
WSO2 SAML SSO/SLO for API Manager and Identity Server

Environment:
Windows Server 2008 R2
wso2is-5.3.0
wso2am-2.1.0

URLs/ports:
- hostname:9443/carbon
- hostname:9443/publisher
- hostname:9443/store
- hostname:9444/carbon (Identity Server)

Problem:
I have configured SAML SSO for all of the components listed above, using IS as the identity provider, following https://docs.wso2.com/display/AM210/Configuring+Identity+Server+as+IDP+for+SSO

Single sign-on works perfectly. I hit any of the above URLs, get redirected to IS, authenticate, and I am logged in to all of the URLs without having to re-authenticate. The problem is with single logout. If I log out of the store or the publisher first, the session shows as invalidated and I am logged out of all components (i.e. if I refresh the browser I am prompted to re-authenticate). However, I see the following errors in the IS log.

TID: [-1] [] [2017-09-20 10:13:41,047]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:13:41,062]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:14:41,060]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:14:41,076]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:15:41,073]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:15:41,089]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:16:41,086]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:16:41,118]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:17:41,100]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/acs 
TID: [-1] [] [2017-09-20 10:17:41,100] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds. 
TID: [-1] [] [2017-09-20 10:17:41,146]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9444/acs 
TID: [-1] [] [2017-09-20 10:17:41,146] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds. 
TID: [-1] [] [2017-09-20 10:18:41,128]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:19:41,188]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:20:41,202]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:21:41,215]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:22:41,228]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag 
TID: [-1] [] [2017-09-20 10:22:41,228] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds. 

When I turn on SSO logging, I can see that, before the retries above, each service provider is removed from the shared session and the session is cleared from the cache. So why are additional SLO requests still being sent to each provider?

TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name IS_CONSOLE 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name API_STORE 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name carbonServer 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Removed SLO supported service provider from session info data  with name API_PUBLISHER 
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} -  Clearing the session data from cache with session index 55a88216-1b09-425e-b616-2f881bc6a717 and issuer API_PUBLISHER 
TID: [-1234] [] [2017-09-21 08:48:32,686] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} -  SSO tokenId Cookie is removed 

This is a well-known "feature" of WSO2 IS (and other products). At least that is how it is with WSO2 IS 5.2.0.

WSO2 IS uses proper SAML SSO for login. For logout, WSO2 IS invalidates the user session, sends an out-of-band (back-channel) SLO request to each service provider and waits for an HTTP 200 response.

However, the service providers implemented by WSO2 (IS or AM) do not listen for logout requests based on the SAML session id at all (without a front-end client session cookie). So that is what you need before you are really logged out, and you can happily ignore the back-channel attempts to log out.

You can try using logout on multiple SPs (on different hosts), where you may still have sessions that were not invalidated.
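The retry lines in the question are the observable symptom of what the answer describes: the IdP keeps re-sending the back-channel LogoutRequest until it gives up, because the SP never returns the HTTP 200 it waits for. The script below is an added triage example (not WSO2 code); it parses `LogoutRequestSender` lines from a carbon log, groups retries per target ACS URL, attributes each `Single logout failed` line to the target that was last retried (the failure line itself names no URL, but WSO2 logs it immediately after that target's final retry), and lists the SPs that never acknowledged logout. The sample log is constructed, abridged from the excerpt above; the log format and the follow-on attribution rule are assumptions based on that excerpt.

```python
"""Triage back-channel SLO retries from WSO2 IS carbon log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, abridged from the question's log excerpt.
SAMPLE_LOG = """\
TID: [-1] [] [2017-09-20 10:13:41,047]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:13:41,062]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:14:41,060]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:15:41,073]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:16:41,086]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:17:41,100]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:17:41,100] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
TID: [-1] [] [2017-09-20 10:17:41,146]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:17:41,146] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
TID: [-1] [] [2017-09-20 10:18:41,128]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:22:41,228]  INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:22:41,228] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} -  Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
"""

# Assumed carbon log layout: TID, tenant, timestamp, level, logger, message.
LINE_RE = re.compile(
    r"^TID: \[(?P<tid>-?\d+)\] \[\] \[(?P<ts>[^\]]+)\]\s+(?P<level>\w+) "
    r"\{(?P<logger>[^}]+)\} -\s+(?P<msg>.*?)\s*$"
)
RETRY_RE = re.compile(
    r"Sending single log out request again with retry count (?P<count>\d+) "
    r"after waiting for (?P<wait>\d+) milli seconds to (?P<target>\S+)"
)
FAIL_RE = re.compile(r"Single logout failed after retrying (?P<retries>\d+) times")
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"


@dataclass
class SloTarget:
    target: str
    retries: int = 0                       # highest retry count seen
    wait_ms: int = 0                       # wait the IdP reports between retries
    first_retry: Optional[datetime] = None
    failed_at: Optional[datetime] = None

    @property
    def failed(self) -> bool:
        return self.failed_at is not None

    @property
    def seconds_to_failure(self) -> Optional[float]:
        if self.first_retry is None or self.failed_at is None:
            return None
        return (self.failed_at - self.first_retry).total_seconds()


def summarize_slo(log_text: str) -> Dict[str, SloTarget]:
    """Group LogoutRequestSender retries by target ACS URL."""
    targets: Dict[str, SloTarget] = {}
    last_target: Optional[SloTarget] = None  # failure lines name no URL
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("logger").endswith("LogoutRequestSender"):
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        r = RETRY_RE.search(msg)
        if r:
            t = targets.setdefault(r.group("target"), SloTarget(r.group("target")))
            t.retries = max(t.retries, int(r.group("count")))
            t.wait_ms = int(r.group("wait"))
            if t.first_retry is None:
                t.first_retry = ts
            last_target = t
            continue
        if FAIL_RE.search(msg) and last_target is not None:
            # The failure is logged right after the final retry for the same
            # target (assumption drawn from the excerpt), so attribute it there.
            last_target.failed_at = ts
            last_target = None
    return targets


def unacknowledged(targets: Dict[str, SloTarget]) -> List[str]:
    """SPs that never returned the HTTP 200 the IdP waited for."""
    return sorted(t.target for t in targets.values() if t.failed)


if __name__ == "__main__":
    for t in summarize_slo(SAMPLE_LOG).values():
        print(f"{t.target}: retries={t.retries} failed={t.failed} "
              f"after={t.seconds_to_failure}s")
```

Run it against a real `wso2carbon.log` by replacing `SAMPLE_LOG` with the file contents; every target listed by `unacknowledged()` is an SP whose local session the IdP could not terminate through the back channel, which is exactly the case where a user should be logged out at each SP's own logout URL as the answer suggests.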
