Hi all,
I am working on supporting SAML 2.0 asynchronous (front-channel) bindings for single logout in WSO2 Identity Server. SAML 2.0 specifies two kinds of bindings for the single logout profile:

- Asynchronous bindings (front-channel)
- Synchronous bindings (back-channel)

Currently, IS supports only back-channel single logout with the SOAP binding.

Asynchronous bindings (front-channel): here the session participant uses an asynchronous binding such as

- HTTP Redirect binding
- HTTP POST binding
- HTTP Artifact binding

to send a request to the identity provider through the user agent. Since the Artifact binding is already implemented in WSO2 IS, I will be working on the implementation of the HTTP Redirect binding and the HTTP POST binding to support SLO.

[image: SAML front-channel SLO.png]

The figure above illustrates the basic template for achieving SP-initiated SAML front-channel single logout.

1. <LogoutRequest> issued by Session Participant to Identity Provider
   The session participant initiates a single logout and terminates a principal's session(s) by sending a <LogoutRequest> message through the user agent to the identity provider from whom it received the corresponding authentication assertion.

2. Identity Provider determines Session Participants
   The identity provider uses the contents of the <LogoutRequest> message to determine the session(s) being terminated. If there are no other session participants, the profile proceeds with step 5. Otherwise, steps 3 and 4 are repeated for each session participant identified.

3. <LogoutRequest> issued by Identity Provider to Session Participant/Authority
   The identity provider issues a <LogoutRequest> message through the user agent to a session participant or session authority related to one or more of the session(s) being terminated.

4. Session Participant/Authority issues <LogoutResponse> to Identity Provider
   The session participant or session authority terminates the principal's session(s) as directed by the request (if possible) and returns a <LogoutResponse> to the identity provider through the user agent.

5. Identity Provider issues <LogoutResponse> to Session Participant
   The identity provider issues a <LogoutResponse> message to the original requesting session participant through the user agent.

In steps 1, 3, 4 and 5, either the HTTP Redirect, HTTP POST or HTTP Artifact binding can be used to transfer the message to the identity provider through the user agent. In an IdP-initiated SAML front-channel single logout, the identity provider (acting as session authority) initiates this profile at step 2 and issues a <LogoutRequest> to all session participants, also skipping step 5.

Reference:
[1] https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Regards,
--
*Sachini Wettasinghe*
Software Engineer | WSO2
Email: [email protected]
Mobile: +94774411285
Web: https://wso2.com <http://wso2.com/signature>
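Added example (not part of the mail above and not WSO2 Identity Server code): a small Python model of the SP-initiated front-channel flow the mail describes, carrying <LogoutRequest> and <LogoutResponse> over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into the query string) and the HTTP-POST binding (base64 in a hidden form field). The entity IDs, endpoint URLs, principal and session index are constructed for the example, and message signing is deliberately left out so the binding mechanics stay visible.

```python
# Added example (not from the mail, not WSO2 IS code): SAML 2.0 single logout messages over the
# HTTP-Redirect and HTTP-POST bindings, walked through steps 1-5. All IDs and URLs are made up.
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

def _open(kind, issuer, destination, extra=""):
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:{kind} xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{now}" Destination="{escape(destination)}"{extra}>'
            f"<saml:Issuer>{escape(issuer)}</saml:Issuer>")

def build_logout_request(issuer, destination, name_id, session_index):
    """Steps 1 and 3: name the principal and the session(s) to terminate."""
    return (_open("LogoutRequest", issuer, destination) + f"<saml:NameID>{escape(name_id)}</saml:NameID>"
            + f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex></samlp:LogoutRequest>")

def build_logout_response(issuer, destination, in_response_to, status=SUCCESS):
    """Steps 4 and 5: answer one specific request (InResponseTo) with a status code."""
    return (_open("LogoutResponse", issuer, destination, f' InResponseTo="{in_response_to}"')
            + f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')

def parse_logout_request(xml):
    r = ET.fromstring(xml)
    return {"id": r.get("ID"), "destination": r.get("Destination"),
            "issuer": r.findtext("saml:Issuer", namespaces=NS), "name_id": r.findtext("saml:NameID", namespaces=NS),
            "session_index": r.findtext("samlp:SessionIndex", namespaces=NS)}

def parse_logout_response(xml):
    r = ET.fromstring(xml)
    return {"in_response_to": r.get("InResponseTo"), "issuer": r.findtext("saml:Issuer", namespaces=NS),
            "status": r.find("samlp:Status/samlp:StatusCode", NS).get("Value")}

def redirect_encode(message, param, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encoded query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    fields = {param: base64.b64encode(comp.compress(message.encode()) + comp.flush()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)

def redirect_decode(query):
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    param = "SAMLRequest" if "SAMLRequest" in fields else "SAMLResponse"
    return param, zlib.decompress(base64.b64decode(fields[param]), -15).decode(), fields.get("RelayState")

def post_encode(message, param, relay_state=None):
    """HTTP-POST binding: plain base64 in a hidden form field, no compression."""
    fields = {param: base64.b64encode(message.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields

def post_decode(form):
    param = "SAMLRequest" if "SAMLRequest" in form else "SAMLResponse"
    return param, base64.b64decode(form[param]).decode(), form.get("RelayState")

def sp_initiated_slo(participants, initiator, name_id, session_index, idp="https://idp.example.org"):
    """Steps 1-5 for one principal. participants maps each SP entity ID in the IdP session to the
    binding it uses ("redirect" or "post"). Returns the (step, sender, receiver, binding) hops and a bool."""
    hops = []

    def via_user_agent(step, sender, receiver, binding, param, message):
        # Each hop is a 302 redirect or an auto-submitted form passing through the browser.
        wire = (redirect_decode(redirect_encode(message, param)) if binding == "redirect"
                else post_decode(post_encode(message, param)))
        hops.append((step, sender, receiver, binding))
        return wire[1]

    # Step 1: initiating SP -> IdP; the SP remembers its request ID for step 5.
    req = build_logout_request(initiator, idp + "/slo", name_id, session_index)
    req_id = parse_logout_request(req)["id"]
    req_at_idp = parse_logout_request(via_user_agent(1, initiator, idp, participants[initiator], "SAMLRequest", req))
    status = SUCCESS
    # Step 2: IdP resolves the session; steps 3 and 4 repeat for every other participant.
    for sp, binding in participants.items():
        if sp == initiator:
            continue
        sub = build_logout_request(idp, sp + "/slo", req_at_idp["name_id"], req_at_idp["session_index"])
        sub_at_sp = parse_logout_request(via_user_agent(3, idp, sp, binding, "SAMLRequest", sub))
        resp = build_logout_response(sp, idp + "/slo", sub_at_sp["id"])
        resp_at_idp = parse_logout_response(via_user_agent(4, sp, idp, binding, "SAMLResponse", resp))
        # The IdP must tie each response to the request it sent, not just trust the Success code.
        if resp_at_idp["in_response_to"] != parse_logout_request(sub)["id"] or resp_at_idp["status"] != SUCCESS:
            status = PARTIAL
    # Step 5: IdP -> initiating SP, which checks the answer matches its own request.
    final = build_logout_response(idp, initiator + "/slo", req_at_idp["id"], status)
    got = parse_logout_response(via_user_agent(5, idp, initiator, participants[initiator], "SAMLResponse", final))
    return hops, got["in_response_to"] == req_id and got["status"] == SUCCESS
```

Two things a real implementation must add on top of this model. First, every front-channel message is relayed by the user's browser, so it must be signed: the Redirect binding signs the encoded query string (Signature and SigAlg parameters), while the POST binding uses an enveloped XML signature, and the receiver must also check Destination, IssueInstant and InResponseTo before acting. Second, when any participant fails to answer or answers with a non-Success status, the identity provider should report PartialLogout to the original requester rather than Success, which is what the status bookkeeping in step 2 above is for.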
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
