I don't like the idea of a prompt to the user. I'd rather have a configuration
option on IdP to select when logout should be propagated:
* Always
* Only if used as log-in mechanism
* Never
Same goes for the other way around (user logs out of SalesForce).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Marek Posolda" <mposolda(a)redhat.com>, "Stian Thorgersen"
<stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 26 March, 2015 12:18:48 AM
Subject: Re: [keycloak-dev] social/broker errors
On 3/25/2015 12:23 PM, Marek Posolda wrote:
> On 25.3.2015 16:27, Bill Burke wrote:
>> So Salesforce IDP is the "parent" and Keycloak is the child?
> Yes
>> I think Salesforce IDP should be logged out as well, because think
>> of it this way
>>
>> 1. user logs out of keycloak app, but doesn't get logged out of
>> Salesforce
>> 2. user goes away from machine
>> 3. Attacker sits down at desk
>> 4. Attacker visits keycloak app
>> 5. Still logged in at Salesforce, so keycloak app has a successful
>> login due to SSO.
> I see the point. However if you consider scenario like:
>
> 1. I am logged in salesforce.com and doing some important transactions
> there
> 2. Now I clicked to different browser tab and want to quickly check
> something in some keycloak-secured-app. I logged-in to the app through
> Keycloak + Salesforce broker
> 3. I checked calendar, clicked "logout" in Zimbra and I want to continue
> back in Salesforce. But I am logged out from Salesforce... :-(
>
>
> The prompt makes sense to me. At least for the cases when user was
> logged in before. But not sure if there is a way to track this (In case
> that Keycloak itself is parent broker, we can check if auth-method was
> FORM (user just logged in) or SSO (user was already logged before)), but
> that would require propagating this info from parent broker to child
> broker too. Maybe easiest is to always display prompt?
>
What should the prompt say? User will have no idea what it means by
"Should I logout of parent broker?"
Maybe "Logout of <broker> too?"
i.e.
"Logout of Salesforce too?"
"Logout of Facebook too?"
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
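To show how the three propagation options proposed at the top of this thread ("Always", "Only if used as log-in mechanism", "Never") behave against the two scenarios Bill and Marek describe, here is a small simulation. It is an added example, not code from the thread or from Keycloak itself; the class names, the `FORM`/`SSO` markers and the policy names are assumptions chosen for illustration. It also assumes what Marek says would be needed in the brokered case: that the child broker learns whether the parent IdP reused an existing session (SSO) or made the user log in (FORM).

```python
from enum import Enum


class LogoutPolicy(Enum):
    """The three options proposed for propagating logout to the parent IdP (assumed names)."""
    ALWAYS = "always"
    IF_LOGIN_MECHANISM = "only-if-used-as-login-mechanism"
    NEVER = "never"


class ParentIdp:
    """Parent IdP (Salesforce in the thread): owns the user's SSO session."""

    def __init__(self):
        self.sessions = set()  # users with an active session at the parent

    def authenticate(self, user):
        """Return "SSO" if an existing session was reused, "FORM" if the user had to log in."""
        if user in self.sessions:
            return "SSO"
        self.sessions.add(user)
        return "FORM"

    def logout(self, user):
        self.sessions.discard(user)

    def logged_in(self, user):
        return user in self.sessions


class ChildBroker:
    """Keycloak as child/broker: records how each user authenticated at the parent."""

    def __init__(self, parent, policy):
        self.parent = parent
        self.policy = policy
        self.sessions = {}  # user -> "FORM" or "SSO" (propagated from the parent, assumed)

    def login(self, user):
        self.sessions[user] = self.parent.authenticate(user)
        return self.sessions[user]

    def logout(self, user):
        """Terminate the local session; return True if logout was propagated to the parent."""
        method = self.sessions.pop(user, None)
        if method is None:
            return False
        propagate = self.policy is LogoutPolicy.ALWAYS or (
            self.policy is LogoutPolicy.IF_LOGIN_MECHANISM and method == "FORM"
        )
        if propagate:
            self.parent.logout(user)
        return propagate


def attacker_scenario(policy):
    """Bill's case: user logs in to the Keycloak app via the broker, logs out, leaves the
    machine; someone else revisits the app. Returns True if that revisit would succeed
    silently through SSO, i.e. the parent session survived the logout."""
    parent = ParentIdp()
    broker = ChildBroker(parent, policy)
    broker.login("alice")   # no parent session yet -> FORM login at Salesforce
    broker.logout("alice")
    return parent.logged_in("alice")


def interrupted_work_scenario(policy):
    """Marek's case: user is already working in Salesforce, logs in to a Keycloak app via
    the broker, logs out of that app. Returns True if the Salesforce session survived."""
    parent = ParentIdp()
    broker = ChildBroker(parent, policy)
    parent.authenticate("alice")  # already logged in at Salesforce
    broker.login("alice")         # parent session reused -> SSO
    broker.logout("alice")
    return parent.logged_in("alice")


def evaluate(policy):
    """Summarise one policy: does it block the walk-away attack, and does it keep Marek's session?"""
    return {
        "blocks_walk_away_attack": not attacker_scenario(policy),
        "keeps_existing_salesforce_session": interrupted_work_scenario(policy),
    }


if __name__ == "__main__":
    for policy in LogoutPolicy:
        print(policy.value, evaluate(policy))
```

Running it shows the trade-off in one table: "Always" blocks the walk-away attack but kills the session Marek was working in, "Never" keeps that session but leaves the parent SSO session usable by whoever sits down next, and "Only if used as log-in mechanism" does both, at the cost of needing the auth-method information from the parent broker.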