Hi Roman,

On Thu, Nov 16, 2017 at 5:56 PM, Roman CHRENKO <roman_chre...@tempest.sk>
wrote:

> Hello.
>
> We are using WSO2 Identity Server 5.3.0.
>
> I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service
> Provider (Shibboleth, symbolic name "SP1").
>
> Then I configured second trust between WSO2 acting as a service provider
> ("SP2") and federated IDP (symbolic name "IDP2", some public/gov service).
>
> I followed instructions at https://docs.wso2.com/display/
> IS530/Configuring+Shibboleth+IdP+as+a+Trusted+Identity+Provider.
>
> SP1 protects some resources, access to them is granted only when users are
> authenticated to IDP2. Everything is based on SAML protocol.
>
> Login works fine - login requests are redirected from WSO2(=IDP1) to IDP2.
>
> IDP1 initiated logout works fine too (user is sending GET to
> https://idp1.mydomain.com/samlsso?slo=true&spEntityID=
> https://sp1.mydomain.com/shibboleth ).
>
> But IDP2 initiated logout fails with message (in a browser): "Attention:
> Something went wrong during the authentication process. Please try signing
> in again."
>
> It generates a record in the WSO2 log: "{...DefaultRequestCoordinator}
> Context does not exist. Probably due to invalidated cache".
>
> During the IDP2 initiated logout correct LogoutRequest is sent from IDP2
> to WSO2 (to https://amsrv.mydomain.com:9443/commonauth).
>
> (Our WSO2 is only one of many Service Providers which trust IDP2. IDP2 is
> the central identity provider for government institutions.
>
> IDP2 supports SSO, so logout can be initiated from many independent
> applications (Service Providers). But from our point of view it is
> initiated from IDP2.)
>
> Does WSO2 support such scenario (IDP2 initiated logout)?
>

No. This is not supported.


> If not, when will it be supported?
>

Created JIRA [1] to track this feature.


> If yes, where is it documented?
>
>
>
> Best regards,
>
> Roman
>
>
>
> _______________________________________________
> Architecture mailing list
> architect...@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
As a workaround, can you try sending a modified IdP-initiated logout request
to the /samlsso endpoint from IDP2?
- In this case, WSO2 IS (IDP1) will send a logout request to IDP2, and IDP2
needs to handle it and send back a successful response.
- In the SP1 configuration of WSO2 IS (IDP1), you need to configure a
landing URL in IDP2 as the "Return to URL" after the single logout.
  Ex:
https://idp1.mydomain.com/samlsso?slo=true&spEntityID=https://sp1.mydomain.com/shibboleth&returnTo=https://idp2/logout-success
(IDP2 can't send an SP-initiated logout request since the session index
will not be available at the /samlsso endpoint (inbound) side.)

[1] - https://wso2.org/jira/browse/IDENTITY-6929

Thanks,
Thanuja
-- 
*Thanuja Lakmal*
Associate Technical Lead
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
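To make the two logout shapes in the workaround above concrete, an added example that is not from the thread or from WSO2: it builds a SAML 2.0 LogoutRequest with an optional SessionIndex, round-trips it through the HTTP-Redirect binding (raw DEFLATE + base64), and assembles the query-parameter based IdP-initiated logout URL quoted in the reply. The issuer, NameID and SessionIndex values are constructed; only the /samlsso parameter names come from the thread.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, name_id, session_index=None):
    """Minimal samlp:LogoutRequest. SessionIndex is optional in SAML 2.0;
    an SP-initiated logout normally carries it so the IdP can find the session."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                      {"ID": "_constructed-id-1", "Version": "2.0",
                       "IssueInstant": "2017-11-16T16:56:00Z"})  # constructed values
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    if session_index is not None:
        ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding payload: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(saml_request):
    """Inverse of encode_redirect_binding; returns the parsed XML root."""
    raw = zlib.decompress(base64.b64decode(saml_request), -15)
    return ET.fromstring(raw)


def session_index_of(saml_request):
    """SessionIndex an inbound logout handler would key its session lookup on, or None."""
    el = decode_redirect_binding(saml_request).find(f"{{{SAMLP}}}SessionIndex")
    return el.text if el is not None else None


def idp_initiated_logout_url(idp_base, sp_entity_id, return_to):
    """The workaround from the thread: a plain GET to /samlsso, identified by
    spEntityID and returnTo rather than by a SessionIndex."""
    query = urlencode({"slo": "true", "spEntityID": sp_entity_id, "returnTo": return_to})
    return f"{idp_base}/samlsso?{query}"
```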
