WSO2 IS - Do a Single Logout using the IdentitySAMLSSOService


I want to use the IdentitySAMLSSOService.wsdl to end a session using the doSingleLogout method, but I can't find any documentation around it. The method asks for a sessionId; the problem is that I don't know where to find that value. I've been looking in the SAML Response, headers, etc.

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://org.apache.axis2/xsd">
       <soap:Header/>
       <soap:Body>
          <xsd:doSingleLogout>
             <!--Optional:-->
             <xsd:sessionId></xsd:sessionId>
          </xsd:doSingleLogout>
       </soap:Body>
    </soap:Envelope>

The output seems to be the same always, with all the values I've tried.

    <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
       <soapenv:Body>
          <ns:doSingleLogoutResponse xmlns:ns="http://org.apache.axis2/xsd">
             <ns:return xsi:type="ax2362:SAMLSSOReqValidationResponseDTO" xmlns:ax2360="http://base.identity.carbon.wso2.org/xsd" xmlns:ax2362="http://dto.saml.sso.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ax2364="http://util.java/xsd">
                <ax2362:assertionConsumerURL xsi:nil="true"/>
                <ax2362:destination xsi:nil="true"/>
                <ax2362:doSingleLogout>false</ax2362:doSingleLogout>
                <ax2362:forceAuthn>false</ax2362:forceAuthn>
                <ax2362:id xsi:nil="true"/>
                <ax2362:idPInitSSO>false</ax2362:idPInitSSO>
                <ax2362:issuer xsi:nil="true"/>
                <ax2362:logOutReq>true</ax2362:logOutReq>
                <ax2362:loginPageURL xsi:nil="true"/>
                <ax2362:logoutRespDTO xsi:nil="true"/>
                <ax2362:logoutResponse xsi:nil="true"/>
                <ax2362:passive>false</ax2362:passive>
                <ax2362:queryString xsi:nil="true"/>
                <ax2362:requestMessageString xsi:nil="true"/>
                <ax2362:response xsi:nil="true"/>
                <ax2362:rpSessionId xsi:nil="true"/>
                <ax2362:subject xsi:nil="true"/>
                <ax2362:valid>false</ax2362:valid>
             </ns:return>
          </ns:doSingleLogoutResponse>
       </soapenv:Body>
    </soapenv:Envelope>

I'm using Identity Server 5.0.0 without SP1. The WebService is built into org.wso2.carbon.identity.sso.saml (4.2.3) and it's exposed at identityserverurl:9443/services/IdentitySAMLSSOService?wsdl.

Thanks in advance.

Asela On

According to the execution flow, it can be any value. As the doSingleLogout method does not consider an actual SAML2 logout request, no validation happens according to the sessionId value. However, in the real SSO single logout flow, sessionId would be the value of the 'samlssoTokenId' cookie which is set into the browser. Please note, the doSingleLogout method cannot be used to send a SAML logout request to other session participants. As I know, it can be used to destroy the SSO session in WSO2IS.

Also, you can destroy the WSO2IS SSO session in the following way, by calling the commonauth endpoint as mentioned in the last section of this:

https://localhost:9443/commonauth?commonAuthLogout=true&type=oidc2&sessionDataKey=7fa50562-2d0f-4234-8e39-8a7271b9b273&commonAuthCallerPath=http://localhost:8080/SSOWebApp/&relyingParty=SSOWebAPP
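A worked client for the call the answer describes, added here as an example (it is neither WSO2's code nor the poster's): it builds the doSingleLogout envelope with the samlssoTokenId cookie value as sessionId, posts it to the admin service, and flattens the SAMLSSOReqValidationResponseDTO so a caller can see that the reply (valid=false, logOutReq=true) says nothing about whether a session existed, exactly as the question observes. Assumptions: the admin service is protected by HTTP Basic auth, as WSO2 admin services normally are, and the embedded reply is a constructed, trimmed copy of the one in the question; the cookie value is a bearer session secret, so it is only ever sent over the verified HTTPS connection and never logged.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
AXIS_NS = "http://org.apache.axis2/xsd"          # namespace of doSingleLogout / sessionId
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

def build_single_logout_request(session_id: str) -> bytes:
    """SOAP 1.2 envelope for doSingleLogout; session_id is the samlssoTokenId cookie value."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("xsd", AXIS_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{AXIS_NS}}}doSingleLogout")
    ET.SubElement(op, f"{{{AXIS_NS}}}sessionId").text = session_id
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_single_logout_response(xml_bytes: bytes) -> dict:
    """Flatten the SAMLSSOReqValidationResponseDTO: xsi:nil -> None, true/false -> bool."""
    ret = ET.fromstring(xml_bytes).find(f".//{{{AXIS_NS}}}doSingleLogoutResponse/{{{AXIS_NS}}}return")
    if ret is None:
        raise ValueError("reply has no doSingleLogoutResponse/return element")
    fields = {}
    for child in ret:
        name = child.tag.split("}", 1)[1]           # strip the ax2362 namespace
        if child.get(f"{{{XSI_NS}}}nil") == "true":
            fields[name] = None
        elif child.text in ("true", "false"):
            fields[name] = child.text == "true"
        else:
            fields[name] = child.text
    return fields

def send_single_logout(service_url: str, session_id: str, user: str, password: str) -> dict:
    """POST to .../services/IdentitySAMLSSOService with Basic auth (assumed protection scheme)."""
    req = urllib.request.Request(service_url, data=build_single_logout_request(session_id), method="POST")
    req.add_header("Content-Type", "application/soap+xml; charset=utf-8")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req, timeout=10) as resp:   # TLS certificate of IS is verified
        return parse_single_logout_response(resp.read())

# Constructed reply, trimmed to the fields the original post shows (valid=false, logOutReq=true).
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Body><ns:doSingleLogoutResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xmlns:ax2362="http://dto.saml.sso.identity.carbon.wso2.org/xsd"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2362:issuer xsi:nil="true"/><ax2362:logOutReq>true</ax2362:logOutReq>
<ax2362:valid>false</ax2362:valid></ns:return></ns:doSingleLogoutResponse>
</soapenv:Body></soapenv:Envelope>"""
```

Because the DTO's `valid` flag is false for any sessionId, treat the call as fire-and-forget and confirm the logout by checking that the session no longer authenticates, not by inspecting this reply.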