This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Single logout can be incorporated when signing up applications to WSO2 App Manager. The login, logout and sessions are handled in App Manager as follows. 

When a user tries to access an App Manager gateway URL of a successfully subscribed application via the browser, a GET request is made to the gateway, which will be intercepted by a Synapse API Handler. This handler will check if a certain Cache key is present in the request header. If it is the first time the URL is being invoked, there won't be a cache key present in the request. Hence the user is redirected to the login page of the Identity Provider (which is, WSO2 Identity Server, in this case) for authentication, Once the user is authenticated, the IDP will send a SAML response back to the gateway, which will in turn be cached in the App Manager for future reference (The cache key for this response is the one that gets sent back to the browser, as a Cookie). Once the above sequence of events have been concluded, the gateway will draft a JWT token with claims recovered from the IDP Saml Response, and the same along with the initial cache key will get sent back to the Webapp, which will now have all the values needed for its authentication. 

In the logout scenario, once a request is made to the LogOut URL, the handler will identify the request as a logout call and a redirect will be made to the IDP with a "Single LogOut" along with the Session Index and other utility parameters. One thing to note here is that, App Manager does not maintain a "Session" for the user, all of this is delegated to the IDP to take care of. The only reference of the user withheld on App Manager, is the cached SAML Response stored against cache key sent back the browser. Once the IDP encounters a Single Logout Request, it will clear the session maintained for the user, against the session index. Once this is done, the APP Manager will also wipe from its cache, the original cache response held against the cache key rendering the User, unauthenticated. Eventually, the user will be redirected to the IDP LogIn page.

All the configurations that need to be done in App Manager will be discussed under Section 1, whereas all the webapp configurations will be listed under section 2.

Section 1 : Configuring App Manager

Configuring Single LogOut is rather simple. All it takes is the specifying of the "LogOut URL" of your application and everything is taken care of by the APP Manager. One thing to note here, however is that when developing your third party web application, you should be mindful as to not include hard coded absolute URLs, in which case the gateway would be bypassed and your webapp will get invoked directly.

 

When persisting the LogOut URL, WSO2 App Manager converts the same in to Gateway URL, this is done so by tallying it against the "WebApp" URL. Hence the Logout URL always need to start with Webapp URL. Please refer below convention

Webapp URL : http://locahost:8080/MyWebapp

LogOut URL : http://locahost:8080/MyWebapp/?action=logout

App Manager does not require any sort of special parameters to be present in the logout request, lest for the above mentioned convention.

Section 2 :  Configuring the Webapp

As explained in Section 1, the configured log out URL should be relative, and should not contain absolute references. A sample Log Out link configuration on a JSP, would be as follows.

<li><a href=<% out.println(".?action=logout"); %>>Logout</a></li>
  • No labels