Hi Roman,

On Thu, Nov 16, 2017 at 5:56 PM, Roman CHRENKO <roman_chre...@tempest.sk> wrote:

> Hello.
>
> We are using WSO2 Identity Server 5.3.0.
>
> I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service Provider (Shibboleth, symbolic name "SP1").
>
> Then I configured a second trust between WSO2 acting as a service provider ("SP2") and a federated IDP (symbolic name "IDP2", some public/gov service).
>
> I followed instructions at https://docs.wso2.com/display/IS530/Configuring+Shibboleth+IdP+as+a+Trusted+Identity+Provider.
>
> SP1 protects some resources; access to them is granted only when users are authenticated to IDP2. Everything is based on the SAML protocol.
>
> Login works fine - login requests are redirected from WSO2 (=IDP1) to IDP2.
>
> IDP1 initiated logout works fine too (user is sending GET to https://idp1.mydomain.com/samlsso?slo=true&spEntityID=https://sp1.mydomain.com/shibboleth ).
>
> But IDP2 initiated logout fails with message (in a browser): "Attention: Something went wrong during the authentication process. Please try signing in again."
>
> It generates a record in the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache".
>
> During the IDP2 initiated logout a correct LogoutRequest is sent from IDP2 to WSO2 (to https://amsrv.mydomain.com:9443/commonauth).
>
> (Our WSO2 is only one of many Service Providers which trust IDP2. IDP2 is the central identity provider for government institutions.
>
> IDP2 supports SSO, so logout can be initiated from many independent applications (Service Providers). But from our point of view it is initiated from IDP2.)
>
> Does WSO2 support such a scenario (IDP2 initiated logout)?

No. This is not supported.

> If not, when will it be supported?

Created JIRA [1] to track this feature.

> If yes, where is it documented?
>
> Best regards,
> Roman
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

As a workaround, can you try sending a modified IdP initiated logout request to the /samlsso endpoint from IDP2?

- In this case, WSO2 IS (IDP1) will send a logout request to IDP2, and IDP2 needs to handle it and send back a successful response.
- In the SP1 configuration of WSO2 IS (IDP1), you need to configure a landing URL in IDP2 as a "Return to URL" after the single logout.
  Ex: https://idp1.mydomain.com/samlsso?slo=true&spEntityID=https://sp1.mydomain.com/shibboleth&returnTo=https://idp2/logout-success

(IDP2 can't send an SP initiated logout request since the session index will not be available at the /samlsso endpoint (inbound) side.)

[1] - https://wso2.org/jira/browse/IDENTITY-6929

Thanks,
Thanuja

--
*Thanuja Lakmal*
Associate Technical Lead
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
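As an added illustration of the two pieces of the workaround above (this is editor-supplied example code, not from the thread, WSO2 or Shibboleth), the block below builds the `/samlsso?slo=true` IdP-initiated logout URL with proper URL encoding of the `spEntityID` and `returnTo` values, and inspects an HTTP-Redirect-encoded SAML `LogoutRequest` to report whether it carries a `SessionIndex`, which is the correlation value the reply says the inbound `/samlsso` side cannot supply. The sample `LogoutRequest`, its `ID`, `NameID`, `SessionIndex` and the IDP2 issuer `https://idp2.example/idp` are constructed for the example; only the hostnames come from the thread.

```python
"""Editor-added example: WSO2-style IdP-initiated SLO URL and LogoutRequest inspection."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_idp_initiated_slo_url(idp_base, sp_entity_id, return_to=None):
    """Build the /samlsso?slo=true URL from the thread; the entity ID and
    returnTo values are URL-encoded here (the thread shows them unencoded)."""
    params = {"slo": "true", "spEntityID": sp_entity_id}
    if return_to:
        params["returnTo"] = return_to
    return f"{idp_base.rstrip('/')}/samlsso?{urlencode(params)}"


def encode_redirect_binding(xml_text):
    """SAML HTTP-Redirect binding encoding: raw DEFLATE, then base64.
    Used here only to build the constructed sample parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """What a receiving endpoint does with the SAMLRequest query value."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def inspect_logout_request(xml_text):
    """Return the fields an SLO endpoint needs to match a LogoutRequest to a
    local session, and flag whether any SessionIndex is present at all."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError(f"not a samlp:LogoutRequest: {root.tag}")
    session_indexes = [
        (el.text or "").strip() for el in root.findall(f"{{{SAMLP_NS}}}SessionIndex")
    ]
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip(),
        "name_id": (root.findtext(f"{{{SAML_NS}}}NameID") or "").strip(),
        "session_indexes": session_indexes,
        "has_session_index": bool(session_indexes),
    }


# Constructed sample LogoutRequest: hostnames follow the thread, every other
# value (ID, issuer, NameID, SessionIndex) is made up for this example.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-logout-1" Version="2.0" IssueInstant="2017-11-16T12:00:00Z"
    Destination="https://amsrv.mydomain.com:9443/commonauth">
  <saml:Issuer>https://idp2.example/idp</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-123</saml:NameID>
  <samlp:SessionIndex>_example-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def inspect_sample_roundtrip():
    """Encode the sample as a SAMLRequest parameter, decode it back, inspect it."""
    param = encode_redirect_binding(SAMPLE_LOGOUT_REQUEST)
    return inspect_logout_request(decode_redirect_binding(param))


if __name__ == "__main__":
    print(build_idp_initiated_slo_url(
        "https://idp1.mydomain.com",
        "https://sp1.mydomain.com/shibboleth",
        "https://idp2/logout-success",
    ))
    print(inspect_sample_roundtrip())
```

Running `inspect_logout_request` over a captured `SAMLRequest` value is the quickest way to confirm, before changing any configuration, whether the request that reaches `/commonauth` carries a `SessionIndex` the receiving side could correlate; a request without one can only be matched on `NameID`, which is the limitation the reply points to for the inbound `/samlsso` endpoint.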