Make sure that the SP and IDP metadata files both have a post binding in
there for single logout service. That's the only thing I can think of.
Maybe mellon just doesn't support it. The example file in the mellon
doc uses redirect for logout. *shrug*
Bill:
mod_auth_mellon *only* supports the HTTP-Redirect binding for issuing
logout requests to the IdP. The reason is simple, mellon as an apache
module does not have a mechanism for POST'ing a request to another
location while it's processing a request. As such it relies on redirects
to get the logout request to the IdP.
The problem is the metadata returned by Keycloak only includes a
SingleLogoutService with the HTTP-POST binding.
Others have tested changing the binding in the IdP metadata to
HTTP-Redirect and retaining the same URL endpoint (see below and others
have done the same). It works. Therefore it seems like there is no
reason for Keycloak not to support SingleLogoutService with the
HTTP-Redirect binding. Seems like this would be a trivial edit to the
metadata generator.
Agreed? Should we open a bug?
John
On 1/18/2016 5:58 AM, Michal Hajas wrote:
> Maybe I configured something wrongly. Do you have any ideas what? Mellon somehow
> thinks that keycloak doesn't support it so it doesn't even try.
>
> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, January 15, 2016 3:02:17 PM
> Subject: Re: [keycloak-dev] mod_auth_mellon
>
> Looks like its on the auth mellon side as I don't see any request after:
> /mellon/logout?ReturnTo=/
>
>
>
> On 1/15/2016 3:57 AM, Michal Hajas wrote:
>
> I can't see anything even in console log.
>
> I enclosed whole process of login and logout in network tab.
>
> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Michal Hajas" <mhajas(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, January 14, 2016 5:01:30 PM
> Subject: Re: [keycloak-dev] mod_auth_mellon
>
> You can probably see a trace in your browser console?
>
> On 1/14/2016 10:21 AM, Michal Hajas wrote:
>
> Actually, I am not sure but it looks like not. There is nothing in both keycloak
> server log and events in admin console.
>
> Michal.
>
> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, January 14, 2016 3:28:36 PM
> Subject: Re: [keycloak-dev] mod_auth_mellon
>
> Is mellon actually sending a logout request to Keycloak?
> Do you see any error message on the keycloak server side? We definitely support POST
> binding for logout.
> On 1/14/2016 8:34 AM, Michal Hajas wrote:
>
> Hi,
>
> I'm trying to run apache + mod_auth_mellon with keycloak as identity provider.
>
> Steps:
> 1. Install apache and mod_auth_mellon module
> 2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to
>    /mellon directory
> 3. Download idp_metadata.xml from
>    keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory
> 4. Configure auth_mod_mellon with enclosed file auth_mellon.conf
> 5. Create client in keycloak from xml file generated in step 2 (There must be enabled
>    Sign Documents, Sign Assertions signing and Force POST Binding)
>
> Login works, when I access /auth, mellon redirects me to keycloak and after successful
> login it redirects me back to protected resource.
>
> Problem:
> I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it
> doesn't destroy session in keycloak and in apache's error log there is:
> Current identity provider does not support single logout. Destroying local session
> only.
>
> Only way I was able to log out is change
>
> <SingleLogoutService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
>
> to
>
> <SingleLogoutService
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>     Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
>
> POST -> Redirect
>
> in idp_metadata.xml and set "Logout Service Redirect Binding URL" to
> http://localhost/mellon/logout in admin console.
>
> Is it correct or it should work with POST binding too?
>
> Thank you,
> Michal.
>
>
> _______________________________________________
> keycloak-dev mailing list keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
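The workaround the thread converges on (advertise a SingleLogoutService with the HTTP-Redirect binding at the same Location as the HTTP-POST one, so mellon stops concluding that the IdP "does not support single logout") is easy to get wrong by hand-editing XML. Below is a small script that does it mechanically. It is an example added here, not code from the thread, from Keycloak or from mod_auth_mellon. It uses only Python's standard-library ElementTree; the sample metadata is constructed to mirror the descriptor Michal quoted, and the function names (`slo_bindings`, `add_redirect_slo`, `is_signed`) are mine. It adds the Redirect entry rather than replacing the POST one, so an IdP-initiated logout delivered by POST keeps a matching endpoint, and it refuses to touch a document that carries an XML signature, since any edit would invalidate it.

```python
"""Inspect and patch SingleLogoutService bindings in SAML 2.0 IdP metadata.

Added example (not Keycloak or mod_auth_mellon code). Demonstrates the
POST -> Redirect single-logout workaround discussed on keycloak-dev.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Keep the conventional "md:" prefix when serialising instead of ns0:.
ET.register_namespace("md", MD_NS)

# Constructed sample, modelled on the descriptor quoted in the thread
# (Keycloak's descriptor advertises only the HTTP-POST logout binding).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8080/auth/realms/mellon-test">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_bindings(metadata_xml: str) -> dict:
    """Map binding URI -> Location for each SingleLogoutService in the IdP role."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleLogoutService"
    return {slo.get("Binding"): slo.get("Location") for slo in root.iterfind(path)}


def supports_redirect_logout(metadata_xml: str) -> bool:
    """True if the IdP advertises a logout endpoint mellon can actually use."""
    return REDIRECT in slo_bindings(metadata_xml)


def is_signed(metadata_xml: str) -> bool:
    """True if the metadata carries an enveloped ds:Signature anywhere."""
    root = ET.fromstring(metadata_xml)
    return root.find(f".//{{{DS_NS}}}Signature") is not None


def add_redirect_slo(metadata_xml: str) -> str:
    """Return metadata with an HTTP-Redirect SingleLogoutService added.

    The new element reuses the Location of the existing HTTP-POST element
    (the thread reports the same URL works for both). The POST element is
    kept. No-op if a Redirect binding is already present.
    """
    if is_signed(metadata_xml):
        raise ValueError("metadata is signed; editing it would break the signature")
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    post_slo = None
    for slo in idp.iterfind(f"{{{MD_NS}}}SingleLogoutService"):
        if slo.get("Binding") == REDIRECT:
            return metadata_xml  # already advertised, nothing to do
        if slo.get("Binding") == POST:
            post_slo = slo
    if post_slo is None:
        raise ValueError("no HTTP-POST SingleLogoutService to derive an endpoint from")

    new = ET.Element(f"{{{MD_NS}}}SingleLogoutService",
                     {"Binding": REDIRECT, "Location": post_slo.get("Location")})
    # The metadata schema orders SingleLogoutService before SingleSignOnService,
    # so insert right after the existing POST element to stay schema-valid.
    idp.insert(list(idp).index(post_slo) + 1, new)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    print("before:", slo_bindings(src))
    patched = add_redirect_slo(src)
    print("after: ", slo_bindings(patched))
    print(patched)
```

Run it as `python patch_slo.py idp_metadata.xml > idp_metadata_patched.xml` and point `MellonIdPMetadataFile` at the patched copy; the "Logout Service Redirect Binding URL" on the Keycloak client still has to be set by hand, as Michal describes, because that is client-side configuration, not something the IdP metadata carries.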