On 10/7/2014 2:13 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 6 October, 2014 8:38:01 PM
> Subject: Re: [keycloak-dev] Session SPI for adapters
>
>
>
> On 10/6/2014 10:28 AM, Bill Burke wrote:
>>
>>
>> On 10/6/2014 9:58 AM, Marek Posolda wrote:
>>> On 6.10.2014 15:26, Bill Burke wrote:
>>>>
>>>>
>>>> A few more things:
>>>>
>>>> Stian made a good point that any extensions we do have to be
>>>> compatible with non keycloak pure oidc adapters. The thing is though,
>>>> OIDC doesn't have a logout request like SAML does. I'll ping Pedro to
>>>> see if session information can be extracted from a logout request.
>>>>
>>> AFAIR SAML single-sign out is based on chain of browser redirections to
>>> all apps where you are logged. No "out-of-bound" requests. At least
>>> that's how picketlink is doing afaik (not 100% sure and not sure about
>>> SAML specs). So in this case logout request is browser-based and have
>>> access to JSESSIONID cookie. Hence there is no need to maintain
>>> sessionId in keycloak or any state on adapters as well. I am not 100%
>>> sure (will try to doublecheck..)
>>>
>>
>> SAML has out-of-band logout requests too. At least thats what I think
>> Pedro told me.
>>
>
> For Picketlink SAML SPs, you either do a browse redirect protocol to
> each SP for Single Log out, or you do an out of band logout request to
> the SP. PL SAML SP adapter currently has the same problem as us in a
> cluster. They keep an in-memory map between username and http session.

Would it make sense to add redirect logout as well? Then you can set in the admin console
which logout mechanism you want (none, redirect or out-of-band request?)

Yes. I'm going to do that. I need to add logout to the protocol SPI.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
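The thread above talks about two things an SP adapter needs for out-of-band (back-channel) single logout: pulling session information out of a SAML LogoutRequest, and the in-memory map between that session information and the local HTTP session, which is what breaks in a cluster. The following is an added illustration written for this page; it is not Keycloak or PicketLink code. It parses a constructed LogoutRequest (SAML 2.0 carries the user in `saml:NameID` and the IdP session in one or more `samlp:SessionIndex` elements), checks the Issuer against the expected IdP, and then shows why a per-node map fails when the logout request lands on a different cluster node than the one holding the session. The issuer URL, session ids and node names are made-up sample values, and signature verification is deliberately left out (a real adapter must verify the request signature before acting on it).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample IdP issuer (assumption, not a real deployment).
EXPECTED_ISSUER = "https://idp.example.test/saml"

# Constructed back-channel LogoutRequest; no Signature element (assumption).
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-1" Version="2.0" IssueInstant="2014-10-07T02:13:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  <samlp:SessionIndex>_sess-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_text, expected_issuer):
    """Return (name_id, [session_index, ...]) from a LogoutRequest.

    Raises ValueError if the root element is not a LogoutRequest or the
    Issuer does not match the IdP this SP trusts. Signature checking is
    out of scope here; in production parse with a hardened XML parser
    (e.g. defusedxml) and verify the signature before trusting anything.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    # SAML allows several SessionIndex elements in one LogoutRequest.
    session_indexes = [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]
    if name_id is None or not session_indexes:
        raise ValueError("LogoutRequest carries no NameID or SessionIndex")
    return name_id, session_indexes


class NodeSessionRegistry:
    """The per-node in-memory map the thread describes: SessionIndex -> HTTP session.

    Each cluster node has its own instance, which is exactly the problem:
    a back-channel logout only invalidates sessions known to the node that
    happened to receive it.
    """

    def __init__(self, node_name):
        self.node = node_name
        self._http_session_by_index = {}
        self.active_http_sessions = set()

    def register(self, session_index, http_session_id):
        """Called after a successful SAML login on this node."""
        self._http_session_by_index[session_index] = http_session_id
        self.active_http_sessions.add(http_session_id)

    def handle_backchannel_logout(self, xml_text, expected_issuer):
        """Invalidate local HTTP sessions named by the request; return their ids."""
        _name_id, session_indexes = parse_logout_request(xml_text, expected_issuer)
        invalidated = []
        for idx in session_indexes:
            http_session_id = self._http_session_by_index.pop(idx, None)
            if http_session_id is not None:
                self.active_http_sessions.discard(http_session_id)
                invalidated.append(http_session_id)
        return invalidated


def cluster_demo():
    """Two nodes; user logs in on node A, logout request arrives at node B."""
    node_a = NodeSessionRegistry("node-a")
    node_b = NodeSessionRegistry("node-b")
    node_a.register("_sess-42", "JSESSIONID-aaa")  # constructed session id
    # Request routed to the wrong node: nothing is found, session on A survives.
    missed = node_b.handle_backchannel_logout(SAMPLE_LOGOUT_REQUEST, EXPECTED_ISSUER)
    # Same request on the right node: the HTTP session is invalidated.
    hit = node_a.handle_backchannel_logout(SAMPLE_LOGOUT_REQUEST, EXPECTED_ISSUER)
    return missed, hit, sorted(node_a.active_http_sessions)


if __name__ == "__main__":
    print(cluster_demo())
```

The `cluster_demo` result makes the clustering point concrete: the node without the mapping returns nothing and the user stays logged in there, which is why a per-node map has to be replaced by shared state (or, as the thread proposes, by a front-channel redirect logout that reaches the browser and therefore the right JSESSIONID cookie).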