Re: [keycloak-dev] mod_auth_mellon

I can't see anything even in console log. I enclosed whole proccess of login and logout in network tab. ----- Original Message ----- From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Michal Hajas" <mhajas(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Thursday, January 14, 2016 5:01:30 PM Subject: Re: [keycloak-dev] mod_auth_mellon You can probably see a trace in your browser console? On 1/14/2016 10:21 AM, Michal Hajas wrote: > Actually, I am not sure but it looks like not. There is nothing in both keycloak server log and events in admin console. > > Michal. > > ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Thursday, January 14, 2016 3:28:36 PM > Subject: Re: [keycloak-dev] mod_auth_mellon > > Is mellon actually sending a logout request to Keycloak? > Do you see any error message on the keycloak server side? We definitely support POST binding for logout. > On 1/14/2016 8:34 AM, Michal Hajas wrote: > > > > Hi, > > I'm trying to run apache + mod_auth_mellon with keycloak as indentity provider. > > Steps: > 1. Install apache and mod_auth_mellon module > 2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory > 3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory > 4. Configure auth_mod_mellon with enclosed file auth_mellon.conf > 5. Create client in keycloak from xml file generated in step 2 (There must be enabled Sign Documents, Sign Assertions signing and Force POST Binding) > > Login works, when I access /auth, mellon redirect me to keycloak and after successful login it redirect me back to protected resource. > > Problem: > I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy session in keycloak and in apache's error log there is: > Current identity provider does not support single logout. Destroying local session only. > > Only way I was able to log out is change > > <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location= "http://localhost:8080/auth/realms/mellon-test/protocol/saml" /> > > to > > <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location= "http://localhost:8080/auth/realms/mellon-test/protocol/saml" /> > > POST -> Redirect > > in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console. > > Is it correct or it should work with POST binding too? > > Thank you, > Michal. > > > _______________________________________________ > keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev