<div dir="ltr">Hi Bill,<div><br></div><div>Global logout only removed SP sessions but not web application sessions, and this created security loopholes.</div><div><br></div><div>Please advise<br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <span dir="ltr">&lt;<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><p dir="ltr">Guys,</p>
<p dir="ltr">Can you share your ideas on why global logout is not working?</p><div class=""><div class="h5">
<div class="gmail_quote">On Apr 3, 2015 3:47 PM, "Chen Keong Yap" &lt;<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Hi Marek,<div><br></div><div>I've just tested backchannel logout and it's showing the same issue. Both applications are using PL SP Filter and the steps below are used for testing.</div><div><div class="gmail_extra"><br></div><div class="gmail_extra">1. Open <a href="https://localhost:8443/employee/" target="_blank">https://localhost:8443/employee/</a> and the http request is redirected to <a href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml" target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">2. Enter username and password into the keycloak login page and get redirected to the employee landing page</div><div class="gmail_extra"><br></div><div class="gmail_extra">3. Open <a href="https://localhost:8443/sales-post/" target="_blank">https://localhost:8443/sales-post/</a> and get redirected to the sales-post landing page without login</div><div class="gmail_extra"><br></div><div class="gmail_extra">4. Log on to the keycloak admin console and noticed there are 2 active sessions<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">5. Perform global logout from the employee landing page (<a href="https://localhost:8443/employee/?GLO=true" target="_blank">https://localhost:8443/employee/?GLO=true</a>) and the http request is redirected to <a href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml" target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a></div><div class="gmail_extra"><br></div><div class="gmail_extra">6. Log on to the keycloak admin console and noticed all sessions are gone</div><div class="gmail_extra"><br></div><div class="gmail_extra">7. Refresh the sales-post landing page and it's not redirected to the keycloak login page. The sales-post session is still active.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Kindly advise why GLO is performed but the second application (sales-post) session is still active?</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Switch the "Front channel logout" to
off. In this case it should use backchannel (not redirecting
through browser, but sending logout requests from Keycloak in
background)<span><font color="#888888"><br>
<br>
Marek</font></span><div><div><br>
<br>
<br>
On 3.4.2015 08:28, Chen Keong Yap wrote:<br>
</div></div></div><div><div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
</div>
            <div class="gmail_extra">Hi Marek,</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">I've tried frontChannel logout in
1.2.0.Beta1 and it's giving me the same issues, please refer
to the settings shown in the screen shot.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Can you please advise how to test
backchannel logout?</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra"><img src="cid:part1.08040304.03040901@redhat.com" alt="Inline
image 1" height="282" width="538"><br>
</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 3, 2015 at 1:50 PM, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>I would try to upgrade to latest 1.2.0.Beta1 as it
has some related fixes AFAIK.<br>
<br>
                    In this version, you also have the possibility to set up
                    either frontChannel logout or backchannel logout for
                    the application. It can be set in the Keycloak admin
                    console. I think that at least one of them will work
                    with SP filter in latest version (if not both).<br>
<br>
Marek
<div>
<div><br>
<br>
On 3.4.2015 01:44, Chen Keong Yap wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>Hi,</div>
<div><br>
</div>
<div>I've 2 applications installed with
Picketlink SPFilter to authenticate with
keycloak 1.1.0 beta 2.</div>
<div><br>
</div>
                          <div>When I perform global logout, the first
                            application was logged out successfully
                            because the SP/keycloak session and application
                            http session are removed, but the problem is
                            that the second application's SP/keycloak session
                            is removed but the application http session
                            still remains. I've set the admin url for these
                            2 applications in keycloak admin console.
                            Kindly share your ideas.</div>
<div><br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div> <br><div><div dir="ltr"><div style="text-align:left"><br></div></div></div>
</div></div></div>
</blockquote></div>
</div></div></blockquote></div><br><div class="gmail_signature"><div dir="ltr"><div style="text-align:left"><br></div></div></div>
</div></div></div>
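<p>Added example, not part of the original thread and not Keycloak or PicketLink code: a constructed Python model of the seven-step test above, showing that a back-channel logout ends an application's HTTP session only if the SP recorded which local sessions belong to the IdP session and invalidates them. All class names, method names and the user "alice" are hypothetical.</p>

```python
# Constructed model; every name here is hypothetical, not a Keycloak/PicketLink API.
import secrets

class ServiceProvider:
    def __init__(self, name, invalidate_local=True):
        self.name = name
        self.invalidate_local = invalidate_local  # False models the reported behaviour
        self.http_sessions = {}   # local session cookie -> username
        self.by_sso_session = {}  # IdP session id -> set of local session cookies

    def login(self, sso_session, user):
        cookie = secrets.token_hex(8)
        self.http_sessions[cookie] = user
        self.by_sso_session.setdefault(sso_session, set()).add(cookie)
        return cookie

    def is_authenticated(self, cookie):
        return cookie in self.http_sessions

    def backchannel_logout(self, sso_session):
        # Server-to-server call: no browser cookie arrives, so the SP must
        # look up local sessions by the IdP session id it recorded at login.
        cookies = self.by_sso_session.pop(sso_session, set())
        if self.invalidate_local:
            for cookie in cookies:
                self.http_sessions.pop(cookie, None)

class IdentityProvider:
    def __init__(self):
        self.sessions = {}  # IdP session id -> list of SPs logged in under it

    def sso_login(self, sp, user, sso_session=None):
        sso_session = sso_session or secrets.token_hex(8)
        self.sessions.setdefault(sso_session, []).append(sp)
        return sso_session, sp.login(sso_session, user)

    def global_logout(self, sso_session):
        for sp in self.sessions.pop(sso_session, []):
            sp.backchannel_logout(sso_session)

def stale_sessions_after_glo(sales_post_invalidates):
    """Replay steps 1-7 of the thread; return the apps that still accept the old cookie."""
    idp = IdentityProvider()
    employee = ServiceProvider("employee")
    sales = ServiceProvider("sales-post", invalidate_local=sales_post_invalidates)
    sso, c1 = idp.sso_login(employee, "alice")   # constructed user
    _, c2 = idp.sso_login(sales, "alice", sso)   # SSO into the second app
    idp.global_logout(sso)
    return [sp.name for sp, c in ((employee, c1), (sales, c2)) if sp.is_authenticated(c)]
```

<p>A non-empty result from <code>stale_sessions_after_glo</code> corresponds to step 7: the IdP shows no sessions, yet the old application cookie is still accepted.</p>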