RomanCh

Reputation: 1

wso2 - Does wso2 identity server support IDP initiated logout from federated IDP?

We are using WSO2 Identity Server 5.3.0. I configured a trust between the WSO2 IDP (symbolic name "IDP1") and the service provider (symbolic name "SP1"). Then I configured a second trust between WSO2 acting as a service provider ("SP2") and a federated IDP (symbolic name "IDP2", some public/gov service). SP1 protects some resources; access to them is granted only when users are authenticated to IDP2. Everything is based on the SAML protocol. Login works fine - login requests are redirected from WSO2 (=IDP1) to IDP2. IDP1-initiated logout works fine too. But IDP2-initiated logout fails with the message (in the browser): "Attention: Something went wrong during the authentication process. Please try signing in again." It writes this record to the WSO2 log: "{...DefaultRequestCoordinator} Context does not exist. Probably due to invalidated cache". During the IDP2-initiated logout a correct LogoutRequest is sent to WSO2 (https://amsrv.mydomain.org:9443/commonauth). Does WSO2 support such a scenario (IDP2-initiated logout)?

Upvotes: 0

Views: 282

Answers (1)

Jeff LOMBARDO

Reputation: 334

SLO works based on the session ID. You cannot invalidate a session that is not recognized by the IDP.

Your log seems to indicate that the context [pointed to by the session ID provided in the SLO request] does not exist, so it cannot be terminated.

Please deactivate ciphering on the flow, put Wireshark on it and look at it. WSO2IS provides a screen in the user dashboard to see which sessions are open and with which IDs.

I suspect that IdP2 is sending the session ID of the session between Client and IdP2... not the session ID of the session between Client and IdP1.

Jeff

Upvotes: 0
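The answer's diagnosis in working form, as an added example that is not part of the original thread and not WSO2 Identity Server code: a minimal handler parses the SAML LogoutRequest that IdP2 sends to the /commonauth endpoint, pulls out Issuer, NameID and SessionIndex, and tries to resolve the SessionIndex to a local session. Looking the federated index up directly in the local session table fails (the "Context does not exist" case); it only succeeds when the receiver recorded, at login time, which local session the federated SessionIndex belongs to. The issuer URL, session index values, NameID and the `SessionStore` design are assumptions for illustration; the LogoutRequest XML is constructed, and the example deliberately skips signature verification, which a real receiver must perform before acting on any LogoutRequest.

```python
"""Added example (not WSO2 code): matching an IdP-initiated SAML 2.0
LogoutRequest to a local session, and why an unmapped federated
SessionIndex cannot be terminated."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Our own SLO endpoint (taken from the question). A receiver must reject
# requests whose Destination is not one of its own endpoints.
LOCAL_SLO_ENDPOINT = "https://amsrv.mydomain.org:9443/commonauth"

# Constructed sample request, as IdP2 would send it. Issuer, ID, NameID and
# SessionIndex values are made up; unsigned for brevity (a real receiver
# must verify the signature against IdP2's registered certificate first).
IDP2_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_lr-example-1" Version="2.0" IssueInstant="2017-06-01T10:15:30Z"
    Destination="https://amsrv.mydomain.org:9443/commonauth">
  <saml:Issuer>https://idp2.example.gov/saml</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-42</saml:NameID>
  <samlp:SessionIndex>idp2-session-abc123</samlp:SessionIndex>
</samlp:LogoutRequest>
"""


def parse_logout_request(xml_text):
    """Extract the fields the receiver needs to find the session to kill."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        # A LogoutRequest may carry several SessionIndex elements.
        "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", namespaces=NS)],
    }


class SessionStore:
    """Hypothetical session table of the receiving IdP/SP (IdP1 in the thread)."""

    def __init__(self):
        self.local_sessions = {}    # local SessionIndex -> session record
        self.federated_index = {}   # (federated issuer, federated SessionIndex) -> local SessionIndex

    def create_local_session(self, local_index, subject, fed_issuer=None, fed_index=None):
        # Recording the federated SessionIndex at login is what makes an
        # IdP2-initiated LogoutRequest resolvable later.
        self.local_sessions[local_index] = {"subject": subject, "federated": (fed_issuer, fed_index)}
        if fed_issuer and fed_index:
            self.federated_index[(fed_issuer, fed_index)] = local_index

    def resolve(self, issuer, session_index):
        if session_index in self.local_sessions:     # our own index (IdP1- or SP-initiated SLO)
            return session_index
        return self.federated_index.get((issuer, session_index))  # IdP2's index, if mapped

    def terminate(self, local_index):
        record = self.local_sessions.pop(local_index)
        self.federated_index.pop(record["federated"], None)
        return record


def handle_logout_request(store, xml_text):
    """Returns (status, local_session_index). 'context-missing' mirrors the
    'Context does not exist' log line: the index in the request is unknown."""
    req = parse_logout_request(xml_text)
    if req["destination"] != LOCAL_SLO_ENDPOINT:
        return ("wrong-destination", None)
    for fed_index in req["session_indexes"]:
        local_index = store.resolve(req["issuer"], fed_index)
        if local_index is None:
            continue
        # Never kill a session on behalf of a different subject.
        if store.local_sessions[local_index]["subject"] != req["name_id"]:
            return ("subject-mismatch", None)
        store.terminate(local_index)
        return ("success", local_index)
    return ("context-missing", None)


if __name__ == "__main__":
    unmapped = SessionStore()
    unmapped.create_local_session("idp1-session-xyz", "user-42")
    print(handle_logout_request(unmapped, IDP2_LOGOUT_REQUEST))   # ('context-missing', None)
    mapped = SessionStore()
    mapped.create_local_session("idp1-session-xyz", "user-42",
                                "https://idp2.example.gov/saml", "idp2-session-abc123")
    print(handle_logout_request(mapped, IDP2_LOGOUT_REQUEST))     # ('success', 'idp1-session-xyz')
```

The first store represents what the thread describes: IdP1 knows only its own session index, so the index IdP2 sends matches nothing and the request is rejected. The second store shows the missing piece, a mapping from (issuer, federated SessionIndex) to the local session, captured when the authentication response from IdP2 was processed. Whether a given WSO2 IS release keeps such a mapping is exactly the question the thread leaves open; the example only shows what the receiver would need.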
