Integrating WSO2 Identity server with Liferay - Single Log Out issues
I am trying to integrate WSO2 IS with Liferay as the service provider, but so far I have not succeeded. I made some changes to the code based on the three JIRA issues and patches raised by Benjamin Schmeling on the WSO2 Oxygen Tank:
https://wso2.org/jira/browse/IDENTITY-2856
The SAML settings on WSO2 IS are as follows:
Assertion Consumer URL: liferayserver:8080/c/portal/saml/acs
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Use fully Qualified username on NameID
Enable Response Signing
Enable Assertion Signing
Enable Single logout
-> ConsumerURL: liferayserver:8080/c/portal/saml/slo_redirect
Enable attribute profile
However, Liferay returns the following exception:
23:00:50,071 ERROR [http-thread-pool-8080(4)][BaseSamlStrutsAction:45] com.liferay.saml.UnsupportedBindingException
com.liferay.saml.UnsupportedBindingException
at com.liferay.saml.profile.SingleLogoutProfileImpl.processSingleLogout(SingleLogoutProfileImpl.java:216)
at com.liferay.saml.profile.SingleLogoutProfileUtil.processSingleLogout(SingleLogoutProfileUtil.java:54)
at com.liferay.saml.hook.action.SingleLogoutAction.doExecute(SingleLogoutAction.java:39)
at com.liferay.saml.hook.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:42)
at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
I also tried changing the single logout endpoint to liferayserver:8080/c/portal/saml/slo, to no avail. In both cases the session is closed on the identity server (WSO2) but not on the service provider (Liferay).
Any ideas what the problem might be?
It turns out that two additional modifications are needed for single logout to work. I will leave them here in case they help someone else, until these patches are integrated into their respective products. Special thanks to Benjamin Schmeling.
For SAML-based SLO you should use the /c/portal/saml/slo_redirect endpoint; however, Liferay is not able to handle POST requests (at least in the newest version of the SAML portlet). You have to adapt the Liferay SAML portlet as follows:
In SingleLogoutProfileImpl.processSingleLogout(HttpServletRequest request, HttpServletResponse response) add a new else if branch:
else if (requestPath.endsWith("/slo_redirect") &&
        method.equalsIgnoreCase(HttpMethods.POST)) {
    samlBinding = getSamlBinding(SAMLConstants.SAML2_POST_BINDING_URI);
}
Furthermore, in SingleLogoutProfileImpl.sendSpLogoutRequest(HttpServletRequest request, HttpServletResponse response), after logoutRequest.setVersion, add the SessionIndex required by WSO2 by calling:
addSessionIndex(logoutRequest, samlSpSession.getSessionIndex());
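As an added example (not code from the question, from Liferay or from WSO2), the following Python models the two fixes in the answer above: binding selection for the SLO endpoint that also accepts HTTP-POST on /slo_redirect, and an SP-initiated LogoutRequest that carries the SessionIndex, with a check for its presence. The GET/redirect branch, the issuer and all sample values are assumptions, not Liferay's actual code.

```python
# Added example: models the SLO binding fix and the SessionIndex fix from the answer.
# The GET/redirect branch, issuer and sample values are constructed assumptions.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

SAML2_POST_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_REDIRECT_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def select_slo_binding(request_path: str, method: str) -> str:
    """Binding selection for the SLO endpoint. Without the POST branch an IdP
    that posts its logout message to /slo_redirect is rejected, which matches
    the UnsupportedBindingException from processSingleLogout in the question."""
    method = method.upper()
    if request_path.endswith("/slo_redirect") and method == "GET":
        return SAML2_REDIRECT_BINDING_URI
    if request_path.endswith("/slo_redirect") and method == "POST":  # the patched branch
        return SAML2_POST_BINDING_URI
    raise ValueError(f"unsupported binding: {method} {request_path}")


def build_logout_request(issuer: str, name_id: str,
                         session_index: Optional[str]) -> str:
    """Minimal unsigned SAML 2.0 LogoutRequest. session_index=None reproduces
    the pre-patch message that omitted SessionIndex."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_SAML}}}NameID", {"Format": EMAIL_FORMAT}).text = name_id
    if session_index is not None:  # schema order: Issuer, NameID, then SessionIndex
        ET.SubElement(req, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def session_indexes(logout_request_xml: str) -> List[str]:
    """Check an outgoing LogoutRequest for the SessionIndex values it carries."""
    root = ET.fromstring(logout_request_xml)
    return [e.text or "" for e in root.findall(f"{{{NS_SAMLP}}}SessionIndex")]
```

Running session_indexes over the SP's outgoing LogoutRequest is a quick way to confirm the second fix took effect before testing against the IdP again.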