Scenario: I have 2 SP viz A and B configured in WSO2 IS 5.0 sp1. I have configured Custom Logout URL in B. This logout URL points to the logout for A.
Now when I logout from A, there is no LogoutRequest which is sent from IDP to B.
On the contrary, when I don't configure custom logout URL in B, there is a proper LogoutRequest which is sent to B when I logout from A.
Am I missing out anything over here?
Thanks in advance.
Cijoy, I checked the scenario you mentioned in WSO2 IS 5.0 SP1 using the travelocity and avis sample apps. The flow seems to be working as expected. Instead of pointing B's logout URL to A could you try making a copy of the B's logout page and point to that. Then when you logout from A the server should send a logout request to B's new logout URL.
I have configured Custom Logout URL in B. This logout URL points to
the logout for A.
Why doing that? The A will receive the logout request twice then. B should expose its logout URL itself. If you do not configure the logout URL, the ACS URL is used to send the logout request.
IMHO: The logout process in the current version assumes the systems / servers are accessible to each other and can communicate between themselves. That's a very strong assumption. Usually (in other identity servers) the SAML single-logout goes though user browser and I assume / expect it will be changed in WSO2 IS as well in future. Some updates are already implemented, but not yet generally available.
Related
I am using WSO2-IS 5.3.0. I have configured many service provider and SAML SSO is working as expected. But when it comes to Logout, One functionality is working fine. It means it redirects me to a common logout page after an invaliding session.
Here, I have one case, I have one service provider for it, I need to perform single logout but it should redirect to my custom login page. Though IS providing the option to configure return URL(SLO Response URL) you can see in the below screenshot. I have done that but still its redirects to the common logout page.
Do I need any other configuration too?
You are performing an IdP initiated SLO as per the given request URL. In that case, you can use the returnTo parameter in that request to redirect the response.
So set the SLO response URL to return to URL of the Enable IdP initiated SLO config. Sample request would be as follow.
https://localhost:9443/samlsso?slo=true&spEntityID=travelocity.com&returnTo=https://localhost:8080/avs.com/slo
But, you might have to define the SP specific parameters in the request.
Reference : http://daytodayjava.blogspot.com/2015/08/saml2-idp-initiated-single-logout-with.html
I can't find source for package org.wso2.carbon.identity.sso.saml.
In github repository wso2-attic/carbon-identity there are these classes, but there is note, that repository is no longer used for development and I find there 2 links:
https://github.com/wso2/identity-framework
https://github.com/wso2-extensions?utf8=%E2%9C%93&query=identity
But I didn't find there any classes from package org.wso2.carbon.identity.sso.saml.
I have some problems with SSO SLO from 2 applications:
I login to 2 applications: a and b.
Logout from one application works properly, but when I try to logout from second application, I get error
[4] [IS]ERROR {org.wso2.carbon.identity.sso.saml.processors.SPInitLogoutRequestProcessor} - ssoTokenId cookie not found in the logout request
and html:
SAML 2.0 based Single Sign-On
Error when processing the authentication request!
Please try login again.
SAML Logout response has link
https://test2-sso2.auth.test.vu.lt:9443/authenticationendpoint/samlsso_notification.do?status=Error+when+processing+the+authentication+request%21&statusMsg=Please+try+login+again.
and SAML response parameter:
<saml2p:LogoutResponse Destination="https://test2-wso2.auth.test.vu.lt:9443/samlsso"
ID="_9cb47e1d90276bcc53d4b110d3573b82"
InResponseTo="fgehcpnbagimhhcacbaanopameodckepmopaoaek"
IssueInstant="2017-08-31T11:09:43.403Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>test2-wso2</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<saml2p:StatusMessage>Session was already Expired</saml2p:StatusMessage>
</saml2p:Status>
</saml2p:LogoutResponse>
So, I have 2 questions:
where I can find classes from package org.wso2.carbon.identity.sso.saml;
maybe somebody could help me with my problem with SSO SLO?
We are working with WSO2 IS v.5.3.0. One of these applications was travelocity.com and another is our application with architecture similar to travelocity.com. We are working in multi-tenant architecture. Both applications (Service Providers) are configured in the same tenant
I'm assuming you are looking for SPInitLogoutRequestProcessor. You can find it at [1]. For IS 5.3.0, the SAML component related development happens in the 5.3.x branch.
For your query on SLO; when you have the 2 applications configured for single logout and you logout from one application, the Identity Server is invalidating the user's authenticated session and sends back-channel SAML logout request to the other session participants (App 2 in this case). So the 2nd application should invalidate it's user session upon receiving the logout request from IS.
The error you are seeing should be due to IS not being able to find a valid authenticated session (as the session is already removed) for the logout request. [2] has a detailed explanation on how the single logout happens in IS.
One other approach you can take is to check whether there's an existing authenticated session in the IDP side before sending the logout request. You can use a passive SAML request to check the status of the session and if the session is already there then send the logout request.
Currently we are using WSO2 IS 5.1. In a single logout process, is it possible that can only the session that has requested, has been logout but other shared session still has remained?
I want to ask better, how we can display in my web application an option list from other SP issuers that their SP sessions has made during SSO login, and then we make to choose which the session that want to log out and can send logout request for selected SP and also want that only selected session has been log outed. exists any suggestion or example?
thanks a lot
First you need to know the flow of single logout in WSO2 Identity Server.
In one Service Provider(SP) send the logout request to Identity Provider(IDP). Then IDP determine the session participant. If session participant exist then send the logout request IDP to SP. After SP issue a logout response to the IDP. After that IDP send the logout response to original logout request. Now all session participant terminated.
You can found more details here.
It seems by default IS can't achieve your requirement.
How to send LogoutResponse from SP to IDP? The SP receives logoutRequest from IDP. I construct the Logout response and redirect it to IDP. But still the wso2 IS 5.0 sp1 console shows that
Failed single logout response from .....status code Moved Temporarily
Referring the following
WSO2 IS Single Logout partially working
it says to return the response instead of redirect. How should this be done?
WSO2IS uses the back channel to send the logout request to other parties. You can just send a HTTP 200 OK as the logout response. You do not need to create proper logout response and send it.. Just want 200 OK.. You can find the code that send these logout request from here. Then you can under stand following code which will check the returning status code
SAMLSSOUtil.isHttpSuccessStatusCode(statusCode)
I'm using ember-simple-auth for my Ember app, but I don't have an API endpoint to authenticate users, rather it does a page redirect to the form and signs a user in, then redirects back to my app. (I don't own the authentication)
After authentication, it gets redirected back to me, so I know on the server side when a user has been successfully authenticated. How do I manually authenticate the users' session when they are redirected back to my app?
Currently I did a hack to write two cookies: ember_simple_auth:access_token and ember_simple_auth:authenticator.
I think setting up the session store manually is an ok solution in this scenario as that will trigger the session to be restored after the redirect (which is on startup of the Ember application). I'd maybe configure a custom authenticator that redirects to the external login page in the authenticate method. That way you have that redirect centralized and it will also be triggered automatically whenever Ember Simple Auth automatically enforces session authentication (e.g. from the AuthenticatedRouteMixin).