service provider (symbolic name "SP1"). Then I configured second trust between WSO2 acting as a service provider ("SP2") and federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources, access to them is granted only when users are authenticated to IDP2. Everything is based on SAML protocol.
Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.
IDP1 initiated logout works fine too.
But IDP2 initiated logout fails with message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It generates the record to the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
During the IDP2 initiated logout correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth).
Does WSO2 support such scenario (IDP2 initiated logout)?
SLO is working based session ID. You cannot invalidate a session that is not recognized by the IDP.
Your log seens to indicate that the context [pointed by the session id provided in the SLO request] does not exist so cannot be terminated.
Please deactivate Ciphering on the flow, put a Wireshark and look at it. WSO2IS is providing a screen in user dahsboard to see which session are open and with which ids.
I suspect that IdP2 is sending the session ID of the session between Client and IdP2... not the session ID of session between Client and IdP1.
Jeff

How to invalidate Identiy provider's(WSO2 IS 5.0.0) session with service providers session

Environment - WSO2 IS 5.0.0, sample app
I could invalidate sample application session. but I need to destroy user session in IDP along with sample application session.
Is this a out of the box feature in wso2 ?
If not, how can I do it using IS 5.0.0 or is this supported in IS 5.1.0 ?
Please find answers for your questions.As I remember, you have to install service pack2 to send IDP initiated logout request.
WSO2 IS(5.0, 5.1) does not provide this facility as an out of the box with SP initiated sso.
You can use IDP initiated sso.The flow is explaining in the below.
i). you have to send an IDP initiated logout request to identity provider.
Request should be look like this - https://localhost:9443/samlsso?slo=true
ii). when IS receive a logout request, IS send logout request to other service providers those are configured with IS.
iii). Then invalidate other service providers sessions and service provider send a logout response to IDP(IS).
iv). After receive logout response from service providers, IS destroy its user session for particular user and send a logout response to service provider which requested the logout request.
v). service provider invalidate its own session.