On Fri, Nov 24, 2017 at 3:59 PM, Sugirjan Ragunaathan <[email protected]> wrote:
> Hi Johann
>
> On Fri, Nov 24, 2017 at 10:39 AM, Johann Nallathamby <[email protected]>
> wrote:
>
>> Hi Sugirjan,
>>
>> First of all have you confirmed that without having this new mapping we
>> can't do forced single logout?
>>
>
> Yes. We can't do the force single logout. Because we can't get the
> session participants from session context and common auth id for sending
> logout requests. Only user session is terminated.
>
>>
>> If so then what you are suggesting is fine as the first phase.
>>
>> However as the next phase I would like to see that the session
>> participants are centralized in the authentication framework in one place
>> only, instead of having these kind of mappings in every inbound component.
>> These mappings are coming from very old code, which hasn't undergone any
>> changes for a very long time. It was OK to have them when we had just one
>> or two inbound protocols and no authentication framework. But now since we
>> have an authentication framework, 4 inbound protocols by default, and we can
>> have more inbound protocols by extending, it is not a very good design
>> anymore.
>>

Agreed with what Johann has suggested. Also, it would be great if we can
introduce cross-protocol Circle of Trust with that effort. Then different
sessions can be shared among different sets of SPs. I assume Circle of Trust
is planned for C5?

>
>> Regards,
>> Johann.
>>
>>
>> On Fri, Nov 24, 2017 at 10:07 AM, Sugirjan Ragunaathan <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> In the current implementation, we can get session participants from the
>>> inbound authenticators' side by using session identifiers (SAMLSSOTokenID,
>>> OPBSTokenId). But there is no way to handle the session participants from
>>> the Identity framework side. Since this problem, when a user admin does a
>>> force logout using Identity Server dashboard, Single Logout cannot be done.
>>>
>>> In order to handle that we have to have a mapping between Common Auth
>>> Id and authentication protocol specific session identifiers (SAMLSSOTokenID,
>>> OPBSTokenID).
>>>
>>> If we have a mapping like this: when a force logout is done by user
>>> admin then inbound authenticators are able to handle logout for their own
>>> session participants. So when the log out happens, an event will be
>>> initiated and sent to all inbound logout listeners in inbound
>>> authentication components. In that event, CommonAuthId will be sent as a
>>> property. So log out listeners will get the event and handle it. Listeners
>>> can get their own session identifier from the CommonAuthId and send logout
>>> requests to all the participants.
>>>
>>> I created a JIRA[1] for this $subject. I would like to have your
>>> feedback and suggestions in this regard.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-6949
>>>
>>> Thank you.
>>>
>>> Regards.
>>> *R. Sugirjan*
>>> Software Engineering - Intern | WSO2
>>>
>>> Email: [email protected]
>>> Mobile: +94768489892
>>>
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Senior Lead Solutions Engineer
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com*
>>
>
> --
> *R. Sugirjan*
> Software Engineering - Intern | WSO2
>
> Email: [email protected]
> Mobile: +94768489892
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
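The design Sugirjan describes above (a mapping from CommonAuthId to each protocol's own session identifiers, a single logout event carrying the CommonAuthId, and per-protocol listeners that resolve only their own participants) can be sketched as follows. This is an added illustration written for this page, not WSO2 Identity Server code; every name in it (SessionRegistry, LogoutListener, SamlLogoutListener, OidcLogoutListener, AuthenticationFramework, the transport callable) is an assumption chosen for the example, and the transport callable stands in for the real SAML LogoutRequest / OIDC logout messages. It also follows Johann's suggestion of keeping the participant registry in one place in the framework rather than inside each inbound component, and it removes the mapping once the logout has fanned out so a stale CommonAuthId cannot be reused.

```python
"""Added example (not WSO2 code): central session-participant registry plus
a CommonAuthId-keyed logout event fanned out to per-protocol listeners."""
from collections import defaultdict


class SessionRegistry:
    """Single, framework-owned store: CommonAuthId -> protocol -> {protocol
    session id -> set of service-provider ids}. (Assumed name/shape.)"""

    def __init__(self):
        self._sessions = defaultdict(lambda: defaultdict(dict))

    def register(self, common_auth_id, protocol, protocol_session_id, sp_id):
        """Record that sp_id joined the given protocol session of this user session."""
        sessions = self._sessions[common_auth_id][protocol]
        sessions.setdefault(protocol_session_id, set()).add(sp_id)

    def participants(self, common_auth_id, protocol):
        """{protocol_session_id: set(sp_ids)} for one protocol; {} when nothing is mapped."""
        return dict(self._sessions.get(common_auth_id, {}).get(protocol, {}))

    def remove(self, common_auth_id):
        """Drop every mapping for the session; returns True if something was removed."""
        return self._sessions.pop(common_auth_id, None) is not None


class LogoutListener:
    """Base for an inbound component's logout listener. Each subclass fixes the
    protocol it owns, so a listener never touches another protocol's sessions."""
    protocol = None

    def __init__(self, registry, transport):
        self.registry = registry
        # transport(protocol, protocol_session_id, sp_id) -> bool stands in for
        # sending the protocol-specific logout request to one participant.
        self.transport = transport

    def on_logout(self, event):
        """Handle the framework event; returns the (protocol, session, sp) tuples sent."""
        common_auth_id = event["CommonAuthId"]
        sent = []
        for session_id, sps in self.registry.participants(common_auth_id, self.protocol).items():
            for sp_id in sorted(sps):
                if self.transport(self.protocol, session_id, sp_id):
                    sent.append((self.protocol, session_id, sp_id))
        return sent


class SamlLogoutListener(LogoutListener):
    protocol = "SAML2"


class OidcLogoutListener(LogoutListener):
    protocol = "OIDC"


class AuthenticationFramework:
    """Owns the registry and the listener list; fires one event per forced logout."""

    def __init__(self, registry):
        self.registry = registry
        self.listeners = []

    def add_listener(self, listener):
        self.listeners.append(listener)

    def force_logout(self, common_auth_id):
        """Admin-initiated logout: send the CommonAuthId to every listener, collect
        what they sent, then clear the mapping so the id cannot be replayed."""
        event = {"CommonAuthId": common_auth_id}
        sent = []
        for listener in self.listeners:
            sent.extend(listener.on_logout(event))
        self.registry.remove(common_auth_id)
        return sent


def demo():
    """Constructed sample: user session cauth-1 has a SAML session shared by two SPs
    and an OIDC session with one SP; cauth-2 belongs to another user and must stay."""
    registry = SessionRegistry()
    registry.register("cauth-1", "SAML2", "samlsso-token-1", "sp-travel")
    registry.register("cauth-1", "SAML2", "samlsso-token-1", "sp-hr")
    registry.register("cauth-1", "OIDC", "opbs-token-1", "sp-portal")
    registry.register("cauth-2", "SAML2", "samlsso-token-2", "sp-other")

    def transport(protocol, session_id, sp_id):
        print(f"{protocol} logout -> {sp_id} (session {session_id})")
        return True

    framework = AuthenticationFramework(registry)
    framework.add_listener(SamlLogoutListener(registry, transport))
    framework.add_listener(OidcLogoutListener(registry, transport))
    sent = framework.force_logout("cauth-1")
    return (sent,
            registry.participants("cauth-1", "SAML2"),
            registry.participants("cauth-2", "SAML2"))


if __name__ == "__main__":
    print(demo())
```

Running demo() logs out both SAML participants and the OIDC participant of cauth-1, leaves cauth-2 untouched, and afterwards the registry holds nothing for cauth-1. The point worth checking in a real implementation is the last step: if the mapping outlives the logout, a later event carrying the same CommonAuthId would resend logout requests for a session that no longer exists.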
