Michael

Reputation: 508

WSO2 IS Single Logout partially working

I am testing SAML SSO using WSO2 Identity Server 5.0.0 with two PHP application instances as service providers (using onelogin phpsaml). I managed to make the single sign-on work, but now I'm facing a problem with single logout.

  1. When I trigger a logout request from the PHPApp1, WSO2 IDP responds with a logout response and it seems to work fine;
  2. WSO2 IDP triggers a logout request to the SAML session participants, in this case to the PHPApp2;
  3. The PHPApp2 handles the logout request and redirects to the WSO2 IDP logout URL with the LogoutResponse;
  4. And now the issue: WSO2 does not seem to handle the logout response from PHPApp2 and prints the following message in the logs:

WARN {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Failed single logout response from http://php-app2.dev/saml/sls with status code Moved Temporarily {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender}

After that, WSO2 keeps trying to send logout requests to the PHPApp2 and ends up with the following message:

ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds. {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender}

I tried to enable debug logs in WSO2 to obtain more detailed information about the issue, but I am not able to get any helpful information.

Is there any way to get more detailed information about this issue?

Any help is welcomed.

Upvotes: 1

Views: 2643

Answers (4)

Mark Moran

Reputation: 13

Make sure you are using a database type session store.

SimpleSAMLphp can then kill the session without the browser context when it receives the LogoutRequest from the remote server directly rather than through a browser redirect.

Upvotes: 0

gusto2

Reputation: 12075

WSO2 IS works with the strong assumption that servers can see and talk to each other. This way it tries to be polite and sends the logout requests on the back channel (server-to-server, without user involvement). As the response, the SP should send back a valid logout response. The WSO2 IS currently checks only the HTTP status code (200).

SimpleSAMLphp works with user browsers (and assumes the requests are coming from the user), and after receiving the logout request it tries to redirect the user back to the IDP with the SAML Response using the Redirect binding. It issues an HTTP 302 response.

Try to configure SimpleSAMLphp to use the POST binding for logout (in saml20-idp-remote.php). Still, SimpleSAMLphp may try to redirect the user before returning the form with the logout response, and WSO2 IS will not follow the redirects.

Gabriel

Upvotes: 0

SureshAtt

Reputation: 1951

Michael, in the SAML Single Logout implementation, when the PHPApp1 initiates the logout, it redirects the user to WSO2 IDP. Then WSO2 IDP validates the LogoutRequest message. After successful validation, WSO2 IDP figures out the existing session participants (in this case WSO2 IDP will detect PHPApp2). So after the session participants are figured out, the WSO2 IDP will send Logout Requests to those in a stateless way (no browser involvement), and the session participants (PHPApp2) should validate the Logout Requests from the WSO2 IDP and should send the Logout Response back (no browser involvement, no redirections) to the WSO2 IDP. After WSO2 IDP receives all the LogoutResponses back from all the session participants, WSO2 IDP constructs its Logout Response to the initiator, which is PHPApp1; this will be sent as a browser redirection (HTTP Form submission).

Upvotes: 2

Michael

Reputation: 508

Well, the problem is due to the fact that the onelogin/php-saml implementation handles the IDP Logout request by redirecting the response to the IDP.

I changed the code to return the response instead, and it is working now. Considering that I am new to the SAML standards, I am not sure if it is the correct way to solve that.

Upvotes: 1
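To make the distinction in the answers above concrete, here is an added illustration (not code from the question, from onelogin/php-saml or from WSO2) of an SP logout endpoint that terminates the session by its SAML SessionIndex from a server-side store and then answers on the channel the request arrived on: a 200 with the LogoutResponse in the body for a back-channel request from the IdP, or a 302 Redirect-binding bounce via the browser for a front-channel one. The session store, the LogoutRequest, the entity ID and the IdP URL are constructed placeholders, and the messages are unsigned for brevity.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
SP_ENTITY_ID = "http://php-app2.dev/saml/metadata"  # constructed, from the question's host
IDP_SLO_URL = "https://idp.example.test/samlsso"    # placeholder, not a real WSO2 endpoint

# Constructed server-side session store keyed by SAML SessionIndex. A database-backed
# store lets the SP find and kill the session without the user's browser cookie.
SESSIONS = {"_idx-42": {"user": "alice"}}

# Constructed LogoutRequest shaped like the one the IdP sends to the SP's SLO endpoint.
SAMPLE_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req-1" '
    'Version="2.0" IssueInstant="2015-01-01T00:00:00Z"><saml:Issuer>idp.example.test'
    '</saml:Issuer><saml:NameID>alice</saml:NameID><samlp:SessionIndex>_idx-42'
    '</samlp:SessionIndex></samlp:LogoutRequest>'
)

def build_logout_response(in_response_to, status):
    # Minimal unsigned LogoutResponse; a production SP signs it.
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{now}" Destination="{IDP_SLO_URL}" InResponseTo="{in_response_to}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{status}"/>'
        '</samlp:Status></samlp:LogoutResponse>'
    )

def handle_logout_request(request_xml, session_store, back_channel):
    # Returns (http_status, headers, body). Back channel: the IdP itself is the HTTP client,
    # so the LogoutResponse goes in a 200 body (WSO2 IS checks only the status code).
    # Front channel: the browser is the client, so it is sent back to the IdP with a 302.
    root = ET.fromstring(request_xml)
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    found = session_store.pop(idx.text if idx is not None else None, None) is not None
    response_xml = build_logout_response(root.get("ID"), SUCCESS if found else RESPONDER)
    if back_channel:
        return 200, {"Content-Type": "text/xml"}, response_xml
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the Redirect binding requires
    deflated = comp.compress(response_xml.encode()) + comp.flush()
    query = urlencode({"SAMLResponse": base64.b64encode(deflated).decode()})
    return 302, {"Location": f"{IDP_SLO_URL}?{query}"}, ""
```

Seen from WSO2 IS, the first branch is the "200 with a response" it waits for, and the second is exactly the "Moved Temporarily" it logs as a failed single logout.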
