Hi All,

Following is a brief explanation as to how we went about implementing single logout in App Manager. Please feel free to share your thoughts.
According to the current implementation in App Manager, when a user tries to access a Gateway URL, the request will be intercepted by a Synapse API Handler. This handler will check whether a certain cache key is present in the request header. If it is the first time the URL is being invoked, there won't be a cache key present in the request, hence the user is redirected to the login page of the Identity Provider (which is WSO2 Identity Server, in this case). Once the user is authenticated, the IdP will send a SAML response back to the gateway, which will in turn be cached in App Manager for future reference. Once all of this is done, the gateway will draft a JWT token with claims recovered from the IdP SAML response, and this, along with the cache key pertaining to the stored SAML response, will get sent back to the web app as a cookie.

In the single logout scenario, once a request is made to the logout URL, the handler will identify the request as a logout call and a redirect will be made to the IdP with a "Single Logout" request. Note that App Manager does not maintain a "session" for the user; all of this is delegated to the IdP. The only reference to the user held on App Manager is the cached SAML response stored against the cache key sent back to the browser. Once the IdP encounters a Single Logout request, it will clear the session maintained for the user against the session index. Once this is done, App Manager will also wipe from its cache the original SAML response held against the cache key, rendering the user unauthenticated. Eventually, the user will be redirected to the IdP login page.
Note that even though the IdP would send out individual logout requests to each service provider, App Manager would not need to handle said requests, as it has already cleared the SAML response from its cache, and all subsequent gateway calls would result in a redirect to the IdP for authentication, since App Manager has no notion of a user session (it is delegated to the IdP).

We have implemented the above and it works, but this approach does not let us address a "*selective*" logout scenario like the following. Imagine there are 4 apps: A, B, C, D. One may configure single logout for the A and B service providers and leave C and D as they are. When logout is invoked on A, B would also be logged out, as they are both single logout enabled. However, C and D will stay logged in, as they are not single logout enabled. But suppose one had a requirement to group A & B under one group and C & D under another, so that when logout is invoked on one app of a group, all the applications in said group would be logged out, and applications external to the group won't get affected, irrespective of whether they are single logout enabled. This selective, group-wise logout enabling: is this possible, or is this not a valid requirement?

Thanks and Regards,

Ruwan Yatawara
Software Engineer, WSO2 Inc.
lean . enterprise . middleware
email : [email protected]
mobile : +94 77 9110413
blog : http://thoughts.ruwan-ace.com/
www : http://wso2.com
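As an added illustration (constructed for this page, not App Manager's own code), the following Python model shows the handler flow described above: the gateway keeps only a cache of SAML-derived claims keyed by the cache key carried in the cookie, drafts a JWT from those claims, and on logout drops the cache entry so that replayed cookies fall back to the IdP login redirect. The cookie name, the `/logout` path, the signing key and the `idp:/...` redirect targets are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed simulation of the gateway handler flow; not App Manager code.
# SIGNING_KEY and the idp:/... redirect targets are placeholders.
SIGNING_KEY = b"constructed-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(claims: dict) -> str:
    """Draft an HS256 JWT from the claims recovered from the cached SAML response."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str):
    """Return the claims if the signature checks out, otherwise None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class Gateway:
    """Holds only the SAML response cache; there is no user session here (the IdP owns it)."""
    def __init__(self):
        self.saml_cache = {}  # cache key -> claims taken from the IdP's SAML response

    def on_saml_response(self, claims: dict) -> dict:
        """The IdP posted a SAML response: cache it and hand the browser its cookies."""
        cache_key = secrets.token_hex(16)
        self.saml_cache[cache_key] = claims
        return {"cache_key": cache_key, "jwt": mint_jwt(claims)}

    def handle(self, path: str, cookies: dict) -> dict:
        """The handler: logout wipes the cache entry; no valid cache key -> IdP login."""
        cache_key = cookies.get("cache_key")
        if path == "/logout":
            self.saml_cache.pop(cache_key, None)      # user is now unauthenticated here
            return {"redirect": "idp:/slo", "clear_cookies": True}
        if cache_key not in self.saml_cache:         # first visit, or already logged out
            return {"redirect": "idp:/login"}
        return {"status": 200, "jwt": mint_jwt(self.saml_cache[cache_key])}
```

The last check is the one worth keeping in mind: after logout, a browser that still presents the old cache key and JWT cookie is sent back to the IdP, because nothing on the gateway side remains to vouch for them.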
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
