SAML 2.0 Front-Channel Logout with WSO2 Identity Server
Identity and Access Management (IAM) is more prominent than ever. Enterprises and applications moving towards digitalization are expected to manage identity and access securely and in a standardized way, and over recent decades many IAM protocols and standards have been introduced.
In the world of IAM, SSO (Single Sign-On) is a commonly heard term. Simply put, SSO lets a user access several applications with a single pair of credentials. Security Assertion Markup Language 2.0 (SAML 2.0) is one of the most widely used protocols for implementing SSO.
So we know that the SAML 2.0 specification describes an approach to Single Sign-On, and everyone talks about it. You may be wondering how logout is handled via SAML. That is where Single Logout (SLO) comes into play.
SAML 2.0 protocol has two approaches towards SLO.
- Synchronous Binding (Back-Channel)
- Asynchronous Binding (Front-Channel)
Let me explain the difference between the aforementioned approaches.
In Back-Channel logout, the web browser is not involved in terminating the sessions; the identity provider and each service provider communicate server to server. In Front-Channel logout, the end user's web browser carries the logout messages between them, so each application can also clear the session state it keeps in the browser. The SAML 2.0 specification states the requirement for Front-Channel logout as quoted below.
“A front-channel binding may be required, for example, in cases in which a principal’s session state exists solely in a user agent in the form of a cookie and a direct interaction between the user agent and the session participant or session authority is required.”
The SAML 2.0 specification mentions three asynchronous (Front-Channel) bindings.
- HTTP Redirect binding
- HTTP POST binding
- Artifact binding
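Below, as an added example that is not part of the original post and not code from WSO2 or Spring SAML, is a small Python script that encodes and decodes a LogoutRequest the way the two bindings used later in this post carry it through the browser: HTTP Redirect applies raw DEFLATE and base64 and puts the result in the SAMLRequest query parameter, HTTP POST only base64-encodes the XML into a form field. The entity IDs, URLs, NameID and SessionIndex are constructed values. The decoder is handy for reading the SAMLRequest (or SAMLResponse) you see in the browser's address bar during a front-channel logout.

```python
"""Added example (not from the original post, WSO2 or Spring SAML): encode and decode a
SAML 2.0 LogoutRequest for the HTTP Redirect and HTTP POST front-channel bindings.
Entity IDs, URLs, NameID and SessionIndex below are constructed for illustration."""
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(issuer, destination, name_id, session_index):
    """Build an unsigned LogoutRequest like the one an IdP sends to a session participant."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="utf-8")


def encode_redirect(xml_bytes, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE, base64, then URL-encode; returns the query string.
    A signed message adds SigAlg and Signature query parameters computed over this string,
    rather than a ds:Signature inside the XML."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_logout_url(destination, xml_bytes, relay_state=None):
    """The full URL the browser is redirected to (the SP's SLO Request URL plus the query)."""
    return destination + "?" + encode_redirect(xml_bytes, relay_state)


def decode_redirect(query):
    """Inverse of encode_redirect; takes the part of a logout URL after '?'.
    Returns (parameter name, XML bytes) so it works for SAMLRequest and SAMLResponse."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    key = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    raw = base64.b64decode(params[key][0])
    return key, zlib.decompress(raw, -15)


def encode_post(xml_bytes):
    """HTTP POST binding: the XML is only base64-encoded and carried in a hidden form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post(field_value):
    return base64.b64decode(field_value)


def parse_logout_request(xml_bytes):
    """Extract the fields a session participant acts on when it receives a LogoutRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


if __name__ == "__main__":
    # Constructed sample: IdP entity ID "localhost", SP at the sample app's SLO endpoint.
    xml = build_logout_request(
        "localhost",
        "http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout",
        "admin@abc.com", "sess-1")
    url = redirect_logout_url(
        "http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout", xml, "app1")
    print(url)
    key, back = decode_redirect(url.split("?", 1)[1])
    print(key, parse_logout_request(back))
```

To inspect a live logout, paste everything after the `?` of the URL the browser is sent to into decode_redirect; a POST-bound message is read with decode_post on the SAMLRequest form field instead. The decoder uses the standard library parser on messages you captured from your own browser; a production SP should parse untrusted XML with a hardened parser and verify the signature before acting on the message.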
WSO2 Identity Server is a leading open source Identity and Access Management solution. It has long supported Back-Channel logout, and from the 5.8.0 release it also supports Front-Channel logout with the HTTP Redirect and HTTP POST bindings.
In this blog post, I will guide you through configuring and testing the newly introduced Front-Channel logout feature in WSO2 Identity Server. WSO2 Identity Server supports multitenancy, and the configuration steps provided here can be used to configure this feature in any tenant (super tenant or sub tenant).
Pre-requisites:
Download the latest WSO2 Identity Server from here. For details on running the Identity Server, see Running the Product.
Step 01:
Download Spring SAML application from here and unzip it. Let’s refer to unzipped directory as <SAMPLE_HOME>.
Step 02:
- Start the WSO2 Identity Server and log in to the management console as the super tenant user with the default admin:admin credentials (change these on anything other than a throwaway test instance).
- Add a new tenant. Let's name the tenant abc.com. Refer to Adding New Tenants for detailed instructions.
Step 03:
- Log in to WSO2 IS as the administrator of the tenant created in Step 02.
- On the Main tab, click Resident Identity Provider under Identity Providers.
- Expand the Inbound Authentication Configuration section.
- Select SAML2 Web SSO Configuration and click Download SAML Metadata.
As quoted from the SAML 2.0 specification,
“Metadata (as in [SAMLMeta]) MAY be used to determine the location of this endpoint and the bindings supported by the identity provider.”
Step 04:
- Rename the downloaded metadata file to wso2_abc.xml and copy it to <SAMPLE_HOME>/sample/src/main/resources/metadata.
- Open <SAMPLE_HOME>/sample/src/main/webapp/WEB-INF/securityContext.xml. Find the bean whose id is metadata (<bean id="metadata">). Inside the <list> element of that bean, add the following XML and save the file. Do not copy an <?xml ...?> declaration along with it: a declaration is only valid at the very top of a file, and securityContext.xml already has one.
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
                <bean class="java.util.Timer" />
            </constructor-arg>
            <constructor-arg>
                <bean class="org.opensaml.util.resource.ClasspathResource">
                    <constructor-arg value="/metadata/wso2_abc.xml" />
                </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool" />
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata" />
    </constructor-arg>
</bean>
This configuration points the sample application at the metadata file (wso2_abc.xml) downloaded from WSO2 IS in Step 03; from it the application learns the identity provider's endpoints and the bindings it supports.
Step 05:
- In this step we build the webapp. Open a terminal in <SAMPLE_HOME>/sample and run the following command.
mvn clean install
- Upon a successful build, spring-security-saml2-sample.war can be found under <SAMPLE_HOME>/sample/target. Make a copy of it named spring-security-saml2-sample2.war so that there are two webapps.
- Deploy both webapps to a Tomcat server.
Step 06:
Two service providers need to be created to represent the two webapps.
- Log into WSO2 IS as the administrator for abc.com tenant.
- On the Main tab, click Add under Service Providers. Create a new service provider called ‘application1’.
- Expand Inbound Authentication Configuration and then expand SAML2 Web SSO Configuration.
Provide the configurations given below.
Issuer: http://localhost:8080/spring-security-saml2-sample/saml/metadata
Assertion Consumer URLs: http://localhost:8080/spring-security-saml2-sample/saml/SSO
Tick Enable Response Signing
Untick Enable Signature Validation in Authentication Requests and Logout Requests (this only keeps the sample simple; in a real deployment leave it ticked and import the service provider's signing certificate, otherwise the identity provider will act on a LogoutRequest from anyone able to construct one)
Tick Enable Single Logout
SLO Response URL: http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout
SLO Request URL: http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout
Logout Method: Select Front-Channel Logout (HTTP Redirect Binding) or Front-Channel Logout (HTTP POST Binding)
Tick Enable Attribute Profile
Tick Include Attributes in the Response Always
Repeat Step 06 to create the other service provider as "application2", replacing the Issuer, Assertion Consumer URL, SLO Response URL and SLO Request URL with those of the spring-security-saml2-sample2 webapp.
Step 07:
- Browse to the first sample application.
http://localhost:8080/spring-security-saml2-sample
- Select localhost and click on Start single sign-on.
- Login as tenant admin.
- On successful login you will be directed to a page showing the authenticated user's information, as in the screenshot below.
- Open a new browser tab, go to the second application, select localhost and click Start single sign-on. Because the identity provider session already exists, you are signed in without entering credentials again.
http://localhost:8080/spring-security-saml2-sample2
- In either application, click Global logout.
- You will be logged out of both applications. Reload the other application's tab to confirm that its session has been terminated as well.
We have reached the end of this blog post. In summary, I have guided you through configuring and testing Front-Channel logout in WSO2 Identity Server in any tenant. WSO2 Identity Server provides effortless SLO functionality with a choice of Back-Channel or Front-Channel logout to terminate all sessions once the user signs out of one application.
I also recommend going through https://medium.com/identity-beyond-borders/configuring-saml2-front-channel-logout-on-wso2-identity-server-13ce4cf3dc38, which gives a good understanding of this feature and of testing it on the super tenant.
References: