[keycloak-user] ADFS SAML Logout

Adam Keily adam.keily at adelaide.edu.au
Sun Aug 6 22:16:03 EDT 2017


Awesome. Thanks for your help guys. Hynek, you were correct, I’d been able to get ADFS brokered sign on working using the ‘unspecified’ Name ID format. Unfortunately, it looks like this breaks sign out.

Once I configured ADFS to send the NameID in email address format, it would indeed pass the signout request to ADFS. This post was useful too: http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html. I’d read it before but obviously not well enough. For me I just preferred using email address (actually UPN), rather than the Windows qualified domain name.

I also had “Want AuthnRequests Signed” set to off in keycloak, which is required for successful signout, along with setting the SAML signature key name to CERT_SUBJECT. Once I did all that, single logout now works.

Incidentally, I wanted to keep the username in keycloak as the sAMAccountName value so I configured ADFS to send the sAMAccountName as the Common Name claim and then configured a username template importer mapper with ${ATTRIBUTE.http://schemas.xmlsoap.org/claims/CommonName}.

Thanks for the help.

Adam
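As an added illustration of the two conditions this thread settles on (the assertion's NameID carrying a Format attribute, and a non-empty, well-formed Single Logout Service URL), here is a small checker. It is not code from Keycloak or from anyone in the thread; it parses a SAML Response the way an operator would inspect one captured from the browser and reports what would stop a brokered logout. The sample responses, the hostname adfs.example.edu and the finding texts are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 namespaces used in ADFS responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample responses (not real ADFS output): one where the NameID
# Format attribute is missing, one where ADFS was configured to emit
# emailAddress format. Signatures and conditions are omitted for brevity.
RESPONSE_NO_FORMAT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@example.edu</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

RESPONSE_EMAIL_FORMAT = RESPONSE_NO_FORMAT.replace(
    "<saml:NameID>", f'<saml:NameID Format="{EMAIL_FORMAT}">'
)


def extract_name_id(response_xml):
    """Return (value, format) of the first NameID in a SAML Response.

    format is None when the Format attribute is absent; both are None when
    the assertion carries no NameID at all.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None, None
    return (name_id.text or "").strip(), name_id.get("Format")


def check_logout_prerequisites(response_xml, single_logout_url, expected_format=EMAIL_FORMAT):
    """Return findings that would keep a brokered single logout from working.

    An empty list means the assertion names its subject with the expected
    format and the logout endpoint is an absolute https URL.
    """
    findings = []
    value, fmt = extract_name_id(response_xml)
    if value is None:
        findings.append("assertion has no NameID, so no LogoutRequest subject can be built")
    elif fmt is None:
        findings.append("NameID carries no Format attribute; the IdP must set one "
                        "(e.g. emailAddress) in its claim rule")
    elif fmt != expected_format:
        findings.append(f"NameID Format is {fmt}, expected {expected_format}")

    if not single_logout_url:
        findings.append("Single Logout Service URL is empty, so only the local session will end")
    else:
        if single_logout_url != single_logout_url.strip():
            findings.append("Single Logout Service URL has surrounding whitespace")
        parsed = urlparse(single_logout_url.strip())
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"Single Logout Service URL {single_logout_url!r} is not an absolute https URL")
    return findings


if __name__ == "__main__":
    for label, xml in (("no Format", RESPONSE_NO_FORMAT), ("emailAddress", RESPONSE_EMAIL_FORMAT)):
        print(label, check_logout_prerequisites(xml, "https://adfs.example.edu/adfs/ls/"))
```

Run against a response saved from the browser's SAML trace, the "no Format" case reproduces the situation Hynek pointed at: the login works because Keycloak accepts the subject value, but the Format needed to address that subject in a LogoutRequest is missing.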

From: Jason Spittel [mailto:jasonspittel at yahoo.com]
Sent: Friday, 4 August 2017 11:17 PM
To: Hynek Mlnarik <hmlnarik at redhat.com>; Adam Keily <adam.keily at adelaide.edu.au>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] ADFS SAML Logout


Hi Adam,

I had this exact same issue. If you are running a JEE stack with JSF on the Service Provider (SP), the issue has to do with how a logout is initiated on SP side.

Generally, you just set a GLO parameter and have the Keycloak adapter on the SP side logout:

externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");

But setting that parameter results in the jsessionid on the SP side being killed, which results in the SP trying to log in before logging out.

My workaround was to preserve the jsessionid before setting the GLO parameter:

   import javax.faces.context.ExternalContext;
   import javax.servlet.http.Cookie;
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;

   // Re-send the container session cookie so the GLO redirect is handled
   // within the existing session instead of triggering a fresh login.
   private void preserveJsessionidCookie(ExternalContext externalContext)
   {
      Cookie[] cookies = ((HttpServletRequest) externalContext.getRequest()).getCookies();
      if (cookies == null) // getCookies() returns null when the request carries no cookies
      {
         return;
      }
      for (Cookie cookie : cookies)
      {
         if (cookie.getName().equalsIgnoreCase("jsessionid"))
         {
            ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
            break;
         }
      }
   }

Hope this helps,

Jason

On Thursday, August 3, 2017, 11:29:11 PM PDT, Hynek Mlnarik <hmlnarik at redhat.com> wrote:


It seems ADFS has not set the name format when logging in. Have you
configured output Name ID format in respective ADFS transform claim
rule?

--Hynek

On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
> Hi,
>
> Can anyone shed any light on this? I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.
>
> In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
>
> I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1 version.
>
> Help appreciated.
> Thanks
> Adam
>
> 14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
>        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
>        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
>        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
>        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
>        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
>        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
>        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
>        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
>        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
>        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>        at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>        at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
>        at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
>        at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>        at java.lang.reflect.Method.invoke(Method.java:498)
>        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
>        ... 37 more
> Caused by: java.lang.NullPointerException
>        at java.net.URI$Parser.parse(URI.java:3042)
>        at java.net.URI.<init>(URI.java:588)
>        at java.net.URI.create(URI.java:850)
>        at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
>        at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
>        at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
>        ... 51 more
>
> --
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



--

--Hynek

