On 2/10/2016 1:18 PM, John Dennis wrote:
> On 01/18/2016 08:04 AM, Bill Burke wrote:
>> Make sure that the SP and IDP metadata files both have a post binding in
>> there for single logout service. That's the only thing I can think of.
>> Maybe mellon just doesn't support it. The example file in the mellon
>> doc uses redirect for logout. *shrug*
> Bill:
> mod_auth_mellon *only* supports the HTTP-Redirect binding for issuing
> logout requests to the IdP. The reason is simple, mellon as an apache
> module does not have a mechanism for POST'ing a request to another
> location while it's processing a request. As such it relies on
> redirects to get the logout request to the IdP.
Huh? apache doesn't need to make any background HTTP requests. The
trick is to encode and pass back an HTML document with javascript in
it. That's how the spec recommends it and how we support POST binding.
It's all done via browser requests.
> The problem is the metadata returned by Keycloak only includes a
> SingleLogoutService with the HTTP-POST binding.
> Others have tested changing the binding in the IdP metadata to
> HTTP-Redirect and retaining the same URL endpoint (see below and
> others have done the same). It works. Therefore it seems like there is
> no reason for Keycloak not to support SingleLogoutService with the
> HTTP-Redirect binding. Seems like this would be a trivial edit to the
> metadata generator.
> Agreed? Should we open a bug?
Yes please.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com