On 10/7/2014 8:38 AM, Bill Burke wrote:
>>>
>>> SAML has out-of-band logout requests too. At least that's what I think
>>> Pedro told me.
>>>
>>
>> For Picketlink SAML SPs, you either do a browser redirect protocol to
>> each SP for Single Log out, or you do an out of band logout request to
>> the SP. PL SAML SP adapter currently has the same problem as us in a
>> cluster. They keep an in-memory map between username and http session.
>
> Would it make sense to add redirect logout as well? Then you can set in the admin
> console which logout mechanism you want (none, redirect or out-of-band request?)
>
Yes. I'm going to do that. I need to add logout to the protocol SPI.
IMO, logouts via redirects are really ugly and you don't really need a
redirect logout for keycloak.js clients. With the iframe hack OpenID
Connect has (and we implemented), you can just check if the user is
logged out when a UI event happens.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com