This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

The login, logout and sessions are handled in App Manager as follows.

Handling the login scenario

Logging in to App Manager is handled according to the following sequence of events. 

  1. When a user tries to access an App Manager gateway URL of a successfully subscribed application via the browser, a GET request is made to the gateway, which will be intercepted by a Synapse API Handler. 
  2. The Synapse API Handler checks whether a certain cache key is present in the request header. If it is the first time the URL is being invoked, there won't be a cache key present in the request. Hence the user is redirected to the login page of the identity provider (which is WSO2 Identity Server in this case) for authentication. 
  3. Once the user is authenticated, the Identity Provider (IDP) sends a SAML response back to the gateway, and this response is cached in App Manager for future reference. (The cache key for this response is sent back to the browser as a cookie.) 
  4. The gateway drafts a JWT token with claims recovered from the IDP SAML response, which will be sent back to the web app along with the initial cache key. The web app will now have all the values needed for authentication.

Handling the logout scenario

Logging out of App Manager is handled according to the following sequence of events.

  1. Once a request is made to the logout URL, the handler identifies the request as a logout call and redirects to the IDP with a single logout request, along with the session index and other utility parameters. 

    App Manager does not maintain a session for the user; session handling is delegated to the IDP. The only reference to the user held in App Manager is the cached SAML response, stored against the cache key that is sent back to the browser. 

  2. Once the IDP encounters a single logout request, it will clear the session maintained for the user, against the session index. 
  3. Once this is done, App Manager also wipes from its cache the original cached response held against the cache key, rendering the user unauthenticated. 
  4. The user will be redirected to the IDP LogIn page.

Single logout configurations

Single logout can be incorporated when signing up to applications in WSO2 App Manager. 

Configuring App Manager

To configure App Manager for single logout, you only need to specify the LogOut URL of your application as depicted below.

However, when developing third-party web applications, do not hard-code absolute URLs. If you do, the gateway is bypassed and your web app is invoked directly.

When persisting the logout URL, WSO2 App Manager converts it to a gateway URL by matching it against the web app URL. Hence, the logout URL always needs to start with the web app URL, as shown in the following convention.

  • Web app URL : http://localhost:8080/MyWebapp
  • Logout URL : http://localhost:8080/MyWebapp/?action=logout

App Manager does not require any sort of special parameters to be present in the logout request, for the above convention.
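The convention above can be checked before a logout URL is saved. The following Java class is an added example, not WSO2 App Manager code: it verifies that a logout URL sits under the web app URL and rewrites it onto a gateway base URL. The names `LogoutUrlCheck` and `toGatewayUrl`, the gateway base URL and the sample inputs are assumptions made for illustration.

```java
import java.net.URI;
// Added example: models the logout URL convention; not WSO2 App Manager code.
public class LogoutUrlCheck {
    // gatewayBase is a hypothetical value standing in for the app's gateway URL.
    static String toGatewayUrl(String webAppUrl, String logoutUrl, String gatewayBase) {
        URI app = URI.create(webAppUrl).normalize();
        URI out = URI.create(logoutUrl).normalize();   // resolves "." and ".." segments
        if (!app.isAbsolute() || !out.isAbsolute()
                || app.getHost() == null || out.getHost() == null) {
            throw new IllegalArgumentException("both URLs must be absolute: " + logoutUrl);
        }
        // Compare scheme, host and port as parsed components, not as a string prefix.
        if (!app.getScheme().equalsIgnoreCase(out.getScheme())
                || !app.getHost().equalsIgnoreCase(out.getHost())
                || app.getPort() != out.getPort()) {
            throw new IllegalArgumentException("different origin: " + logoutUrl);
        }
        String appPath = trimSlash(app.getRawPath());
        String outPath = out.getRawPath();
        // Encoded dots or separators could hide a traversal from normalize().
        if (outPath.matches("(?i).*%(2e|2f|5c).*")) {
            throw new IllegalArgumentException("encoded path separator: " + logoutUrl);
        }
        // Match on a path segment boundary so that /MyWebappOther is rejected.
        if (!outPath.equals(appPath) && !outPath.startsWith(appPath + "/")) {
            throw new IllegalArgumentException("not under web app URL: " + logoutUrl);
        }
        String query = out.getRawQuery() == null ? "" : "?" + out.getRawQuery();
        return trimSlash(gatewayBase) + outPath.substring(appPath.length()) + query;
    }

    static String trimSlash(String s) {
        return s.endsWith("/") ? s.substring(0, s.length() - 1) : s;
    }
    public static void main(String[] args) {
        String app = "http://localhost:8080/MyWebapp";        // constructed sample
        String gw = "https://gateway.example.org/mywebapp";   // hypothetical gateway URL
        String[] candidates = {
            app + "/?action=logout", app + "Other/?action=logout",
            app + "/../admin/?action=logout", "http://localhost:9090/MyWebapp/?action=logout" };
        for (String c : candidates) {
            try {
                System.out.println("OK     " + c + " -> " + toGatewayUrl(app, c, gw));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Only the first candidate follows the convention; the sibling path, the `..` traversal and the URL on a different port are rejected.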

Configuring the web app

The configured logout URL of the web app should be relative, and should not contain absolute references. A sample logout link configuration on a JSP page is as follows.

<li><a href="<%= ".?action=logout" %>">Logout</a></li>

 

 
