9 Replies Latest reply on Mar 15, 2013 4:49 PM by Luis

    SAML2.0 Single logout weblogic 10.3


      I wanted to implement the Web SSO on weblogic domain using SAML 2.0. I have been able to successfully configured the SAML 2.0 on IDP and two SP WL domain. However i am unable to find a way for single logout feature of the SAML2.0. Is it supported on WL10.3? I searched a lot but could not find any documents on it. Any one have any idea about implementing single logout in weblogic?

      Any help is greatly appreciated.

      Edited by: user650218 on Jun 6, 2011 1:35 PM
        • 1. Re: SAML2.0 Single logout weblogic 10.3
          Faisal WebLogic Wonders
          SAML logout is not supported in WebLogic Server


          You can use the following way to log out users who have been authenticated using SAML.

          * ServletAuthentication.logout()
          * ServletAuthentication.invalidateAll()
          * ServletAuthentication.killCookie()


          1 person found this helpful
          • 2. Re: SAML2.0 Single logout weblogic 10.3
            Hi Faisal. Its really surprising to know that Weblogic is not supporting the single logout feature. This makes using SAML2.0 very difficult to use. I had tried these options of ServletAuthentication but It does not seems to be working with multiple domains, specially with IDP.
            The logout happens on the SP side. The cookie gets deleted but gets created again if user hits the secured resource on service provider again. In case of successful logout user should have challenged for the credentials again which is not happening. Apparently the session on the IDP is not getting invalidated, thats exactly what we need.
            I am wondering how every one was implementing in it SAML1.0?

            Thanks fro help
            • 3. Re: SAML2.0 Single logout weblogic 10.3

              Here: [http://git.springsource.org/spring-security/se-security/blobs/80ccb029118197a18f2ca9452918d1fe4623554c/spring-security-saml/saml2-core/src/main/java/org/springframework/security/saml/SAMLLogoutFilter.java you can find a sample on how is implemented a logout filter using spring-security. Spring security uses "under the hood" SAML2, so maybe it could bring you at least a clue...

              Surely I have to implement also a logout filter for my applications, but for the moment I am trying to configure my Weblogic SP servers properly.

              Hope it helps,


              ps: by the way, have you been able to configure a Weblogic Server as a Service Provider?. I have configured one server for working as a Service Provider, but for the moment I am only able to authenticate users that belong to the "users" role (it is supposed that all authenticated users have this rol). Thanks in advance...

              Edited by: 868221 on Jul 5, 2011 1:45 AM

              Edited by: 868221 on Jul 5, 2011 1:46 AM                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
              • 4. Re: SAML2.0 Single logout weblogic 10.3

                I am implementing the Single Log Out protocol for Weblogic 10.3. For the moment I am doing it +"manually"+, this is, having enabled a managed server for the Service Provider Role I follow this steps:

                1. Send a <AuthnRequest> to the IdP
                2. Logged in and get the SAMLResponse
                3. Decode the <Response> from the IdP and get the SessionIndex value
                4. Create a <LogoutRequest> (basic values, Destination, NameID, Issuer, SessionIndex)
                5. Sign the <LogoutRequest> and send to the IdP
                6. Verify the <LogoutResponse>

                My first requirement would be to get the SessionIndex value. I am wondering if there is a simple way to get it, API invocation or similar... I guess that I still have a "little" code to do...

                Hope it helps,

                • 5. Re: SAML2.0 Single logout weblogic 10.3

                  Finally I have developd a custom implementation of the Single Log Out Protocol. The core is a servlet that creates the SAMLrequest's (<LogoutRequest>) and manages the SAMLResponses (<LogoutResponse>).

                  Also I have added the <SingleLogoutService> element to my SP metadata in order to register the Single Log Out endpoint at the IdP side.
                  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myHost/saml2slo/SPSloRedirect/sp"/>
                  Hope it helps,

                  • 6. Re: SAML2.0 Single logout weblogic 10.3
                    Hi Luis
                    Can you provide more details on how you implemented the SAML logout Response (<LogoutResponse>).

                    My weblogic server is acting as the SAML 2.0 Identity Provider (relying party) and an ADFS app as the SAML 2.0 Identity Provider (aka Asserting Party). ADFS is expecting a SAML logout response from Weblogic when user attempt to logout.

                    • 7. Re: SAML2.0 Single logout weblogic 10.3
                      Hello Jon,

                      Yes I can. The idea is simple.

                      * I assume that you have registered Weblogic as a SP in ADFS. For the SLO endpoint I am using HTTP-Redirect binding: <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your.weblogic.domain/saml2slo/sp"/>

                      * In the applications you only have to add a link to the ADFS logout. i.e: https://your.adfs.domain/adfs/ls/?wa=wsignout1.0. Click this link will trigger the SLO process.

                      * In the Weblogic side: you will need to developed a servlet, mapped to saml2slo/sp, that will perform this actions:

                      1. Get the SAMLRequest parameter from ADFS.

                      2. Verify this SAMLRequest (you could skip this step, but you should not).For this:

                      2.1 urlEncode it
                      2.2 Decode (Base64) the signature (Signature) parameter
                      2.3 Verify using the ADFS public key (you must have it in your Weblogic Security Realm IdPartner configuration). You can get it through JMX.

                      3. Generate the SAMLResponse:
                      3.1 You will need to get this elements from the SAMLRequest: ID and Destination
                      3.2 Create the LogoutResponse xml. This two fields are really important:
                      3.2.1 ID: you have to generated see SAML2 specs. I use this recipe:
                      byte[] buf = new byte[16];
                      id="_".concat(new String(Hex.encode(buf)));
                      3.2.6 InResponseTo = SAMLResquest ID!!!
                      3.3 Deflate and encode (base64) the LogoutResponse
                      3.4 URL-encode the above deflatedResponse
                      3.5 Sign the SAMLResponse=value&SigAlg=value
                      3.6 URL-encode the signature
                      3.7 Constructs the final URL: https://your.adfs.domain?SAMLResponse=value&SigAlg=value&Signature=value

                      4. Before send the final response you should make the local logout: http://download.oracle.com/
                           * docs/cd/E17904_01/web.1111/e13712/sessions.htm#WBAPP300

                      And you are done!

                      Hope it helps,

                      • 8. Re: SAML2.0 Single logout weblogic 10.3
                        Hi Luis
                        Thank you for your detailed response. I have extracted the ID from the SAMLRequest and built a SAMLResponse using oracle.security.xmlsec.saml2.protocol.LogoutResponse and set the InResponseTo and status code etc in the XML response object. The question I have is what key do you use to sign the message response (your step 3.5) and how do you obtain the key?


                        • 9. Re: SAML2.0 Single logout weblogic 10.3
                          Hi Jon,

                          Good question. You have to use the Single Sign-on Signing Key Alias . You should specify this value in Home >Summary of Servers >your_server , Configuration, Federation Services, SAML 2.0 General tab, Single Sign-on section.

                          If you have not filled the above value, you must use the default managed server private key (the one that you specify in the SSL tab).

                          You can access the key through the CustomIdentityKeyStoreFileName MBean (using JMX)

                          Hope it helps,