<div dir="ltr">Hi,<div><br></div><div>Unfortunately i cannot use  picketlink binding adapters because my application is running on websphere and we are not allowed to use keycloak proxy. I guess the only way is to use SP Filter. Can someone advise the alternative/solution to clear  web application session after global logout is performed?<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 4:47 PM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Nope, it&#39;s using the proper picketlink
      binding adapters (ServiceProviderAuthenticator valve on EAP6 and
      SPServletExtension on Wildfly). If you have opportunity to use
      those instead of SPFilter, it may be better though. I am not sure
      if Picketlink SPFilter is not deprecated (or if it supports all
      the features like binding adapters). Maybe Bill or Pedro knows
      more.<span class=""><font color="#888888"><br>
      <br>
      Marek</font></span><div><div class="h5"><br>
      <br>
      <br>
      On 7.4.2015 10:41, Chen Keong Yap wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div><br>
        </div>
        <div>
          <div>&lt;?xml version=&quot;1.0&quot; encoding=&quot;ISO-8859-1&quot;?&gt;</div>
          <div><br>
          </div>
          <div>Hi,</div>
          <div><br>
          </div>
          <div>I cannot find the spfilter definition in web.xml of the
            sample demo. Just wondering is the demo running on SP
            filter?</div>
          <div><br>
          </div>
          <div>&lt;!DOCTYPE web-app</div>
          <div>    PUBLIC &quot;-//Sun Microsystems, Inc.//DTD Web
            Application 2.3//EN&quot;</div>
          <div>    &quot;<a href="http://java.sun.com/dtd/web-app_2_3.dtd" target="_blank">http://java.sun.com/dtd/web-app_2_3.dtd</a>&quot;&gt;</div>
          <div><br>
          </div>
          <div>&lt;web-app&gt;</div>
          <div><br>
          </div>
          <div>&lt;welcome-file-list&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;filter&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;filter-name&gt;SPFilter&lt;/filter-name&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;filter-class&gt;org.picketlink.identity.federation.web.filters.SPFilter&lt;/filter-class&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;init-param&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;param-name&gt;IGNORE_SIGNATURES&lt;/param-name&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;param-value&gt;true&lt;/param-value&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;/init-param&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;init-param&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;param-name&gt;ROLES&lt;/param-name&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;param-value&gt;PRUONE&lt;/param-value&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;/init-param&gt;</div>
          <div>&lt;init-param&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;param-name&gt;LOGOUT_PAGE&lt;/param-name&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;param-value&gt;/logout1.jsp&lt;/param-value&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;/init-param&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;/filter&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;filter-mapping&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;filter-name&gt;SPFilter&lt;/filter-name&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;url-pattern&gt;/*&lt;/url-pattern&gt;</div>
          <div><span style="white-space:pre-wrap"> </span>&lt;/filter-mapping&gt;</div>
          <div>&lt;/web-app&gt;</div>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Tue, Apr 7, 2015 at 3:20 PM, Marek
            Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>The demo is bundled in keycloak-appliance-dist ZIP
                  in directory examples/saml . <br>
                  <br>
                  The demo sources are here: <a href="https://github.com/keycloak/keycloak/tree/master/examples/saml" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/saml</a><span><font color="#888888"><br>
                      <br>
                      Marek</font></span>
                  <div>
                    <div><br>
                      <br>
                      On 7.4.2015 02:37, Chen Keong Yap wrote:<br>
                    </div>
                  </div>
                </div>
                <div>
                  <div>
                    <blockquote type="cite">
                      <p dir="ltr">Hi bill,</p>
                      <p dir="ltr">Can you give me the link or path for
                        the demo? Not sure if you are using keycloak or
                        picketlink demo for testing? </p>
                      <div class="gmail_quote">On Apr 6, 2015 9:20 PM,
                        &quot;Bill Burke&quot; &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;
                        wrote:<br type="attribution">
                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Demos
                          work fine for me, but I&#39;m using the wildfly
                          Picketlink SP adapter.  I am able to have an
                          SSO session with all the examples, then I am
                          able to logout and have all sessions
                          invalidated.<br>
                          <br>
                          On 4/6/2015 9:01 AM, Chen Keong Yap wrote:<br>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                            Hi bill,<br>
                            <br>
                            Are you using 2 applications for testing?<br>
                            <br>
                            If yes, need to know have you logged out the
                            first application then<br>
                            redirect to keycloak login page? After that
                            refresh the second<br>
                            application then redirect to keycloak login
                            page?<br>
                            <br>
                            Can i know which version of picketlink
                            federation lib are you using?<br>
                            <br>
                            On Apr 6, 2015 8:56 PM, &quot;Bill Burke&quot; &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br>
                            &lt;mailto:<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;&gt;

