Hi Julius

If you terminate the http session you are logged out of the web application. If you access the web application again, the container notices this is an unauthenticated request and triggers a redirect to the IDP.
If your browser still has got a valid session with the IDP, it will just create a new token for the web application without challenging the user to authenticate, as you expect from SSO. WS-Federation defines the single log out use case, which means that you log out in the IDP and it will log out all existing sessions with *all* web applications. The session between the IDP and the browser is terminated as well. Next time you access a web application, the IDP will challenge you again.

If an application requires a browser user to re-authenticate or requires a "fresh" token, an application can express this requirement by adding the wfresh parameter as part of the signin request. See section 13.2.2 in [1].

>>>
wfresh
This OPTIONAL parameter indicates the freshness requirements. If specified, this indicates the desired maximum age of authentication specified in minutes. An IP/STS SHOULD NOT issue a token with a longer lifetime. If specified as “0” it indicates a request for the IP/STS to re-prompt the user for authentication before issuing the token. Note that this serves roughly the same purpose as the Freshness element in the WS-Trust SOAP RST messages.
>>>

Fediz doesn't support this parameter yet. It requires an enhancement for the Fediz plugin as well as the Fediz IDP. Feel free to raise a JIRA request so this requirement can be tracked.

Thanks
Oli

[1] http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________________
From: Julius Francis [[email protected]]
Sent: 11 September 2012 09:40
To: [email protected]
Subject: Logout from Fediz from single web application.

Hi All,

We are using Fediz in our web application. Would like to know what we need to do to logout from the web application.
If we call HttpSession.invalidate(), Fediz takes control and redirects to the IDP where the session is still active. Also, I do understand the session is created at Tomcat level; how do we invalidate it from the application? Please share if someone has already done this.

What we want is that when the user clicks on the logout link, he should be redirected to the login page. How to tell the IDP to redirect to the login page? (Which means how to kill the already existing session.)

Thanks and Regards,
__________________________________________
Julius Francis
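The two mechanisms Oli describes above, the wsignout1.0 single log out request and the wfresh parameter on the sign-in request, as an added Python example that is not Fediz code from the list or the project; the IDP URL, realm and reply URL are constructed placeholders, and token_is_fresh_enough is a hypothetical relying-party check that a received token meets the freshness the application asked for:

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed placeholders: replace with the real Fediz IDP and application URLs.
IDP_FEDERATION_URL = "https://idp.example.org/fediz-idp/federation"
RP_REALM = "urn:org:apache:cxf:fediz:example"   # constructed wtrealm value
RP_REPLY_URL = "https://rp.example.org/app/"


def build_signin_request(wfresh_minutes=None, wctx=None):
    """WS-Federation passive sign-in redirect. wfresh (spec section 13.2.2) is the
    maximum age of the authentication in minutes; "0" asks the IP/STS to re-prompt
    the user even if the browser still has a valid IDP session."""
    params = [("wa", "wsignin1.0"), ("wtrealm", RP_REALM), ("wreply", RP_REPLY_URL)]
    if wctx is not None:
        params.append(("wctx", wctx))            # opaque state returned with the token
    if wfresh_minutes is not None:
        if wfresh_minutes < 0:
            raise ValueError("wfresh must be a non-negative number of minutes")
        params.append(("wfresh", str(wfresh_minutes)))
    return IDP_FEDERATION_URL + "?" + urlencode(params)


def build_signout_request():
    """Single log out: wsignout1.0 ends the IDP session and makes the IDP clean up
    the sessions of all web applications it signed the user into (the IDP sends
    wsignoutcleanup1.0 to each of them)."""
    return IDP_FEDERATION_URL + "?" + urlencode([("wa", "wsignout1.0"), ("wreply", RP_REPLY_URL)])


def token_is_fresh_enough(authn_instant, request_sent_at, wfresh_minutes, now=None):
    """Hypothetical relying-party check on a received token.

    authn_instant: when the IDP actually authenticated the user (e.g. SAML AuthnInstant).
    wfresh_minutes == 0: the user must have been re-prompted after our request went out,
    so a token minted from the IDP's older session is rejected.
    wfresh_minutes > 0: the authentication must be no older than that many minutes now.
    """
    now = now or datetime.now(timezone.utc)
    if authn_instant > now + timedelta(minutes=1):   # small clock-skew allowance
        return False                                # authentication claimed in the future
    if wfresh_minutes == 0:
        return authn_instant >= request_sent_at
    return now - authn_instant <= timedelta(minutes=wfresh_minutes)
```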
