Hi,

On Mon, Jan 15, 2018 at 1:32 PM, Dimuthu Leelarathne <[email protected]>
wrote:

> Hi All,
>
> Please consider the below scenario.
>
>
> [inline diagram omitted]
>
>
> When the Federated IdP sends the logout request we have to log out the user
> from the WSO2 IS. The proposed POC is as follows.
>
> - 1 & 4 are OAuth flows
> - 2 & 3 are SAML flows
>
> Participants of the discussion: Malithi, Thanuja and Dimuthu
>
> For the POC we will do the following.
>
> a) - At number 4 in the diagram, i.e. at the conclusion flow, we implement
> a listener that would record the SAML session index vs. session ID in an
> appropriate data structure (for the POC it is a map). This handler will be
> in the outbound SAML component.
>

We need to implement AuthenticationDataPublisher inside the
saml-sso outbound authenticator to handle this. Code references can be
found in [1], [2] and [3].


>
> b) - At number 5 in the diagram, i.e. when the logout request is received,
> we wrap the request and response and send them over to our common-auth
> servlet. Here, before invoking the common-auth servlet, we will retrieve the
> session ID from the map (using the SAML session index) and set it in the
> wrapper object.
>

The request forwarded to the commonauth endpoint will have a format
similar to the following:
/commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}
NOTE: Need to verify whether the relyingParty parameter is required or not.

After logout from the framework, the saml-sso outbound component will
verify the response, build a valid SAML2 logout response and send it
back to the federated IdP.

A sample wrapper implementation can be found in [1] and [2].


>
> @Thanuja and Malithi: Please add anything that I have missed. And also
> appreciate code snippets for above (a) and (b).
>
> After the POC implementation, we will have another review.
>
> thank you,
> Dimuthu
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
>
> WSO2, Inc. (http://wso2.com)
> email: [email protected]
> Mobile: +94773661935 <+94%2077%20366%201935>
> Blog: http://muthulee.blogspot.com
>
> Lean . Enterprise . Middleware
>

[1] -
https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java#L1258

[2] -
https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/AuthenticationDataPublisher.java

[3] -
https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/validator/FailLoginAttemptValidator.java

[4] -
https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthRequestWrapper.java

[5] -
https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthResponseWrapper.java


Thanks,
Thanuja
-- 
*Thanuja Lakmal*
Associate Technical Lead
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
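The two POC steps above (record SessionIndex vs. session ID at step 4, resolve it and forward to /commonauth at step 5, then answer the federated IdP with a LogoutResponse) as an added, stand-alone Python model. This is not WSO2 code and does not use the Java listener/wrapper classes referenced in the thread; the class and function names, the in-memory registry, and the sample LogoutRequest are all constructed for this example. Two design points a practitioner would want are built in: the map is keyed by (IdP entity ID, SessionIndex) so a SessionIndex issued by one federated IdP can never resolve to a session established through another, and the entry is consumed on first use so a replayed LogoutRequest resolves to nothing. Signature verification of the incoming LogoutRequest is out of scope and must be done before any of these values are trusted.

```python
"""Model of the POC flow: SessionIndex -> session id at step 4, lookup and
forward to /commonauth at step 5, then a SAML2 LogoutResponse back to the IdP.

Constructed example, not WSO2 code. All names below are assumptions made
for this illustration.
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_ENTITIES = {'"': "&quot;"}  # extra escaping for attribute values

# Hand-written sample LogoutRequest (constructed for this example; unsigned).
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2018-01-15T08:00:00Z"
    Destination="https://is.example.com/samlsso">
  <saml:Issuer>https://federated-idp.example.org</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>_idx-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionIndexRegistry:
    """In-memory stand-in for the POC's map (step a).

    Keyed by (IdP entity id, SessionIndex), not SessionIndex alone, so a value
    from one federated IdP cannot resolve to a session created via another.
    """

    def __init__(self):
        self._entries = {}

    def record(self, idp_entity_id, session_index, session_id):
        self._entries[(idp_entity_id, session_index)] = session_id

    def pop(self, idp_entity_id, session_index):
        # Consumed on first use: a replayed LogoutRequest finds nothing.
        return self._entries.pop((idp_entity_id, session_index), None)

    def __len__(self):
        return len(self._entries)


def parse_logout_request(xml_text):
    """Extract ID, Issuer and SessionIndex from a samlp:LogoutRequest.

    Signature verification is deliberately omitted here; a real implementation
    must verify the request before trusting any of these values.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex")
    if not issuer or not session_index:
        raise ValueError("LogoutRequest missing Issuer or SessionIndex")
    return {"id": root.get("ID"), "issuer": issuer, "session_index": session_index}


def build_commonauth_logout_url(auth_type, caller_path, relying_party):
    """Build the forwarding URL in the format quoted in the thread."""
    params = {
        "commonAuthLogout": "true",
        "type": auth_type,
        "commonAuthCallerPath": caller_path,
        "relyingParty": relying_party,
    }
    return "/commonauth?" + urlencode(params)


def handle_idp_logout(registry, logout_request_xml, caller_path, relying_party):
    """Step b: resolve the session id and describe the request to forward.

    Returns None when the (issuer, SessionIndex) pair is unknown so the caller
    can answer with a non-Success status instead of forwarding a logout.
    """
    req = parse_logout_request(logout_request_xml)
    session_id = registry.pop(req["issuer"], req["session_index"])
    if session_id is None:
        return None
    return {
        "session_id": session_id,  # what the request wrapper would carry
        "in_response_to": req["id"],
        "forward_url": build_commonauth_logout_url("samlsso", caller_path, relying_party),
    }


def build_logout_response(in_response_to, issuer, destination, success=True):
    """Build the SAML2 LogoutResponse sent back to the federated IdP."""
    status = "urn:oasis:names:tc:SAML:2.0:status:" + ("Success" if success else "Responder")
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'InResponseTo="{escape(in_response_to, ATTR_ENTITIES)}" '
        f'Destination="{escape(destination, ATTR_ENTITIES)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )


def demo():
    """Run steps 4 and 5 end to end on the constructed sample."""
    registry = SessionIndexRegistry()
    # Step 4 listener: federated login concluded, remember the pairing.
    registry.record("https://federated-idp.example.org", "_idx-42", "sess-1234")
    # Step 5: the IdP-initiated LogoutRequest arrives.
    result = handle_idp_logout(registry, SAMPLE_LOGOUT_REQUEST,
                               "https://is.example.com/samlsso", "federated-idp")
    response = build_logout_response(result["in_response_to"], "https://is.example.com",
                                     "https://federated-idp.example.org/slo")
    return registry, result, response


if __name__ == "__main__":
    _, r, resp = demo()
    print(r["session_id"], r["forward_url"])
    print(resp)
```

The forwarded URL is only the query string the thread quotes; whether relyingParty is actually needed is the open question noted above, so the function simply emits it and the caller can drop it once that is settled.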
