Problem description
OKTA-Shibboleth(Apache)-Nakisa(Tomcat)
SSO is working for logging in. Now I need to configure logout, so that when the user logs out from the app, the user is redirected to the Okta page with the tiles.
But currently, the user is redirected to the app again.
It sends the user to /logout?redirect=default.html, but that default.html is captured by the Apache rule and logs the user back in.
It looks like it needs to hit https://xxxx/Shibboleth.sso/Logout. When I access this URL, it says logout completed successfully, although it does not go back to Okta. Does that mean that in the app's logout settings, they need to redirect to this?
But how do I make the user go back to the IdP (i.e. Okta) again?
This is what I assume will happen:
Logout button click > logout from Shibboleth > return to OKTA so user can click other tiles.
Something to configure in shibboleth2.xml? The documentation says I just need to configure the following, which is there by default:
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
But how does it redirect the user to Okta (the IdP) once the user's logout completes? Is it configured in the IdP's metadata?
Recommended answer
You can redirect the user anywhere you'd like after a local logout event by passing the ?return= parameter a URL-encoded destination, i.e. you should update your logout link to:
https://xxxx/Shibboleth.sso/Logout?return=https%3A%2F%2Fgoogle.com
in order to redirect folks to Google once logout has taken place.
Now you only need an Okta URL to return folks to... so I think if your client's Okta tenant is "foobar.okta.com", redirecting them after local logout to the Okta login page shouldn't prompt them to log in, since they will already have the Okta session... so maybe try:
https://xxxx/Shibboleth.sso/Logout?return=https%3A%2F%2Ffoobar.okta.com%2Flogin
Of course, you'll need to test that... but it should work, and on the off chance that the user's Shibboleth SP session was active while their Okta session had been invalidated through some other mechanism, that will just return them to their regular Okta login page.
You can obviously redirect them to any endpoint with the return parameter, for example whatever Okta's logout URL is (if you wanted to kill their Okta session too).
The only logout that's configurable by metadata is SLO (single logout), i.e. if you wanted it to, Shibboleth can redirect the user to Okta after they complete the logout of the SP session, along with a specially crafted <LogoutRequest> assertion payload, which Okta would parse and act on in any number of ways, i.e. killing the user's Okta session, propagating subsequent Okta-initiated <LogoutRequest> assertions to other Service Providers, etc. In practice, this never really works, because such configurations are very difficult to get working between all of the relevant parties.
This concludes the article on how single logout works with OKTA (IdP) - Shibboleth (SP) - App.