Hi,
I cannot find the spfilter definition in web.xml of the sample demo. Just
wondering is the demo running on SP filter?
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<filter>
<filter-name>SPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
<init-param>
<param-name>IGNORE_SIGNATURES</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ROLES</param-name>
<param-value>PRUONE</param-value>
</init-param>
<init-param>
<param-name>LOGOUT_PAGE</param-name>
<param-value>/logout1.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml.
The demo sources are here:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Marek
On 7.4.2015 02:37, Chen Keong Yap wrote:
Hi Bill,
Can you give me the link or path for the demo? Not sure if you are using
keycloak or picketlink demo for testing?
On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
> Demos work fine for me, but I'm using the wildfly Picketlink SP adapter.
> I am able to have an SSO session with all the examples, then I am able to
> logout and have all sessions invalidated.
>
> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>
>> Hi Bill,
>>
>> Are you using 2 applications for testing?
>>
>> If yes, need to know have you logged out the first application then
>> redirect to keycloak login page? After that refresh the second
>> application then redirect to keycloak login page?
>>
>> Can I know which version of picketlink federation lib are you using?
>>
>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
>>
>> I tried out the saml demo app and logout works just fine, so I'm
>> guessing this is a bug in the PL SP Filter.
>>
>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>
>> Hi Bill,
>>
>> Global logout only removed sp sessions but not web application
>> sessions and this created security loopholes.
>>
>> Please advise
>>
>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
>> <chenkeong.yap(a)izeno.com> wrote:
>>
>> Guys,
>>
>> Can share your ideas why global logout is not working?
>>
>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
>> <chenkeong.yap(a)izeno.com> wrote:
>>
>> Hi Marek,
>>
>> I've just tested backchannel logout and it's showing same issue.
>> Both applications are using PL SP Filter and the steps below are
>> used for testing.
>>
>> 1. Open https://localhost:8443/employee/ and http request is
>> redirected to
>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>
>> 2. Enter username and password into keycloak login page and
>> redirected to employee landing page
>>
>> 3. Open https://localhost:8443/sales-post/ and redirected to
>> sales-post landing page without login
>>
>> 4. Logon to keycloak admin console and noticed there are 2
>> active sessions
>>
>> 5. Perform global logout from employee landing page
>> (https://localhost:8443/employee/?GLO=true) and http request is
>> redirected to
>> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>
>> 6. Logon to keycloak admin console and noticed all sessions are gone
>>
>> 7. Refresh sales-post landing page and it's not redirected to
>> keycloak login page. sales-post session still active.
>>
>> Kindly advise why GLO is performed but the second application
>> (sales-post) session still active?
>>
>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>> <mposolda(a)redhat.com> wrote:
>>
>> Switch the "Front channel logout" to off. In this case it should
>> use backchannel (not redirecting through browser, but sending
>> logout requests from Keycloak in background)
>>
>> Marek
>>
>>
>>
>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>
>>
>> Hi Marek,
>>
>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me
>> the same issues, please refer to the settings shown in the
>> screen shot.
>>
>> Can you please advise how to test backchannel logout?
>>
>>
>> Inline image 1
>>
>>
>>
>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>> <mposolda(a)redhat.com> wrote:
>>
>> I would try to upgrade to latest 1.2.0.Beta1 as it has some
>> related fixes AFAIK.
>>
>> In this version, you have also possibility to setup either
>> frontChannel logout or backchannel logout for the application.
>> It could be set in Keycloak admin console. I think that at least
>> one of them will work with SP filter in latest version (if not
>> both).
>>
>> Marek
>>
>>
>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>
>> Hi,
>>
>> I've 2 applications installed with Picketlink SPFilter to
>> authenticate with keycloak 1.1.0 beta 2.
>>
>> When I perform global logout, first application was logged out
>> successfully because SP/keycloak session and application http
>> session are removed but the problem is second application
>> SP/keycloak session is removed but application http session is
>> still remained. I've set admin url for these 2 applications in
>> keycloak admin console. Kindly share your ideas.
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
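
The symptom reported in this thread is a local HTTP session that survives a global logout. The sketch below is an added example, not PicketLink or Keycloak code and not taken from any message in the thread: a back-channel logout request reaches the SP without the browser's session cookie, so the application needs its own index from user to HTTP sessions in order to invalidate them. The class name, the user key (for instance the SAML NameID) and the javax.servlet API level are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical helper, not PicketLink or Keycloak code: indexes local HTTP
// sessions by user so a logout request that arrives without the browser's
// session cookie can still find and invalidate them (single JVM only).
public class LocalSessionRegistry implements HttpSessionListener {

    private static final Map<String, Map<String, HttpSession>> BY_USER =
            new ConcurrentHashMap<>();
    private static final Map<String, String> USER_BY_ID = new ConcurrentHashMap<>();

    // Call once the SP has authenticated the user (and after any session-id change).
    public static void bind(String user, HttpSession session) {
        USER_BY_ID.put(session.getId(), user);
        BY_USER.computeIfAbsent(user, k -> new ConcurrentHashMap<>())
               .put(session.getId(), session);
    }

    // Call only from a handler that has already verified the logout request.
    // Returns how many local sessions were invalidated.
    public static int invalidateAll(String user) {
        Map<String, HttpSession> sessions = BY_USER.remove(user);
        if (sessions == null) return 0;
        int count = 0;
        for (HttpSession s : sessions.values()) {
            try {
                s.invalidate();   // triggers sessionDestroyed() below
                count++;
            } catch (IllegalStateException alreadyGone) {
                // expired or invalidated concurrently; nothing left to do
            }
        }
        return count;
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) { }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Keep the index free of sessions that timed out or were logged out locally.
        String id = event.getSession().getId();
        String user = USER_BY_ID.remove(id);
        Map<String, HttpSession> sessions = (user == null) ? null : BY_USER.get(user);
        if (sessions != null) sessions.remove(id);
    }
}
```

The class has to be registered as a listener in web.xml for the cleanup callback to run. In a clustered deployment the index would need to live in storage shared by all nodes.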