[keycloak-dev] mod_auth_mellon

Bill Burke bburke at redhat.com
Wed Feb 10 13:56:46 EST 2016



On 2/10/2016 1:18 PM, John Dennis wrote:
> On 01/18/2016 08:04 AM, Bill Burke wrote:
>> Make sure that the SP and IDP metadata files both have a post binding in
>> there for single logout service.  That's the only thing I can think of.
>> Maybe mellon just doesn't support it.  The example file in the mellon
>> doc uses redirect for logout.  *shrug*
>
> Bill:
>
> mod_auth_mellon *only* supports the HTTP-Redirect binding for issuing 
> logout requests to the IdP. The reason is simple, mellon as an apache 
> module does not have a mechanism for POST'ing a request to another 
> location while it's processing a request. As such it relies on 
> redirects to get the logout request to the IdP.
>
Huh?  apache doesn't need to make any background HTTP requests.  The 
trick is to encode and pass back an HTML document with javascript in 
it.  That's how the spec recommends it and how we support POST binding.  
It's all done via browser requests.

> The problem is the metadata returned by Keycloak only includes a 
> SingleLogoutService with the HTTP-POST binding.
>
> Others have tested changing the binding in the IdP metadata to 
> HTTP-Redirect and retaining the same URL endpoint (see below and 
> others have done the same). It works. Therefore it seems like there is 
> no reason for Keycloak not to support SingleLogoutService with the 
> HTTP-Redirect binding. Seems like this would be a trivial edit to the 
> metadata generator.
>
> Agreed? Should we open a bug?
Yes please.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
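The two SingleLogoutService bindings discussed in this thread, as an added example that is not part of the original message or of Keycloak or mod_auth_mellon: the HTTP-Redirect binding deflates and base64-encodes the LogoutRequest into a query parameter, while the HTTP-POST binding base64-encodes it into a hidden field of an HTML form that the browser submits itself via JavaScript, so the SP never has to issue a server-side POST. The LogoutRequest XML, entity IDs and URLs below are constructed placeholders.

```python
import base64
import html
import urllib.parse
import zlib
from html.parser import HTMLParser
from typing import Dict, Optional

# Constructed sample: a minimal SAML 2.0 LogoutRequest. The ID, URLs and issuer
# are placeholders for illustration only, not values from any real deployment.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-logout-id" Version="2.0" IssueInstant="2016-02-10T18:56:46Z"
    Destination="https://idp.example.test/realms/demo/protocol/saml">
  <saml:Issuer>https://sp.example.test/mellon/metadata</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-123</saml:NameID>
</samlp:LogoutRequest>"""


def redirect_binding_url(idp_slo_url: str, xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (to keep the URL short), base64,
    URL-encode, and carry the result in the SAMLRequest query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_slo_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url: str) -> str:
    """Inverse of redirect_binding_url: what the IdP does when the browser arrives."""
    query = urllib.parse.urlparse(url).query
    saml_request = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def post_binding_html(idp_slo_url: str, xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-POST binding: base64 (no compression) inside a self-submitting form.
    The SP returns this page to the browser; the browser performs the POST to the IdP."""
    fields = [("SAMLRequest", base64.b64encode(xml.encode("utf-8")).decode("ascii"))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" value="{html.escape(v, quote=True)}"/>'
        for n, v in fields
    )
    return f"""<!DOCTYPE html>
<html><body onload="document.forms[0].submit()">
  <noscript><p>JavaScript is disabled. Use the button to continue.</p></noscript>
  <form method="post" action="{html.escape(idp_slo_url, quote=True)}">
{inputs}
    <noscript><input type="submit" value="Continue"/></noscript>
  </form>
</body></html>"""


class _HiddenInputCollector(HTMLParser):
    """Collects hidden <input> fields; stands in for the browser's form submission."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "input":
            a = dict(attrs)
            if a.get("type") == "hidden" and a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""


def decode_post_binding(form_html: str) -> str:
    """Inverse of post_binding_html: recover the XML the IdP would receive in the POST body."""
    collector = _HiddenInputCollector()
    collector.feed(form_html)
    return base64.b64decode(collector.fields["SAMLRequest"]).decode("utf-8")


if __name__ == "__main__":
    slo = "https://idp.example.test/realms/demo/protocol/saml"  # placeholder IdP SLO endpoint
    print(redirect_binding_url(slo, SAMPLE_LOGOUT_REQUEST, "state-1"))
    print(post_binding_html(slo, SAMPLE_LOGOUT_REQUEST, "state-1"))
```

Either encoding reaches the IdP through the user's browser alone, which is why an SP module that can only emit redirects and HTML is still able to implement both bindings; the IdP metadata simply has to advertise whichever binding the SP will actually use.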


