On Wed, Dec 17, 2014 at 1:46 AM, Dulanja Liyanage <dula...@wso2.com> wrote:
>
> Hi Darshana,
>
> Please find my comments inline.
>
> On Tue, Dec 16, 2014 at 6:24 PM, Darshana Gunawardana <darsh...@wso2.com>
> wrote:
>>
>> Hi folks,
>>
>> Do we support $subject in Identity Server? AFAIK, we can generate a
>> (proprietary) logout request by calling commonauth as follows,
>>
>>
>> https://localhost:9443/commonauth?commonAuthLogout=true&type=samlsso&sessionDataKey=7fa50562-2d0f-4234-8e39-8a7271b9b273&commonAuthCallerPath=http://localhost:9764/travelocity.com/index.jsp
>>
>>
>> But this is not a Single logout, right? AFAIK, this just removes the IdP
>> session and returns to the URL specified in commonAuthCallerPath.
>> Please correct me if I am wrong.
>>
>
> You are correct.
>
>>
>> If we consider a use case:
>>
>> Let's say we have 4 service providers in the system. Two of them use
>> SAML and the other two use OIDC as their authentication protocol. Ideally, if
>> I log out from one of my SAML apps, it should log me out from the other SAML
>> app as well as the two OIDC apps.
>>
>> So, in simple words, in the future can we support SLO among all
>> service providers which communicate through a protocol which has single
>> logout capability?
>>
>
> This is complicated, because SLO could be handled only by the protocol
> endpoints (servlets), not by a common point like Authentication Framework.
> And each protocol might have a set of SLO related rules/procedures which
> are known and handled only by that protocol, thus cannot be handled by the
> authentication framework. E.g. Issuance and maintenance of SessionIndex in
> SAML SLO.
>
> So taking the example you have mentioned, we are talking about initiating
> a SLO request from the OAuth2/OpenIDConnect servlet upon a SAML logout
> request.
>

Yes. The thing is, Identity Server 5.0.0 does support SSO across every
authentication protocol it supports.

So if we think of the user story, it's OK for someone to expect the IdP to handle
SLO the same way it handles SSO.

> (Please note that I'm not familiar with the OIDC Session Management spec,
> so I'm assuming SLO is in it and IS will have it in the near future)
>
> We might have to further brainstorm on this.
>
+1

>
>> PS: I have seen the following JIRA [1], which is also related.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-2643
>>
>> Thanks,
>> Darshana
>> --
>> Regards,
>>
>>
>> *Darshana Gunawardana*
>> Software Engineer
>> WSO2 Inc.; http://wso2.com
>>
>> *E-mail: darsh...@wso2.com*
>> *Mobile: +94718566859*
>> Lean . Enterprise . Middleware
>>
>
>
> --
> Dulanja Liyanage
> WSO2 Inc.
> M: +94776764717
>


-- 
Regards,


*Darshana Gunawardana*
Software Engineer
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
