Configuring SAML2 Front-Channel Logout on WSO2 Identity Server
The SAML2 specification allows the Single Logout (SLO) profile to be carried over two kinds of bindings:
- Asynchronous Binding (Front-Channel)
- Synchronous Binding (Back-Channel)
Until now WSO2 Identity Server supported only SAML back-channel logout; from version 5.8.0 onwards it supports SAML front-channel logout as well. Back-channel logout remains the default logout mechanism for service providers that use the SAML protocol, and the choice between front-channel and back-channel logout is exposed when configuring the service provider. I will show how this is done later in this post.
In SAML front-channel logout, the session participant uses an asynchronous binding such as the HTTP Redirect binding, the HTTP POST binding or the Artifact binding to send the logout request to the identity provider through the user agent, and the identity provider in turn reaches the other session participants through the same user agent. Because every message passes through the browser, the whole chain depends on the browser following each redirect (or auto-submitting each form); a session participant that does not respond leaves the logout incomplete. You can learn more about SAML front-channel logout in my next blog post.
WSO2 IS supports SAML2 front-channel logout with the HTTP Redirect and HTTP POST bindings. Let’s look at how to configure and test this feature.
Deploying the Sample Application
In order to test this feature, we need a sample application that supports the HTTP-Redirect or HTTP-POST binding for SLO. The Spring SAML sample provided by the Spring Security SAML Extension does, and it is available here, or you can get one of the released builds of the Spring SAML sample from here.
Here onwards I will refer to the location of the downloaded Spring SAML sample as <SAMPLE_HOME>.
1. Create a SAML metadata file (wso2.xml) for the Identity Server as follows. In it you need to change the entityID, the samlsso URL and the X509Certificate to match your installation of the Identity Server; the values given below are the defaults. Refer to this blog post to find the X509Certificate of your Identity Server deployment.
2. Copy the created wso2.xml metadata file to the following directory: <SAMPLE_HOME>/sample/src/main/resources/metadata
3. This metadata file needs to be referenced from the sample application. To do that, open the <SAMPLE_HOME>/sample/src/main/webapp/WEB-INF/securityContext.xml file and find the bean whose id is “metadata”. Inside it, add the following under the <list> tag to include the Identity Server as an identity provider.
4. Navigate to <SAMPLE_HOME>/sample from the terminal and run the command given below to build the project.
mvn clean install
5. Locate the spring-security-saml2-sample.war file under <SAMPLE_HOME>/sample/target directory and deploy two instances of the sample application in Tomcat as spring-security-saml2-sample.war and spring-security-saml2-sample2.war.
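The steps above leave the content of wso2.xml implicit. As an added example (not a file shipped by WSO2 or the Spring SAML sample), the following Python script generates an IdP metadata descriptor of the shape step 1 calls for, from the three values the step says to adapt: the entityID (“localhost”, which is why the sample later lists “localhost” as an IdP), the SAML endpoint (https://localhost:9443/samlsso, the default for a local WSO2 IS, assumed here) and the base64 body of the signing certificate. It advertises SingleLogoutService and SingleSignOnService endpoints for both front-channel bindings, and `WantAuthnRequestsSigned="false"` mirrors the later step that disables request signature validation. The certificate in the script is a placeholder, not a real key.

```python
"""Generate an IdP metadata file (wso2.xml) for the Spring SAML sample.

Added example; the endpoint URL and the placeholder certificate are assumptions,
not values taken from a real deployment.
"""
import xml.etree.ElementTree as ET
from xml.dom import minidom

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder in PEM form; replace with the IS signing certificate.
PLACEHOLDER_PEM = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBodyLine1
MIIBplaceholderCertificateBodyLine2
-----END CERTIFICATE-----
"""


def pem_body(pem):
    """Strip the PEM armour lines: <ds:X509Certificate> wants only the base64 body."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def build_idp_metadata(entity_id, samlsso_url, signing_cert_b64):
    """Return pretty-printed IdP metadata with SSO and SLO endpoints for Redirect and POST."""
    desc = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    idp = ET.SubElement(desc, f"{{{MD}}}IDPSSODescriptor", {
        "WantAuthnRequestsSigned": "false",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    # Signing certificate so the SP can validate signed responses from IS.
    key = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    # Schema order inside IDPSSODescriptor: SLO endpoints, NameIDFormat, then SSO endpoints.
    for binding in (REDIRECT, POST):
        ET.SubElement(idp, f"{{{MD}}}SingleLogoutService",
                      {"Binding": binding, "Location": samlsso_url})
    ET.SubElement(idp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    for binding in (REDIRECT, POST):
        ET.SubElement(idp, f"{{{MD}}}SingleSignOnService",
                      {"Binding": binding, "Location": samlsso_url})
    return minidom.parseString(ET.tostring(desc)).toprettyxml(indent="  ")


def describe(metadata_xml):
    """Parse metadata back into {entityID, endpoints[(service, binding)] = location}."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for svc in ("SingleLogoutService", "SingleSignOnService"):
        for el in root.iter(f"{{{MD}}}{svc}"):
            endpoints[(svc, el.get("Binding"))] = el.get("Location")
    return {"entityID": root.get("entityID"), "endpoints": endpoints}


def write_metadata(path, entity_id="localhost",
                   samlsso_url="https://localhost:9443/samlsso", pem=PLACEHOLDER_PEM):
    """Write wso2.xml to `path` (e.g. <SAMPLE_HOME>/sample/src/main/resources/metadata/wso2.xml)."""
    xml_text = build_idp_metadata(entity_id, samlsso_url, pem_body(pem))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return xml_text


if __name__ == "__main__":
    print(build_idp_metadata("localhost", "https://localhost:9443/samlsso",
                             pem_body(PLACEHOLDER_PEM)))
```

Run it with the real certificate of your Identity Server and the resulting file is what step 2 copies into the metadata directory; `describe()` is a quick sanity check that both bindings are advertised for the SLO endpoint, which is what the front-channel logout step later relies on.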
Creating the Service Provider
Now we need to create two service providers for the two sample applications we deployed. Follow the steps given below to create a service provider and configure SAML2 front-channel logout on WSO2 IS.
- Download WSO2 Identity Server version 5.8.0 or above from here and start the server by executing the wso2server.sh file in the bin folder.
- Log in to the management console (https://localhost:9443/carbon/) by entering “admin” for both username and password.
- To add a new service provider, click on Add under Service Providers menu, enter a name for the service provider and click Register.
- Expand Inbound Authentication Configuration > SAML2 Web SSO Configuration and click Configure.
- Add the following configurations and click on Register to register the SAML configurations of the service provider.
- Issuer: http://localhost:8080/spring-security-saml2-sample/saml/metadata
- Assertion Consumer URLs: http://localhost:8080/spring-security-saml2-sample/saml/SSO
- Tick Enable Response Signing
- Untick Enable Signature Validation in Authentication Requests and Logout Requests (this is only to keep the sample simple, since its signing certificate is not registered with IS; in a real deployment keep it ticked, because an unsigned front-channel logout request can be forged by anyone who can send the browser to the IdP)
- Tick Enable Single Logout
- SLO Response URL: http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout
- SLO Request URL: http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout
- Logout Method: Select Front-Channel Logout (HTTP Redirect Binding) or Front-Channel Logout (HTTP POST Binding)
- Tick Enable Attribute Profile
- Tick Include Attributes in the Response Always
The following screenshot shows how this page looks after the configuration is complete.
Testing SAML Front-Channel Logout
1. Go to the following URL and you will be redirected to the index page of the first sample application.
Here you can see that “localhost” is listed as an IDP under the set of IDPs to authenticate with. This is because we set the entityID as “localhost” in the metadata file (wso2.xml) we created earlier.
2. From the list select localhost and click “Start single sign-on” button. This will redirect you to WSO2 Identity Server login page.
3. Enter “admin” for both username and password and click “SIGN IN”. Once you click sign in you will be redirected back to the sample application. Now you are logged in to the sample application as admin and you can see the details of the authenticated user.
4. Now access the second sample application through the following URL. Just like you logged into sample application one, select localhost and click “Start single sign-on” button. This will SSO you to the second sample application.
5. Once you click on “Global Logout” in one of the sample applications, you will get logged out from both sample applications. You can confirm this by refreshing the other sample application as it will then show the index page of that sample application.
To view the SAML messages sent through the browser during the single logout process, you can install a browser extension such as SAML-tracer. With it you will see the initial logout request sent by the first application to IS, IS sending a logout request to the second application, the second application sending a logout response to IS and finally IS sending a logout response back to the first application.
And that’s how you configure SAML front-channel logout on WSO2 Identity Server. 😊 Please do comment below if you have any questions regarding this.
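To make the four messages that SAML-tracer shows concrete, here is an added Python example (not code from WSO2 Identity Server or the Spring SAML sample) that builds the LogoutRequest and LogoutResponse messages of a front-channel logout started at the first application, encodes each one the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding into a `SAMLRequest`/`SAMLResponse` query parameter) and then decodes them again as a tracer would. The entity IDs and SLO URLs are the ones used in the post; the IS endpoint (https://localhost:9443/samlsso), the NameID and the SessionIndex values are constructed sample data. The messages are deliberately unsigned, matching the sample configuration above; with signature validation enabled the IdP would additionally expect `SigAlg` and `Signature` query parameters computed over the encoded message.

```python
"""Front-channel SAML2 single logout over the HTTP-Redirect binding.

Added example that simulates the four browser hops of a logout started at SP1:
SP1 -> IdP LogoutRequest, IdP -> SP2 LogoutRequest, SP2 -> IdP LogoutResponse,
IdP -> SP1 LogoutResponse. Endpoint and identity values are constructed.
"""
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)

IDP = "localhost"                              # entityID from wso2.xml in the post
IDP_SLO = "https://localhost:9443/samlsso"     # assumed default IS SAML endpoint
SP1 = "http://localhost:8080/spring-security-saml2-sample/saml/metadata"
SP2 = "http://localhost:8080/spring-security-saml2-sample2/saml/metadata"
SP1_SLO = "http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"
SP2_SLO = "http://localhost:8080/spring-security-saml2-sample2/saml/SingleLogout"


def _new_id():
    return "_" + secrets.token_hex(16)   # SAML IDs are NCNames: must not start with a digit


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """LogoutRequest: who is logging out (NameID) and which IdP session (SessionIndex)."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _now(), "Destination": destination})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def build_logout_response(issuer, destination, in_response_to, status=SUCCESS):
    """LogoutResponse: InResponseTo ties it back to the request ID it answers."""
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _now(),
        "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    st = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(st, f"{{{SAMLP}}}StatusCode", {"Value": status})
    return ET.tostring(root, encoding="unicode")


def redirect_encode(message_xml, param, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # wbits=-15 selects raw deflate
    raw = comp.compress(message_xml.encode("utf-8")) + comp.flush()
    query = {param: base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return urllib.parse.urlencode(query)


def redirect_decode(query):
    """Reverse of redirect_encode, as SAML-tracer does: (param, xml_text, relay_state)."""
    params = dict(urllib.parse.parse_qsl(query))
    param = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    xml_text = zlib.decompress(base64.b64decode(params[param]), -15).decode("utf-8")
    return param, xml_text, params.get("RelayState")


def summarize(xml_text):
    """Pull out the fields worth checking when reading a captured SLO message."""
    root = ET.fromstring(xml_text)
    return {"type": root.tag.split("}")[1], "id": root.get("ID"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "destination": root.get("Destination"),
            "in_response_to": root.get("InResponseTo")}


def single_logout_flow(name_id="admin"):
    """Return the four (destination, query string) hops the browser carries."""
    req1 = build_logout_request(SP1, IDP_SLO, name_id, "session-sp1")    # 1. SP1 -> IdP
    req2 = build_logout_request(IDP, SP2_SLO, name_id, "session-sp2")    # 2. IdP -> SP2
    resp2 = build_logout_response(SP2, IDP_SLO, summarize(req2)["id"])   # 3. SP2 -> IdP
    resp1 = build_logout_response(IDP, SP1_SLO, summarize(req1)["id"])   # 4. IdP -> SP1
    return [(IDP_SLO, redirect_encode(req1, "SAMLRequest")),
            (SP2_SLO, redirect_encode(req2, "SAMLRequest")),
            (IDP_SLO, redirect_encode(resp2, "SAMLResponse")),
            (SP1_SLO, redirect_encode(resp1, "SAMLResponse"))]


def trace(hops):
    """Decode every hop and attach where the browser was sent, like a tracer view."""
    return [{**summarize(redirect_decode(query)[1]), "to": url} for url, query in hops]


if __name__ == "__main__":
    for entry in trace(single_logout_flow()):
        print(entry)
```

The ordering in `single_logout_flow()` is the point: the IdP does not forward SP1's request to SP2 but issues its own LogoutRequest, and it only answers SP1 once SP2's LogoutResponse has come back through the browser, which is why an SP2 that never responds leaves SP1 waiting.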