<div dir="ltr">Hi,<div><br></div><div>Unfortunately I cannot use picketlink binding adapters because my application is running on websphere and we are not allowed to use keycloak proxy. I guess the only way is to use SP Filter. Can someone advise an alternative/solution to clear the web application session after global logout is performed?<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 4:47 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Nope, it's using the proper picketlink
binding adapters (ServiceProviderAuthenticator valve on EAP6 and
SPServletExtension on Wildfly). If you have opportunity to use
those instead of SPFilter, it may be better though. I am not sure
if Picketlink SPFilter is not deprecated (or if it supports all
the features like binding adapters). Maybe Bill or Pedro knows
more.<span class=""><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
<br>
On 7.4.2015 10:41, Chen Keong Yap wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr"><br>
<div><br>
</div>
<div>
<div><?xml version="1.0" encoding="ISO-8859-1"?></div>
<div><br>
</div>
<div>Hi,</div>
<div><br>
</div>
<div>I cannot find the spfilter definition in web.xml of the
sample demo. Just wondering is the demo running on SP
filter?</div>
<div><br>
</div>
<div><!DOCTYPE web-app</div>
<div> PUBLIC "-//Sun Microsystems, Inc.//DTD Web
Application 2.3//EN"</div>
<div> "<a href="http://java.sun.com/dtd/web-app_2_3.dtd" target="_blank">http://java.sun.com/dtd/web-app_2_3.dtd</a>"></div>
<div><br>
</div>
<div><web-app></div>
<div><br>
</div>
<div><span style="white-space:pre-wrap"> </span><filter></div>
<div><span style="white-space:pre-wrap"> </span><filter-name>SPFilter</filter-name></div>
<div><span style="white-space:pre-wrap"> </span><filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class></div>
<div><span style="white-space:pre-wrap"> </span><init-param></div>
<div><span style="white-space:pre-wrap"> </span><param-name>IGNORE_SIGNATURES</param-name></div>
<div><span style="white-space:pre-wrap"> </span><param-value>true</param-value></div>
<div><span style="white-space:pre-wrap"> </span></init-param></div>
<div><span style="white-space:pre-wrap"> </span><init-param></div>
<div><span style="white-space:pre-wrap"> </span><param-name>ROLES</param-name></div>
<div><span style="white-space:pre-wrap"> </span><param-value>PRUONE</param-value></div>
<div><span style="white-space:pre-wrap"> </span></init-param></div>
<div><span style="white-space:pre-wrap"> </span><init-param></div>
<div><span style="white-space:pre-wrap"> </span><param-name>LOGOUT_PAGE</param-name></div>
<div><span style="white-space:pre-wrap"> </span><param-value>/logout1.jsp</param-value></div>
<div><span style="white-space:pre-wrap"> </span></init-param></div>
<div><span style="white-space:pre-wrap"> </span></filter></div>
<div><span style="white-space:pre-wrap"> </span><filter-mapping></div>
<div><span style="white-space:pre-wrap"> </span><filter-name>SPFilter</filter-name></div>
<div><span style="white-space:pre-wrap"> </span><url-pattern>/*</url-pattern></div>
<div><span style="white-space:pre-wrap"> </span></filter-mapping></div>
<div></web-app></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Apr 7, 2015 at 3:20 PM, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>The demo is bundled in keycloak-appliance-dist ZIP
in directory examples/saml . <br>
<br>
The demo sources are here: <a href="https://github.com/keycloak/keycloak/tree/master/examples/saml" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/saml</a><span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 7.4.2015 02:37, Chen Keong Yap wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<p dir="ltr">Hi bill,</p>
<p dir="ltr">Can you give me the link or path for
the demo? Not sure if you are using keycloak or
picketlink demo for testing? </p>
<div class="gmail_quote">On Apr 6, 2015 9:20 PM,
"Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Demos
work fine for me, but I'm using the wildfly
Picketlink SP adapter. I am able to have an
SSO session with all the examples, then I am
able to logout and have all sessions
invalidated.<br>
<br>
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi bill,<br>
<br>
Are you using 2 applications for testing?<br>
<br>
If yes, I need to know: have you logged out of the
first application and then been<br>
redirected to the keycloak login page? After that,
did refreshing the second<br>
application redirect to the keycloak login
page?<br>
<br>
Can I know which version of the picketlink
federation lib you are using?<br>
<br>
On Apr 6, 2015 8:56 PM, "Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
wrote:<br>
<br>
I tried out the saml demo app and logout
works just fine, so I'm<br>
guessing this is a bug in the PL SP
Filter.<br>
<br>
On 4/6/2015 6:47 AM, Chen Keong Yap
wrote:<br>
<br>
Hi bill,<br>
<br>
Global logout only removed sp
sessions but not web application<br>
sessions<br>
and this created security loopholes.<br>
<br>
Please advise<br>
<br>
On Mon, Apr 6, 2015 at 6:41 AM, Chen
Keong Yap<br>
<<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>><br>
wrote:<br>
<br>
Guys,<br>
<br>
Can you share your ideas on why global
logout is not working?<br>
<br>
On Apr 3, 2015 3:47 PM, "Chen
Keong Yap"<br>
<<a href="mailto:chenkeong.yap@izeno.com" target="_blank">chenkeong.yap@izeno.com</a>><br>
wrote:<br>
<br>
Hi Marek,<br>
<br>
I've just tested
backchannel logout and it's showing<br>
same issue.<br>
Both applications are using
PL SP Filter and the steps<br>
below are<br>
used for testing.<br>
<br>
1. Open <a href="https://localhost:8443/employee/" target="_blank">https://localhost:8443/employee/</a><br>
and the HTTP request is<br>
redirected to<br>
<a href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml" target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a><br>
<br>
2. Enter username and
password into keycloak login page and<br>
redirected to employee
landing page<br>
<br>
3. Open <a href="https://localhost:8443/sales-post/" target="_blank">https://localhost:8443/sales-post/</a><br>
and redirected to the<br>
sales-post landing page
without login<br>
<br>
4. Logon to keycloak admin
console and noticed there are 2<br>
active sessions<br>
<br>
5. Perform global logout
from employee landing page<br>
(<a href="https://localhost:8443/employee/?GLO=true" target="_blank">https://localhost:8443/employee/?GLO=true</a>)
and the HTTP request is<br>
redirected to<br>
<a href="https://localhost:8443/auth/realms/saml-demo-1/protocol/saml" target="_blank">https://localhost:8443/auth/realms/saml-demo-1/protocol/saml</a><br>
<br>
6. Logon to keycloak admin
console and noticed all<br>
sessions are gone<br>
<br>
7. Refresh the sales-post
landing page and it's not<br>
redirected to the<br>
keycloak login page.
The sales-post session is still active.<br>
<br>
Kindly advise why GLO is
performed but the second<br>
application<br>
(sales-post) session is still
active?<br>
<br>
On Fri, Apr 3, 2015 at 3:36
PM, Marek Posolda<br>
<<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>><br>
wrote:<br>
<br>
Switch the "Front
channel logout" to off. In this<br>
case it<br>
should use backchannel
(not redirecting through<br>
browser, but<br>
sending logout requests
from Keycloak in background)<br>
<br>
Marek<br>
<br>
<br>
<br>
On 3.4.2015 08:28, Chen
Keong Yap wrote:<br>
<br>
<br>
Hi Marek,<br>
<br>
I've tried
frontChannel logout in 1.2.0.Beta1<br>
and it's<br>
giving me the same
issues, please refer to the<br>
settings<br>
shown in the screen
shot.<br>
<br>
Can you please
advise how to test backchannel<br>
logout?<br>
<br>
<br>
Inline image 1<br>
<br>
<br>
<br>
On Fri, Apr 3, 2015
at 1:50 PM, Marek Posolda<br>
<<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>><br>
wrote:<br>
<br>
I would try to
upgrade to latest<br>
1.2.0.Beta1 as it has<br>
some related
fixes AFAIK.<br>
<br>
In this
version, you have also possibility<br>
to setup<br>
either
frontChannel logout or backchannel<br>
logout for<br>
the
application. It could be set in<br>
Keycloak admin<br>
console. I
think that at least one of them<br>
will work<br>
with SP filter
in latest version (if not both).<br>
<br>
Marek<br>
<br>
<br>
On 3.4.2015
01:44, Chen Keong Yap wrote:<br>
<br>
Hi,<br>
<br>
I've 2
applications installed with<br>
Picketlink<br>
SPFilter to
authenticate with keycloak<br>
1.1.0 beta 2.<br>
<br>
When I
perform global logout, the first<br>
application was<br>
logged out
successfully because the<br>
SP/keycloak session<br>
and
application http session are<br>
removed, but the<br>
problem is the
second<br>
application's
SP/keycloak session is<br>
removed but the<br>
application
http session still<br>
remains. I've set the<br>
admin url
for these 2 applications in the<br>
keycloak admin<br>
console.
Kindly share your ideas.<br>
<br>
<br>
<br>
<br>
_________________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
<br>
</blockquote>
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div></div></blockquote></div></div></div></blockquote></div><div class="gmail_signature"><div dir="ltr"><div style="text-align:left"><br></div></div></div>
</div></div></div>
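The opening question asks how to clear the web application session after a global logout when only the SP/Keycloak session is removed. As an added example that is not code from this thread, from PicketLink or from Keycloak, the servlet-container helper below keeps each HttpSession keyed by the SAML SessionIndex issued at login and invalidates it when a backchannel LogoutRequest names that index; the SamlSessionRegistry class, its register hook and the saml.sessionIndex attribute name are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

// Hypothetical helper (not PicketLink or Keycloak code): keeps container sessions keyed by the
// SAML SessionIndex issued at login so a backchannel LogoutRequest can invalidate the matching
// HttpSession, not only the SP session. Declare it as a <listener> in web.xml.
public final class SamlSessionRegistry implements HttpSessionListener {
    private static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String ATTR = "saml.sessionIndex"; // assumed attribute name
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();
    // Assumed hook: the application calls this once after the SP filter has authenticated it.
    public static void register(String sessionIndex, HttpSession session) {
        session.setAttribute(ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }
    // Invalidate every session named in a signature-verified LogoutRequest; returns how many.
    public static int logout(byte[] logoutRequestXml) throws Exception {
        int count = 0;
        for (String idx : sessionIndexes(logoutRequestXml)) {
            HttpSession s = BY_INDEX.remove(idx);
            if (s == null) continue;                  // unknown or already expired index
            try { s.invalidate(); count++; } catch (IllegalStateException alreadyGone) { }
        }
        return count;
    }
    // Extract each <samlp:SessionIndex> value with DTDs and external entities disabled.
    static List<String> sessionIndexes(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml))
                          .getElementsByTagNameNS(SAMLP, "SessionIndex");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }
    @Override public void sessionCreated(HttpSessionEvent e) { }
    // Drop the entry when the container expires a session on its own, so the map never leaks.
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        Object idx = e.getSession().getAttribute(ATTR);
        if (idx != null) BY_INDEX.remove(idx);
    }
}
```

Call logout only on a LogoutRequest whose signature has already been validated; the quoted web.xml sets IGNORE_SIGNATURES to true, which by its name skips that validation, so an unsigned request would otherwise end any session whose index it names.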