问题
I'm trying to implement WSO2 Single Logout functionality in my java webapp.
And I cannot understand this thing:
I set SAML Single Logout option for 2 my Issuers.
Then I call logout for first Service Provider (SP), IdP redirects it to some logout url with SAML Response, SP gets this request and invalidates http session.
Second SP also gets request from IdP with SAML Response, but http session in this request is a session between IdP and SP, and I need to invalidate session between web browser and SP. How can I get this session?
回答1:
What you need to do is to manually keep track over what http session is associated with what sessionSAMLIndex(you get this in the assertion at login). Perhaps Map<String, HttpSession>
The LogoutRequest contains the session index. When you get the LogoutRequest, you find the http session and invalidate it.
来源:https://stackoverflow.com/questions/14768962/wso2-single-logout-implementation