wso2 is single logout partially working contd - wso2

How to send a LogoutResponse from the SP to the IDP? The SP receives the LogoutRequest from the IDP. I construct the LogoutResponse and redirect it to the IDP. But still the WSO2 IS 5.0 SP1 console shows that
Failed single logout response from .....status code Moved Temporarily
Referring to the following
WSO2 IS Single Logout partially working
it says to return the response instead of redirecting. How should this be done?

WSO2 IS uses the back channel to send the logout request to the other parties. You can just send an HTTP 200 OK as the logout response. You do not need to create a proper logout response and send it; it just wants a 200 OK. You can find the code that sends these logout requests here. Then you can understand the following code, which checks the returned status code:
SAMLSSOUtil.isHttpSuccessStatusCode(statusCode)
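To make the answer concrete, here is an added example (not WSO2 code and not from the original post) of the SP side of that back-channel exchange: it decodes the POSTed SAMLRequest, terminates the matching local sessions and answers with a plain 200 instead of a 302, plus a mirror of the success check the IdP applies. The form field name, the base64 (optionally raw-DEFLATE) encoding, the in-memory session table and the sample LogoutRequest are assumptions constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_saml_request(encoded: str) -> bytes:
    """Undo the SAMLRequest encoding: base64, plus raw DEFLATE if the sender used it."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):      # plain XML, as in a POST / back-channel call
        return raw
    return zlib.decompress(raw, -15)       # Redirect-binding style: deflate, then base64

def encode_saml_request(xml_bytes: bytes, deflate: bool = False) -> str:
    """Inverse of decode_saml_request; only used here to build test traffic."""
    if deflate:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = c.compress(xml_bytes) + c.flush()
    return base64.b64encode(xml_bytes).decode()

def parse_logout_request(xml_bytes: bytes):
    """Return (ID, NameID, [SessionIndex, ...]) from a samlp:LogoutRequest.
    Use defusedxml instead of ElementTree in production to block entity-expansion abuse."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    indexes = [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]
    return root.get("ID"), root.findtext(f"{{{SAML}}}NameID"), indexes

def handle_backchannel_logout(form: dict, sessions: dict):
    """SP handler for the IdP's back-channel LogoutRequest. Returns (status, body);
    answering with a 302 here is exactly what the IdP logs as 'Moved Temporarily'."""
    if "SAMLRequest" not in form:
        return 400, "missing SAMLRequest"
    try:
        _, name_id, indexes = parse_logout_request(decode_saml_request(form["SAMLRequest"]))
    except (ValueError, ET.ParseError, zlib.error) as exc:
        return 400, f"bad LogoutRequest: {exc}"
    # No SessionIndex means "every session of this principal" (SAML 2.0 core).
    doomed = [sid for sid, s in sessions.items()
              if s["name_id"] == name_id and (not indexes or s["session_index"] in indexes)]
    for sid in doomed:
        del sessions[sid]
    return 200, "OK"                       # 2xx is all the IdP's check requires

def is_http_success_status_code(code: int) -> bool:
    """Mirror of the status check the IdP runs on the SP's answer."""
    return 200 <= code < 300

# Constructed sample request (assumption: shape of what the IdP would POST).
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
    'Version="2.0" IssueInstant="2015-01-01T00:00:00Z"><saml:Issuer>localhost</saml:Issuer>'
    '<saml:NameID>alice</saml:NameID><samlp:SessionIndex>sess-1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
).encode()
```

Calling handle_backchannel_logout with {"SAMLRequest": encode_saml_request(SAMPLE_LOGOUT_REQUEST)} removes only alice's sess-1 session and returns 200.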

Related

Is there conditional single logout in WSO2 Identity Server?

Currently we are using WSO2 IS 5.1. In a single logout process, is it possible that only the session that requested the logout is logged out, while the other shared sessions remain?
To ask it better: how can we display in my web application an option list of the other SP issuers whose SP sessions were created during SSO login, then choose which session to log out, send a logout request for the selected SP only, and have only the selected session logged out? Does any suggestion or example exist?
Thanks a lot.
First you need to know the flow of single logout in WSO2 Identity Server.
One Service Provider (SP) sends the logout request to the Identity Provider (IDP). Then the IDP determines the session participants. If session participants exist, the IDP sends a logout request to each SP. The SP then issues a logout response to the IDP. After that the IDP sends the logout response to the original logout requester. Now all session participants are terminated.
You can find more details here.
It seems that by default IS can't achieve your requirement.

WSO2 - Fails to redirect when the session is timed out

I have created a custom authentication endpoint, like https://www.custom-auth.localpc, which WSO2 redirects to when I try to log in, and this is working.
However, when I submit the login with a session key which has already expired, WSO2 replies with a 302 that redirects to http://localhost:9443/https://www.custom-auth.localpc?loginStatus=true.
How can I set a new redirect when this time-out happens? Or send back to the custom authentication endpoint, with an error preferably.

WSO2 - Fails to redirect after custom authentication endpoint POST

I have created a custom authentication endpoint, like https://www.custom-auth.localpc, which WSO2 redirects to when I try to log in.
However, when I click OK and send the POST back to http://localhost:9443/commonauth, WSO2 replies with a 302 that redirects to http://localhost:9443/https://www.custom-auth.localpc?loginStatus=true.
When I checked the console log, I found the following error:
ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework
org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: No authenticator can handle the request in step : 1
The service provider that requests the login is correctly configured because it works with WSO2 default authentication endpoint.
Any thought on this?
So, the issue was simpler than I thought. The redirects from WSO2 were more of a misdirection.
So, when submitting the data, the fields username and password must be lowercase.
If any issue is found with the POST data, it redirects with a 302 to the Carbon login page.
I think this may happen because of the canHandle() method. You can refer to other custom authenticators which use an external endpoint and see how they handle the request.

SAML logout request is not sending cookies to IdP

We are trying to implement SAML logout from a Service Provider/Relying Party to an IdP (in this case, AD FS 3.0). Our logout is not invalidating the session in AD FS. We have narrowed down that the ADFS auth cookies are not being sent in the HTTPS request for some reason, though we have no idea why. This is using HTTPS redirects for the SAML flow.
We have tried to get the request headers the same as the subsequent logon requests which successfully send the cookies, but to no avail.
I have a Fiddler trace that captured multiple logout attempts (and the automatic logins in between). This is in an isolated lab network with dummy data.
Fiddler trace
Any ideas what we could try to get those cookies sent to the AD FS server on the logout request?
The answer, as found by a colleague, was that the redirect request was an XHR request since it started in JavaScript and was not a ‘normal’ browser redirect. Cookies are only allowed to be included on cross-domain XHR requests if the destination server allows the requester access. So, the fix involved terminating the chain of redirects on the XHR request and doing a normal browser redirect. This allowed the browser to send cookies along with the redirect request to the new site.

wso2 is single logout doesn't send LogoutRequest to other enrolled SPs

Scenario: I have 2 SPs, viz. A and B, configured in WSO2 IS 5.0 SP1. I have configured a Custom Logout URL in B. This logout URL points to the logout for A.
Now when I logout from A, there is no LogoutRequest which is sent from IDP to B.
On the contrary, when I don't configure custom logout URL in B, there is a proper LogoutRequest which is sent to B when I logout from A.
Am I missing out anything over here?
Thanks in advance.
Cijoy, I checked the scenario you mentioned in WSO2 IS 5.0 SP1 using the travelocity and avis sample apps. The flow seems to be working as expected. Instead of pointing B's logout URL to A could you try making a copy of the B's logout page and point to that. Then when you logout from A the server should send a logout request to B's new logout URL.
I have configured Custom Logout URL in B. This logout URL points to the logout for A.
Why do that? A will then receive the logout request twice. B should expose its own logout URL. If you do not configure the logout URL, the ACS URL is used to send the logout request.
IMHO: The logout process in the current version assumes the systems / servers are accessible to each other and can communicate between themselves. That's a very strong assumption. Usually (in other identity servers) the SAML single logout goes through the user's browser, and I assume / expect it will be changed in WSO2 IS as well in future. Some updates are already implemented, but not yet generally available.