Reputation: 152
I'm trying to integrate WSO2 IS with Liferay as the service provider, but I haven't been successful so far. Some modifications were made to the code, as per three JIRA issues raised and patches contributed by Benjamin Schmeling on WSO2 Oxygen Tank: https://wso2.org/jira/browse/IDENTITY-2856
The SAML settings on WSO2 IS are as follows:
Assertion Consumer URL: liferayserver:8080/c/portal/saml/acs
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Use fully Qualified username on NameID
Enable Response Signing
Enable Assertion Signing
Enable Single logout
-> ConsumerURL: liferayserver:8080/c/portal/saml/slo_redirect
Enable attribute profile
Yet Liferay returns the following exception:
23:00:50,071 ERROR [http-thread-pool-8080(4)][BaseSamlStrutsAction:45] com.liferay.saml.UnsupportedBindingException
com.liferay.saml.UnsupportedBindingException
at com.liferay.saml.profile.SingleLogoutProfileImpl.processSingleLogout(SingleLogoutProfileImpl.java:216)
at com.liferay.saml.profile.SingleLogoutProfileUtil.processSingleLogout(SingleLogoutProfileUtil.java:54)
at com.liferay.saml.hook.action.SingleLogoutAction.doExecute(SingleLogoutAction.java:39)
at com.liferay.saml.hook.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:42)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
I also tried changing the single log-out endpoint to liferayserver:8080/c/portal/saml/slo to no avail. In both cases the session is closed on the Identity Server (WSO2), but not on the service provider (Liferay).
Any ideas of what the issue might be?
Upvotes: 0
Views: 741
Reputation: 152
It turns out there are two additional modifications that are needed in order to make the Single log-out work. I'll leave these here in case they help someone else until these patches are integrated into their respective products. Special thanks to Benjamin Schmeling.
For SAML-based SLO you should use the /c/portal/saml/slo_redirect endpoint; however, Liferay is not able to handle POST requests on it (at least in the newest version of the SAML portlet). You have to adapt the Liferay SAML portlet as follows:
In SingleLogoutProfileImpl.processSingleLogout(HttpServletRequest request, HttpServletResponse response) add a new else if branch:
else if (requestPath.endsWith("/slo_redirect") && method.equalsIgnoreCase(HttpMethods.POST)) {
    samlBinding = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI);
}
Furthermore, in SingleLogoutProfileImpl.sendSpLogoutRequest(HttpServletRequest request, HttpServletResponse response), after logoutRequest.setVersion, add the SessionIndex required by WSO2 by calling: addSessionIndex(logoutRequest, samlSpSession.getSessionIndex());
Upvotes: 1
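The binding dispatch and SessionIndex handling the answer describes, as an added Python example (not Liferay's or WSO2's code): the binding is chosen from the SLO path and HTTP method, the SAMLRequest is decoded the way that binding requires (raw DEFLATE plus base64 for HTTP-Redirect, plain base64 for HTTP-POST), and a LogoutRequest without a SessionIndex is rejected. The GET-to-Redirect mapping and the sample LogoutRequest are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample LogoutRequest (not a captured message); it carries the
# SessionIndex that WSO2 IS expects to find in the SP's logout traffic.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0" '
    'IssueInstant="2015-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example/samlsso</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'user@example.org</saml:NameID>'
    '<samlp:SessionIndex>abc-123</samlp:SessionIndex>'
    '</samlp:LogoutRequest>')


def select_binding(path, method):
    """Map SLO path + method to a binding, including the POST-on-/slo_redirect
    branch the answer adds. GET -> Redirect is an assumption for the example."""
    method = method.upper()
    if path.endswith("/slo_redirect") and method == "GET":
        return SAML2_REDIRECT
    if path.endswith("/slo_redirect") and method == "POST":
        return SAML2_POST
    raise ValueError("UnsupportedBinding: %s %s" % (method, path))


def encode_logout_request(binding, xml_text):
    """Produce the SAMLRequest parameter value for the given binding."""
    data = xml_text.encode()
    if binding == SAML2_REDIRECT:  # Redirect binding: raw DEFLATE, then base64
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode()


def decode_logout_request(binding, saml_request):
    """Inverse of encode_logout_request; wrong binding => undecodable bytes."""
    raw = base64.b64decode(saml_request)
    if binding == SAML2_REDIRECT:
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)


def handle_slo(path, method, saml_request):
    """Return (binding, session indexes); fail if SessionIndex is missing."""
    binding = select_binding(path, method)
    req = decode_logout_request(binding, saml_request)
    indexes = [e.text for e in req.findall("samlp:SessionIndex", NS)]
    if not indexes:
        raise ValueError("LogoutRequest carries no SessionIndex")
    return binding, indexes
```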