It is in fact an inbound connector. So +1 to use the inbound framework and
write an InboundProcessor to process this request. This way we can have an
abstract FederatedIdPInitiatedLogoutProcessor (you may come up with a
different name) that will handle the logout specific logic in
authentication framework and extend it to multiple protocol specific
processors which will handle protocol specific logout logic.

Whether it should come inside identity-inbound-auth-saml or
identity-outbound-auth-samlsso, I think will have to go with what the
majority feels, because this use case is a hybrid between both, and the
current naming convention of repos didn't take this into consideration when
originally naming it. It can be argued both ways,
1. Since this is an inbound request to IS, it should go under
identity-inbound-auth-saml
2. Since this is dealing with the session between IS and federated IdP,
and all the IdentityProvider module dependencies are in
identity-outbound-auth-samlsso, and since authentication between SP - IS
and IS - IDP should be decoupled, it should go under
identity-outbound-auth-samlsso.

Both the above seem to have equal amount of convincing power to me :).
Technically I would prefer going with 2 above, accepting the fact that
"outbound" part in the naming is not the best, because we didn't consider
such a use case in the beginning and hoping one day we will rename the repo to
be more accurate :).

Regards,
Johann.

On Tue, Feb 6, 2018 at 11:47 PM, Hasintha Indrajee <[email protected]>
wrote:

> According to the analysis, it seems like logout requests from SPs and
> logout requests from IDPs look similar. @Kanapriya, were you able to skim
> through specs and see whether there are differences?
>
> Also on the other hand when we have a look towards our new framework, this
> looks more like an inbound connector because the request is initiated from
> a third party caller. Hence it's more inbound as per our framework. WDYT?
> Also if we are to follow this approach we need to avoid going through
> loops.
>
> On Tue, Feb 6, 2018 at 5:09 PM, Kanapriya Kuleswararajan <
> [email protected]> wrote:
>
>> Hi All,
>>
>> For the POC [1], I have registered a new servlet in
>> identity-outbound-auth-samlsso authenticator and tried out the FIDP initiated
>> logout flow by removing the session id which is associated with the earlier
>> login.
>>
>> Now I have tried to move the POC [1] code to support with the new
>> identity framework.
>>
>> Here, we have a concern about whether we need to move the code to the
>> *identity-inbound-auth-saml* or *identity-outbound-auth-samlsso*.
>>
>> IMO, we need to handle the logout request which is initiated by FIDP
>> inside identity-inbound-auth-saml. Please find the reasons for that :
>>
>>    - Generally, whenever the request comes to IS from External system,
>>    it will be handled by the Inbound flow (identity-inbound-auth-saml).
>>    - I have configured IS with two service providers (Travelocity, Avis)
>>    and tried out the logout flow.
>>    - Where I'm able to see the SAML Logout Request which is exactly the same
>>    as SAML Logout Request which is initiated by FIDP.
>>    - Since both SAML Logout Requests are the same, we can move the code to
>>    identity-inbound-auth-saml.
>>
>> Appreciate your thoughts on this.
>>
>> [1] Federated IdP Initiated Logout
>>
>> Thanks,
>> Kanapriya
>>
>> Kanapriya Kuleswararajan
>> Software Engineer
>> Mobile : - 0774894438
>> Mail : - [email protected]
>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>> WSO2, Inc.
>> lean . enterprise . middleware
>>
>>
>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
>


-- 

*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile: *+94 77 7776950*
LinkedIn: http://www.linkedin.com/in/johann-nallathamby
Medium: https://medium.com/@johann_nallathamby
Twitter: *@dj_nallaa*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
