Single logout can be incorporated when signing up applications to WSO2 App Manager. The login, logout and sessions are handled in App Manager as follows.

Handling the login scenario

Logging in to App Manager is handled according to the following sequence of events. 

  1. When a user tries to access an App Manager gateway URL of a successfully subscribed application via the browser, a GET request is made to the gateway, which will be intercepted by a Synapse API Handler.
  2. The Synapse API Handler checks if a certain cache key is present in the request header. If it is the first time the URL is being invoked, there won't be a cache key present in the request. Hence the user is redirected to the login page of the identity provider (which is WSO2 Identity Server in this case) for authentication. Once the user is authenticated, the Identity Provider (IDP) sends a SAML response back to the gateway, which will in turn be cached in the App Manager for future reference. (The cache key for this response is sent back to the browser as a cookie.)
  3. The gateway drafts a JWT token with claims recovered from the IDP SAML response, which will be sent back to the web app along with the initial cache key. The web app will now have all the values needed for authentication.

Handling the logout scenario

Logging out of App Manager is handled according to the following sequence of events.

  1. Once a request is made to the logout URL, the handler identifies the request as a logout call and a redirect is made to the IDP with a single logout request, along with the session index and other utility parameters.

    Info

    App Manager does not maintain a session for the user. It is delegated to the IDP to take care of. The only reference to the user held on App Manager is the cached SAML response stored against the cache key, which is sent back to the browser.

  2. Once the IDP encounters a single logout request, it will clear the session maintained for the user, against the session index.
  3. Once this is done, App Manager will also wipe from its cache the original cached response held against the cache key, rendering the user unauthenticated.
  4. The user will be redirected to the IDP login page.

Single logout configurations

Single logout can be incorporated when signing up to applications in WSO2 App Manager. 

All the configurations that need to be done in App Manager are discussed under Section 1, whereas all the web app configurations are listed under Section 2.

Section 1 : Configuring App Manager

Configuring single logout is rather simple. All it takes is specifying the "LogOut URL" of your application, and everything is taken care of by App Manager. One thing to note, however, is that when developing your third-party web application you should not include hard-coded absolute URLs, because requests to them bypass the gateway and invoke your web app directly.

App Manager does not require any special parameters to be present in the logout request, apart from the above-mentioned convention.

Section 2 : Configuring the web app

All the web app configurations required for single logout are listed below.

As explained in Section 1, the configured logout URL should be relative and should not contain absolute references. A sample logout link configuration on a JSP would be as follows.

...
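One way to check a web app's pages for the hard-coded absolute URLs warned about above, which would send the browser straight to the web app instead of through the gateway. This is an added example, not part of the original page or of WSO2's code; the function name `find_absolute_urls`, the `allowed_hosts` parameter and the sample JSP with its example.com hosts are constructed for illustration.

```python
import re

# Attributes whose value the browser requests when followed, submitted or loaded.
URL_ATTR = re.compile(r"""\b(href|action|src)\s*=\s*(["'])(.*?)\2""",
                      re.IGNORECASE | re.DOTALL)
# Absolute forms: "scheme://host/..." and protocol-relative "//host/...".
ABSOLUTE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)

# Constructed sample JSP; the example.com hosts are placeholders.
SAMPLE_JSP = """\
<%@ page contentType="text/html" %>
<a href="logout.jsp">Log out</a>
<a href="http://backend.example.com:8080/shop/logout.jsp">Log out</a>
<form action="//backend.example.com/shop/search" method="get"></form>
<img src="images/logo.png">
<script src="https://cdn.example.com/lib.js"></script>
"""


def find_absolute_urls(markup, allowed_hosts=()):
    """Return (line_no, attribute, url) for each hard-coded absolute URL.

    allowed_hosts names hosts that may stay absolute, such as a CDN
    (an assumption of this example, not an App Manager setting).
    """
    findings = []
    for m in URL_ATTR.finditer(markup):
        attr, url = m.group(1).lower(), m.group(3).strip()
        if not ABSOLUTE.match(url):
            continue  # relative link: resolved against the gateway URL
        # Strip the scheme prefix, then cut at the first port/path/query/fragment.
        host = re.split(r"[/:?#]", ABSOLUTE.sub("", url), maxsplit=1)[0].lower()
        if host in allowed_hosts:
            continue
        line_no = markup.count("\n", 0, m.start()) + 1
        findings.append((line_no, attr, url))
    return findings


if __name__ == "__main__":
    for line_no, attr, url in find_absolute_urls(SAMPLE_JSP, {"cdn.example.com"}):
        print(f"line {line_no}: {attr} -> {url}")
```

Links built from JSP expressions are only checked as literal text, so a URL assembled at run time still needs a manual review.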