Hi Johann

On Fri, Nov 24, 2017 at 10:39 AM, Johann Nallathamby <[email protected]> wrote:

> Hi Sugirjan,
>
> First of all have you confirmed that without having this new mapping we
> can't do forced single logout?

Yes. We can't do the force single logout, because we can't get the session participants from session context and common auth id for sending logout requests. Only user session is terminated.

> If so then what you are suggesting is fine as the first phase.
>
> However as the next phase I would like to see that the session
> participants are centralized in the authentication framework in one place
> only, instead of having these kinds of mappings in every inbound component.
> These mappings are coming from very old code, which hasn't undergone any
> changes for a very long time. It was OK to have them when we had just one
> or two inbound protocols and no authentication framework. But now since we
> have an authentication framework, 4 inbound protocols by default, and we can
> have more inbound protocols by extending, it is not a very good design
> anymore.
>
> Regards,
> Johann.
>
> On Fri, Nov 24, 2017 at 10:07 AM, Sugirjan Ragunaathan <[email protected]>
> wrote:
>
>> Hi,
>>
>> In the current implementation, we can get session participants from the
>> inbound authenticators' side by using session identifiers (SAMLSSOTokenID,
>> OPBSTokenId). But there is no way to handle the session participants from
>> the Identity framework side. Because of this problem, when a user admin does a
>> force logout using Identity Server dashboard, Single Logout cannot be done.
>>
>> In order to handle that we have to have a mapping between Common Auth Id
>> and authentication protocol specific session identifiers (SAMLSSOTokenID,
>> OPBSTokenID).
>>
>> If we have a mapping like this: when a force logout is done by user admin
>> then inbound authenticators are able to handle logout for their own session
>> participants. So when the log out happens, an event will be initiated
>> and sent to all inbound logout listeners in inbound authentication
>> components. In that event, CommonAuthId will be sent as a property. So log
>> out listeners will get the event and handle it. Listeners can get their own
>> session identifier from the CommonAuthId and send logout request to all the
>> participants.
>>
>> I created a JIRA[1] for this $subject. I would like to have your
>> feedback and suggestions in this regard.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-6949
>>
>> Thank you.
>>
>> Regards.
>> *R. Sugirjan*
>> Software Engineering - Intern | WSO2
>>
>> Email: [email protected]
>> Mobile: +94768489892
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com*

--
*R. Sugirjan*
Software Engineering - Intern | WSO2
Email: [email protected]
Mobile: +94768489892
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
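
The first-phase flow proposed in the thread (each inbound component keeps a CommonAuthId to session-identifier mapping and reacts to a forced-logout event), sketched as an added example. This is not WSO2 Identity Server code: every class, method and value here is hypothetical and the session identifiers are constructed.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch; none of these types exist in WSO2 Identity Server.
public class ForcedLogoutSketch {
    interface LogoutListener { boolean onForcedLogout(String commonAuthId); }

    /** One inbound component; keeps CommonAuthId -> its own session identifier. */
    static class InboundComponent implements LogoutListener {
        private final String protocol;
        private final Map<String, String> sessionIdByCommonAuthId = new ConcurrentHashMap<>();
        InboundComponent(String protocol) { this.protocol = protocol; }

        /** Record the mapping when this protocol creates its session. */
        void onLogin(String commonAuthId, String protocolSessionId) {
            sessionIdByCommonAuthId.put(commonAuthId, protocolSessionId);
        }

        public boolean onForcedLogout(String commonAuthId) {
            // remove() so a terminated session leaves no stale mapping behind
            String sid = sessionIdByCommonAuthId.remove(commonAuthId);
            if (sid == null) return false; // this protocol had no session for that login
            System.out.println(protocol + ": send logout requests to participants of " + sid);
            return true;
        }
    }

    /** Stands in for the framework side that raises the forced-logout event. */
    static class Framework {
        private final List<LogoutListener> listeners = new ArrayList<>();
        void register(LogoutListener l) { listeners.add(l); }

        int forceLogout(String commonAuthId) {
            int handled = 0;
            for (LogoutListener l : listeners) {
                // one failing protocol must not block logout for the others
                try { if (l.onForcedLogout(commonAuthId)) handled++; }
                catch (RuntimeException e) { System.err.println("listener failed: " + e); }
            }
            return handled;
        }
    }

    public static void main(String[] args) {
        InboundComponent saml = new InboundComponent("samlsso");
        InboundComponent oidc = new InboundComponent("oidc");
        Framework fw = new Framework();
        fw.register(saml);
        fw.register(oidc);
        saml.onLogin("commonauth-1", "saml-token-A"); // constructed sample values
        oidc.onLogin("commonauth-1", "opbs-token-B");
        System.out.println("handled: " + fw.forceLogout("commonauth-1"));
        System.out.println("handled: " + fw.forceLogout("commonauth-1")); // repeat finds nothing
    }
}
```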