                            wrote:<br>
                            <br>
                                I tried out the saml demo app and logout
                            works just fine, so I&#39;m<br>
                                guessing this is a bug in the PL SP
                            Filter.<br>
                            <br>
                                On 4/6/2015 6:47 AM, Chen Keong Yap
                            wrote:<br>
                            <br>
                                    Hi bill,<br>
                            <br>
                                    Global logout only removed sp
                            sessions but not web application<br>
                                    sessions<br>
                                    and this created security loopholes.<br>
                            <br>
                                    Please advise<br>
                            <br>
                                    On Mon, Apr 6, 2015 at 6:41 AM, Chen
                            Keong Yap<br>
                                    &lt;<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>
                            &lt;mailto:<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>&gt;<br>
                                    &lt;mailto:<a href="mailto:chenkeong.yap@izeno." target="_blank">chenkeong.yap@izeno.</a>__com<br>
                                    &lt;mailto:<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>&gt;&gt;&gt;

                            wrote:<br>
                            <br>
                                         Guys,<br>
                            <br>
                                         Can share your ideas why global
                            logout is not working?<br>
                            <br>
                                         On Apr 3, 2015 3:47 PM, &quot;Chen
                            Keong Yap&quot;<br>
                                    &lt;<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>
                            &lt;mailto:<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>&gt;<br>
                                         &lt;mailto:<a href="mailto:chenkeong.yap@izeno." target="_blank">chenkeong.yap@izeno.</a>__com<br>
                                    &lt;mailto:<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>&gt;&gt;&gt;

                            wrote:<br>
                            <br>
                                             Hi Marek,<br>
                            <br>
                                             I&#39;ve just tested
                            backchannel logout and it&#39;s showing<br>
                                    same issue.<br>
                                             Both applications are using
                            PL SP Filter and the steps<br>
                                    below are<br>
                                             used for testing.<br>
                            <br>
                                             1. Open <a href="https://localhost:8443/__employee/" target="_blank">https://localhost:8443/__employee/</a><br>
                                    &lt;<a href="https://localhost:8443/employee/" target="_blank">https://localhost:8443/employee/</a>&gt;

                            and http request is<br>
                                             redirected to<br>
                                    <a href="https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml" target="_blank">https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml</a><br>
                                    &lt;<a href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml" target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a>&gt;<br>
                            <br>
                                             2. Enter username and
                            password into keycloak login page and<br>
                                             redirected to employee
                            landing page<br>
                            <br>
                                             3. Open <a href="https://localhost:8443/sales-__post/" target="_blank">https://localhost:8443/sales-__post/</a><br>
                                    &lt;<a href="https://localhost:8443/sales-post/" target="_blank">https://localhost:8443/sales-post/</a>&gt;

                            and redirected to<br>
                                             sales-post landing page
                            without login<br>
                            <br>
                                             4. Logon to keycloak admin
                            console and noticed there are 2<br>
                                             active sessions<br>
                            <br>
                                             5. Perform global logout
                            from employee landing page<br>
                                             (<a href="https://localhost:8443/__employee/?GLO=true" target="_blank">https://localhost:8443/__employee/?GLO=true</a><br>
                                    &lt;<a href="https://localhost:8443/employee/?GLO=true" target="_blank">https://localhost:8443/employee/?GLO=true</a>&gt;)

                            and http request is<br>
                                             redirected to<br>
                                    <a href="https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml" target="_blank">https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml</a><br>
                                    &lt;<a href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml" target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a>&gt;<br>
                            <br>
                                             6. Logon to keycloak admin
                            console and noticed all<br>
                                    sessions are gone<br>
                            <br>
                                             7. Refresh sales-post
                            landing page and it&#39;s not<br>
                                    redirected to<br>
                                             keycloak login page.
                            sales-post session still active.<br>
                            <br>
                                             Kindly advise why GLO is
                            performed but the second<br>
                                    application<br>
                                             (sales-post) session still
                            active?<br>
                            <br>
                                             On Fri, Apr 3, 2015 at 3:36
                            PM, Marek Posolda<br>
                                             &lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>
                            &lt;mailto:<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;<br>
                                    &lt;mailto:<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>
                            &lt;mailto:<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;&gt;&gt;

