Tags: single-sign-on, saml-2.0, websphere-8, websphere-liberty, adfs3.0

SAML Logout in Websphere Liberty/Classic Websphere


We are trying to achieve SP-initiated SAML SSO with ADFS (our IDP) from WebSphere applications. We have used Liberty server, which acts as the Service Provider/Relying Party. Using Liberty as a bridge we are able to do Sign-In for all applications deployed in classic WebSphere. But we are stuck at the Logout process.

As of now WebSphere does not provide any SAML Logout feature. We tried using session.invalidate() method, also tried removing all cookies and request.logout() method. Though request.logout() removes the Authentication object, still we are able to access the application in the same browser session without any need to enter credentials.

We tried using ADFS WS-Federation Sign-Out URL mentioned here:

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

But because Liberty is not able to handle the Logout request and response, sign-out does not happen for WebSphere applications.

Are we following the correct approach? Is there any other workaround for achieving Sign-Out? Is there a way to programmatically send a SAML Logout request to ADFS from WebSphere?
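For readers wondering what "programmatically send a SAML Logout request" actually involves on the wire, here is an added example (not code from the question, the answer, IBM Liberty or ADFS) that builds a SAML 2.0 `LogoutRequest` and packs it into the HTTP-Redirect binding the SP would send the browser to, then decodes it again the way the IdP side would. The issuer (a Liberty-style SP entity ID), the ADFS endpoint, the NameID and the SessionIndex are constructed placeholders. ADFS requires such requests to be signed (the `SigAlg` and `Signature` query parameters); signing is omitted here, so this shows the message and encoding, not a complete SP.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_logout_request(issuer, destination, name_id, session_index,
                         request_id=None, issue_instant=None):
    """Build a SAML 2.0 <samlp:LogoutRequest> and return it as an XML string.

    The NameID and SessionIndex must match what the IdP put in the login
    assertion; that is how the IdP identifies which session to terminate.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML_NS}}}NameID",
                  {"Format": EMAIL_FORMAT}).text = name_id
    ET.SubElement(root, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml_text, destination, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.

    A production SP also appends SigAlg and Signature over the query string;
    that step is intentionally left out of this illustration.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in destination else "?"
    return destination + separator + urlencode(params)


def decode_redirect_binding(url):
    """Reverse of encode_redirect_binding: returns (xml_text, relay_state)."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    return xml_text, query.get("RelayState", [None])[0]


def parse_logout_request(xml_text):
    """Pull the fields an IdP needs out of a received LogoutRequest."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML_NS}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP_NS}}}SessionIndex"),
    }


if __name__ == "__main__":
    # Constructed placeholder values; the SP entity ID follows the Liberty
    # /ibm/saml20/<spName> pattern only as an assumption for this example.
    sp_entity_id = "https://liberty.example.test/ibm/saml20/defaultSP"
    adfs_endpoint = "https://adfs.example.test/adfs/ls/"
    xml = build_logout_request(sp_entity_id, adfs_endpoint,
                               "alice@example.test", "_session-index-1")
    url = encode_redirect_binding(xml, adfs_endpoint, relay_state="app1")
    print(url)
    decoded_xml, relay = decode_redirect_binding(url)
    print(parse_logout_request(decoded_xml), relay)
```

The round trip matters for the situation in the question: local calls such as `request.logout()` or `session.invalidate()` only drop the SP-side session; unless a message like this reaches the IdP (and the IdP's `LogoutResponse` is handled on the way back), the IdP session survives and the next request is silently re-authenticated.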


Solution

  • Finally we are able to achieve logout after the addition of logout functionality in Websphere Liberty by IBM as mentioned here. Liberty is working as SP/bridge for SAML login and logout and applications are deployed in Websphere Application Server.