[keycloak-dev] backchannel logout for SAML SP
Bill Burke
bburke at redhat.com
Mon Sep 14 15:28:06 EDT 2015
I agree with you 100%, Marek, but what you did for the Keycloak adapter
was a proprietary extension to OIDC. There is no standard way to
do this in SAML that I know of. We will have the same problem in the
new Logout OpenID Connect specification too.
We need something that will work with non-Keycloak IDPs.
On 9/14/2015 3:16 PM, Marek Posolda wrote:
> Is it about maintaining an Infinispan cache on the adapter side? I would rather
> avoid this if possible. It's another needed step for setup and IMO a
> possible source of troubles (especially in cluster environments).
>
> Isn't it better to start an HttpSession on the adapter even before SAML
> authentication and transmit the HttpSessionID to the auth-server in the SAMLRequest
> for login? Then the auth-server will receive the SAMLRequest and save the
> HttpSessionID to the CLIENT_SESSION_STATE note on the ClientSession (similarly
> to what is done for OIDC). Then the server knows the HttpSessionId and backchannel
> logout isn't an issue.
>
> Marek
>
> On 14/09/15 17:52, Bill Burke wrote:
>> I'm running into a problem implementing backchannel logout for our new
>> SAML SP. SAML has no way of transmitting client-specific session
>> information that I can tell. So, I need some way of associating an
>> auth-server-specific session index and the Principal so that I can look
>> up an HTTP session and invalidate it based on one of those parameters.
>>
>> We're gonna have the same exact problems when we implement the OIDC
>> equivalent specifics (these are new BTW).
>>
>> I'm thinking of writing a simple Infinispan cache that associates
>> principals/session-indexes to HTTP session ids and making it reusable
>> between SAML and OIDC adapters.
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
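The mapping Bill describes above (SAML SessionIndex and principal to local HTTP session ids, so a backchannel LogoutRequest can find and invalidate the right sessions) as an added, self-contained example. This is not Keycloak's adapter code: the Infinispan cache is replaced by an in-memory registry, `AppSession` is a hypothetical stand-in for the servlet `HttpSession`, the LogoutRequest XML is constructed for the demo, and signature verification of the LogoutRequest, which a real SP must do before acting on it, is assumed to have happened earlier in the pipeline.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SamlBackchannelLogout {

    /** Hypothetical stand-in for the servlet HttpSession; only what the registry needs. */
    interface AppSession {
        String id();
        void invalidate();
    }

    /** In-memory stand-in for the Infinispan cache: SessionIndex / principal -> HTTP session ids. */
    static final class SessionIndexRegistry {
        private final Map<String, String> bySessionIndex = new ConcurrentHashMap<>();
        private final Map<String, Set<String>> byPrincipal = new ConcurrentHashMap<>();
        private final Map<String, AppSession> sessions = new ConcurrentHashMap<>();

        /** Record the association when the SAML Response for this session is accepted. */
        void register(String sessionIndex, String principal, AppSession session) {
            sessions.put(session.id(), session);
            bySessionIndex.put(sessionIndex, session.id());
            byPrincipal.computeIfAbsent(principal, p -> ConcurrentHashMap.newKeySet()).add(session.id());
        }

        /** Call from HttpSessionListener.sessionDestroyed so entries never outlive the session. */
        void forget(String httpSessionId) {
            sessions.remove(httpSessionId);
            bySessionIndex.values().removeIf(httpSessionId::equals);
            byPrincipal.values().forEach(ids -> ids.remove(httpSessionId));
            byPrincipal.values().removeIf(Set::isEmpty);
        }

        /** Backchannel logout keyed by the IdP's SessionIndex; returns sessions invalidated. */
        int logoutBySessionIndex(String sessionIndex) {
            String id = bySessionIndex.get(sessionIndex);
            if (id == null) return 0;
            invalidate(id);
            return 1;
        }

        /** Fallback keyed by principal (NameID) when the request carries no SessionIndex. */
        int logoutByPrincipal(String principal) {
            Set<String> ids = byPrincipal.getOrDefault(principal, Collections.emptySet());
            int n = 0;
            for (String id : new ArrayList<>(ids)) { invalidate(id); n++; }
            return n;
        }

        private void invalidate(String id) {
            AppSession s = sessions.get(id);
            if (s != null) s.invalidate();
            forget(id);
        }
    }

    /** Extracts SessionIndex values from a (previously signature-verified) LogoutRequest.
     *  DOCTYPE and entity expansion are disabled so a hostile request cannot trigger XXE. */
    static List<String> sessionIndexes(String logoutRequestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(logoutRequestXml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = d.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:protocol", "SessionIndex");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        SessionIndexRegistry registry = new SessionIndexRegistry();
        // Two constructed sessions for the same user, e.g. two browsers.
        registry.register("idx-1", "alice", new AppSession() {
            public String id() { return "JSESSION-A"; }
            public void invalidate() { System.out.println("invalidated JSESSION-A"); }
        });
        registry.register("idx-2", "alice", new AppSession() {
            public String id() { return "JSESSION-B"; }
            public void invalidate() { System.out.println("invalidated JSESSION-B"); }
        });

        // Constructed LogoutRequest; a real one is signed and verified before reaching here.
        String logoutRequest =
            "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
          + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_req1\" Version=\"2.0\">"
          + "<saml:NameID>alice</saml:NameID><samlp:SessionIndex>idx-1</samlp:SessionIndex>"
          + "</samlp:LogoutRequest>";

        int count = 0;
        for (String idx : sessionIndexes(logoutRequest)) count += registry.logoutBySessionIndex(idx);
        System.out.println("sessions invalidated by SessionIndex: " + count);   // 1, only JSESSION-A
        System.out.println("remaining for alice: " + registry.logoutByPrincipal("alice")); // 1, JSESSION-B
    }
}
```

The registry is deliberately keyed both ways: a LogoutRequest normally names the SessionIndex, so only that one session is ended, while an IdP that omits it falls back to the principal and ends every session for that user. Wiring `forget` to `HttpSessionListener.sessionDestroyed` keeps the map from growing without bound when sessions time out on their own.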