Looking at the code, LogoutAll seems to expect that all connections are
OIDC. Logging out a single session does seem to use the appropriate
protocol. I'll dive into our tests to see what coverage we're missing here.
On 3/9/17 4:39 AM, Dmitry Korchemkin wrote:
I'm killing sessions using Keycloak's admin console GUI, namely the Session
tab, where I can either kill a session or send a revocation message.
I've tried setting up Single Log Out URLs the way the examples suggest, i.e.
for SAML it is set to
"http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml", as
specified in the XML descriptor. Same with backchannel logout, switching it on
or off seems to do nothing in this case.
2017-03-07 21:51 GMT+03:00 <keycloak-user-request(a)lists.jboss.org>:
> Date: Tue, 7 Mar 2017 08:57:04 -0500
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] Logout in broker mode doesn't propagate
> session's termination
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <dabc3430-e5ed-e834-6f87-dd711b341117(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> How exactly are you killing sessions? Through the admin console? Can
> you specify exactly what operations you are performing.
>
> For SAML and OIDC there is a logout URL you have to specify. There's
> also a "Backchannel Logout" supported switch that has to be true.
>
>
> On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
>> I was testing single logout in broker mode and came across this logical,
>> but not exactly desirable, behaviour, where the session on the broker and the
>> session on the external IdP are not linked between the IdPs.
>>
>> My setup is the broker SAML example provided with Keycloak, but instead of an
>> actual application I log in to the broker using the "/account" URL. Should be
>> all the same, since it's just another web app protected by this realm.
>>
>> The behaviour is as follows:
>> If I kill a session on the external Keycloak IdP, the user is not logged
>> out. I assume since the local session is alive and well the token is not being
>> revoked.
>>
>> If I kill a session on the broker Keycloak, upon hitting F5 the user is
>> redirected to the broker login page, but when I press the external IdP login
>> button, he's logged right back in with no credentials asked. I guess since the
>> session between the 2 IdPs is still up, the broker thinks this user is already
>> authenticated.
>>
>> I tested both OIDC and SAML, tried different backchannel/frontchannel
>> toggles in the UI of both broker and external IdP, but this had no visible
>> effect.
>>
>> Can you please clarify if the behaviour observed is expected and normal, or
>> did I miss some configuration steps?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user