[keycloak-user] Problems logging out using JEE to keycloak to SAML (ADFS) (better formatted)

Hynek Mlnarik hmlnarik at redhat.com
Mon Jul 10 09:09:12 EDT 2017


How are ADFS and Keycloak configured? If according to [1], the
sessions should be cleared. Beware that ADFS also leaves an ssoCookie in
the browser, so it might just re-login the user behind the scenes;
see the discussion on [2] for further details.

--Hynek

[1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
[2] https://issues.jboss.org/browse/KEYCLOAK-4398

On Tue, Jul 4, 2017 at 11:51 PM, Jason Spittel <jasonspittel at yahoo.com> wrote:
> Apparently my formatting was lost. So I'm reposting this in a more readable format:
>
> Hello,
>
> I'm having difficulty completing a logout.
> SETUP:
> JEE webapp to keycloak to IdP (ADFS (SAML))
>
> WORKFLOW:
> 1) On logout in the webapp
> externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true");
>
> 2) User is sent to ADFS letting them know they have successfully logged out.
>
> 3) However, there is still a keycloak user session alive (seen in the admin console)
>
> 4) Hitting a protected resource in the webapp lets user in without having to log back in.
>
> Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262:
>
> String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
>
> if (brokerId != null) {
>    IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
>    Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
>    if (response != null) return response;
> }
>
> return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
>
> I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session.
> But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly?
> Thanks,
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
