CODEWITHSUNDEEP
spring-securitysaml-2.0spring-samlwso2-identity-server
Jim Kennedy
Jim Kennedy

Reputation: 822

WSO2 and Spring SAML single logout issue

The issue I'm having has been discussed several times on this site, however most posts are quite old. Here is something similar to what I'm experiencing. I'm using WSO2 IS 5.2 as my IdP and I have 2 java based web applications hosted on difference servers that participate in SSO. Each webapp (SP) has implemented the Spring-SAML extension. Single Sign-On works perfectly but Single Logout only partially works. Here is the test case:

  1. Access secure resource on webapp1
  2. Login page from Idp (WSO2) is presented and user logs in
  3. Secure resource from webapp1 is presented
  4. Access secure resource on webapp2
  5. SAML request is sent to Idp, Idp responds and user is authenticated
  6. Secure resource from webapp2 is presented, end SSO
  7. Initiate single log out from webapp2
  8. Webapp2 send saml request (through browser) to Idp and saml response is returned
  9. User is logged off locally on webapp2 and Idp session is terminated
  10. The IdP directly sends logout request to webapp1 (back-channel type)
  11. Logout request fails to webapp1 (log indicate SamlStatusException: No user is logged in)

So the end result is that I still have a local session on webapp1. If I change the order and initiate SLO from webapp1, then webapp1 will be logged out and webapp2's local session will continue to exist. The WSO2 server is able to determine the 2nd session participant during SLO, however the HTTP request sent from the Idp to the 2nd session participant does not have a Spring security context. This would be a stateless HTTP request so there wouldn't be a logged in user. This is why I believe it is failing.

I found this discussion. Its about 2 years old. Is there anything new on this issue? Maybe a configuration step missed by me on WSO2 or in the Spring-saml config.

Here is a relevant piece of my SP metadata:

<md:SingleLogoutService Location="https://tpap10-wwwdev04.arbfile.org:443/webapp/saml/SingleLogout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="https://tpap10-wwwdev04.arbfile.org:443/webapp/saml/SingleLogout" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Location="https://tpap10-wwwdev04.arbfile.org:443/webapp/saml/SSO" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"/>
<md:AssertionConsumerService Location="https://tpap10-wwwdev04.arbfile.org:443/webapp/saml/SSO" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" index="1"/>

Some relevant Spring-Saml config on the SP:

  <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
  <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="entityId" value="urn:webapp1:mycity"/>
    <property name="entityBaseURL" value="https://wwwdev04.domain.org:443/webapp" />
    <property name="extendedMetadata">
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        <!-- <property name="signMetadata" value="false"/> -->
        <property name="idpDiscoveryEnabled" value="false"/>
      </bean>
    </property>
  </bean>
</constructor-arg>
</bean>

Upvotes: 1

Views: 1083

Answers (1)

Vladim&#237;r Sch&#228;fer
Vladim&#237;r Sch&#228;fer

Reputation: 15533

WSO2 was not implementing the SAML 2.0 specification correctly. The specification requires that Single Logout with HTTP-* bindings is done using front-end channel (= through user's browser) - which makes the HTTP session available and allows Spring SAML to terminate it correctly. I believe that this issue was never fixed in WSO2.

Spring SAML uses HttpSession for storage of user's state by default. This is also the reason why Spring SAML doesn't support Single Logout with SOAP binding out of the box. It would be possible to implement an application-wide storage of Spring Security sessions which could be invalidated independently from the HttpSession (and therefore work-around the WSO2's limitation), but this is not configured by default (and I have never tried it).

Upvotes: 3

Related Questions