SAML2 Federated IdP Initiated SLO for Tenanted Scenario in WSO2 Identity Server
If you are new to SAML identity federation and SLO (single logout) concepts, this blog will take you through a step-by-step guide to try out a similar scenario.
Anyhow, did you lose track halfway trying to read the title?
Let me break it down into smaller pieces for easy interpretation.
Single logout: Allows you to log out of all apps in the current browser session when one application performs a logout. There are two flavors of the SAML Single Logout Protocol, namely SP-initiated SLO and IdP-initiated SLO.
IdP initiated single logout: IdP-initiated SLO causes the IdP to send logout requests to all logged-in service providers and inform them that the session is ending.
SAML2 Federated IdP initiated single logout: SLO requests are initiated by an external IdP, and it terminates the active sessions of applications across the multiple domains or organizations to which it is federated, using the SAML protocol.
SAML2 Federated IdP initiated single logout for tenanted scenario: The external SAML IdP is federated to a tenant of the WSO2 Identity Server, hence it terminates the active sessions of applications created inside the tenant by sending the SLO request to the tenant-qualified SLO endpoint.
WSO2 Identity Server (WSO2 IS) facilitates handling SAML single logout requests from federated identity providers. After the SAML single logout request is received from the federated identity provider, WSO2 IS processes the request, terminates the sessions of the particular user, and then responds to the identity provider. When configuring WSO2 IS for this flow, there are two possible scenarios: configuring the flow in the super tenant, and a tenanted flow. I will be elaborating on a special scenario with a ‘tenanted’ SAML federated flow. Since it involves some additional configs and things to keep in mind, it will be easier to apply the learning from here to try out any of the usual SLO scenarios, which already have detailed steps explained in the WSO2 documentation and another blog.
Scenario
To demonstrate this scenario, I will be using two instances of WSO2 IS, one running on port 9443 (Primary IS) and the other on 9444 (Secondary IS), and a sample SAML web application called “Pickup Manager” and a sample “OIDC debugger” web application. The Secondary IS acts as the external federated identity provider for the Primary IS shown in the diagram below.
The diagram above shows the SAML federated identity provider initiated logout flow between the Primary WSO2 Identity Server (which serves as the primary identity provider) and the Secondary WSO2 IS (which acts as the Federated Identity Provider). The OIDC debugger application is a service provider of the Primary WSO2 IS. The Pickup Manager application and the Primary WSO2 IS are service providers of the Federated IdP. The Federated IdP acts as the federated authenticator of the OIDC debugger application.
When a user attempts to log out from the Pickup Manager app, the service provider sends a logout request to the federated IdP. The IdP determines the session participants using the session index available in the logout request. Since WSO2 IS is a session participant, it receives a logout request from the federated IdP. WSO2 IS handles this request, terminates the session and responds with a valid logout response.
The following sections will guide you through configuring SAML2 single logout requests handling and trying it out with the sample applications.
- Configuring Secondary IS as an IdP in the Primary IS
- Configuring Primary IS as a Service Provider in the Secondary IS
- Configuring OIDC application in the Primary IS
- Configuring Pickup Manager application in the Secondary IS
Section 1: Configuring Secondary IS as an IdP in the Primary IS
1. Download and install the latest WSO2 Identity Server.
2. Open the <IS_home>/bin folder and run the command below to start the WSO2 Identity Server on port 9443 (Primary IS):
sh wso2server.sh
3. Log in to the management console of the Primary IS with admin:admin credentials.
4. We need to create a tenant since we are going to try out the flow in a tenanted scenario.
Navigate to the Configure tab and click Add New Tenant. Fill in the empty fields as shown below and click Save.
Domain : org1.com
First Name : abc
Last Name : abc
Admin Username : abc
Admin Password : abc
5. Log out and log in again with the credentials of the tenant.
Username: abc@org1.com
Password: abc
6. Navigate to Main > Identity > Identity Providers and click Add. Provide the name as Secondary.
7. In the Federated Authenticators section, expand the SAML2 Web SSO Configuration sub-section. Now set the configurations below.
- Enable SAML2 Web SSO
- Service Provider Entity ID: Primary
- Identity Provider Entity ID: Secondary
- SSO URL: https://test.com:9444/samlsso
- Enable the check-boxes “Specifies if logout request must be propagated to the identity provider” and “Specifies if single logout request from the identity provider is accepted”. (Once this is enabled, WSO2 Identity Server accepts and handles the logout requests. This configuration is a must to try this scenario.)
- Logout URL: https://test.com:9444/samlsso
- Click Register.
Section 2: Configuring Primary IS as a Service Provider in the Secondary IS
1. Download and install the latest WSO2 Identity Server.
2. Since there are two instances of WSO2 IS involved in the flow, let’s change the hostname of the Secondary IS to ‘test.com’ to avoid overriding the commonauth cookie.
Open the /etc/hosts file, add the entry below and save the file.
127.0.0.1 test.com
Open the <IS_home>/repository/conf/deployment.toml file and change the hostname to “test.com”.
3. Open the <IS_home>/bin folder and run the command below to start the WSO2 Identity Server on port 9444 (Secondary IS):
sh wso2server.sh -DportOffset=1
4. Log in to the management console of the Secondary IS (https://test.com:9444/carbon/) with admin:admin credentials.
5. Navigate to Main > Identity > Service Providers and click Add. Provide the name as Primary.
6. In the Inbound Authentication Configuration section, click Configure under the SAML2 Web SSO Configuration section.
Now provide the configurations as follows:
- Issuer: Primary
- Assertion Consumer URL: https://localhost:9443/commonauth
- SLO Request URL: https://localhost:9443/t/org1.com/identity/saml/slo
- Check the Enable Single Logout checkbox.
- Select one of the front channel bindings for the logout method.
- Click Register.
Note: SLO Request URL should be tenant qualified since we are trying out a tenanted scenario.
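As an added example (not code from this blog or from WSO2 Identity Server), the Python sketch below models the exchange described in the Scenario section and the point of the note above: the session participant receives a SAML2 LogoutRequest from the federated IdP at the tenant-qualified SLO endpoint, checks that it comes from the configured IdP and is addressed to this tenant's endpoint, ends every local session bound to the request's SessionIndex, and answers with a LogoutResponse that echoes the request ID. The entity IDs and URLs are the values configured in Sections 1 and 2; the in-memory session store, the session index values and the omission of XML signature verification are assumptions of the example.

```python
# Added example (not WSO2 Identity Server code): a minimal SAML2 session participant
# that handles a LogoutRequest sent by the federated IdP to a tenant-qualified SLO
# endpoint, terminates the local sessions tied to the SessionIndex, and answers with
# a LogoutResponse. Entity IDs and URLs are the ones configured in this post.
import uuid
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# From Section 1 and Section 2 of the post.
TRUSTED_IDP_ENTITY_ID = "Secondary"   # Identity Provider Entity ID in the Primary IS
OWN_ENTITY_ID = "Primary"             # Service Provider Entity ID / Issuer
TENANT_SLO_ENDPOINT = "https://localhost:9443/t/org1.com/identity/saml/slo"
IDP_LOGOUT_URL = "https://test.com:9444/samlsso"


def _now():
    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, name_id, session_index, destination):
    """Build the LogoutRequest the federated IdP sends. Constructed sample; a real
    request is also signed, which this example omits."""
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _now(),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['saml']}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(in_response_to, status_code):
    """LogoutResponse returned to the IdP's logout URL, echoing the request ID."""
    resp = ET.Element(f"{{{NS['samlp']}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _now(),
        "InResponseTo": in_response_to,
        "Destination": IDP_LOGOUT_URL,
    })
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = OWN_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", {"Value": status_code})
    return ET.tostring(resp, encoding="unicode")


def handle_logout_request(xml_text, session_store):
    """Process an inbound LogoutRequest the way the session participant must:
    accept it only from the configured IdP and only at the tenant-qualified
    endpoint, then end every local session bound to the SessionIndex.

    session_store (assumed shape) maps the IdP's SessionIndex to the local
    sessions created through that federated login.
    Returns (status_code, terminated_sessions, logout_response_xml)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("expected a samlp:LogoutRequest")
    request_id = root.get("ID")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    session_index = root.findtext("samlp:SessionIndex", namespaces=NS)

    # Signature verification against the IdP certificate belongs here; without it
    # nothing below may be trusted. Omitted to keep the example self-contained.
    if issuer != TRUSTED_IDP_ENTITY_ID:
        return STATUS_REQUESTER, [], build_logout_response(request_id, STATUS_REQUESTER)
    # A request addressed anywhere else (for example the super-tenant endpoint,
    # without the /t/org1.com/ prefix) does not belong to this tenant.
    if root.get("Destination") != TENANT_SLO_ENDPOINT:
        return STATUS_REQUESTER, [], build_logout_response(request_id, STATUS_REQUESTER)

    # Unknown SessionIndex: nothing to end, logout is idempotent, still Success.
    terminated = session_store.pop(session_index, [])
    return STATUS_SUCCESS, terminated, build_logout_response(request_id, STATUS_SUCCESS)


if __name__ == "__main__":
    # Constructed session store: two federated logins, each with one local app session.
    store = {"_fed-1": ["OIDCsp9443:sess-a"], "_fed-2": ["OIDCsp9443:sess-b"]}
    req = build_logout_request(TRUSTED_IDP_ENTITY_ID, "abc@org1.com", "_fed-1", TENANT_SLO_ENDPOINT)
    status, ended, resp = handle_logout_request(req, store)
    print(status.rsplit(":", 1)[-1], ended, sorted(store))   # Success ['OIDCsp9443:sess-a'] ['_fed-2']
```

The two rejections are the checks that matter operationally: a request from an issuer other than the registered IdP, or one addressed to an endpoint that is not the tenant's own SLO URL, gets a Requester status and leaves the tenant's sessions untouched, which is exactly why the SLO Request URL registered in the Secondary IS has to carry the /t/org1.com/ prefix.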
Section 3: Configuring OIDC application in the Primary IS
1. Navigate to Main > Identity > Service Providers and click Add. Provide the name as OIDCsp9443.
2. In the Inbound Authentication Configuration section, click Configure under the OAuth/OpenID Connect Configuration section.
3. Provide the Callback URL as https://oidcdebugger.com/debug and click Add.
4. Next, copy the generated OAuth Client Key, which will be required in the next step.
5. Go to https://oidcdebugger.com/ and set the configurations below.
- Authorize URI: https://localhost:9443/oauth2/authorize
- Redirect URI: https://oidcdebugger.com/debug
- Client ID: the OAuth Client Key copied from step 4 above.
6. Navigate to the Local & Outbound Authentication Configuration section, select the Federated Authentication radio button and select Secondary from the dropdown.
Section 4: Configuring Pickup Manager application in the Secondary IS
1. Follow the steps in deploying the saml2-web-app-pickup-manager webapp to download, deploy and register the pickup-manager sample.
2. Navigate to <tomcat_home>/webapps/<pickup-manager_home>/WEB-INF/classes and open the file sso.properties.
3. Modify the configurations mentioned below.
- SAML2.IdPEntityId=test.com
- SAML2.IdPURL=https://test.com:9444/samlsso
4. Restart the Tomcat server.
Try it out!
Yay! Finally, we have completed all the required configurations in WSO2 IS, so let’s try out the flow by running the sample applications.
1. Access the following URL in a browser window: http://localhost.com:8080/saml2-web-app-pickup-manager.com to log into the Pickup Manager application.
2. Log in using the credentials of any user in the Federated Identity Provider. You will be redirected to the Pickup Manager application home page.
3. Now go to the https://oidcdebugger.com/ site with the values pre-configured in Section 3 above, and click Send Request. You will be automatically SSO-ed and logged in to the application.
4. Now log out from the Pickup Manager application. You will be redirected back to the login page of the application.
5. Click Start Over in the OIDC application and you’ll notice that you’ve been automatically logged out from this application as well.
This means you have successfully tried out the SAML2 Federated IdP initiated single logout flow for a tenanted scenario in WSO2 Identity Server.