[keycloak-user] ADFS SAML Logout

Jason Spittel jasonspittel at yahoo.com
Fri Aug 4 09:47:08 EDT 2017


Hi Adam,
I had this exact same issue. If you are running a JEE stack with JSF on the Service Provider (SP), the issue has to do with how a logout is initiated on the SP side.
Generally, you just set a GLO parameter and have the Keycloak adapter on the SP side log out:
externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true" );
But setting that parameter results in the jsessionid on the SP side being killed, which results in the SP trying to log in before logging out.
My workaround was to preserve the jsessionid before setting the GLO parameter:
   import javax.faces.context.ExternalContext;
   import javax.servlet.http.Cookie;
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   private void preserveJsessionidCookie(ExternalContext externalContext)
   {
      HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
      Cookie[] cookies = request.getCookies(); // null, not empty, when the request carries no cookies
      if (cookies == null) return;
      for (Cookie cookie : cookies)
      {
         if (cookie.getName().equalsIgnoreCase("jsessionid"))
         {
            // A cookie parsed from the request carries no attributes; set them again so the
            // re-issued JSESSIONID keeps its Path, Secure and HttpOnly flags instead of losing them.
            cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            cookie.setHttpOnly(true);
            cookie.setSecure(request.isSecure());
            ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
            break;
         }
      }
   }

Hope this helps,
Jason
On Thursday, August 3, 2017, 11:29:11 PM PDT, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

It seems ADFS has not set the name format when logging in. Have you
configured output Name ID format in respective ADFS transform claim
rule?

--Hynek

On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
> Hi,
>
> Can anyone shed any light on this? I have created a SAML IdP in keycloak for our ADFS server. Sign-in works fine, but when I try to logout, I get an internal server error 500.
>
> In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
>
> I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1 version.
>
> Help appreciated.
> Thanks
> Adam
>
> 14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
>        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
>        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
>        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
>        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
>        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
>        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
>        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
>        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
>        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
>        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>        at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>        at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
>        at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
>        at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>        at java.lang.reflect.Method.invoke(Method.java:498)
>        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
>        ... 37 more
> Caused by: java.lang.NullPointerException
>        at java.net.URI$Parser.parse(URI.java:3042)
>        at java.net.URI.<init>(URI.java:588)
>        at java.net.URI.create(URI.java:850)
>        at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
>        at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
>        at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
>        ... 51 more
>
> --
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
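The trace above shows the NullPointerException raised inside java.net.URI.create, called from SAML2LogoutRequestBuilder.createLogoutRequest while Keycloak builds the LogoutRequest for the IdP; a null is reaching the URI constructor, which is why a dummy Single Logout Service URL changes nothing, and it fits Hynek's suggestion that ADFS did not set the NameID format at login. SAML 2.0 Core says that when a NameID carries no Format attribute, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is in effect. The script below is an added example, not code from this thread or from Keycloak: it decodes a SAMLResponse as captured from the ADFS POST to the Keycloak broker endpoint, reports whether the NameID has a Format attribute, and shows the substitution a LogoutRequest builder needs so that a missing format never reaches a URI constructor. The two sample responses, the issuer and the subject are constructed; signatures and conditions are omitted.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace prefixes for the SAML 2.0 Response/Assertion elements looked up below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SAML 2.0 Core, section 2.2.2: if NameID has no Format attribute, this value is in effect.
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def decode_saml_response(b64: str) -> str:
    """The SAMLResponse form field of the HTTP-POST binding is base64 of the raw XML."""
    return base64.b64decode(b64).decode("utf-8")


def encode_saml_response(xml: str) -> str:
    """Inverse of decode_saml_response; used here only to round-trip the constructed samples."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def name_id_info(saml_response_xml: str) -> dict:
    """Report the Subject NameID of the first Assertion: its value, the Format attribute
    exactly as the IdP sent it (None when absent) and the format in effect per the spec.
    Diagnostic only: this does not verify the XML signature, so run it on a response
    captured from your own browser, never as a trust decision."""
    root = ET.fromstring(saml_response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no Assertion/Subject/NameID in the response")
    fmt = name_id.get("Format")
    return {
        "value": (name_id.text or "").strip(),
        "format_sent": fmt,
        "format_in_effect": fmt if fmt else UNSPECIFIED_FORMAT,
    }


def logout_name_id_format(format_sent):
    """Format to place on the NameID of a LogoutRequest. A builder that hands the stored
    format straight to a URI constructor fails on None; substituting the spec default
    keeps the logout going instead of turning a missing attribute into a 500."""
    return format_sent if format_sent else UNSPECIFIED_FORMAT


# Constructed samples, not captured from a real ADFS; signatures and conditions omitted.
RESPONSE_WITH_FORMAT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-08-04T04:28:10Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-04T04:28:10Z">
    <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">adam@example.edu</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same assertion as ADFS emits it when no outgoing name ID format is configured.
RESPONSE_WITHOUT_FORMAT = RESPONSE_WITH_FORMAT.replace(
    ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"', "")


def check_all():
    """Run the diagnostic over both samples via a base64 round trip; returns the reports."""
    reports = {}
    for label, xml in (("with Format", RESPONSE_WITH_FORMAT),
                       ("without Format", RESPONSE_WITHOUT_FORMAT)):
        info = name_id_info(decode_saml_response(encode_saml_response(xml)))
        info["logout_format"] = logout_name_id_format(info["format_sent"])
        reports[label] = info
    return reports


if __name__ == "__main__":
    for label, info in check_all().items():
        print(f"{label}: NameID={info['value']!r} Format sent={info['format_sent']!r} "
              f"in effect={info['format_in_effect']} -> LogoutRequest Format={info['logout_format']}")
```

To use it on a real login, copy the SAMLResponse form field from the browser's POST to the Keycloak broker endpoint and pass it to decode_saml_response. If format_sent comes back None, the fix is on the ADFS side, as Hynek says: the relying party's issuance transform rule has to set an outgoing name ID format (in the ADFS claim rule editor this is the Transform an Incoming Claim template with an Outgoing name ID format selected), and the user logs in again so that the new assertion carries it.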


