I tried out the saml demo app and logout works just fine, so I'm
guessing this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi bill,
Global logout only removed SP sessions but not web application sessions,
and this created security loopholes.
Please advise.
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>> wrote:
Guys,
Can you share your ideas on why global logout is not working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>> wrote:
Hi Marek,
I've just tested backchannel logout and it's showing the same issue.
Both applications are using PL SP Filter and the steps below are
used for testing.
1. Open https://localhost:8443/employee/ and the HTTP request is redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
2. Enter username and password into the keycloak login page and get redirected to the employee landing page
3. Open https://localhost:8443/sales-post/ and get redirected to the sales-post landing page without login
4. Log on to the keycloak admin console and notice there are 2 active sessions
5. Perform global logout from the employee landing page (https://localhost:8443/employee/?GLO=true) and the HTTP request is redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
6. Log on to the keycloak admin console and notice all sessions are gone
7. Refresh the sales-post landing page and it's not redirected to the keycloak login page. The sales-post session is still active.
Kindly advise why GLO is performed but the second application
(sales-post) session is still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
<mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
Switch the "Front channel logout" to off. In this case it
should use backchannel (not redirecting through the browser, but
sending logout requests from Keycloak in the background).
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
>
> Hi Merek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's
> giving me the same issues; please refer to the settings
> shown in the screenshot.
>
> Can you please advise how to test backchannel logout?
>
>
> Inline image 1
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> I would try to upgrade to the latest 1.2.0.Beta1 as it has
> some related fixes AFAIK.
>
> In this version, you also have the possibility to set up
> either frontChannel logout or backchannel logout for
> the application. It can be set in the Keycloak admin
> console. I think that at least one of them will work
> with the SP filter in the latest version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>> Hi,
>>
>> I've 2 applications installed with the Picketlink
>> SPFilter to authenticate with keycloak 1.1.0 beta 2.
>>
>> When I perform global logout, the first application is
>> logged out successfully because the SP/keycloak session
>> and the application HTTP session are removed, but the
>> problem is that the second application's SP/keycloak
>> session is removed while the application HTTP session
>> still remains. I've set the admin url for these 2
>> applications in the keycloak admin console. Kindly
>> share your ideas.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
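The failure reported in this thread is an SP that tears down its own SAML session on global logout but leaves the web application's HttpSession alive, so a user who refreshes the second application is still "logged in" there. The following is an added example, not PicketLink or Keycloak code, showing the minimal wiring an SP filter needs so that a backchannel LogoutRequest also invalidates the application session. All names (SamlSessionRegistry, register, logout, isActive, SESSION_INDEX_ATTR) are hypothetical. It assumes the filter has already validated the LogoutRequest's signature and extracted its SessionIndex before calling logout, and it relies only on the standard Servlet API.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical SP-side registry (not PicketLink/Keycloak code) that binds each
 * application HttpSession to the SAML SessionIndex it was established with.
 * Without such a binding the SP can drop its own SAML state on logout while
 * the container session, and therefore the application login, survives.
 */
public final class SamlSessionRegistry implements HttpSessionListener {

    /** Attribute under which the SessionIndex is stored in the HttpSession. */
    public static final String SESSION_INDEX_ATTR = "saml.sessionIndex";

    /** SessionIndex -> live application session. */
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();

    /** Call after a Response/Assertion has been validated and the user logged in. */
    public static void register(HttpSession session, String sessionIndex) {
        session.setAttribute(SESSION_INDEX_ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }

    /**
     * Call from the backchannel endpoint (the "admin url" in Keycloak) once the
     * LogoutRequest has been signature-checked and its SessionIndex extracted.
     * Returns true when an application session was actually invalidated.
     */
    public static boolean logout(String sessionIndex) {
        HttpSession session = BY_INDEX.remove(sessionIndex);
        if (session == null) {
            return false; // unknown or already-expired session: nothing to do
        }
        try {
            session.invalidate(); // this is the step the thread reports as missing
        } catch (IllegalStateException alreadyInvalidated) {
            // container already expired it; treat as logged out
        }
        return true;
    }

    /**
     * Per-request check for the SP filter: a session counts as authenticated only
     * if it still carries a SessionIndex that the registry knows about. A stale
     * "authenticated" flag on the HttpSession alone is not enough.
     */
    public static boolean isActive(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object idx = session.getAttribute(SESSION_INDEX_ATTR);
        return idx != null && BY_INDEX.containsKey(idx);
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to do until the SAML login completes and register() is called
    }

    /** Keep the registry from leaking when the container expires a session. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        Object idx = se.getSession().getAttribute(SESSION_INDEX_ATTR);
        if (idx != null) {
            BY_INDEX.remove(idx);
        }
    }
}
```

Register the class as a listener in web.xml (or via @WebListener) in each application, and have the SP filter call register after a successful assertion, isActive on every protected request, and logout from the backchannel endpoint. With this in place, step 7 of the test above (refreshing sales-post after GLO) would redirect to the Keycloak login page, because the sales-post HttpSession no longer exists. The signature check before logout matters: an unauthenticated LogoutRequest endpoint would let anyone terminate other users' sessions.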