Hi All,

We had a discussion regarding the POC for this feature among the team
(Thanuja, Malithi). Please find the call details:

   1. Checked that the session id (commonAuth id) is stored against the SAML
   session index in the map.
   2. Checked the SSO tracer for the session id (commonAuth id) which is
   stored against the SAML session index, but couldn't find the exact
   session id which is stored against the SAML session index.
   3. Showed the demo and went through the code which I have implemented for
   this POC and identified the following:

   - Checked the servlet request cookie information and couldn't find any
   cookie for the commonAuth id, then tried to add the session id as a cookie in
   the requestWrapper, but requestWrapper doesn't have a method to addCookie.
   Hence tried to add the cookie to the requestWrapper as follows, but it
   doesn't work as expected.

       Cookie sessionCookie = new Cookie(FrameworkConstants.COMMONAUTH_COOKIE, (String) sessionDataKey);
       requestWrapper.setParameter(FrameworkConstants.COMMONAUTH_COOKIE, String.valueOf(sessionCookie));

   - On the Framework side, the cookie value is hashed and set in the context
   [2]. So even though we add the session id as a cookie in the requestWrapper,
   it hashes the already hashed value (double hash). Hence it's not working
   with the proposed approach.

   4. Actions to be done:
   - For the POC, directly remove the framework session by using the
   following method and try out the flow.

       FrameworkUtils.removeSessionContextFromCache(context.getSessionIdentifier());

   - Once the POC is done, we need to discuss the complexities of this feature
   (Framework side) and do a design review before starting the proper
   implementation of this feature.

Please add If I missed anything.

Thanks,
Kanapriya

Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [email protected]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc.
lean . enterprise . middleware
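
The behaviour described in items 2 to 4 above, as an added example that is not part of the original mail or of WSO2 Identity Server: a small Python model in which the session store is keyed by a hash of the commonAuth cookie, the SAML SessionIndex is mapped to that stored (already hashed) key at login, and an IdP-initiated LogoutRequest is handled two ways. The SessionFramework class, hash_cookie, handle_idp_logout, demo and the sample LogoutRequest are all invented for the illustration; only the SAML 2.0 protocol namespace and element names are standard. Feeding the stored key back through the cookie path hashes it a second time and misses, while removing the session context directly by the stored key succeeds. The signature check is modelled as a boolean precondition because a handler must never act on an unverified LogoutRequest.

```python
"""Toy model of IdP-initiated SAML single logout against a hashed session store.

Added illustration, not WSO2 code: SessionFramework, hash_cookie,
handle_idp_logout and the sample LogoutRequest are invented for this example.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Standard SAML 2.0 protocol namespace (OASIS spec, not an assumption).
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample LogoutRequest; the SessionIndex is the value quoted in the
# thread's debug log. In a real deployment the XML signature on this message is
# verified before anything below runs.
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-logout-1" Version="2.0" IssueInstant="2018-01-19T13:27:12Z">
  <saml:Issuer>https://fidp.example.org</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>1750291c-611b-4305-9fbc-40ba183d5878</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def hash_cookie(cookie_value: str) -> str:
    """Session contexts are keyed by a hash of the cookie, not the raw value."""
    return hashlib.sha256(cookie_value.encode("utf-8")).hexdigest()


class SessionFramework:
    """Hypothetical stand-in for the authentication framework's session cache."""

    def __init__(self) -> None:
        self._contexts: Dict[str, dict] = {}         # hashed cookie -> session context
        self._by_session_index: Dict[str, str] = {}  # SAML SessionIndex -> hashed cookie

    def login(self, subject: str, session_index: str) -> str:
        """Create a session; return the raw cookie value sent to the browser."""
        cookie = secrets.token_urlsafe(32)
        key = hash_cookie(cookie)
        self._contexts[key] = {"subject": subject, "session_index": session_index}
        # Like the thread's publisher: SessionIndex -> the already-hashed key.
        self._by_session_index[session_index] = key
        return cookie

    def logout_via_cookie(self, cookie_value: str) -> bool:
        """Browser logout path: hashes whatever arrives as the cookie value."""
        return self._contexts.pop(hash_cookie(cookie_value), None) is not None

    def remove_session_context(self, key: str) -> bool:
        """Direct removal by the stored key, with no re-hashing."""
        return self._contexts.pop(key, None) is not None

    def key_for_session_index(self, session_index: str) -> Optional[str]:
        return self._by_session_index.get(session_index)

    def is_active(self, session_index: str) -> bool:
        key = self._by_session_index.get(session_index)
        return key is not None and key in self._contexts


def session_index_from_logout_request(xml_text: str) -> Optional[str]:
    """Extract samlp:SessionIndex; None if the root is not a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP_NS)
    return node.text.strip() if node is not None and node.text else None


def handle_idp_logout(fw: SessionFramework, xml_text: str, signature_valid: bool,
                      via_cookie_path: bool = False) -> bool:
    """Terminate the local session named by the IdP's LogoutRequest.

    signature_valid models the upstream signature check: an unverified request
    is ignored, otherwise anyone who guesses a SessionIndex can log users out.
    via_cookie_path=True reproduces the POC's mistake of feeding the stored key
    back through the cookie path, where it gets hashed a second time.
    """
    if not signature_valid:
        return False
    session_index = session_index_from_logout_request(xml_text)
    if session_index is None:
        return False
    key = fw.key_for_session_index(session_index)
    if key is None:
        return False
    if via_cookie_path:
        return fw.logout_via_cookie(key)   # hash(hash(cookie)) never matches
    return fw.remove_session_context(key)  # removes by the stored key


def demo() -> Dict[str, bool]:
    """Run the failing POC path, then the direct removal, on one session."""
    idx = "1750291c-611b-4305-9fbc-40ba183d5878"
    fw = SessionFramework()
    fw.login("alice", idx)
    results = {"double_hash_removed": handle_idp_logout(fw, LOGOUT_REQUEST, True, via_cookie_path=True)}
    results["active_after_double_hash"] = fw.is_active(idx)
    results["direct_removed"] = handle_idp_logout(fw, LOGOUT_REQUEST, True)
    results["active_after_direct"] = fw.is_active(idx)
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the first attempt leaving the session active and the second removing it; the same model also explains why the cookie seen in the browser never equals the value stored in the map, since the map holds the hash and the browser holds the pre-image.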


On Sun, Jan 21, 2018 at 2:25 AM, Johann Nallathamby <[email protected]> wrote:

> Hi Malithi/Thanuja/Kanapriya,
>
> Instead of registering a new servlet endpoint, can't we use the /identity
> endpoint and write just an inbound authenticator to do this task?
>
> And also this new endpoint will only support SAML2 IdP, right? Then for an
> OIDC IdP we need to introduce another endpoint? Then for each outbound
> protocol we support we need to introduce a new inbound endpoint? That
> doesn't seem scalable to me. Instead can't we handle everything through the
> /identity endpoint and have different inbound authenticators to support the
> different IdP protocols? Maybe we can have the common logic handled by an
> abstract authenticator and extend it for the protocol specific
> implementations.
>
> Did you find any problems in doing it the above way? That will be more
> extensible to be used by other protocols also.
>
> In addition, this approach should work for front channel and back channel
> logout requests sent by the IdP, because we are only relying on the
> sessionIndex value in the logout request. Is your understanding the same?
>
> Regards,
> Johann.
>
> On Fri, Jan 19, 2018 at 2:18 PM, Kanapriya Kuleswararajan <
> [email protected]> wrote:
>
>> Hi Dimuthu,
>>
>>
>>
>>> In the above case, in the session map what do you have? What we should
>>> be storing is the Session Id even though the log says ContextId. Should the
>>> log be modified?
>>>
>>> 1750291c-611b-4305-9fbc-40ba183d5878 -->
>>> *9b8245d49407465772c9d25fef729bef3d00f07902b1c9d74d7795074557351d  *
>>>
>>> Is it?
>>>
>> Yes, the log needs to be modified, but in the map we have session index
>> (SAML) vs session id [1].
>>
>> 1750291c-611b-4305-9fbc-40ba183d5878  -->
>> *9b8245d49407465772c9d25fef729bef3d00f07902b1c9d74d7795074557351d*
>>
>> [1] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAMLAuthenticationDataPublisher.java#L83
>>
>>
>>> thanks,
>>> Dimuthu
>>>
>>> On Fri, Jan 19, 2018 at 2:04 PM, Kanapriya Kuleswararajan <
>>> [email protected]> wrote:
>>>
>>>> Hi Malithi,
>>>>
>>>> I have set the session as a cookie in the wrapped servlet request [1]. Now
>>>> it resolves the above-mentioned error when I initiate a logout request
>>>> from the FIDP (avis.com). But even with that I couldn't log out the SP, and
>>>> I observed the following debug log in the console.
>>>>
>>>> [2018-01-19 13:27:12,126] ERROR {org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler} - Recieved sessionIndex **************1750291c-611b-4305-9fbc-40ba183d5878
>>>> [2018-01-19 13:27:12,127] ERROR {org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler} - Recieved ContextId **************9b8245d49407465772c9d25fef729bef3d00f07902b1c9d74d7795074557351d
>>>> [2018-01-19 13:27:12,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Initializing the flow
>>>> [2018-01-19 13:27:12,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Framework contextId: c694dedf-6893-4960-addb-9e5b5e1e6cad
>>>> [2018-01-19 13:27:12,127] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Starting a logout flow
>>>> [2018-01-19 13:27:12,128] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Outbound Query String: sessionDataKey=c694dedf-6893-4960-addb-9e5b5e1e6cad&relyingParty=travelocity.com&type=samlsso&sp=travelocity.com&isSaaSApp=false
>>>> [2018-01-19 13:27:12,130] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultLogoutRequestHandler} - Sending response back to: http://localhost:8080/travelocity.com/home.jsp...
>>>> commonAuthLoggedOut : true
>>>> sessionDataKey: null
>>>>
>>>>
>>>> @ Dimuthu : I have checked the IS cookie in the browser, but it's not the
>>>> same as the cookie I store in the map against the sessionIndex. Please
>>>> find the screenshot below:
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> [1] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java#L137
>>>>
>>>> Am I missing anything? How can I proceed with this further?
>>>>
>>>> Thanks,
>>>> Kanapriya
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Jan 19, 2018 at 8:27 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>
>>>>> Hi Kanapriya,
>>>>>
>>>>> Also, please check whether the IS cookie in the browser and the cookie
>>>>> you store in the map against the sessionIndex have the same value.
>>>>>
>>>>> thanks,
>>>>> Dimuthu
>>>>>
>>>>>
>>>>> On Fri, Jan 19, 2018 at 7:15 AM, Malithi Edirisinghe <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> You have to set the session as a cookie in the wrapped servlet
>>>>>> request. Otherwise the framework will not pick the session with respect
>>>>>> to this flow.
>>>>>>
>>>>>> On Fri, Jan 19, 2018 at 12:22 AM, Kanapriya Kuleswararajan <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Malithi,
>>>>>>>
>>>>>>> Thanks for the suggestion. I wrapped the relevant parameters which
>>>>>>> are mentioned in the following endpoint [1] as per the offline
>>>>>>> discussion and directly invoked the Java API [2] instead of forwarding
>>>>>>> the wrapper object to the commonauth endpoint. Now I get a different
>>>>>>> error [3].
>>>>>>>
>>>>>>> [1]
>>>>>>> /commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}
>>>>>>>
>>>>>>> [2] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java#L131
>>>>>>>
>>>>>>> [3]
>>>>>>>
>>>>>>> [2018-01-19 00:10:36,771] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - retrieving authentication request from cache..
>>>>>>> [2018-01-19 00:10:36,772] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework
>>>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Invalid authentication request. Session data key : 23b80283629e8b46fff6978874f46cf34664c78abd168d9d47dff7031dffde7e
>>>>>>>     at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:111)
>>>>>>>     at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:46)
>>>>>>>     at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:37)
>>>>>>>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2FederatedLogoutRequestHandler.java:139)
>>>>>>>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogoutRequestHandler.java:82)
>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>     at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>>>     at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>>>     at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
>>>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>
>>>>>>> Appreciate your input on this.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kanapriya
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Jan 18, 2018 at 10:31 PM, Malithi Edirisinghe <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Kanapriya,
>>>>>>>>
>>>>>>>> So it seems you have dispatched back to the servlet transport. With
>>>>>>>> this you won't be able to respond back to the federated IdP as the
>>>>>>>> response is committed. Instead, follow the approach at [1]. There you
>>>>>>>> wrap the request and response and directly invoke the Java API, which
>>>>>>>> will return the request and response handled by the servlet endpoint.
>>>>>>>> Then you can verify and respond back to the federated IdP.
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L1219
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Malithi.
>>>>>>>>
>>>>>>>> On Thu, Jan 18, 2018 at 7:29 PM, Kanapriya Kuleswararajan <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Please find the error log below :
>>>>>>>>>
>>>>>>>>> ERROR {org.apache.catalina.core.ApplicationDispatcher} - Servlet.service() for servlet bridgeservlet threw exception
>>>>>>>>> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>>>>>>>>>     at java.lang.String.substring(String.java:1967)
>>>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:70)
>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
>>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
>>>>>>>>>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>>>>>     at org.eclipse.equinox.http.servlet.internal.RequestDispatcherAdaptor.forward(RequestDispatcherAdaptor.java:30)
>>>>>>>>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor$RequestDispatcherAdaptor.forward(ContextPathServletAdaptor.java:362)
>>>>>>>>>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.initiateLogRequest(SAML2FederatedLogoutRequestHandler.java:136)
>>>>>>>>>     at org.wso2.carbon.identity.application.authenticator.samlsso.SAML2FederatedLogoutRequestHandler.doPost(SAML2FederatedLogoutRequestHandler.java:79)
>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>>     at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
>>>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
>>>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
>>>>>>>>>     at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
>>>>>>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>>>>>>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
>>>>>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
>>>>>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>>     at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
>>>>>>>>>     at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
>>>>>>>>>     at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>>>>>>>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>>>>>>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
>>>>>>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>>>>>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
>>>>>>>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Kanapriya
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Jan 18, 2018 at 7:27 PM, Kanapriya Kuleswararajan <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>> b) - At number 5 in the diagram, i.e. when the logout request
>>>>>>>>>>>> is received, we wrap the request and response and send them over to
>>>>>>>>>>>> our common-auth servlet. Here, before invoking the common-auth
>>>>>>>>>>>> servlet, we will retrieve the session Id from the map (using the
>>>>>>>>>>>> SAML Session Index) and set it in the wrapper object.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The request which forwards to the commonauth endpoint will have a
>>>>>>>>>>> format similar to the following:
>>>>>>>>>>>
>>>>>>>>>>> /commonauth?commonAuthLogout=true&type={type}&commonAuthCallerPath={some-url}&relyingParty={sp-name}
>>>>>>>>>>> NOTE: Need to verify whether the relyingParty parameter is required
>>>>>>>>>>> or not.
>>>>>>>>>>>
>>>>>>>>>>> After logout from the framework, the saml-sso outbound component
>>>>>>>>>>> will verify the response, build a valid SAML2 logout response and
>>>>>>>>>>> send it back to the federated IdP.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have created a Servlet endpoint [1] to access the SAML logout
>>>>>>>>>> request from the FIDP and registered this Servlet as a service [2].
>>>>>>>>>> Here, I get the session id using the session index, set it inside the
>>>>>>>>>> wrapper object and forward that to the commonauth endpoint. When I
>>>>>>>>>> send a logout request from the FIDP, the FIDP is logged out but the SP
>>>>>>>>>> is not getting logged out even though we sent the sessionID to
>>>>>>>>>> invalidate the session, and I observe the error [1] at the back end.
>>>>>>>>>>
>>>>>>>>>> Is there anything I need to do more than this?
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/SAML2FederatedLogoutRequestHandler.java
>>>>>>>>>>
>>>>>>>>>> [2] https://github.com/Kanapriya/saml-sso-outbound/blob/master/components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/internal/SAMLSSOAuthenticatorServiceComponent.java#L74
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Kanapriya
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> @Thanuja and Malithi: Please add anything that I have missed.
>>>>>>>>>>>> And also appreciate code snippets for above (a) and (b).
>>>>>>>>>>>>
>>>>>>>>>>>> After the POC implementation, we will have another review.
>>>>>>>>>>>>
>>>>>>>>>>>> thank you,
>>>>>>>>>>>> Dimuthu
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Dimuthu Leelarathne
>>>>>>>>>>>> Director, Solutions Architecture
>>>>>>>>>>>>
>>>>>>>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>>>>>>>> email: [email protected]
>>>>>>>>>>>> Mobile: +94773661935
>>>>>>>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>>>>>>>
>>>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [1] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/util/FrameworkUtils.java#L1258
>>>>>>>>>>>
>>>>>>>>>>> [2] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/AuthenticationDataPublisher.java
>>>>>>>>>>>
>>>>>>>>>>> [3] - https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.captcha/src/main/java/org/wso2/carbon/identity/captcha/validator/FailLoginAttemptValidator.java
>>>>>>>>>>>
>>>>>>>>>>> [4] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthRequestWrapper.java
>>>>>>>>>>>
>>>>>>>>>>> [5] - https://github.com/wso2/carbon-identity-framework/blob/5.11.x/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/CommonAuthResponseWrapper.java
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Thanuja
>>>>>>>>>>> --
>>>>>>>>>>> *Thanuja Lakmal*
>>>>>>>>>>> Associate Technical Lead
>>>>>>>>>>> WSO2 Inc. http://wso2.com/
>>>>>>>>>>> *lean.enterprise.middleware*
>>>>>>>>>>> Mobile: +94715979891
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Malithi Edirisinghe*
>>>>>>>> Associate Technical Lead
>>>>>>>> WSO2 Inc.
>>>>>>>>
>>>>>>>> Mobile : +94 (0) 718176807
>>>>>>>> [email protected]
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile: +94 77 7776950
> LinkedIn: http://www.linkedin.com/in/johann-nallathamby
> Medium: https://medium.com/@johann_nallathamby
> Twitter: @dj_nallaa
>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
