<div dir="ltr">Isn't the http session id part of the standard backchannel log out?</div><div class="gmail_extra"><br><div class="gmail_quote">On 15 September 2015 at 14:58, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We can do anything we want on the server side, the problem is that our client adapters, SAML and OIDC, should be able to work with non-Keycloak IdPs.<span class=""><br>
<br>
On 9/15/2015 7:25 AM, Stian Thorgersen wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Could we store the mapping on the Keycloak side? client-id + http<br>
session id --> KC session id?<br>
<br>
On 14 September 2015 at 22:41, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br></span><div><div class="h5">
<mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>> wrote:<br>
<br>
<br>
<br>
On 9/14/2015 4:20 PM, Marek Posolda wrote:<br>
> On 14/09/15 21:46, Bill Burke wrote:<br>
>> The SAML IdP is not required to send back that id. That ID is just<br>
>> the ID of the request.<br>
> The SAML IdP doesn't need to send anything back. I meant that<br>
> HttpSessionID will be send in the ID of SAMLRequest from SAML SP to<br>
> auth-server . I don't know if there is any better attribute/element of<br>
> AuthnRequest, which can be used to transmit such "custom" data.<br>
><br>
<br>
SAML logout requests to the SP client contain the principal name and/or<br>
possibly one *or more* SSO IDs (session indexes). New OIDC spec will<br>
work similarly.<br>
<br>
>><br>
>> A hack I'm thinking of is to create an HttpSession that is shared by<br>
>> everybody and store this SSO id/username -> to -> HttpSession id map<br>
>> there.<br>
> That's good, we can avoid dependency on infinispan.<br>
<br>
Ugh, unfortunately, you can't provide our own session id with Undertow's<br>
or Jetty's sessionmanager interface. :( So no way to hack this except<br>
for Tomcat and JbossWeb.<br>
<br>
> But still, we will<br>
> need the stuff like periodic cleaner thread, which will remove expired<br>
> items from this HttpSession map. And this solution requires HttpSession<br>
> replication if I understand correctly?<br>
><br>
<br>
Replication would be required, but all these servlet containers contain<br>
session lifecycle listener SPIs, so there is no need for reaper threads.<br>
But, can't do it anyways...<br>
<br>
> As of now, we don't require HttpSession replication for OIDC. Qe support<br>
> the deployments when the application is deployed on more "cluster" nodes<br>
> behind loadbalancer, but application cluster nodes don't communicate<br>
> with each other. In other words, there is no "distributable" in web.xml<br>
> . For this case, we have CLIENT_SESSION_HOST note, so the OIDC<br>
> backchannel request is sent to same cluster node from which was<br>
> code-to-token request sent earlier.<br>
><br>
<br>
Again, not something we can implement in a standard/portable way.<br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br></div></div>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
<br>
<br>
</blockquote><div class="HOEnZb"><div class="h5">
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br></div>