How can I get Global Logout working in a multi tenant SAML application using spring-security-saml?

Posted by 假如想象 on 2020-01-25 22:02:17

Question


The multi tenant SAML application I'm working on uses spring-security-saml and contains two service providers and one IDP (Active Directory Federation Services). The developer who worked SSO into this application chose to make it multi tenant because it is a dual-purpose application with two different interfaces - essentially two applications in one. It is designed to be used in a browser with two tabs open, so one interface runs in the first tab and the other interface runs in the second tab. Everything seems to be working properly with the exception of one particular workflow:

  1. Open a browser, navigate to the ADFS sign in page, and sign in to the application with the first service provider
  2. Open another tab, navigate to the ADFS sign in page, and choose the second service provider
  3. Perform a Global Logout

The log file contains errors like this:

    Message a598hd6ff68479a44c3495f7h4216aa not found in session 11cfm6ja982te14dxxul71iufg
    Received logout response is invalid
    InResponseToField in LogoutResponse doesn't correspond to sent message a598hd6ff68479a44c3495f7h4216aa

I suspect that this is related to the fact that the same JSESSIONID cookie is being shared between tabs, so when one SP logs out it terminates the associated session. Then when the other SP tries to log out with the same session it fails because the session is gone. Can someone please help me solve this problem?


Answer 1:


I was finally able to make this work correctly by setting invalidateHttpSession to false in the SecurityContextLogoutHandler bean. Now, when the first service provider logs out, the authentication still gets cleared, but the session remains alive. Then when the second service provider logs out, it finds the session and logs out successfully. This should be okay, as Jetty by default will timeout the session after 30 minutes of inactivity. Here is the bean I changed:

    // Logout handler terminating local session
    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
        logoutHandler.setInvalidateHttpSession(false);
        logoutHandler.setClearAuthentication(true);
        return logoutHandler;
    }
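The following is an added example, not code from the question or the answer above, showing how such a logout handler is wired into the spring-security-saml logout filters so that both the SP-initiated global logout and the IdP's LogoutResponse use the same handler. It assumes a Java-config setup modelled on the spring-security-saml sample application; the class name SamlLogoutConfig, the bean names, and the "/" target URL are assumptions for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.saml.SAMLLogoutProcessingFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

// Hypothetical configuration class; names are illustrative, not from the original post.
@Configuration
public class SamlLogoutConfig {

    // Local logout handler: clears the SecurityContext (the user is no longer
    // authenticated in this SP) but leaves the servlet session in place, so the
    // SAML message state stored in that session for the other SP survives and
    // the second LogoutResponse can still be matched to its LogoutRequest.
    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
        handler.setInvalidateHttpSession(false);
        handler.setClearAuthentication(true);
        return handler;
    }

    // Where the browser is sent once logout processing completes.
    @Bean
    public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
        SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();
        handler.setDefaultTargetUrl("/"); // assumed landing page
        return handler;
    }

    // Filter that starts a logout: the first handler array runs for a purely
    // local logout, the second when a global (single) logout is initiated and a
    // LogoutRequest is sent to the IdP. Both use the non-invalidating handler.
    @Bean
    public SAMLLogoutFilter samlLogoutFilter() {
        return new SAMLLogoutFilter(successLogoutHandler(),
                new LogoutHandler[] { logoutHandler() },
                new LogoutHandler[] { logoutHandler() });
    }

    // Filter that processes the LogoutResponse (or an IdP-initiated
    // LogoutRequest) arriving at /saml/SingleLogout; this is the step that
    // looks up the stored message by InResponseTo in the HTTP session.
    @Bean
    public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
        return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
    }
}
```

With this wiring the session cookie stays valid after logout until the container expires it, so the effective end of the session is the servlet session timeout rather than the logout itself; if that window matters, set it explicitly (for example via the servlet container's session-timeout setting) rather than relying on the container default.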



Source: https://stackoverflow.com/questions/39174802/how-can-i-get-global-logout-working-in-a-multi-tenant-saml-application-using-spr
