Hello.

We are using WSO2 Identity Server 5.3.0.

I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service 
Provider (Shibboleth, symbolic name "SP1").

Then I configured second trust between WSO2 acting as a service provider 
("SP2") and federated IDP (symbolic name "IDP2", some public/gov service).

I followed instructions at 
https://docs.wso2.com/display/IS530/Configuring+Shibboleth+IdP+as+a+Trusted+Identity+Provider.

SP1 protects some resources, access to them is granted only when users are 
authenticated to IDP2. Everything is based on SAML protocol.

Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.

IDP1 initiated logout works fine too (user is sending GET to 
https://idp1.mydomain.com/samlsso?slo=true&spEntityID=https://sp1.mydomain.com/shibboleth).

But IDP2 initiated logout fails with message (in a browser): "Attention: 
Something went wrong during the authentication process. Please try signing in 
again."

It generates record to the WSO2 log: "{...DefaultRequestCoordinator} Context 
does not exist. Probably due to invalidated cache".

During the IDP2 initiated logout correct LogoutRequest is sent from IDP2 to 
WSO2 (to https://amsrv.mydomain.com:9443/commonauth).

(Our WSO2 is only one of many Service Providers which trust IDP2. IDP2 is 
central identity provider for government institutions.

IDP2 supports SSO, so logout can be initiated from many independent 
applications (Service providers). But from our point of view it is initiated 
from IDP2.)

Does WSO2 support such scenario (IDP2 initiated logout)?

If not, when will it be supported?

If yes, where is it documented?
Best regards,

Roman
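Added example, not part of the original post or of WSO2: when an IdP-initiated LogoutRequest fails on the SP side with a "context does not exist" style error, the first thing to check is what actually arrived at the logout endpoint (here https://amsrv.mydomain.com:9443/commonauth). The script below round-trips a SAML 2.0 LogoutRequest through the HTTP-Redirect binding (raw DEFLATE plus Base64 in the SAMLRequest query parameter) and pulls out the fields the SP needs to map the request to a session: Issuer, NameID, SessionIndex and Destination. The LogoutRequest, the IdP entity ID https://idp2.example.gov/idp and the NameID/SessionIndex values are constructed sample data; only the WSO2 endpoint URL comes from the post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample LogoutRequest. Issuer, NameID and SessionIndex are
# hypothetical; Destination is the WSO2 commonauth endpoint named in the post.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" '
    'Version="2.0" IssueInstant="2017-09-01T10:00:00Z" '
    'Destination="https://amsrv.mydomain.com:9443/commonauth">'
    "<saml:Issuer>https://idp2.example.gov/idp</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    "user-1234</saml:NameID>"
    "<samlp:SessionIndex>_sess-5678</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(saml_request_param: str) -> str:
    """Reverse of encode_redirect: Base64 decode, then raw inflate."""
    deflated = base64.b64decode(saml_request_param)
    return zlib.decompress(deflated, -15).decode("utf-8")


def build_redirect_url(endpoint: str, xml_text: str) -> str:
    """Build the redirect URL an IdP would send the browser to for SLO."""
    return endpoint + "?" + urlencode({"SAMLRequest": encode_redirect(xml_text)})


def parse_redirect_url(url: str) -> str:
    """Extract and decode the SAMLRequest parameter from a redirect URL."""
    query = parse_qs(urlparse(url).query)
    return decode_redirect(query["SAMLRequest"][0])


def summarize_logout_request(xml_text: str) -> dict:
    """Pull out the fields an SP uses to locate the session to terminate.

    Signature verification is deliberately out of scope here; the SP (WSO2 in
    the post) must still validate the signature before acting on the request.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")

    def text_of(element):
        return element.text.strip() if element is not None and element.text else None

    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": text_of(root.find(f"{{{SAML}}}Issuer")),
        "name_id": text_of(root.find(f"{{{SAML}}}NameID")),
        "session_index": text_of(root.find(f"{{{SAMLP}}}SessionIndex")),
    }


def check_destination(summary: dict, expected_endpoint: str) -> bool:
    """True when the request was addressed to this SP's SLO endpoint.

    A Destination mismatch is a common cause of an SP rejecting SLO requests
    (for example a proxy rewriting the host or port).
    """
    return summary.get("destination") == expected_endpoint


if __name__ == "__main__":
    url = build_redirect_url("https://amsrv.mydomain.com:9443/commonauth", SAMPLE_LOGOUT_REQUEST)
    summary = summarize_logout_request(parse_redirect_url(url))
    for key, value in summary.items():
        print(f"{key:14} {value}")
    print("destination ok:", check_destination(summary, "https://amsrv.mydomain.com:9443/commonauth"))
```

In practice, paste the SAMLRequest value from the browser's redirect (or from the SP's access log) into decode_redirect and compare Issuer against the federated IdP's configured entity ID and SessionIndex against what the SP stored at login; if either does not match what the SP keyed its session on, the SP cannot find the session context to terminate.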
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture