----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Bill Burke"
<bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 7 October, 2014 9:38:07 AM
Subject: Re: [keycloak-dev] Session SPI for adapters
On 7.10.2014 08:13, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 6 October, 2014 8:38:01 PM
>> Subject: Re: [keycloak-dev] Session SPI for adapters
>>
>>
>>
>> On 10/6/2014 10:28 AM, Bill Burke wrote:
>>>
>>> On 10/6/2014 9:58 AM, Marek Posolda wrote:
>>>> On 6.10.2014 15:26, Bill Burke wrote:
>>>>>
>>>>> A few more things:
>>>>>
>>>>> Stian made a good point that any extensions we do have to be
>>>>> compatible with non-keycloak pure OIDC adapters. The thing is though,
>>>>> OIDC doesn't have a logout request like SAML does. I'll ping Pedro to
>>>>> see if session information can be extracted from a logout request.
>>>>>
>>>> AFAIR SAML single sign-out is based on a chain of browser redirections to
>>>> all apps where you are logged in. No "out-of-band" requests. At least
>>>> that's how picketlink is doing it afaik (not 100% sure and not sure about
>>>> SAML specs). So in this case the logout request is browser-based and has
>>>> access to the JSESSIONID cookie. Hence there is no need to maintain
>>>> sessionId in keycloak or any state on adapters as well. I am not 100%
>>>> sure (will try to doublecheck..)
>>>>
>>> SAML has out-of-band logout requests too. At least that's what I think
>>> Pedro told me.
>>>
>> For Picketlink SAML SPs, you either do a browser redirect protocol to
>> each SP for Single Log out, or you do an out-of-band logout request to
>> the SP. PL SAML SP adapter currently has the same problem as us in a
>> cluster. They keep an in-memory map between username and http session.
> Would it make sense to add redirect logout as well? Then you can set in the
> admin console which logout mechanism you want (none, redirect or
> out-of-band request?)
For me it makes sense. Regarding SAML, I looked briefly and the specs
support both redirect and out-of-band. Redirect seems to be preferred
according to SAML-Profiles-2.0, section 4.4.3.1:
"The identity provider SHOULD then propagate any required logout
messages to additional session participants as required using either a
synchronous or asynchronous binding. The use of an asynchronous binding
for the original request is preferred because it gives the identity
provider the best chance of successfully propagating the logout to the
other session participants during step 3."
By asynchronous binding it's meant to propagate the request through the browser.
It seems that supporting redirect will be good. Even if picketlink SP
has some possible solution for out-of-band (which is not cluster-aware),
for interoperability with other 3rd party SAML SPs redirect might be the
only possibility.
I was wondering about adding an option to keycloak.js to allow storing the tokens in HTML5
session storage. Currently we don't store the tokens, but instead start a new client
session every time the screen is refreshed. If we added this logout redirect feature, that
would make it possible to remove these tokens on logout as well.
Marek
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
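As an added example (not code from this thread, from Keycloak or from PicketLink), a Python sketch of the two SP-side logout paths discussed above: a front-channel (redirect) LogoutRequest arrives with the browser's JSESSIONID cookie and needs no adapter-side state, while an out-of-band request has to be resolved through a SessionIndex map that exists only on the node where the login happened, which is why it misses in a cluster. Element and namespace names follow SAML 2.0; the SpNode class, the sample LogoutRequest and the session ids are constructed, and signature validation is omitted.

```python
import xml.etree.ElementTree as ET
# XML namespaces used by SAML 2.0 LogoutRequest messages.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_logout_request(xml_text):
    """Return (NameID, SessionIndex) from a LogoutRequest; signature checks omitted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    index = root.find("samlp:SessionIndex", NS)
    return (name_id.text if name_id is not None else None,
            index.text if index is not None else None)

class SpNode:
    """One cluster node of a hypothetical SAML SP adapter; all state is node-local."""
    def __init__(self):
        self.http_sessions = {}   # JSESSIONID -> logged-in user
        self.index_map = {}       # SessionIndex -> JSESSIONID, in-memory, not replicated

    def login(self, jsessionid, user, session_index):
        self.http_sessions[jsessionid] = user
        self.index_map[session_index] = jsessionid

    def front_channel_logout(self, request_xml, cookies):
        """Redirect binding: the browser brings its cookie, so no lookup state is needed."""
        name_id, _ = parse_logout_request(request_xml)
        sid = cookies.get("JSESSIONID")
        if self.http_sessions.get(sid) != name_id:   # cookie must belong to the subject
            return False
        del self.http_sessions[sid]
        return True

    def back_channel_logout(self, request_xml):
        """Out-of-band binding: no cookie, so SessionIndex is resolved via the local map."""
        _, session_index = parse_logout_request(request_xml)
        sid = self.index_map.pop(session_index, None)
        return self.http_sessions.pop(sid, None) is not None

# Constructed sample LogoutRequest (not taken from the thread).
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2014-10-07T09:38:07Z"><saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>_idx1</samlp:SessionIndex></samlp:LogoutRequest>"""

def demo():
    """Login on node A; out-of-band logout hits node B and misses, the redirect succeeds."""
    node_a, node_b = SpNode(), SpNode()
    node_a.login("JS1", "alice", "_idx1")
    missed = node_b.back_channel_logout(LOGOUT_REQUEST)
    hit = node_a.front_channel_logout(LOGOUT_REQUEST, {"JSESSIONID": "JS1"})
    return missed, hit   # (False, True)
```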