WSO2 IS Single Logout partially working

Question

I am testing SAML SSO using WSO2 Identity Server 5.0.0 with two PHP application instances as service providers (using onelogin phpsaml). I managed to make the single sign on to

Answer 1

Michael, In the SAML Single Logout implementation, when the PHPApp1 initiates the logout, it redirects the user to WSO2 IDP. Then WSO2 IDP validates the LogoutRequest message, after successful validation, WSO2 IDP figure-out the existing session participants (in this case WSO2 IDP will detect PHPApp2). So after session participants are figured, the WSO2 IDP will send Logout Requests to those in stateless way (no browser involvement) and the session participants (PHPApp2) should validate the Logout Requests from the WSO2 IDP and should send the Logout Response back (no browser involvement, no redirections) to the WSO2 IDP. After WSO2 IDP receives all the LogoutResponses back from the all session participants, WSO2 IDP contract it's Logout Response to the initiator which is PHPApp1, this will be sent as a browser redirection (HTTP Form submission).