Login, logout and sessions are handled in App Manager as follows.

Handling the login scenario

Logging in to App Manager is handled according to the following sequence of events. 

  1. When a user accesses the App Manager gateway URL of a successfully subscribed application via the browser, a GET request is made to the gateway, which is intercepted by a Synapse API handler.
  2. The Synapse API handler checks whether a cache key is present in the request header. The first time the URL is invoked there is no cache key in the request, so the user is redirected to the login page of the identity provider (WSO2 Identity Server in this case) for authentication.
  3. Once the user is authenticated, the identity provider (IDP) sends a SAML response back to the gateway, which App Manager caches for future reference. (The cache key for this response is sent back to the browser as a cookie.)
  4. The gateway drafts a JWT with claims recovered from the IDP SAML response and sends it to the web app along with the initial cache key. The web app now has all the values needed for authentication.

Handling the logout scenario

Logging out of App Manager is handled according to the following sequence of events.

  1. Once a request is made to the logout URL, the handler identifies it as a logout call and redirects to the IDP with a single logout request, along with the session index and other utility parameters.

    Info

    App Manager does not maintain a session for the user; session handling is delegated to the IDP. The only reference to the user held in App Manager is the cached SAML response stored against the cache key that is sent back to the browser.

  2. When the IDP receives the single logout request, it clears the session it maintains for the user against that session index.
  3. Once this is done, App Manager also wipes from its cache the original SAML response held against the cache key, rendering the user unauthenticated.
  4. The user is redirected to the IDP login page.

Single logout configurations

Single logout can be incorporated when signing up to applications in WSO2 App Manager. 

Configuring App Manager

To configure App Manager for single logout, you only need to specify the logout URL of your application as depicted below.

Info

However, when developing third party web applications, do not hard-code absolute URLs; if you do, the gateway is bypassed and your web app is invoked directly.

When persisting the logout URL, WSO2 App Manager converts it to a gateway URL by tallying it against the web app URL. Hence, the logout URL must always start with the web app URL, as shown in the convention below.

...

You can configure single logout in WSO2 App Manager to automatically sign out from all logged in apps, when you sign out from one.

Configuring WSO2 App Manager

To configure WSO2 App Manager for single logout, select Enable Single Logout in the Step 2 - Policies section of creating a Web app, and specify the logout URL of your app as shown below.

(Screenshot: Enable Single Logout option in the Step 2 - Policies section)

WSO2 App Manager internally converts the Web app URL to a gateway URL. When persisting the logout URL, the logout action is appended to the gateway URL by tallying it against the Web app URL. Therefore, you need to enter the complete logout URL (including the Web app URL).

For example, if your Web app URL is http://localhost:8080/MyWebapp

...

, then enter the logout URL as follows: http://localhost:8080/MyWebapp/?action=logout.

Info

App Manager does not require any special parameters in the logout request for the above convention.

Configuring the web app

...

Configuring the Web app

As a best practice, Web apps should not contain any hard-coded resource paths when proxying through WSO2 App Manager. In particular, if the resource path configured for the logout action of your Web application is absolute, the request bypasses the WSO2 App Manager gateway and invokes the direct URL, so the action sequence for single logout is not triggered.

Therefore, the logout link configuration in a JSP page of the Web app should contain a relative reference, with the href attribute value quoted, as follows.

<li><a href="<% out.println(".?action=logout"); %>">Logout</a></li>
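The login and logout sequences above, together with the logout URL convention, as an added model in Python (not WSO2 App Manager code): a handler that redirects to the IdP when no cache key cookie is present, drafts a JWT from the cached SAML claims when one is, and on `action=logout` wipes the cached response and redirects to the IdP single logout with the session index. The IdP endpoints, gateway URL mapping, cookie name and HMAC signing key are assumptions.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Constructed stand-ins: IdP endpoints, gateway mapping, cookie name and HMAC key are assumptions.
IDP_LOGIN = "https://idp.example/samlsso"
IDP_SLO = "https://idp.example/samlsso"
WEBAPP_URL = "http://localhost:8080/MyWebapp"      # Web app URL used on this page
GATEWAY_URL = "https://gateway.example/MyWebapp"   # assumed gateway URL it maps to
SIGNING_KEY = b"demo-only-hmac-key"
saml_cache: dict = {}  # cache key -> {"claims": ..., "session_index": ...}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims: dict) -> str:
    """Draft an HS256 JWT from the claims recovered from the cached SAML response."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def cache_saml_response(claims: dict, session_index: str) -> str:
    """Login step 3: cache the IdP response and return the cache key sent back as a cookie."""
    key = secrets.token_urlsafe(16)
    saml_cache[key] = {"claims": claims, "session_index": session_index}
    return key

def to_gateway_logout_url(logout_url: str) -> str:
    """Logout URL must start with the Web app URL; the remainder is appended to the gateway URL."""
    if not logout_url.startswith(WEBAPP_URL):
        raise ValueError("logout URL must start with the Web app URL, or the gateway is bypassed")
    return GATEWAY_URL + logout_url[len(WEBAPP_URL):]

def handle_request(query: dict, cookies: dict) -> dict:
    """Handler decision for a GET to the gateway: IdP login redirect, single logout, or pass-through."""
    key = cookies.get("cache_key")
    entry = saml_cache.get(key) if key else None
    if entry is None:
        # No valid cache key (first visit, or cache already wiped): send the user to the IdP login page
        return {"status": 302, "location": IDP_LOGIN}
    if query.get("action") == "logout":
        # Single logout: drop the only reference to the user, redirect to IdP SLO with the session index
        del saml_cache[key]
        params = urlencode({"slo": "true", "SessionIndex": entry["session_index"]})
        return {"status": 302, "location": f"{IDP_SLO}?{params}"}
    # Authenticated: forward to the web app with the drafted JWT and the cache key
    return {"status": 200, "jwt": make_jwt(entry["claims"]), "cache_key": key}
```

The model wipes the cache entry as soon as the logout request arrives; in the documented flow App Manager wipes it after the IdP has cleared its session.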