Spring SAML - Global logout not working after hitting URL '/saml/logout'
According to the Spring SAML extension documentation:
Local logout terminates the local session and doesn't affect either the session at the IdP or the sessions at other SPs where the user logged in using single sign-on. Local logout can be initialized at scheme://server:port/contextpath/saml/logout?local=true.
For global logout, I have to hit the scheme://server:port/contextpath/saml/logout URL, which, for me, logs out the local session but doesn't log out the IdP.
This is the [websecurityconfig](https://github.com/vdenotaris/spring-boot-security-saml-sample/blob/master/src/main/java/com/vdenotaris/spring/boot/security/saml/web/config/websecurityconfig.java) I'm using to create the SAML SP. The question is, am I doing something wrong here? Or is the problem because of the IdP I'm using (I can't mention the IdP; it's one of my firm's SAML SSO)? Or do I have to define a global logout handler here? If yes, how?
Global logout in the case of single sign-on (SSO) needs support from both service providers (SP) and identity providers (IdP). What you are doing, enabling the global logout endpoint on the SP side, ensures that the SP generates a global logout request to the IdP (depending on the SAML profiles/bindings you are using); how the IdP handles it depends on the IdP as well.
In SSO there is a session at the IdP, a session at the SP, and cookies at the user agent set on login. To facilitate a single global logout, there comes a gap between user expectations and technical limitations. I suggest you read about the SLO issues here: https://wiki.shibboleth.net/confluence/display/concept/sloissues
Shibboleth IdPv3 has provided partial support for single logout using both front-channeling (the user agent is involved in sending logout to the SPs and IdP) and back-channeling (the user agent sends a logout request to the current SP and IdP, and the IdP in turn sends logout requests to the logged-in SPs). You can read how Shibboleth IdP v3.2.0 handles logout here: https://wiki.shibboleth.net/confluence/display/idp30/logoutconfiguration
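
One way to check the IdP side that the answer above refers to, as an added example that is not part of the original post: it reads SAML 2.0 IdP metadata and lists the SingleLogoutService endpoints the IdP advertises, split into front-channel and back-channel bindings. The sample metadata, entity IDs and URLs are constructed; an IdP that advertises no such endpoint gives the SP nowhere to send a LogoutRequest.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Front-channel bindings travel through the browser; SOAP goes server to server.
CHANNEL = {
    BINDINGS + "HTTP-Redirect": "front",
    BINDINGS + "HTTP-POST": "front",
    BINDINGS + "SOAP": "back",
}

# Constructed sample: idp-a advertises SLO, idp-b only advertises SSO.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-a.example.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.test/slo/redirect"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                              Location="https://idp-a.example.test/slo/soap"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp-b.example.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def slo_endpoints(metadata_xml):
    """Map each IdP entityID to a list of (channel, binding, location)."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also matches the root, so a lone EntityDescriptor works too.
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        for idp in entity.findall("{%s}IDPSSODescriptor" % MD):
            endpoints = result.setdefault(entity.get("entityID"), [])
            for slo in idp.findall("{%s}SingleLogoutService" % MD):
                binding = slo.get("Binding", "")
                channel = CHANNEL.get(binding, "unknown")
                endpoints.append((channel, binding, slo.get("Location")))
    return result

def global_logout_possible(metadata_xml, entity_id):
    """True only if the named IdP advertises at least one SLO endpoint."""
    return bool(slo_endpoints(metadata_xml).get(entity_id))
```

Run it against the metadata file your SP actually loads for the IdP; an empty list for that entityID points at the IdP side rather than at the SP configuration.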