Configuring SAML Federated Identity Provider Initiated Logout in WSO2 Identity Server

WSO2 Identity Server provides the capability to handle SAML single logout requests from federated identity providers. After the SAML single logout request is received by the federated identity provider, WSO2 IS processes the request, terminates the session, and then responds to the federated identity provider. This blog allows you to have hands-on experience on SAML federated identity provider initiated logout flow.

SAML Federated Identity Provider Initiated Logout Flow

Above diagram illustrates the SAML federated identity provider initiated logout flow between WSO2 Identity Server, which acts as the primary identity provider and the Federated Identity Provider. Pickup Dispatch application is a service provider of the WSO2 Identity Server. Pickup Manager application and WSO2 Identity Server are service providers of the Federated IdP. The Federated IdP acts as the federated authenticator of the Pickup Dispatch application.

Initially the user will login to both Pickup Dispatch and Pickup Manager applications. When the user attempts to log out from the pickup manager, this app sends a logout request to the Federated IdP. Then the Federated IdP determines the session participants using the session index available in the logout request and send single logout requests to them. Since WSO2 IS is a session participant, it receives a single logout request from the Federated IdP. WSO2 IS handles this request, terminates the session and responds with a valid logout response. Then the user will be logged out from the pickup dispatch application.

Here, we use another WSO2 Identity server as the Federated Identity Provider. WSO2 Identity server and Federated Identity Server will be referred to as PrimaryIS(WSO2 IS server which is running on port 9443) and SecondaryIS(WSO2 IS server which is running on port 9444). In this blog, We’ll be using two sample applications, Pickup-Dispatch and Pickup-Manager to demonstrate the SAML federated identity provider initiated logout flow between these two servers.

The following sections guide you through configuring SAML federated identity provider initiated logout flow and trying it out with the sample applications.

1. Configuring PrimaryIS as a Service Provider in the SecondaryIS
2. Configuring SecondaryIS as an Identity Provider in the PrimaryIS
3. Configuring sample applications

Prerequisites

1. Download and install the latest WSO2 Identity Server.

1. Configuring PrimaryIS as a Service Provider in the SecondaryIS

1. Run the WSO2 Identity Server on port 9444 (SecondaryIS).
2. Once the server startup, Login to the management console ( https://localhost:9444/carbon/) with admin credentials (username: admin, password: admin).
3. Navigate to Main>Identity>Service Providers and click Add.
4. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
5. Now set the configuration as follows:

Issuer : SP Entity ID of PrimaryISPrimaryIS

Assertion Consumer URL : https://localhost:9443/commonauth

SLO Request URL : https://localhost:9443/identity/saml/slo

NOTE: Providing the SLO Request URL is a must. WSO2 IS receives the SAML single logout requests from this URL. For now, only front channel bindings are supported with this feature. For the logout method, select one of the front channel bindings.

6. Leave the rest of the default configurations as it is and click Register.

7. Download the IDP Metadata of the created service provider. We will use this in the next step.

2. Configuring SecondaryIS as an Identity Provider in the PrimaryIS

1. Run the WSO2 Identity Server on port 9443 (Primary IS).
2. Once the server startup, Login to the management console ( https://localhost:9443/carbon/) with admin credentials (username: admin, password: admin).
3. Navigate to Main>Identity>Identity Providers and click Add.
4. In the Federated Authenticators section, click Configure under the SAML2 Web SSO Configuration section.
5. Fill in the details in the Basic Information section. Give a suitable name for the Identity Provider.
6. Expand the SAML2 Web SSO Configuration section under Federated Authenticators section.

• Enable SAML2 Web SSO and provide Service Provider Entity ID as per previous configuration (PrimaryIS)
• Add the downloaded IDP Metadata file in previous step into Metadata File Configuration and Register.
• Now set the remaining configuration as follows :

NOTE: Select Specifies if logout request from the identity provider is accepted under the Single Logout profile to accept single logout requests from the identity provider. Once this is enabled, WSO2 Identity Server accepts and handles the logout requests. This configuration is a must to try this scenario.

7. After providing the values for the required fields, click Register.

3. Configuring sample applications.

Configuring Pickup Dispatch application in the Primary IS

1. Follow the steps in deploying the saml2-web-app-pickup-dispatch webapp to download, deploy and register pickup-dispatch sample.
2. Once you have added the pickup-dispatch application, go to the Service Provider Configuration and expand Local & Outbound Authentication Configuration.
3. Expand SAML2 Web SSO Configuration and click on Configure. Enable Federated Authentication and select SecondaryIS as the authenticator.

Configuring Pickup Manager application in the Secondary IS

1. Follow the steps in deploying the saml2-web-app-pickup-manager webapp to download, deploy and register pickup-manager sample.

Configuration Process

TRY IT OUT !!

We have completed all the configurations in the PrimaryIS and SecondaryIS. Now we can try out the SAML federated identity provider initiated logout flow.

1. Create a user in the SecondaryIS(Federated Identity Provider).
2. Access the following URL on a browser window: http://localhost.com:8080/saml2-web-app-pickup-manager.com to log into the pickup-manager application.
3. Log in using the credentials of the user created in the Federated Identity Provider. You will be redirected to the Pickup Manager application home page.
4. Now access the following URL to access the Pickup Dispatch application http://localhost.com:8080/saml2-web-app-pickup-dispatch.com
5. Once you click login, you will be automatically logged in and redirected to the Pickup Manager application home page.
6. Log out of the Pickup Manager application. You will be redirected back to the login page of the application.
7. Now attempt to access the Pickup Dispatch application. You will be automatically logged out of this application as well.

This means that you have successfully tried out the SAML federated identity provider initiated logout flow.