Federated IDP Initiated OIDC Back-Channel Logout with WSO2 Identity Server

Achini Udari Jayasena, published in GEEK GiRL, Apr 10, 2022

When it comes to OIDC identity federation in Identity Server, WSO2 IS acts as an RP to the federated identity provider. WSO2 IS currently provides a mechanism to terminate sessions and revoke tokens on the WSO2 IS (RP) side whenever there is a session update on the federated IDP (OP) side.

The OIDC Back Channel Logout v1.0 spec defines a mechanism for communicating logout requests to all RPs that have established sessions with an OP. This mechanism relies upon direct communication of such requests between OP and RPs — bypassing the User-Agent. It imposes new requirements that RPs have a logout endpoint that is reachable by the OP.
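As an added illustration of the mechanism described above (example code, not from the original post or from WSO2 IS), the following Python shows what an RP's back-channel logout endpoint has to verify before it terminates a local session: the Logout Token's signature, iss, aud, iat, sub or sid, the absence of nonce, the backchannel-logout events member, and jti replay. The issuer and client id values used when calling it are placeholders, and HS256 stands in for the OP's RS256/JWKS signing so the code runs offline.

```python
import base64, hashlib, hmac, json, time
# Event URI that marks a Logout Token (spec section 2.4); ID Tokens never carry it.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(claims: dict, key: bytes) -> str:
    # Constructed token for testing. The real OP (Secondary IS) signs with RS256 and
    # publishes its key at /oauth2/jwks; HS256 is used only so this runs offline.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None):
    """Section 2.6 checks; raises ValueError, on which the RP answers HTTP 400."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")  # ValueError if not three segments
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != issuer or client_id not in aud:
        raise ValueError("iss/aud do not match this RP's registration")
    if not isinstance(c.get("iat"), (int, float)) or abs(now - c["iat"]) > 300:
        raise ValueError("iat missing or not recent")
    if "sub" not in c and "sid" not in c:
        raise ValueError("sub or sid is required")
    if "nonce" in c:  # an ID Token replayed at the logout endpoint carries one
        raise ValueError("nonce must not be present")
    events = c.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    if not c.get("jti") or c["jti"] in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(c["jti"])
    return c

def handle_backchannel_logout(token, key, issuer, client_id, sessions, seen_jti, now=None):
    # RP logout endpoint body: end the sessions bound to the sid (or all of the sub).
    c = validate_logout_token(token, key, issuer, client_id, seen_jti, now)
    match_on = "sid" if "sid" in c else "sub"
    hit = [s for s, v in sessions.items() if v[match_on] == c[match_on]]
    for s in hit:
        del sessions[s]
    return hit
```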

Try out Federated IDP Initiated OIDC Back-Channel Logout with WSO2 Identity Server

Prerequisites

  1. Install JDK8
  2. Download apache tomcat 8
  3. Add `localhost.com` to the `/etc/hosts` file.
  4. Download and run WSO2 Identity Server
  5. Download Pickup-dispatch and Pickup-manager samples and deploy them in tomcat.

Trying out the flow with WSO2 Identity Server

To try out the scenario, this blog uses two identity servers, one running on port 9443 (Primary IS) and one on port 9444 (Secondary IS), together with two applications, Pickup-Dispatch and Pickup-Manager. In this scenario, the Secondary IS acts as the federated OIDC identity provider, and Pickup-Dispatch and Pickup-Manager act as Application1 and Application2 respectively. The configuration steps are as follows:

  1. Configure Primary IS as a service provider in the Secondary IS.
  2. Configure Secondary IS as an identity provider in the Primary IS.
  3. Configure Pickup Dispatch in Primary IS.
  4. Configure Pickup Manager in Secondary IS.

Note

Since there can be issues with cookies when the same hostname is configured for both WSO2 identity servers (primary and federated), you need to configure different hostnames for both servers. Follow Change hostname of the WSO2 IS guide to change the hostname of the Secondary IS. In this guide, the hostname of the Secondary IS is configured as localhost.com.

  1. Set the port offset and hostname of the Secondary IS

Update the <IS_HOME>/repository/conf/deployment.toml file with a different port offset so that there are no port conflicts, and set the new hostname:

[server]
offset = "1"
hostname = "localhost.com"
internal_hostname = "localhost.com"

2. Once the hostname is changed, create a new wso2carbon.jks and replace the existing one under <IS_HOME>/repository/resources/security with it.

  • Create a keystore using a new certificate
keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048
  • Use the following command to view details of the created keystore
keytool -list -v -keystore wso2carbon.jks
  • Export the public certificate to a .pem file
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publickey.pem
  • Import the .pem file to client-truststore.jks.
keytool -import -alias wso212 -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon

3. Copy the .pem file created on the Secondary IS side to the <IS_HOME>/repository/resources/security folder of the Primary IS and import it into client-truststore.jks:

keytool -import -alias wso2 -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon

4. Copy the .pem file created on the Secondary IS side to <TOMCAT_HOME>/webapps/pickup-manager/WEB-INF/classes and import it into the client-truststore.jks there.

Configure Primary IS as a service provider in the Secondary IS.

  1. Start the WSO2 Identity Server on port 9444 (Secondary IS).
  2. Log in to the management console.
  3. Navigate to Main -> Service Providers and click Add.
  4. Enter a suitable name for the service provider (e.g., PrimaryIS) in the Basic Information section and click Register.
  5. Expand the OAuth2/OpenID Connect Configuration section under the Inbound Authentication Configuration section and click Configure.
  6. Add https://localhost:9443/commonauth as the Callback Url.
  7. Tick the Enable OIDC Back-channel Logout checkbox and add https://localhost:9443/identity/oidc/slo as the Back-channel Logout Url.

Configure Secondary IS as an identity provider in the Primary IS.

  1. Run WSO2 Identity Server on port 9443 (Primary IS).
  2. Navigate to Main -> Identity Providers and click Add.
  3. Enter a suitable name for the identity provider (e.g., SecondaryIS) in the Basic Information section and click Register.
  4. Expand the OAuth2/OpenID Connect Configuration section under the Federated Authenticators section and fill in the following.
  5. Here the Client Id and Client Secret are the OAuth Client Key and Client Secret generated for the PrimaryIS service provider in the step above.
  • Under the Basic Information section, select the Use IDP JWKS endpoint option from Choose IDP certificate type and add the JWKS URI https://localhost.com:9444/oauth2/jwks as the Identity Provider's JWKS Endpoint.
  • Alternatively, select the Upload IDP certificate option from Choose IDP certificate type and upload the certificate of the SecondaryIS.
  6. The Identity Provider's Issuer Name configured in the Primary IS must be the same as the Identity Provider Entity ID under Identity Providers > Resident > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration in the Secondary IS. Add https://localhost:9444/oauth2/token as the Identity Provider's Issuer Name.

Configure Pickup Dispatch in Primary IS.

  1. Log in to the Primary IS management console at https://localhost:9443/carbon.
  2. Navigate to Main -> Service Providers and click Add.
  3. Enter pickup-dispatch in the Service Provider Name text box, and click Register.
  4. In the Inbound Authentication Configuration section, click Configure under the OAuth/OpenID Connect Configuration section.
  5. Enter http://localhost:8080/pickup-dispatch/oauth2client as the Callback URL.
  6. Tick the Enable OIDC Back-channel Logout checkbox and add http://localhost:8080/pickup-dispatch/bclogout as the Back-channel Logout Url.
  7. Select Federated Authentication and, from the dropdown menu, select SecondaryIS.
  8. Click Update.
  9. Update the dispatch.properties file located in the <TOMCAT_HOME>/webapps/pickup-dispatch/WEB-INF/classes folder.

Configure Pickup Manager in Secondary IS.

  1. Log in to the Secondary IS management console at https://localhost.com:9444/carbon.
  2. Navigate to Main -> Service Providers and click Add.
  3. Enter pickup-manager in the Service Provider Name text box, and click Register.
  4. In the Inbound Authentication Configuration section, click Configure under the OAuth/OpenID Connect Configuration section.
  5. Enter http://localhost:8080/pickup-manager/oauth2client as the Callback URL.
  6. Click Update.
  7. Update the manager.properties file located in the <TOMCAT_HOME>/webapps/pickup-manager/WEB-INF/classes folder.

Try it out

  1. Access the URL on a browser window, http://localhost:8080/pickup-dispatch/
  2. Click Login. You will be redirected to the WSO2 Identity Server login page (SecondaryIS — port 9444).
  3. Log in using your WSO2 Identity Server credentials. You will be redirected to the Pickup Dispatch application home page.
  4. Now, in a different tab of the same browser, access the Pickup Manager application, which is registered in the federated identity provider: http://localhost:8080/pickup-manager/
  5. Once you click Login, you will be automatically logged in and redirected to the Pickup Manager application home page.
  6. Log out of the Pickup Manager application. You will be redirected back to the login page of the application.
  7. Now attempt to access the Pickup Dispatch application. You will be automatically logged out of this application as well.

This means that you have successfully configured an OIDC federated identity provider initiated logout.
