I am testing the SLO functionality of Shibboleth SP with WSO2 Identity Server as the IdP. If I try to log in to the service shortly after the service provider has received a logout message via the back channel, the exception from the title is shown (more details below).
My question is: can this behaviour of the Shibboleth service provider be turned off through configuration? It looks like something that could be controlled by a SecurityPolicy rule, but I cannot find which one.
Test scenario:
One instance of WSO2IS ver. 5.1.0 is configured, along with two instances of Shibboleth SP ver. 2.6 (Apache 2.4). WSO2IS is configured to use Shibboleth's /SLO/POST binding endpoint for single logout.
(So far everything works as expected: after a successful SLO, SP2 has to log in again to access the protected resource.)
I will add that looking at the log files has not revealed the problem to me. The WSO2IS log shows no errors.
shibd.log of SP2
(after first login to SP2)
INFO Shibboleth.SessionCache [5]: new session created: ID (_1cf4bfa247ec917f987d485e32aa102c) IdP (wso2is) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (147...)
(after logout from SP1)
INFO Shibboleth.Logout.SAML2 [1]: processing front channel logout request with no active session
INFO Shibboleth.SessionCache [1]: request to logout sessions from (wso2is) for (user@carbon.super)
INFO Shibboleth.SessionCache [9]: removed session (_1cf4bfa247ec917f987d485e32aa102c)
INFO Shibboleth.Logout.SAML2 [9]: client's session isn't available, skipping front-channel notifications
(then after the second login, even though SAML messages are exchanged with the IdP the same way as the first time, and with no errors, a new session is not created)
(at that point shibboleth-www/native.log shows:)
DEBUG Shibboleth.Listener [10379] shib_handler: sending message (default/SAML2/POST)
DEBUG Shibboleth.Listener [10379] shib_handler: send completed, reading response message
ERROR Shibboleth.Listener [10379] shib_handler: remoted message returned an error: A logout message from your identity provider has blocked your login attempt.
ERROR Shibboleth.Apache [10379] shib_handler: A logout message from your identity provider has blocked your login attempt.
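Added example (not part of the original post, and not code from the Shibboleth or WSO2 projects): a small Python script that merges shibd.log and native.log lines by timestamp and correlates each "blocked your login attempt" error with the SessionCache logout that preceded it, reporting the IdP, the user, the removed session IDs and how many seconds after the logout the login was attempted. The sample log text, its timestamps and the Address value are constructed for this example and modelled on the lines quoted above; the five-minute correlation window is an assumption, not a Shibboleth setting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the shibd.log / native.log lines quoted in the
# post. Timestamps, the Address value and the merge of both files into one text
# are assumptions of this example, not data from the original post.
SAMPLE_LOG = """\
2016-04-12 10:00:01 INFO Shibboleth.SessionCache [5]: new session created: ID (_1cf4bfa247ec917f987d485e32aa102c) IdP (wso2is) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (147.0.0.1)
2016-04-12 10:02:30 INFO Shibboleth.Logout.SAML2 [1]: processing front channel logout request with no active session
2016-04-12 10:02:30 INFO Shibboleth.SessionCache [1]: request to logout sessions from (wso2is) for (user@carbon.super)
2016-04-12 10:02:30 INFO Shibboleth.SessionCache [9]: removed session (_1cf4bfa247ec917f987d485e32aa102c)
2016-04-12 10:02:41 DEBUG Shibboleth.Listener [10379] shib_handler: sending message (default/SAML2/POST)
2016-04-12 10:02:41 ERROR Shibboleth.Listener [10379] shib_handler: remoted message returned an error: A logout message from your identity provider has blocked your login attempt.
2016-04-12 10:02:41 ERROR Shibboleth.Apache [10379] shib_handler: A logout message from your identity provider has blocked your login attempt.
2016-04-12 11:15:05 ERROR Shibboleth.Listener [10402] shib_handler: remoted message returned an error: A logout message from your identity provider has blocked your login attempt.
"""

# Both log files start each line with the same 'YYYY-MM-DD HH:MM:SS' prefix.
TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
LOGOUT_RE = re.compile(TS + r"INFO Shibboleth\.SessionCache \[\d+\]: request to logout sessions "
                       r"from \((?P<idp>[^)]*)\) for \((?P<user>[^)]*)\)")
REMOVED_RE = re.compile(TS + r"INFO Shibboleth\.SessionCache \[\d+\]: removed session \((?P<sid>[^)]*)\)")
# Only the Listener line is matched: the Shibboleth.Apache line is the same
# event echoed into the web server module, so matching both would double count.
BLOCKED_RE = re.compile(TS + r"ERROR Shibboleth\.Listener \[\d+\] shib_handler: remoted message "
                        r"returned an error: A logout message from your identity provider has "
                        r"blocked your login attempt\.")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def merge_logs(*log_texts):
    """Merge shibd.log and native.log text into one timestamp-ordered list of
    lines. sorted() is stable, so lines with equal timestamps keep file order."""
    lines = [l for text in log_texts for l in text.splitlines() if l.strip()]
    return sorted(lines, key=lambda l: l[:19])


def find_blocked_logins(lines, window=timedelta(minutes=5)):
    """Return one record per login the SP rejected with the logout-block error.
    Each record has 'blocked_at' and 'logout': the IdP, user, removed session
    IDs and seconds elapsed for a SessionCache logout seen within `window`
    before the block, or None when no logout lies in that window."""
    last_logout = None
    hits = []
    for line in lines:
        m = LOGOUT_RE.match(line)
        if m:
            last_logout = {"at": _ts(m["ts"]), "idp": m["idp"],
                           "user": m["user"], "removed": []}
            continue
        m = REMOVED_RE.match(line)
        if m and last_logout is not None and _ts(m["ts"]) - last_logout["at"] <= window:
            # Session removals that follow the logout request belong to it.
            last_logout["removed"].append(m["sid"])
            continue
        m = BLOCKED_RE.match(line)
        if m:
            when = _ts(m["ts"])
            cause = None
            if last_logout is not None and timedelta(0) <= when - last_logout["at"] <= window:
                elapsed = int((when - last_logout["at"]).total_seconds())
                cause = dict(last_logout, seconds_after_logout=elapsed)
            hits.append({"blocked_at": when, "logout": cause})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_logins(merge_logs(SAMPLE_LOG)):
        print(hit)
```

On real hosts, pass the contents of shibd.log and native.log as separate arguments to merge_logs; the window should be set to roughly the longest gap you consider "logging in shortly after logout", since a block reported long after any logout is a different problem from the one described in the post.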