Describe the issue:
In the current DefaultLogoutRequestHandler, it retrieves authenticated IDPs from the sequenceConfig (in each step) [1]. This sequence config is read from the authentication context [2]. This flow initiates incorrect behaviors when we have two service providers which are authenticated with two different IDPs.
How to reproduce:
Consider the two scenarios below.
Scenario 1
Configure two separate IS instances as federated IDPs in the main IS (let's call them PrimaryIS, SecondaryIS and TertiaryIS). [I configured SAML federated IDPs]
Create two service providers (SAML SP and OIDC SP) in the PrimaryIS and configure them to authenticate with a federated IDP as below.
SAML SP -> Federated authenticate with SecondaryIS
OIDC SP -> Federated authenticate with TertiaryIS
Login to the SAML application with SecondaryIS.
Login to the OIDC application with TertiaryIS.
Open SAML tracer and logout from SAML app.
Ideally this should initiate a logout for the SecondaryIS, which the SAML app is authenticated with. This flow will not detect SecondaryIS as an authenticated IDP. Only the TertiaryIS will exist as previousAuthenticatedIdP in the context.
Scenario 2
Try out the same scenario with two SAML service providers.
SAML SP1 -> Federated authenticate with SecondaryIS
SAML SP2 -> Federated authenticate with TertiaryIS
The same behavior can be observed.
Note
With the fix for #13696, the logout request will be sent to the TertiaryIS. However, the SecondaryIS session will still not be logged out. Hence this should be fixed for both force and normal authentication flows.
Expected behavior:
When initiating the logout, both IDPs should be logged out from the session.
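The difference between the two IdP-collection strategies described in this issue, as an added illustration that is not code from the issue or from the carbon-identity-framework: a constructed Python model in which the handler either consults only the sequence config held in the current authentication context, or walks every service provider authenticated in the session. All class and function names are hypothetical stand-ins for the framework's own types.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the pieces the issue names; not the framework's classes.


@dataclass(frozen=True)
class StepConfig:
    step: int
    authenticated_idp: Optional[str]  # None for a local (non-federated) step


@dataclass
class SequenceConfig:
    steps: List[StepConfig]


@dataclass
class AuthenticationContext:
    """Context the logout handler reads; per the issue it reflects only the latest login."""
    sequence_config: SequenceConfig


@dataclass
class SessionContext:
    """One SSO session in PrimaryIS: every SP authenticated in it, with its sequence."""
    authenticated_sequences: Dict[str, SequenceConfig] = field(default_factory=dict)


def idps_in_sequence(seq: SequenceConfig) -> Set[str]:
    """Federated IdPs used in the steps of one sequence."""
    return {s.authenticated_idp for s in seq.steps if s.authenticated_idp}


def idps_to_logout_from_context(ctx: AuthenticationContext) -> Set[str]:
    """Behaviour the issue describes: only the sequence in the context is consulted."""
    return idps_in_sequence(ctx.sequence_config)


def idps_to_logout_from_session(session: SessionContext) -> Set[str]:
    """Session-wide collection: every federated IdP that any SP in the session used."""
    idps: Set[str] = set()
    for seq in session.authenticated_sequences.values():
        idps |= idps_in_sequence(seq)
    return idps


def scenario_1() -> Tuple[Set[str], Set[str]]:
    """Scenario 1 from the issue: SAML SP via SecondaryIS, then OIDC SP via TertiaryIS."""
    session = SessionContext()
    session.authenticated_sequences["SAML SP"] = SequenceConfig([StepConfig(1, "SecondaryIS")])
    session.authenticated_sequences["OIDC SP"] = SequenceConfig([StepConfig(1, "TertiaryIS")])
    # The context at SAML logout holds only the most recent login (the OIDC SP's sequence).
    ctx = AuthenticationContext(session.authenticated_sequences["OIDC SP"])
    return idps_to_logout_from_context(ctx), idps_to_logout_from_session(session)
```

Running `scenario_1()` returns the context-only set lacking SecondaryIS, while the session-wide set contains both federated IdPs, which is the expected single-logout behaviour.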
This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!
[1] https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/DefaultLogoutRequestHandler.java#L166
[2] https://github.com/wso2/carbon-identity-framework/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/DefaultLogoutRequestHandler.java#L107
[3] Configuring wso2 IS as federated IDPs