[keycloak-user] Http Session is not invalidated
Bill Burke
bburke at redhat.com
Mon Apr 6 10:20:49 EDT 2015
Demos work fine for me, but I'm using the wildfly Picketlink SP adapter.
I am able to have an SSO session with all the examples, then I am able
to logout and have all sessions invalidated.
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
> Hi Bill,
>
> Are you using 2 applications for testing?
>
> If yes, I need to know: have you logged out of the first application and then been redirected to the keycloak login page? After that, refreshed the second application and been redirected to the keycloak login page?
>
> Can I know which version of the picketlink federation lib you are using?
>
> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
> I tried out the saml demo app and logout works just fine, so I'm guessing this is a bug in the PL SP Filter.
>
> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>
> Hi Bill,
>
> Global logout only removed SP sessions but not web application sessions, and this created security loopholes.
>
> Please advise.
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
>
> Guys,
>
> Can you share your ideas on why global logout is not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap at izeno.com> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and it's showing the same issue. Both applications are using PL SP Filter and the steps below are used for testing.
>
> 1. Open https://localhost:8443/employee/ and the http request is redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 2. Enter username and password into the keycloak login page and get redirected to the employee landing page
>
> 3. Open https://localhost:8443/sales-post/ and get redirected to the sales-post landing page without login
>
> 4. Log on to the keycloak admin console and notice there are 2 active sessions
>
> 5. Perform global logout from the employee landing page (https://localhost:8443/employee/?GLO=true) and the http request is redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 6. Log on to the keycloak admin console and notice all sessions are gone
>
> 7. Refresh the sales-post landing page and it's not redirected to the keycloak login page. The sales-post session is still active.
>
> Kindly advise why GLO is performed but the second application (sales-post) session is still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
> Switch the "Front channel logout" to off. In this case it should use backchannel (not redirecting through the browser, but sending logout requests from Keycloak in the background).
>
> Marek
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
> Hi Marek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the same issues; please refer to the settings shown in the screenshot.
>
> Can you please advise how to test backchannel logout?
>
> [Inline image 1 (screenshot of the settings) not included]
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
> I would try to upgrade to the latest 1.2.0.Beta1 as it has some related fixes AFAIK.
>
> In this version, you also have the possibility to set up either frontChannel logout or backchannel logout for the application. It can be set in the Keycloak admin console. I think that at least one of them will work with the SP filter in the latest version (if not both).
>
> Marek
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>
> Hi,
>
> I've 2 applications installed with the Picketlink SPFilter to authenticate with keycloak 1.1.0 beta 2.
>
> When I perform global logout, the first application is logged out successfully because the SP/keycloak session and the application http session are removed, but the problem is that for the second application the SP/keycloak session is removed while the application http session still remains. I've set the admin url for these 2 applications in the keycloak admin console. Kindly share your ideas.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
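The loophole the thread describes, with the SP/Keycloak session gone while the application's own HttpSession survives, is in general what happens when a logout reaches the application but nothing on the application side invalidates the container session. A back-channel LogoutRequest is sent by Keycloak rather than by the browser, so it carries no session cookie and the application cannot find the HttpSession by the usual route; it has to keep its own mapping from the SAML SessionIndex to the container session. The following is an added example, not code from this thread, from Keycloak or from PicketLink: a registry keyed by SessionIndex plus a servlet filter that invalidates the HttpSession on either a front-channel or a back-channel logout. The class names, the attribute names `sso.sessionIndex` and `saml.logout.sessionIndex`, and the assumption that the SP layer has already validated the signed LogoutRequest and exposed its SessionIndex as a request attribute are all mine.

```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical registry (not PicketLink or Keycloak code) mapping the SAML
 * SessionIndex issued at login to the container session. A back-channel
 * LogoutRequest comes from Keycloak, not the browser, so there is no cookie
 * to look the HttpSession up by; without a registry like this the SP can
 * clear its own state while the application session lives on.
 */
public final class SsoSessionRegistry implements HttpSessionListener {
    private static final String INDEX_ATTR = "sso.sessionIndex"; // assumed attribute name
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();

    /** Call once after a successful SAML login with the SessionIndex from the assertion. */
    public static void bind(String sessionIndex, HttpSession session) {
        session.setAttribute(INDEX_ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }

    /** Invalidate the container session bound to this SessionIndex; true if one was registered. */
    public static boolean invalidate(String sessionIndex) {
        HttpSession s = BY_INDEX.remove(sessionIndex);
        if (s == null) {
            return false;
        }
        try {
            s.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // timed out or invalidated by another path; nothing left to do
        }
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        // nothing to do until the SP layer binds a SessionIndex
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // keep the registry from holding sessions that expired on their own
        Object idx = e.getSession().getAttribute(INDEX_ATTR);
        if (idx != null) {
            BY_INDEX.remove(idx.toString());
        }
    }
}

/**
 * Hypothetical filter that runs behind the SP filter. Assumption: the SP layer
 * has already verified the LogoutRequest signature and stored its SessionIndex
 * in the request attribute below. Covers the front channel (browser redirect,
 * cookie present) and the back channel (no cookie, registry lookup only).
 */
final class SessionInvalidatingLogoutFilter implements Filter {
    static final String LOGOUT_INDEX_ATTR = "saml.logout.sessionIndex"; // assumed attribute name

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Object idx = http.getAttribute(LOGOUT_INDEX_ATTR);
        if (idx != null) {
            // Back channel: locate the session by SessionIndex and drop it.
            SsoSessionRegistry.invalidate(idx.toString());
            // Front channel: the browser's own session may be a different object
            // (or the same one, already invalid); make sure it is gone as well.
            HttpSession own = http.getSession(false);
            if (own != null) {
                try {
                    own.invalidate();
                } catch (IllegalStateException alreadyInvalid) {
                    // already handled through the registry
                }
            }
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Two details matter when wiring this in: the back-channel request is delivered to the application's admin URL (the setting the original poster mentions configuring), so the filter has to be mapped to cover that path, and `bind` must be called with the SessionIndex from the authenticated assertion, since a logout that names an index the registry has never seen is correctly a no-op. The registry approach also gives a simple check for the scenario in the thread: after a global logout, every HttpSession bound to an index named in the LogoutRequest should be gone, and the next request to a protected page should start a fresh login rather than land on the old landing page.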