0
votes

Environment:
Windows Server 2008 R2
wso2is-5.3.0
wso2am-2.1.0

URLs/Ports:
- hostname:9443/carbon
- hostname:9443/publisher
- hostname:9443/store
- hostname:9444/carbon (Identity Server)

Problem:
I've configured SAML SSO for all components listed above using IS as the Identity Provider, as specified here: https://docs.wso2.com/display/AM210/Configuring+Identity+Server+as+IDP+for+SSO

Single sign-on works perfectly. I hit any of the above URLs, I'm redirected to the IS, I authenticate and I'm logged into all of the URLs without re-authentication. The problem comes from single log-out. If I log out of the store or publisher first, it appears the session is invalidated and I'm logged out across all components (i.e. if I refresh the browser I'm prompted to re-authenticate). However, I see the following errors in the IS log.

TID: [-1] [] [2017-09-20 10:13:41,047]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:13:41,062]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:14:41,060]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:14:41,076]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:15:41,073]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:15:41,089]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:16:41,086]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:16:41,118]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:17:41,100]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:17:41,100] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds. 
TID: [-1] [] [2017-09-20 10:17:41,146]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:17:41,146] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds. 
TID: [-1] [] [2017-09-20 10:18:41,128]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:19:41,188]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:20:41,202]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:21:41,215]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:22:41,228]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:22:41,228] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds. 

When I turn up SSO logging, I see that before the retries occur above, each Service Provider is cleared from the shared session, and the session is removed from the cache. So why are the additional SLO requests being sent to each provider?

TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name IS_CONSOLE 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name API_STORE 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name carbonServer 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name API_PUBLISHER 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Clearing the session data from cache with session index 55a88216-1b09-425e-b616-2f881bc6a717 and issuer API_PUBLISHER 
TID: [-1234] [] [2017-09-21 08:48:32,686] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  SSO tokenId Cookie is removed 
1

1 Answers

2
votes

It is a known "feature" of WSO2IS (and other products). At least it was that way using WSO2IS 5.2.0.

WSO2IS uses proper SAML SSO to log in. Nice job. To log out, WSO2IS invalidates the user session, sends an off-channel (backend) SLO request to each service provider and waits for an HTTP 200 response.

However, the service providers implemented by WSO2 (IS or AM) simply don't listen for logout requests based on the SAML session id (without a frontend client session cookie). So until you are really logged out, it's all you need and you may happily ignore the backend attempts to log out.

What you may try is to use logout with multiple SPs (on different hosts); there you may have a session which is not invalidated.
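The kind of SessionIndex-keyed back-channel handler that the answer says the WSO2-shipped service providers lack, as an added illustration (this is not WSO2 code). It assumes the IdP's request signature has already been verified upstream; the session store and the LogoutRequest are constructed samples, reusing the session index from the log in the question.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample store: the SP must record, at login time, which local
# sessions were created for each IdP SessionIndex (from the AuthnStatement).
# Without this mapping a back-channel logout has nothing to look up, since
# the IdP's server-to-server request carries no browser cookie.
SESSIONS_BY_INDEX = {
    "55a88216-1b09-425e-b616-2f881bc6a717": {"local-sid-1", "local-sid-2"},
}
LOCAL_SESSIONS = {"local-sid-1": "alice", "local-sid-2": "alice", "local-sid-3": "bob"}

# Constructed sample LogoutRequest (unsigned here; verify the signature first).
SAMPLE_LOGOUT_REQUEST = b"""<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2017-09-21T08:48:32Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>55a88216-1b09-425e-b616-2f881bc6a717</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_bytes):
    """Return (name_id, [session_index, ...]) from a SAML 2.0 LogoutRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    indexes = [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]
    return name_id, indexes


def handle_backchannel_logout(xml_bytes):
    """Invalidate every local session tied to the request's SessionIndex(es)
    and return (http_status, saml_status, sessions_killed)."""
    try:
        _name_id, indexes = parse_logout_request(xml_bytes)
    except (ET.ParseError, ValueError):
        return 400, STATUS_REQUESTER, 0
    killed = 0
    for idx in indexes:
        for sid in SESSIONS_BY_INDEX.pop(idx, set()):
            if LOCAL_SESSIONS.pop(sid, None) is not None:
                killed += 1
    # Acknowledge with 200 even if nothing matched: an unknown index usually
    # means an already-expired session, and a non-200 only makes the IdP
    # retry, as LogoutRequestSender does in the question's log.
    return 200, STATUS_SUCCESS, killed
```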