<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Is mellon actually sending a logout request to Keycloak?<br>
Do you see any error message on the keycloak server side? We
definitely support POST binding for logout. <br>
<div class="moz-cite-prefix">On 1/14/2016 8:34 AM, Michal Hajas
wrote:<br>
</div>
<blockquote
cite="mid:2064286463.15643462.1452778442811.JavaMail.zimbra@redhat.com"
type="cite">
<pre wrap="">Hi,
I'm trying to run apache + mod_auth_mellon with keycloak as indentity provider.
Steps:
1. Install apache and mod_auth_mellon module
2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory
3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory
4. Configure auth_mod_mellon with enclosed file auth_mellon.conf
5. Create client in keycloak from xml file generated in step 2 (There must be enabled Sign Documents, Sign Assertions signing and Force POST Binding)
Login works, when I access /auth, mellon redirect me to keycloak and after successful login it redirect me back to protected resource.
Problem:
I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy session in keycloak and in apache's error log there is:
Current identity provider does not support single logout. Destroying local session only.
Only way I was able to log out is change
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=<a class="moz-txt-link-rfc2396E" href="http://localhost:8080/auth/realms/mellon-test/protocol/saml">"http://localhost:8080/auth/realms/mellon-test/protocol/saml"</a>/>
to
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=<a class="moz-txt-link-rfc2396E" href="http://localhost:8080/auth/realms/mellon-test/protocol/saml">"http://localhost:8080/auth/realms/mellon-test/protocol/saml"</a>/>
POST -> Redirect
in idp_metadata.xml and set "Logout Service Redirect Binding URL" to <a class="moz-txt-link-freetext" href="http://localhost/mellon/logout">http://localhost/mellon/logout</a> in admin console.
Is it correct or it should work with POST binding too?
Thank you,
Michal.</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
</body>
</html>