<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The demo is bundled in
keycloak-appliance-dist ZIP in directory examples/saml.<br>
<br>
The demo sources are here:
<a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/tree/master/examples/saml">https://github.com/keycloak/keycloak/tree/master/examples/saml</a><br>
<br>
Marek<br>
<br>
On 7.4.2015 02:37, Chen Keong Yap wrote:<br>
</div>
<blockquote
cite="mid:CAC2UnuWdqCrcFf-v=UT55bKEjHmm195yE09smwLyPzy=tQO0kg@mail.gmail.com"
type="cite">
<p dir="ltr">Hi bill,</p>
<p dir="ltr">Can you give me the link or path for the demo? Not
sure if you are using keycloak or picketlink demo for testing? </p>
<div class="gmail_quote">On Apr 6, 2015 9:20 PM, "Bill Burke" &lt;<a
moz-do-not-send="true" href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Demos work
fine for me, but I'm using the wildfly Picketlink SP adapter.
I am able to have an SSO session with all the examples, then I
am able to logout and have all sessions invalidated.<br>
<br>
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi bill,<br>
<br>
Are you using 2 applications for testing?<br>
<br>
If yes, need to know have you logged out the first application then
redirect to keycloak login page? After that refresh the second
application then redirect to keycloak login page?<br>
<br>
Can I know which version of picketlink federation lib are you using?<br>
<br>
On Apr 6, 2015 8:56 PM, "Bill Burke" &lt;<a
moz-do-not-send="true" href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>&gt; wrote:<br>
<br>
I tried out the saml demo app and logout works just fine, so I'm
guessing this is a bug in the PL SP Filter.<br>
<br>
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:<br>
<br>
Hi bill,<br>
<br>
Global logout only removed sp sessions but not web application
sessions and this created security loopholes.<br>
<br>
Please advise<br>
<br>
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap &lt;<a
moz-do-not-send="true" href="mailto:chenkeong.yap@izeno.com"
target="_blank">chenkeong.yap@izeno.com</a>&gt; wrote:<br>
<br>
Guys,<br>
<br>
Can share your ideas why global logout is not working?<br>
<br>
On Apr 3, 2015 3:47 PM, "Chen Keong Yap" &lt;<a
moz-do-not-send="true" href="mailto:chenkeong.yap@izeno.com"
target="_blank">chenkeong.yap@izeno.com</a>&gt; wrote:<br>
<br>
Hi Marek,<br>
<br>
I've just tested backchannel logout and it's showing same issue.
Both applications are using PL SP Filter and the steps below are
used for testing.<br>
<br>
1. Open <a moz-do-not-send="true"
href="https://localhost:8443/employee/" target="_blank">https://localhost:8443/employee/</a>
and http request is redirected to
<a moz-do-not-send="true"
href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml"
target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a><br>
<br>
2. Enter username and password into keycloak login page and
redirected to employee landing page<br>
<br>
3. Open <a moz-do-not-send="true"
href="https://localhost:8443/sales-post/" target="_blank">https://localhost:8443/sales-post/</a>
and redirected to sales-post landing page without login<br>
<br>
4. Logon to keycloak admin console and noticed there are 2 active
sessions<br>
<br>
5. Perform global logout from employee landing page
(<a moz-do-not-send="true"
href="https://localhost:8443/employee/?GLO=true"
target="_blank">https://localhost:8443/employee/?GLO=true</a>)
and http request is redirected to
<a moz-do-not-send="true"
href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml"
target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a><br>
<br>
6. Logon to keycloak admin console and noticed all sessions are
gone<br>
<br>
7. Refresh sales-post landing page and it's not redirected to
keycloak login page. sales-post session still active.<br>
<br>
Kindly advise why GLO is performed but the second application
(sales-post) session still active?<br>
<br>
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda &lt;<a
moz-do-not-send="true" href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt; wrote:<br>
<br>
Switch the "Front channel logout" to off. In this case it should
use backchannel (not redirecting through browser, but sending
logout requests from Keycloak in background)<br>
<br>
Marek<br>
<br>
<br>
<br>
On 3.4.2015 08:28, Chen Keong Yap wrote:<br>
<br>
<br>
Hi Marek,<br>
<br>
I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me
the same issues, please refer to the settings shown in the screen
shot.<br>
<br>
Can you please advise how to test backchannel logout?<br>
<br>
<br>
<br>
On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda &lt;<a
moz-do-not-send="true" href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt; wrote:<br>
<br>
I would try to upgrade to latest 1.2.0.Beta1 as it has some
related fixes AFAIK.<br>
<br>
In this version, you have also possibility to setup either
frontChannel logout or backchannel logout for the application. It
could be set in Keycloak admin console. I think that at least one
of them will work with SP filter in latest version (if not both).<br>
<br>
Marek<br>
<br>
<br>
On 3.4.2015 01:44, Chen Keong Yap wrote:<br>
<br>
Hi,<br>
<br>
I've 2 applications installed with Picketlink SPFilter to
authenticate with keycloak 1.1.0 beta 2.<br>
<br>
When I perform global logout, first application was logged out
successfully because SP/keycloak session and application http
session are removed but the problem is second application
SP/keycloak session is removed but application http session still
remains. I've set admin url for these 2 applications in keycloak
admin console. Kindly share your ideas.<br>
<br>
<br>
<br>
<br>
_________________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
<br>
</blockquote>
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true" href="http://bill.burkecentral.com"
target="_blank">http://bill.burkecentral.com</a><br>
</blockquote>
</div>
</blockquote>
<br>
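<p>Added example (not part of the original thread, and not Keycloak or
PicketLink code): a minimal Python model of why a backchannel logout can
clear the IdP session while an application's HTTP session survives. The
class, function and session-index names are hypothetical; the
application names are taken from the steps quoted above.</p>
<pre>
```python
"""Model of SP-side session handling for SAML backchannel logout (constructed)."""
import secrets


class ServiceProvider:
    """Toy SP: keeps HTTP sessions and an index from SAML SessionIndex to them."""

    def __init__(self, name, index_sessions=True):
        self.name = name
        self.index_sessions = index_sessions  # False models an SP with no index
        self.http_sessions = {}      # maps cookie value to username
        self.by_session_index = {}   # maps SAML SessionIndex to a set of cookies

    def login(self, username, session_index):
        """Called after a valid assertion is consumed; returns the session cookie."""
        cookie = secrets.token_hex(16)
        self.http_sessions[cookie] = username
        if self.index_sessions:
            self.by_session_index.setdefault(session_index, set()).add(cookie)
        return cookie

    def is_authenticated(self, cookie):
        return cookie in self.http_sessions

    def backchannel_logout(self, session_index):
        """Handle a LogoutRequest sent by the IdP server-to-server.

        No browser cookie accompanies this request, so the HTTP session can
        only be found through the SessionIndex recorded at login.
        Returns the number of HTTP sessions invalidated.
        """
        cookies = self.by_session_index.pop(session_index, set())
        for cookie in cookies:
            self.http_sessions.pop(cookie, None)
        return len(cookies)


def global_logout(service_providers, session_index):
    """IdP side: notify every SP in the SSO session; report sessions ended per SP."""
    return {sp.name: sp.backchannel_logout(session_index) for sp in service_providers}


def demo():
    """Constructed scenario: one SP indexes its sessions, the other does not."""
    employee = ServiceProvider("employee")
    sales_post = ServiceProvider("sales-post", index_sessions=False)
    idx = "constructed-session-index-1"
    c1 = employee.login("user", idx)
    c2 = sales_post.login("user", idx)
    ended = global_logout([employee, sales_post], idx)
    return ended, employee.is_authenticated(c1), sales_post.is_authenticated(c2)
```
</pre>
<p>An SP that reports zero sessions ended for a SessionIndex it accepted
at login is the one whose cookie will still be honoured after the
logout.</p>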
</body>
</html>