WSO2 SAML SSO/SLO for API Manager and Identity Server
Environment:
Windows Server 2008 R2
wso2is-5.3.0
wso2am-2.1.0
URLs/ports:
- hostname:9443/carbon
- hostname:9443/publisher
- hostname:9443/store
- hostname:9444/carbon (Identity Server)
Problem:
I have configured SAML SSO for all the components listed above, using IS as the identity provider, as described here: https://docs.wso2.com/display/AM210/Configuring+Identity+Server+as+IDP+for+SSO
Single sign-on works perfectly. I hit any of the URLs above, get redirected to IS, authenticate, and am logged in to all of them without having to authenticate again. The problem is with single logout. If I log out of the store or the publisher first, it reports that the session is invalid and I am logged out of all components (i.e. if I refresh the browser I am prompted to authenticate again). However, I see the following errors in the IS log.
TID: [-1] [] [2017-09-20 10:13:41,047] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:13:41,062] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:14:41,060] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:14:41,076] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:15:41,073] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:15:41,089] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:16:41,086] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:16:41,118] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:17:41,100] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:17:41,100] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
TID: [-1] [] [2017-09-20 10:17:41,146] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:17:41,146] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
TID: [-1] [] [2017-09-20 10:18:41,128] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:19:41,188] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 2 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:20:41,202] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 3 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:21:41,215] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:22:41,228] INFO {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
TID: [-1] [] [2017-09-20 10:22:41,228] ERROR {org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
When I turn on SSO debug logging, I can see that, before the retries above, every service provider is removed from the shared session and the session is deleted from the cache. So why are additional SLO requests still being sent to each provider?
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} - Removed SLO supported service provider from session info data with name IS_CONSOLE
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} - Removed SLO supported service provider from session info data with name API_STORE
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} - Removed SLO supported service provider from session info data with name carbonServer
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} - Removed SLO supported service provider from session info data with name API_PUBLISHER
TID: [-1234] [] [2017-09-21 08:48:32,655] DEBUG {org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager} - Clearing the session data from cache with session index 55a88216-1b09-425e-b616-2f881bc6a717 and issuer API_PUBLISHER
TID: [-1234] [] [2017-09-21 08:48:32,686] DEBUG {org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet} - SSO tokenId Cookie is removed
This "feature" of WSO2IS (and other products) is well known. At least that is how it is with WSO2IS 5.2.0.
WSO2IS uses proper SAML SSO for login. For logout, WSO2IS invalidates the user session, sends an out-of-band (back-channel) SLO request to each service provider, and waits for an HTTP 200 response.
However, the service providers implemented by WSO2 (IS or AM) do not listen for logout requests based on the SAML session ID at all (there is no front-end client session cookie). So until you really log out, that is all you need, and you can happily ignore the back-end attempts to log out.
You can try logging out across multiple SPs (on different hosts), where you may have an invalid session.
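The retry lines quoted in the question come from the back-channel SLO behaviour the answer describes: IS resends the LogoutRequest to each ACS URL until it gets an HTTP 200, then logs a bare ERROR once it gives up. The following is an added example, not code from the question, the answer or WSO2, that parses log lines in that format and reports which service providers never acknowledged the logout; the sample log is constructed from the question's lines, and the only assumption is that the ERROR line belongs to the retry line immediately before it.

```python
import re
from collections import defaultdict

LOGGER = "org.wso2.carbon.identity.sso.saml.logout.LogoutRequestSender"

# Constructed sample in the format of the IS log quoted in the question:
# two endpoints exhaust their retries, a third is still being retried.
SAMPLE_LOG = f"""\
TID: [-1] [] [2017-09-20 10:16:41,086] INFO {{{LOGGER}}} - Sending single log out request again with retry count 4 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:17:41,100] INFO {{{LOGGER}}} - Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9443/acs
TID: [-1] [] [2017-09-20 10:17:41,100] ERROR {{{LOGGER}}} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
TID: [-1] [] [2017-09-20 10:17:41,146] INFO {{{LOGGER}}} - Sending single log out request again with retry count 5 after waiting for 60000 milli seconds to https://hostname:9444/acs
TID: [-1] [] [2017-09-20 10:17:41,146] ERROR {{{LOGGER}}} - Single logout failed after retrying 5 times with time interval 60000 in milli seconds.
TID: [-1] [] [2017-09-20 10:18:41,128] INFO {{{LOGGER}}} - Sending single log out request again with retry count 1 after waiting for 60000 milli seconds to https://hostname:9443/publisher/jagg/jaggery_acs.jag
"""

RETRY_RE = re.compile(
    r"\] INFO \{" + re.escape(LOGGER)
    + r"\} - Sending single log out request again with retry count (?P<n>\d+) .* to (?P<url>\S+)$"
)
FAIL_RE = re.compile(
    r"\] ERROR \{" + re.escape(LOGGER) + r"\} - Single logout failed after retrying (?P<n>\d+) times"
)


def summarize_slo(log_text):
    """Per ACS URL: highest retry count seen and whether IS gave up on it.

    The ERROR line carries no URL, so it is attributed (assumption) to the
    endpoint of the retry line immediately preceding it, which in the IS
    log shares its timestamp."""
    summary = defaultdict(lambda: {"retries": 0, "failed": False})
    last_target = None
    for line in log_text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            last_target = m.group("url")
            entry = summary[last_target]
            entry["retries"] = max(entry["retries"], int(m.group("n")))
            continue
        if FAIL_RE.search(line) and last_target is not None:
            summary[last_target]["failed"] = True
            last_target = None
    return dict(summary)


def unresponsive_sps(log_text):
    """ACS URLs that never returned HTTP 200 to the back-channel LogoutRequest."""
    return sorted(url for url, s in summarize_slo(log_text).items() if s["failed"])
```

An SP listed by `unresponsive_sps` did not acknowledge the back-channel LogoutRequest, so its local session should be treated as possibly still alive even though IS has already cleared its own session data.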