Make sure that the SP and IDP metadata files both have a post binding in
there for single logout service. That's the only thing I can think of.
Maybe mellon just doesn't support it. The example file in the mellon
doc uses redirect for logout. *shrug*
On 1/18/2016 5:58 AM, Michal Hajas wrote:
Maybe I configured something wrongly. Do you have any ideas what?
Mellon somehow thinks that keycloak doesn't support it, so it doesn't even try.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 15, 2016 3:02:17 PM
Subject: Re: [keycloak-dev] mod_auth_mellon
Looks like it's on the auth mellon side, as I don't see any request after:
/mellon/logout?ReturnTo=/
On 1/15/2016 3:57 AM, Michal Hajas wrote:
I can't see anything even in console log.
I enclosed the whole process of login and logout in the network tab.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Michal Hajas" <mhajas(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, January 14, 2016 5:01:30 PM
Subject: Re: [keycloak-dev] mod_auth_mellon
You can probably see a trace in your browser console?
On 1/14/2016 10:21 AM, Michal Hajas wrote:
Actually, I am not sure, but it looks like it is not. There is nothing in either the keycloak
server log or the events in the admin console.
Michal.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, January 14, 2016 3:28:36 PM
Subject: Re: [keycloak-dev] mod_auth_mellon
Is mellon actually sending a logout request to Keycloak?
Do you see any error message on the keycloak server side? We definitely support POST
binding for logout.
On 1/14/2016 8:34 AM, Michal Hajas wrote:
Hi,
I'm trying to run apache + mod_auth_mellon with keycloak as identity provider.
Steps:
1. Install apache and mod_auth_mellon module
2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to
/mellon directory
3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor
and copy it to /mellon directory
4. Configure auth_mod_mellon with enclosed file auth_mellon.conf
5. Create client in keycloak from xml file generated in step 2 (There must be enabled
Sign Documents, Sign Assertions signing and Force POST Binding)
Login works: when I access /auth, mellon redirects me to keycloak, and after successful
login it redirects me back to the protected resource.
Problem:
I'm not able to log out. When I access localhost/mellon/logout?ReturnTo=/, it
doesn't destroy the session in keycloak, and in apache's error log there is:
Current identity provider does not support single logout. Destroying local session only.
The only way I was able to log out is to change
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=
"http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
to
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=
"http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
POST -> Redirect
(POST -> Redirect) in idp_metadata.xml and set "Logout Service Redirect Binding URL" to
http://localhost/mellon/logout in the admin console.
Is this correct, or should it work with POST binding too?
Thank you,
Michal.
_______________________________________________
keycloak-dev mailing list keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
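Bill's suggestion at the top of the thread (check that the SP and IdP metadata both advertise a SingleLogoutService with the same binding) can be verified mechanically before touching the Apache configuration. The following script is an added example for this thread, not code from mod_auth_mellon or Keycloak: it parses SAML metadata with the standard library and lists the logout bindings the two sides have in common. The SP and IdP metadata strings are constructed for the example; the IdP entry mirrors the POST-binding SingleLogoutService quoted in Michal's first message, and the SP entity ID and the SPSSODescriptor layout are assumptions, not output of mellon_create_metadata.sh.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata. The SingleLogoutService entry mirrors the one quoted
# in the thread (HTTP-POST binding, Keycloak realm SAML endpoint).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8080/auth/realms/mellon-test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed SP metadata (entity ID is an assumption) that advertises only a
# Redirect logout endpoint, so it shares no logout binding with the IdP above.
SP_METADATA_REDIRECT_ONLY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost/mellon/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost/mellon/logout"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# The same constructed SP metadata with a POST logout endpoint added as well.
SP_METADATA_BOTH = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost/mellon/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost/mellon/logout"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost/mellon/logout"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def logout_endpoints(metadata_xml, role_descriptor):
    """Map binding URI -> Location for every SingleLogoutService found under the
    given role descriptor ('IDPSSODescriptor' or 'SPSSODescriptor')."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for role in root.iter("{%s}%s" % (MD_NS, role_descriptor)):
        for slo in role.findall("{%s}SingleLogoutService" % MD_NS):
            endpoints[slo.get("Binding")] = slo.get("Location")
    return endpoints


def common_logout_bindings(sp_xml, idp_xml):
    """Bindings for which both the SP and the IdP advertise a SingleLogoutService.
    An empty list means single logout cannot be negotiated from the metadata."""
    sp = logout_endpoints(sp_xml, "SPSSODescriptor")
    idp = logout_endpoints(idp_xml, "IDPSSODescriptor")
    return sorted(set(sp) & set(idp))


def verdict(sp_xml, idp_xml):
    """One-line summary suitable for a pre-deployment check."""
    common = common_logout_bindings(sp_xml, idp_xml)
    if not common:
        return "no common SingleLogoutService binding: only local logout possible"
    names = [b.rsplit(":", 1)[-1] for b in common]
    return "single logout possible via: " + ", ".join(names)


if __name__ == "__main__":
    print("redirect-only SP:", verdict(SP_METADATA_REDIRECT_ONLY, IDP_METADATA))
    print("SP with POST too:", verdict(SP_METADATA_BOTH, IDP_METADATA))
```

To use it against real files, read `/mellon/idp_metadata.xml` and the SP metadata produced by mellon_create_metadata.sh into the two strings instead of the constructed ones. The mapping keeps only the last Location per binding, which is enough to answer "is there any shared binding"; if a metadata file lists several endpoints for one binding, extend the values to lists.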