                            wrote:<br>
                            <br>
                                                 Switch the &quot;Front
                            channel logout&quot; to off. In this<br>
                                    case it<br>
                                                 should use backchannel
                            (not redirecting through<br>
                                    browser, but<br>
                                                 sending logout requests
                            from Keycloak in background)<br>
                            <br>
                                                 Marek<br>
                            <br>
                            <br>
                            <br>
                                                 On 3.4.2015 08:28, Chen
                            Keong Yap wrote:<br>
                            <br>
                            <br>
                                                     Hi Merek,<br>
                            <br>
                                                     I&#39;ve tried
                            frontChannel logout in 1.2.0.Beta1<br>
                                        and it&#39;s<br>
                                                     giving me the same
                            issues, please refer to the<br>
                                        settings<br>
                                                     shown in the screen
                            shot.<br>
                            <br>
                                                     Can you please
                            advise how to test  backchannel<br>
                                        logout?<br>
                            <br>
                            <br>
                                                     Inline image 1<br>
                            <br>
                            <br>
                            <br>
                                                     On Fri, Apr 3, 2015
                            at 1:50 PM, Marek Posolda<br>
                                                     &lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a><br>
                                        &lt;mailto:<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;

                            &lt;mailto:<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a><br>
                                        &lt;mailto:<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;&gt;&gt;

                            wrote:<br>
                            <br>
                                                         I would try to
                            upgrade to latest<br>
                                        1.2.0.Beta1 as it has<br>
                                                         some related
                            fixes AFAIK.<br>
                            <br>
                                                         In this
                            version, you have also possibility<br>
                                        to setup<br>
                                                         either
                            frontChannel logout or backchannel<br>
                                        logout for<br>
                                                         the
                            application. It could be set in<br>
                                        Keycloak admin<br>
                                                         console. I
                            think that at least one of them<br>
                                        will work<br>
                                                         with SP filter
                            in latest version (if not both).<br>
                            <br>
                                                         Marek<br>
                            <br>
                            <br>
                                                         On 3.4.2015
                            01:44, Chen Keong Yap wrote:<br>
                            <br>
                                                             Hi,<br>
                            <br>
                                                             I&#39;ve 2
                            applications installed with<br>
                                            Picketlink<br>
                                                             SPFilter to
                            authenticate with keycloak<br>
                                            1.1.0 beta 2.<br>
                            <br>
                                                             When i
                            perform global logout, first<br>
                                            application was<br>
                                                             logged out
                            successfully because<br>
                                            SP/keycloak session<br>
                                                             and
                            application http session are<br>
                                            removed but the<br>
                                                             problem is
                            second<br>
                                                             application
                            SP/keycloak session is<br>
                                            removed but<br>
                                                             application
                            http session is still<br>
                                            remained. I&#39;ve set<br>
                                                             admin url
                            for these 2 applications in<br>
                                            keycloak admin<br>
                                                             console.
                            Kindly share your ideas.<br>
                            <br>
                            <br>
                            <br>
                            <br>
                                           
                            _________________________________________________<br>
                                                           
                             keycloak-user mailing list<br>
                                            <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                                            &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;<br>
                                            &lt;mailto:<a href="mailto:keycloak-user@lists." target="_blank">keycloak-user@lists.</a>__<a href="http://jboss.org" target="_blank">jboss.org</a><br>
                                            &lt;mailto:<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>&gt;&gt;<br>
                                            <a href="https://lists.jboss.org/__mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/__mailman/listinfo/keycloak-user</a><br>
                                            &lt;<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a>&gt;<br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                            <br>
                                --<br>
                                Bill Burke<br>
                                JBoss, a division of Red Hat<br>
                                <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
                            <br>
                          </blockquote>
                          <br>
                          -- <br>
                          Bill Burke<br>
                          JBoss, a division of Red Hat<br>
                          <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
                        </blockquote>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          </div></div></blockquote></div></div></div></blockquote></div><div class="gmail_signature"><div dir="ltr"><div style="text-align:left"><br></div></div></div>
</div></div></div>