Hello. I communicated with Thanuja Lakmal about this problem (20.11.2017). The request is recorded in https://wso2.org/jira/browse/IDENTITY-6929. After his/her response I decided to make my own customization of the WSO2 IS source code (version 5.3.0).
I made the main changes to the org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.handle() method (= URL "/samlsso") and the methods called from it. SAMLSSOProviderServlet is in org.wso2.carbon.identity.sso.saml-5.3.0.jar, but I also had to modify some classes in org.wso2.carbon.identity.application.authentication.framework-5.7.5.jar.

Detailed changes:

- org.wso2.carbon.identity.sso.saml.processors.IdPInitLogoutRequestProcessor
  o I created a new method public SAMLSSOReqValidationResponseDTO processFedIdpLogoutRequest(LogoutRequest logoutRequest, String sessionId, QueryParamDTO[] queryParamDTOs, String serverURL). This method validates the logout request from the Fed IDP, builds the LogoutResponse and builds LogoutRequests for all subordinate ServiceProviders. My LogoutResponse and all LogoutRequests are added to the return value of type SAMLSSOReqValidationResponseDTO.
  o The method processFedIdpLogoutRequest() is called from org.wso2.carbon.identity.sso.saml.SAMLSSOService.validateFedIdpInitSSORequest(), which is my new method.

- org.wso2.carbon.identity.sso.saml.SAMLSSOService
  o I created validateFedIdpInitSSORequest(), which is my own extension of the existing SAMLSSOService.validateIdPInitSSORequest(). Instead of idPInitLogoutRequestProcessor.process() it calls idPInitLogoutRequestProcessor.processFedIdpLogoutRequest().
  o The method validateFedIdpInitSSORequest() is called from SAMLSSOProviderServlet.handleFedIdpInitSLO(), which is my new method.

- org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet
  o I created the method handleFedIdpInitSLO(), which is my own implementation of handleIdPInitSSO() and which handles the LogoutRequest coming from the Fed IDP. It calls SAMLSSOService.validateFedIdpInitSSORequest() and then returns the process flow to the framework (this.sendToFrameworkForLogout()).
  o It is called from the handle() method, but only in the case that the request is of type LogoutRequest and comes from the Fed IDP.
I had to make a lot of other changes to the source code, but I shortened it in this email. For example, sending of LogoutRequests to subordinate SPs and handling the responses. They should be sent to the SPs not by backchannel (the default in WSO2 IS 5.3.0), but through the user's browser. Some SPs (like BigIP F5) don't support the backchannel call and need the user's session cookie.

Best regards,
Roman

From: Architecture [mailto:architecture-boun...@wso2.org] On Behalf Of Darshana Gunawardana
Sent: Monday, August 19, 2019 12:52 PM
To: architecture <architecture@wso2.org>; Ruwan Abeykoon <ruw...@wso2.com>
Subject: Re: [Architecture] [IAM] - Implementing SAML2 Federated IdP Initiated Logout

Hi all,

What should be our plan for writing federated authenticators? If it's to move to the new inbound authenticator framework, then +1 to Johann's suggestion.

Thanks,

On Sat, Aug 17, 2019 at 1:38 AM Johann Nallathamby <joh...@wso2.com> wrote:

Just a suggestion to think about: As we are introducing a completely new aspect to IS, which is to handle logout requests from a federated IdP, isn't it much cleaner at the code level to have this as a completely new endpoint instead of mixing it up with the existing /commonauth endpoint? I am not saying it is wrong to do it with the /commonauth endpoint. But separating this aspect will improve code structure, I believe.

Architecturally the /identity endpoint could also be used here without even introducing a new endpoint. We can write a new inbound authenticator to process the logout requests and build the logout responses. Though the name may not suit, semantically the idea is the same. The inbound authenticator framework has some good features around HTTP request/response processing.

Something to just think about.

Regards,
Johann.

On Tue, Aug 13, 2019 at 5:10 PM Isanka Rajapaksha <isa...@wso2.com> wrote:

Hi All,

I'm currently working on the "SAML Federated IdP Initiated Logout" feature.
In the Identity Server implementation, we have support for SAML2 SP initiated logout for federated IdPs, and with this feature we will have the capability to handle federated IdP initiated logout requests as well.

Scenario:

Consider the following diagram (Figure-01), where WSO2 Identity Server, SP1, and SP2 are service providers of the federated IdP. Also, SP3, SP4, and SP5 are service providers of WSO2 Identity Server. When a user tries to log out from SP1, SP1 will send a logout request to the federated IdP. The federated IdP will determine the session participants using the session index available in the logout request. As Identity Server is a session participant, Identity Server will receive a logout request from the federated IdP. Now Identity Server needs to handle this request, terminate the session and respond with a valid logout response. Communication between Identity Server and the federated IdP can happen in different bindings (e.g. POST, Redirect, SOAP), so Identity Server should be able to handle them regardless of the binding.

[Blank Diagram (11).png] Figure-01

Objective:

The objective of this feature is to provide the capability to handle federated IdP initiated logout requests. Furthermore, if service providers of the Identity Server have enabled the IdP initiated logout feature, Identity Server should be able to propagate the session termination to the connected SPs.

Solution:

In the proposed solution, logout requests from the federated IdP will be received by the "/common-auth" endpoint. Then the authentication framework will iterate through the authenticators to identify the outbound authenticator which can handle the logout request. Then the relevant authenticator will validate the logout request and, if the request is valid, it will initiate a logout flow in the authentication framework. In this case, the framework session identifier needs to be identified from the SessionIndex element in the received logout request.

Now the authentication framework will terminate the user session and, if required, it will send the logout requests to the connected service providers as well. Then it will pass the framework response to the authenticator, and the authenticator will build the logout response and send it back to the federated IdP.

[Blank Diagram (9).png] Figure-02

We would like to have your feedback and suggestions in this regard.

Thanks & regards,
Isanka

--
Isanka Rajapaksha | Software Engineer Intern | WSO2 Inc
(m) +94 702515205 | (e) isa...@wso2.com

--
Johann Dilantha Nallathamby | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Regards,
Darshana Gunawardana
Technical Lead
WSO2 Inc.; http://wso2.com
E-mail: darsh...@wso2.com
Mobile: +94718566859
Lean . Enterprise . Middleware
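The flow Isanka's proposal describes (receive the federated IdP's LogoutRequest, validate it, resolve the local session from its SessionIndex, terminate it, work out which local SPs still need their own logout, and answer with a LogoutResponse carrying InResponseTo) as a small added Python example. This is not WSO2 code and not the thread's own code: the entity IDs, session store, request XML and function names are all constructed for illustration, and XML signature verification is assumed to have been done by the binding layer before this code runs.

```python
"""Handling a SAML 2.0 LogoutRequest from a federated IdP (added example).

Not WSO2 code. Entity IDs, the session store and the request are constructed.
Signature verification is assumed to happen before this code is reached.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed configuration (hypothetical entity IDs).
TRUSTED_FED_IDP = "https://fed-idp.example.com/idp"
OUR_ENTITY_ID = "https://is.example.com/samlsso"

# Constructed session store: SessionIndex issued by the federated IdP ->
# local framework session and the local SPs (SP3, SP4) that joined it.
SESSIONS = {
    "fed-idx-42": {"framework_session": "fw-sess-abc", "participants": ["SP3", "SP4"]},
}

# Constructed LogoutRequest as the federated IdP would send it.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-001" Version="2.0" IssueInstant="2019-08-13T11:40:00Z"
    NotOnOrAfter="2019-08-13T11:45:00Z">
  <saml:Issuer>https://fed-idp.example.com/idp</saml:Issuer>
  <saml:NameID>user-123</saml:NameID>
  <samlp:SessionIndex>fed-idx-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def _instant(iso_z):
    """Parse a SAML-style UTC timestamp such as 2019-08-13T11:45:00Z."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def validate_logout_request(xml_text, now_iso):
    """Return (request_id, session_index, error); error is None when valid."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, None, "malformed XML"
    request_id = root.get("ID")
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return request_id, None, "not a LogoutRequest"
    # Only accept requests from the configured federated IdP.
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_FED_IDP:
        return request_id, None, "untrusted issuer"
    expiry = root.get("NotOnOrAfter")
    if expiry and _instant(now_iso) >= _instant(expiry):
        return request_id, None, "request expired"
    session_index = root.findtext("samlp:SessionIndex", namespaces=NS)
    if not session_index:
        return request_id, None, "missing SessionIndex"
    return request_id, session_index, None


def terminate_session(session_index):
    """Drop the framework session mapped to this SessionIndex and return the
    local SPs that now need their own LogoutRequest (None if unknown index)."""
    entry = SESSIONS.pop(session_index, None)
    return None if entry is None else list(entry["participants"])


def build_logout_response(in_response_to, status, issue_instant):
    """Serialise a LogoutResponse addressed to the federated IdP."""
    resp = ET.Element("{%s}LogoutResponse" % NS["samlp"], {
        "ID": "_resp-001", "Version": "2.0", "IssueInstant": issue_instant,
        "InResponseTo": in_response_to or "unknown", "Destination": TRUSTED_FED_IDP,
    })
    ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = OUR_ENTITY_ID
    status_el = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status_el, "{%s}StatusCode" % NS["samlp"], {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def handle_fed_idp_logout(xml_text, now_iso):
    """Validate -> terminate -> respond. Returns (status, sps_to_notify, xml)."""
    request_id, idx, error = validate_logout_request(xml_text, now_iso)
    if error is not None:
        return STATUS_REQUESTER, [], build_logout_response(request_id, STATUS_REQUESTER, now_iso)
    sps = terminate_session(idx)
    if sps is None:  # unknown or already terminated session: nothing to log out
        return STATUS_REQUESTER, [], build_logout_response(request_id, STATUS_REQUESTER, now_iso)
    return STATUS_SUCCESS, sps, build_logout_response(request_id, STATUS_SUCCESS, now_iso)


if __name__ == "__main__":
    print(handle_fed_idp_logout(SAMPLE_LOGOUT_REQUEST, "2019-08-13T11:41:00Z"))
```

The returned SP list is what the framework would then use to drive front-channel LogoutRequests through the user's browser, as Roman's message notes some SPs require; the second call with the same request returns Requester because the session is already gone, which is the behaviour you want against a replayed LogoutRequest.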