Skip to end of metadata
Go to start of metadata

The login, logout and sessions are handled in App Manager as follows.

Handling login 

Logging in to App Manager is handled according to the following sequence of events. 

  1. When a user tries to access an App Manager gateway URL of a successfully subscribed application via the browser, a GET request is made to the gateway, which will be intercepted by a Synapse API Handler. 
  2. Synapse API Handler handler checks if a certain cache key is present in the request header. If it is the first time the URL is being invoked, there won't be a cache key present in the request. Hence the user is redirected to the login page of the identity provider (which is WSO2 Identity Server in this case) for authentication. 
  3. Once the user is authenticated, the Identity Provider (IDP) sends a SAML response back to the gateway, which will in turn be cached in the App Manager for future reference. (The cache key for this response is sent back to the browser as a Cookie). 
  4. The gateway drafts a JWT token with claims recovered from the IDP SAML response, which will be sent back to the web app along with the initial cache key. The web app will now have all the values needed for authentication.

Handling logout 

Logging out of App Manager is handled according to the following sequence of events.

  1. Once a request is made to the logout URL, the handler identifies the request as a logout call and a redirect is made to the IDP with a single logout, along with the session index and other utility parameters. 

    App Manager does not maintain a session for the user. It is delegated to the IDP to take care of. The only reference of the user withheld on App Manager, is the cached SAML response stored against the cache key, which is sent back to the browser. 

  2. Once the IDP encounters a single logout request, it will clear the session maintained for the user, against the session index. 
  3. Once this is done, the APP Manager will also wipe from its cache, the original cache response held against the cache key rendering the user as unauthenticated. 
  4. The user will be redirected to the IDP LogIn page.
  • No labels