Is it about maintaining an Infinispan cache on the adapter side? I would rather
avoid this if possible. It's another step needed for setup and IMO a
possible source of trouble (especially in cluster environments).
Isn't it better to start the HttpSession on the adapter even before SAML
authentication and transmit the HttpSessionID to the auth-server in the SAMLRequest
for login? Then the auth-server will receive the SAMLRequest and save the
HttpSessionID to the CLIENT_SESSION_STATE note on the ClientSession (similarly
to what is done for OIDC). Then the server knows the HttpSessionId and backchannel
logout isn't an issue.
Marek
On 14/09/15 17:52, Bill Burke wrote:
I'm running into a problem implementing backchannel logout for our new
SAML SP. SAML has no way of transmitting client-specific session
information that I can tell. So, I need some way of associating an
auth-server specific session index and the Principal so that I can look
up an Http Session and invalidate it based on one of those parameters.
We're gonna have the same exact problems when we implement the OIDC
equivalent specifics (these are new BTW).
I'm thinking of writing a simple Infinispan cache that associates
principals/session-indexes to http session ids and have it reusable
between SAML and OIDC adapters.
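The registry Bill describes (principal and session index mapped to HTTP session IDs, reusable by the SAML and OIDC adapters), as an added illustration written for this thread and not code from Keycloak: a plain in-memory version with the session-expiry cleanup such a cache needs so entries don't leak. The class name, the `Consumer<String>` invalidator and all method names are assumptions.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;

/** Hypothetical adapter-side registry: auth-server session index and principal -> HTTP session IDs,
 *  so a backchannel logout identified by either one can find the HttpSessions to invalidate. */
public final class LogoutSessionRegistry {
    private final Map<String, Set<String>> bySessionIndex = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> byPrincipal = new ConcurrentHashMap<>();
    // reverse index so session expiry can clean up the two maps above
    private final Map<String, String[]> byHttpSession = new ConcurrentHashMap<>();

    /** Record a finished login; call once the adapter has both the HttpSession and the assertion. */
    public void register(String httpSessionId, String sessionIndex, String principal) {
        byHttpSession.put(httpSessionId, new String[] {sessionIndex, principal});
        bySessionIndex.computeIfAbsent(sessionIndex, k -> ConcurrentHashMap.newKeySet()).add(httpSessionId);
        byPrincipal.computeIfAbsent(principal, k -> ConcurrentHashMap.newKeySet()).add(httpSessionId);
    }

    /** Call from HttpSessionListener.sessionDestroyed() so expired sessions do not leave stale entries. */
    public void unregister(String httpSessionId) {
        String[] keys = byHttpSession.remove(httpSessionId);
        if (keys == null) return;
        drop(bySessionIndex, keys[0], httpSessionId);
        drop(byPrincipal, keys[1], httpSessionId);
    }

    /** Logout by SessionIndex hits one login; logout by principal hits every login of that user.
     *  Both return how many HTTP sessions were handed to the invalidator. */
    public int logoutBySessionIndex(String sessionIndex, Consumer<String> invalidator) {
        return logout(bySessionIndex.getOrDefault(sessionIndex, Collections.emptySet()), invalidator);
    }
    public int logoutByPrincipal(String principal, Consumer<String> invalidator) {
        return logout(byPrincipal.getOrDefault(principal, Collections.emptySet()), invalidator);
    }

    private int logout(Set<String> ids, Consumer<String> invalidator) {
        int n = 0;
        for (String id : ids.toArray(new String[0])) { // copy: unregister() mutates the live set
            invalidator.accept(id); // e.g. look up the HttpSession by ID and call invalidate()
            unregister(id);
            n++;
        }
        return n;
    }

    private static void drop(Map<String, Set<String>> index, String key, String httpSessionId) {
        index.computeIfPresent(key, (k, ids) -> { ids.remove(httpSessionId); return ids.isEmpty() ? null : ids; });
    }
}
```

In a cluster these maps would have to live in a replicated store such as the Infinispan cache under discussion, which is exactly the extra setup and failure mode Marek's objection is about; the session-ID-in-SAMLRequest approach avoids keeping any adapter-side state at all.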