Open
Description:
When a user has an SSO session active at an SP and logs out from WSO2, they should also be logged out of those SPs per the SAML2 Single Logout specification. I have not had reason to check SOAP profile support, but neither POST nor Redirect profiles are used.
Suggested Labels:
Complexity/High (https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues)
Feature
Type/New Feature
Affected Product Version:
WSO2 IS 5.4.0
OS, DB, other environment details and versions:
Debian stable (9), WSO2 IS 5.4.0, Firefox LTS (52)
Steps to reproduce:
- set up a default installation of WSO2 IS 5.4.0
- set up a Service Provider with a SAML metadata file including SingleLogoutService endpoints with a binding of either "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
- set up a user in both the SP and WSO2, with access to log in to the WSO2 dashboard
- use a request from that service provider to log in to WSO2
- navigate to the WSO2 dashboard
- open dev tools to watch the request
- log out (via the WSO2 dashboard)
- see that no SLO request was made to the service provider
- navigate to the service provider and see that you are still authenticated
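
To make the "see that no SLO request was made" step checkable, here is an added example (not part of the original issue and not WSO2 code) that scans requests copied from the browser dev tools for SAML `LogoutRequest` messages in either the HTTP-Redirect or HTTP-POST binding. The hosts `sp.example` and `idp.example`, the endpoint paths, and the unsigned sample messages are constructed assumptions.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_saml(value, deflated):
    """Base64-decode a SAMLRequest; HTTP-Redirect values are also raw DEFLATE."""
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    return ET.fromstring(raw)  # input is a capture of your own browser session

def find_logout_requests(captured):
    """captured: list of (method, url, form_body). Returns (endpoint, binding, Destination)."""
    hits = []
    for method, url, body in captured:
        if method == "GET":
            params, binding = parse_qs(urlsplit(url).query), "HTTP-Redirect"
        else:
            params, binding = parse_qs(body or ""), "HTTP-POST"
        for value in params.get("SAMLRequest", []):
            try:
                root = decode_saml(value, binding == "HTTP-Redirect")
            except (ValueError, zlib.error, ET.ParseError):
                continue  # parameter is not a decodable SAML message
            if root.tag == "{%s}LogoutRequest" % SAMLP:
                hits.append((url.split("?")[0], binding, root.get("Destination")))
    return hits

# --- constructed sample data below: hypothetical hosts, unsigned messages ---
def sample_msg(kind, dest):
    return ('<samlp:%s xmlns:samlp="%s" ID="_constructed" Version="2.0" '
            'IssueInstant="2018-01-01T00:00:00Z" Destination="%s"/>'
            % (kind, SAMLP, dest)).encode()

def sample_param(xml, deflate):
    if deflate:
        c = zlib.compressobj(wbits=-15)
        xml = c.compress(xml) + c.flush()
    return urlencode({"SAMLRequest": base64.b64encode(xml).decode()})

SLO = "https://sp.example/saml/slo"
LOGIN = "https://idp.example/sso"
AS_REPORTED = [("GET", "https://idp.example/logout", None),  # logout, no SLO traffic
               ("GET", LOGIN + "?" + sample_param(sample_msg("AuthnRequest", LOGIN), True), None)]
AS_EXPECTED = AS_REPORTED + [
    ("GET", SLO + "?" + sample_param(sample_msg("LogoutRequest", SLO), True), None),
    ("POST", SLO, sample_param(sample_msg("LogoutRequest", SLO), False))]
```

An empty result for a capture taken during logout corresponds to the behaviour reported above; a hit whose `Destination` matches the SP's `SingleLogoutService` location is what a working front-channel SLO would produce.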