Nope, it's using the proper picketlink binding adapters
(ServiceProviderAuthenticator valve on EAP6 and SPServletExtension on
Wildfly). If you have the opportunity to use those instead of SPFilter, it
may be better though. I am not sure if Picketlink SPFilter is not
deprecated (or if it supports all the features like binding adapters).
Maybe Bill or Pedro knows more.
Marek
On 7.4.2015 10:41, Chen Keong Yap wrote:
Hi,
I cannot find the spfilter definition in web.xml of the sample demo.
Just wondering is the demo running on SP filter?

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<filter>
<filter-name>SPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
<init-param>
<param-name>IGNORE_SIGNATURES</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ROLES</param-name>
<param-value>PRUONE</param-value>
</init-param>
<init-param>
<param-name>LOGOUT_PAGE</param-name>
<param-value>/logout1.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml .
The demo sources are here:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Marek
On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi bill,
>
> Can you give me the link or path for the demo? Not sure if you
> are using keycloak or picketlink demo for testing?
>
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
>
> Demos work fine for me, but I'm using the wildfly Picketlink
> SP adapter. I am able to have an SSO session with all the
> examples, then I am able to logout and have all sessions
> invalidated.
>
> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Are you using 2 applications for testing?
>
> If yes, need to know have you logged out the first application then
> redirect to keycloak login page? After that refresh the second
> application then redirect to keycloak login page?
>
> Can I know which version of picketlink federation lib are you using?
>
> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
>
> I tried out the saml demo app and logout works just fine, so I'm
> guessing this is a bug in the PL SP Filter.
>
> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Global logout only removed sp sessions but not web application
> sessions and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
> <chenkeong.yap(a)izeno.com> wrote:
>
> Guys,
>
> Can share your ideas why global logout is not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and it's showing same issue.
> Both applications are using PL SP Filter and the steps below are
> used for testing.
>
> 1. Open https://localhost:8443/employee/ and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 2. Enter username and password into keycloak login page and
> redirected to employee landing page
>
> 3. Open https://localhost:8443/sales-post/ and redirected to
> sales-post landing page without login
>
> 4. Logon to keycloak admin console and noticed there are 2
> active sessions
>
> 5. Perform global logout from employee landing page
> (https://localhost:8443/employee/?GLO=true) and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 6. Logon to keycloak admin console and noticed all sessions are gone
>
> 7. Refresh sales-post landing page and it's not redirected to
> keycloak login page. sales-post session still active.
>
> Kindly advise why GLO is performed but the second application
> (sales-post) session still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
> <mposolda(a)redhat.com> wrote:
>
> Switch the "Front channel logout" to off. In this case it should
> use backchannel (not redirecting through browser, but sending
> logout requests from Keycloak in background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>
> Hi Marek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me
> the same issues, please refer to the settings shown in the screen
> shot.
>
> Can you please advise how to test backchannel logout?
>
>
> Inline image 1
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
> <mposolda(a)redhat.com> wrote:
>
> I would try to upgrade to latest 1.2.0.Beta1 as it has some
> related fixes AFAIK.
>
> In this version, you have also possibility to setup either
> frontChannel logout or backchannel logout for the application. It
> could be set in Keycloak admin console. I think that at least one
> of them will work with SP filter in latest version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>
> Hi,
>
> I've 2 applications installed with Picketlink SPFilter to
> authenticate with keycloak 1.1.0 beta 2.
>
> When I perform global logout, first application was logged out
> successfully because SP/keycloak session and application http
> session are removed but the problem is second application
> SP/keycloak session is removed but application http session is
> still remained. I've set admin url for these 2 applications in
> keycloak admin console. Kindly share your ideas.
>
>
>
>
> _________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
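
Added example, not part of the thread and not Keycloak or PicketLink code: a toy Python model of the SP side of the back-channel logout Marek describes. It assumes the logout request arrives without the browser's session cookie, so the SP can end the application session only if it indexed that session by SAML SessionIndex at login; the class, cookie and index names are hypothetical and the LogoutRequest is constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed back-channel LogoutRequest; ID, NameID and SessionIndex are sample values.
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_sample" Version="2.0"
    IssueInstant="2015-04-07T00:00:00Z">
  <saml:Issuer>https://localhost:8443/auth/realms/saml-demo-1</saml:Issuer>
  <saml:NameID>sample-user</saml:NameID>
  <samlp:SessionIndex>idx-sample-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class ServiceProvider:
    """Toy SP: container sessions keyed by cookie, plus an optional SessionIndex index."""

    def __init__(self, index_sessions):
        self.index_sessions = index_sessions
        self.http_sessions = {}      # cookie value -> username
        self.by_session_index = {}   # SAML SessionIndex -> set of cookie values

    def login(self, cookie, user, session_index):
        self.http_sessions[cookie] = user
        if self.index_sessions:
            self.by_session_index.setdefault(session_index, set()).add(cookie)

    def handle_logout_request(self, xml_text, cookie=None):
        """cookie is None on the back channel: the IdP, not the browser, is the client.
        Model only: a real SP validates the request's signature before acting on it."""
        root = ET.fromstring(xml_text)
        indexes = [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]
        doomed = {cookie} if cookie else set()
        for idx in indexes:
            doomed |= self.by_session_index.pop(idx, set())
        # Count the application sessions that were actually ended.
        return sum(self.http_sessions.pop(c, None) is not None for c in doomed)

    def is_logged_in(self, cookie):
        return cookie in self.http_sessions


def session_survives_backchannel_logout(index_sessions):
    sp = ServiceProvider(index_sessions)
    sp.login("JSESSIONID-sales", "sample-user", "idx-sample-1")
    sp.handle_logout_request(LOGOUT_REQUEST)   # back channel, no cookie
    return sp.is_logged_in("JSESSIONID-sales")
```

With `index_sessions=False` the application session outlives the logout request, which is the symptom reported in step 7 of the test procedure; with `index_sessions=True` it is ended.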