[keycloak-dev] mod_auth_mellon

John Dennis jdennis at redhat.com
Wed Feb 10 13:18:57 EST 2016


On 01/18/2016 08:04 AM, Bill Burke wrote:
> Make sure that the SP and IDP metadata files both have a post binding in
> there for single logout service.  That's the only thing I can think of.
> Maybe mellon just doesn't support it.  The example file in the mellon
> doc uses redirect for logout.  *shrug*

Bill:

mod_auth_mellon *only* supports the HTTP-Redirect binding for issuing 
logout requests to the IdP. The reason is simple, mellon as an apache 
module does not have a mechanism for POST'ing a request to another 
location while it's processing a request. As such it relies on redirects 
to get the logout request to the IdP.

The problem is the metadata returned by Keycloak only includes a 
SingleLogoutService with the HTTP-POST binding.

Others have tested changing the binding in the IdP metdata to 
HTTP-Redirect and retaining the same URL endpoint (see below and others 
have done the same). It works. Therefore it seems like there is no 
reason for Keycloak not to support SingleLogoutService with the 
HTTP-Redirect binding. Seems like this would be a trivial edit to the 
metadata generator.

Agreed? Should we open a bug?

John


>
> On 1/18/2016 5:58 AM, Michal Hajas wrote:
>> Maybe I configured something wrongly. Do you have any ideas what? Mellon somehow thinks that keycloak doesn't support it so he doesn't even try.
>>
>> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, January 15, 2016 3:02:17 PM
>> Subject: Re: [keycloak-dev] mod_auth_mellon
>>
>> Looks like its on the auth mellon side as I don't see any request after:
>> /mellon/logout?ReturnTo=/
>>
>>
>>
>> On 1/15/2016 3:57 AM, Michal Hajas wrote:
>>
>>
>>
>> I can't see anything even in console log.
>>
>> I enclosed whole proccess of login and logout in network tab.
>>
>> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com> To: "Michal Hajas" <mhajas at redhat.com> Cc: keycloak-dev at lists.jboss.org Sent: Thursday, January 14, 2016 5:01:30 PM
>> Subject: Re: [keycloak-dev] mod_auth_mellon
>>
>> You can probably see a trace in your browser console?
>>
>> On 1/14/2016 10:21 AM, Michal Hajas wrote:
>>
>>
>>
>> Actually, I am not sure but it looks like not. There is nothing in both keycloak server log and events in admin console.
>>
>> Michal.
>>
>> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com> To: keycloak-dev at lists.jboss.org Sent: Thursday, January 14, 2016 3:28:36 PM
>> Subject: Re: [keycloak-dev] mod_auth_mellon
>>
>> Is mellon actually sending a logout request to Keycloak?
>> Do you see any error message on the keycloak server side? We definitely support POST binding for logout.
>> On 1/14/2016 8:34 AM, Michal Hajas wrote:
>>
>>
>>
>> Hi,
>>
>> I'm trying to run apache + mod_auth_mellon with keycloak as indentity provider.
>>
>> Steps:
>> 1. Install apache and mod_auth_mellon module
>> 2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory
>> 3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory
>> 4. Configure auth_mod_mellon with enclosed file auth_mellon.conf
>> 5. Create client in keycloak from xml file generated in step 2 (There must be enabled Sign Documents, Sign Assertions signing and Force POST Binding)
>>
>> Login works, when I access /auth, mellon redirect me to keycloak and after successful login it redirect me back to protected resource.
>>
>> Problem:
>> I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy session in keycloak and in apache's error log there is:
>> Current identity provider does not support single logout. Destroying local session only.
>>
>> Only way I was able to log out is change
>>
>> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location= "http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
>>
>> to
>>
>> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location= "http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
>>
>> POST -> Redirect
>>
>> in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console.
>>
>> Is it correct or it should work with POST binding too?
>>
>> Thank you,
>> Michal.
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>


-- 
John


More information about the keycloak-dev mailing list