Ruwan, use a sequence diagram to explain what has already been implemented. This is too lengthy to read.. ;-)
On Mon, Apr 21, 2014 at 11:08 PM, Ruwan Yatawara <[email protected]> wrote:

> Hi All,
>
> Following is a brief explanation as to how we went about implementing single logout in App Manager. Please feel free to share your thoughts.
>
> According to the current implementation in App Manager, when a user tries to access a Gateway URL, the request will be intercepted by a Synapse API Handler. This handler will check if a certain cache key is present in the request header. If it is the first time the URL is being invoked, there won't be a cache key present in the request, hence the user is redirected to the login page of the Identity Provider (which is WSO2 Identity Server, in this case). Once the user is authenticated, the IDP will send a SAML response back to the gateway, which will in turn be cached in the App Manager for future reference. Once all of this is done, the gateway will draft a JWT token with claims recovered from the IDP SAML response, and the same, along with the cache key pertaining to the stored SAML response, will get sent back to the web app as a cookie.
>
> In the single logout scenario, once a request is made to the logout URL, the handler will identify the request as a logout call and a redirect will be made to the IDP with a "Single LogOut" request. Note that App Manager does not maintain a "session" for the user; all of this is delegated to the IDP to take care of. The only reference of the user withheld on App Manager is the cached SAML response stored against the cache key sent back to the browser. Once the IDP encounters a Single Logout Request, it will clear the session maintained for the user, against the session index. Once this is done, the App Manager will also wipe from its cache the original SAML response held against the cache key, rendering the user unauthenticated. Eventually, the user will be redirected to the IDP login page.
>
> Note that even though the IDP would send out individual logout requests to each service provider, App Manager would not need to handle said requests as it has already cleared its cache of the SAML response, and all subsequent gateway calls would result in getting redirected to the IDP for authentication, as App Manager does not have in it a notion of user session (it is delegated to the IDP).
>
> We have implemented the above and it works, but this approach does not let us address a "*selective*" logout scenario like the following.
>
> Imagine there are 4 apps: A, B, C, D. One may configure single logout for the A and B service providers and leave C and D as they are. When logout is invoked on A, B would also be logged out as they are both Single Logout enabled. However, C and D will stay logged in as they are not Single Logout enabled. However, if one had a requirement to group A & B under a group and C & D under another, so that when logout is invoked on one app of a group, all the applications in said group would be logged out, and applications external to the group won't get affected, irrespective of whether they are single logout enabled. This selective, group-wise logout enabling, is this possible? Or is this not a valid requirement?
>
> Thanks and Regards,
>
> Ruwan Yatawara
>
> Software Engineer,
> WSO2 Inc.
> lean . enterprise . middleware
>
> email : [email protected]
> mobile : +94 77 9110413
> blog : http://thoughts.ruwan-ace.com/
> www: http://wso2.com

--
/sumedha
m: +94 773017743
b : bit.ly/sumedha
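The flow described in the quoted mail (cache-key cookie check, SAML response cached against that key, JWT claims handed back to the web app, cache wiped on logout) and the group-wise selective logout Ruwan asks about, as an added toy model in Python. This is not App Manager's own code: the `Gateway` class, its method names and the `groups` mapping are assumptions, the IdP side (session index, SLO requests) is left out, and the JWT claims are returned unsigned where the real gateway would sign them.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Models the App Manager gateway handler: it keeps no user session, only a
    cache of the IdP's SAML response keyed by the cache key sent to the browser."""
    # app name -> logout group (constructed config; apps in one group log out together)
    groups: dict = field(default_factory=dict)
    # cache key -> SAML response data (the only reference to the user held here)
    saml_cache: dict = field(default_factory=dict)
    # cache key -> app the key was issued for
    key_app: dict = field(default_factory=dict)

    def handle_request(self, app, cookies):
        """Synapse-handler step: no valid cache key for this app -> redirect to IdP login."""
        key = cookies.get("cache_key")
        if key is None or key not in self.saml_cache or self.key_app[key] != app:
            return "redirect:idp-login"
        return "ok:" + self.saml_cache[key]["user"]

    def on_saml_response(self, app, saml_response):
        """Cache the IdP response and return the cookies sent back to the web app:
        the cache key plus JWT claims recovered from the SAML response
        (left unsigned in this model; the real gateway signs the token)."""
        key = secrets.token_urlsafe(32)
        self.saml_cache[key] = saml_response
        self.key_app[key] = app
        jwt_claims = {"sub": saml_response["user"], "aud": app}
        return {"cache_key": key, "jwt": jwt_claims}

    def logout(self, app):
        """Group-wise single logout: wipe the cached SAML responses of every app in
        the same group as `app` (only `app` itself if it has no group), so their next
        gateway call is redirected to the IdP. Returns the set of apps logged out."""
        group = self.groups.get(app)
        affected = {a for a, g in self.groups.items() if g == group} if group else {app}
        for key in [k for k, a in self.key_app.items() if a in affected]:
            del self.saml_cache[key]
            del self.key_app[key]
        return affected
```

With `groups={"A": "g1", "B": "g1", "C": "g2", "D": "g2"}`, logging out of A clears A and B while a valid C cookie keeps working.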
