WSO2 IS Single Logout partially working

Problem description

I am testing SAML SSO using WSO2 Identity Server 5.0.0 with two PHP application instances as service providers (using onelogin phpsaml). I managed to make single sign-on work, but now I'm facing a problem with single logout.

  1. When I trigger a logout request from PHPApp1, the WSO2 IDP responds with a logout response and it seems to work fine;
  2. The WSO2 IDP triggers a logout request to the SAML session participants, in this case to PHPApp2;
  3. PHPApp2 handles the logout request and redirects to the WSO2 IDP logout URL with the LogoutResponse;
  4. And now the issue: WSO2 does not seem to handle the logout response from PHPApp2 and prints the following message in the logs:

WARN {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Failed single logout response from http://php-app2.dev/saml/sls with status code Moved Temporarily {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender}

After that, WSO2 keeps trying to send logout requests to PHPApp2 and ends up with the following message:

ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds. {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender}

I tried to enable debug logs in WSO2 to obtain more detailed information about the issue but I am not able to get any helpful information.

Is there any way to get more detailed information about this issue?

Any help is welcome.

Recommended answer

Michael, in the SAML Single Logout implementation, when PHPApp1 initiates the logout, it redirects the user to the WSO2 IDP. The WSO2 IDP then validates the LogoutRequest message and, after successful validation, figures out the existing session participants (in this case the WSO2 IDP will detect PHPApp2). After the session participants are figured out, the WSO2 IDP will send Logout Requests to them in a stateless way (no browser involvement), and the session participants (PHPApp2) should validate the Logout Requests from the WSO2 IDP and should send the Logout Response back (no browser involvement, no redirections) to the WSO2 IDP. After the WSO2 IDP receives the LogoutResponses back from all the session participants, it constructs its Logout Response to the initiator, which is PHPApp1; this will be sent as a browser redirection (HTTP Form submission).
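
To see what a back-channel sender with no browser receives from an SP's SLS endpoint, this added example (not from the original question or answer) POSTs a constructed LogoutRequest without following redirects to two local stand-in SPs: one that redirects, as PHPApp2 does, and one that answers in the same HTTP exchange. The form field name `SAMLRequest`, the stand-in handlers and the `idp.example` URL are assumptions for illustration.

```python
import base64, http.client, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, unsigned LogoutRequest used only as sample input.
LOGOUT_REQUEST = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  'ID="_constructed1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"/>')

class RedirectingSLS(BaseHTTPRequestHandler):
    """Stand-in SP that answers with a 302 back to the IdP (hypothetical URL)."""
    sls_status, sls_headers, sls_body = 302, {"Location": "https://idp.example/logout"}, b""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # consume the form
        self.send_response(self.sls_status)
        for name, value in self.sls_headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(self.sls_body)))
        self.end_headers()
        self.wfile.write(self.sls_body)

    def log_message(self, *args):  # silence per-request logging
        pass

class DirectSLS(RedirectingSLS):
    """Stand-in SP that returns its LogoutResponse in the same HTTP exchange."""
    sls_status, sls_headers = 200, {"Content-Type": "application/xml"}
    sls_body = b'<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'

def probe_sls(host, port, path="/saml/sls"):
    """POST the LogoutRequest server-to-server; http.client never follows redirects."""
    form = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(LOGOUT_REQUEST.encode()).decode()})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=form,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.reason, resp.getheader("Location"))
    conn.close()
    return result

def run_probe(handler):
    """Serve one stand-in SP on a free local port and probe it."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_sls("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Calling `probe_sls` with a test SP's host, port and SLS path shows whether that endpoint returns a redirect to a caller that has no browser to follow it.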
