What's happening here is we maintain the logged-in IdPs against an SP, and
when an SP calls the /samlsso endpoint *without a SAMLRequest* in the hope of
getting logged out, there's no way IS can identify who the SP is (because
identification is done by using the 'issuer' value inside the SAMLRequest),
and thus it cannot find the federated IdPs to whom the logout requests should
be sent.


On Wed, Jul 16, 2014 at 3:39 PM, Hasintha Indrajee <[email protected]>
wrote:

> Hi,
>
> I have configured SAML2 authentication for an application with two
> Identity Server instances (IS instance 1 and IS instance 2).
> IS Instance 1 will act as the IDP for the application and IS instance 2
> will act as the federated IDP for the application.
>
> Once the user logs in from federated authentication to the application and
> logs out, a valid SAML request is *not sent* to the IDP from the
> application. Therefore the federated IDP does not terminate its session.
> If the user again tries to log in to the application using federated SAML
> authentication, the login attempt will be successful without re-entering
> credentials.
>
> Is there a way to avoid this? The requirement is to terminate both
> sessions on two IS instances once the user logs out.
>
-- 
Dulanja Liyanage
WSO2 Inc.
M: +94776764717
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
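The IdP-side step the reply describes, as an added example that is not part of the original thread or of the Identity Server code base: a LogoutRequest arriving over the HTTP-Redirect binding is inflated, its Issuer is read, and that issuer is mapped to the federated IdPs recorded for the SP; with no SAMLRequest parameter there is no issuer to map, so no federated logout can be sent. The registry contents, SP entity ID and IdP names are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry: SP issuer -> federated IdPs the user logged in through.
# Illustrative values only, not Identity Server configuration.
FEDERATED_IDPS_BY_SP: Dict[str, List[str]] = {
    "https://app.example.test/sp": ["is-instance-2.example.test"],
}


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Reverse of encode_redirect_binding: base64 decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def issuer_from_logout_request(xml_text: str) -> Optional[str]:
    """Return the saml:Issuer of a samlp:LogoutRequest, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
        return None
    issuer = root.find("{%s}Issuer" % SAML_NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def federated_logout_targets(query_params: Dict[str, str]) -> List[str]:
    """IdPs that should receive a logout request for this SP-initiated logout."""
    saml_request = query_params.get("SAMLRequest")
    if saml_request is None:
        return []  # no request, so the SP cannot be identified
    issuer = issuer_from_logout_request(decode_redirect_binding(saml_request))
    return FEDERATED_IDPS_BY_SP.get(issuer, []) if issuer else []


# Constructed sample LogoutRequest (ID and timestamp are made up).
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
    'Version="2.0" IssueInstant="2014-07-16T10:09:00Z">'
    "<saml:Issuer>https://app.example.test/sp</saml:Issuer>"
    "<saml:NameID>user@example.test</saml:NameID></samlp:LogoutRequest>"
) % (SAMLP_NS, SAML_NS)
```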