Hi Bill,

Are you using 2 applications for testing?

If yes, I need to know: have you logged out of the first application and then been redirected to the keycloak login page? After that, does refreshing the second application redirect to the keycloak login page?

Can I know which version of the picketlink federation lib you are using?

On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke@redhat.com> wrote:
I tried out the saml demo app and logout works just fine, so I'm guessing this is a bug in the PL SP Filter.

On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi Bill,

Global logout only removed the SP sessions, not the web application sessions,
and this created security loopholes.

Please advise

On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap@izeno.com> wrote:

    Guys,

    Can share your ideas why global logout is not working?

    On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap@izeno.com> wrote:

        Hi Marek,

        I've just tested backchannel logout and it's showing same issue.
        Both applications are using PL SP Filter and the steps below are
        used for testing.

        1. Open https://localhost:8443/employee/ and the HTTP request is
        redirected to
        https://localhost:8443/auth/realms/saml-demo-1/protocol/saml

        2. Enter username and password into the keycloak login page and
        get redirected to the employee landing page

        3. Open https://localhost:8443/sales-post/ and get redirected to
        the sales-post landing page without login

        4. Log on to the keycloak admin console and notice there are 2
        active sessions

        5. Perform global logout from the employee landing page
        (https://localhost:8443/employee/?GLO=true) and the HTTP request is
        redirected to
        https://localhost:8443/auth/realms/saml-demo-1/protocol/saml

        6. Log on to the keycloak admin console and notice all sessions are gone

        7. Refresh the sales-post landing page and it is not redirected to
        the keycloak login page. The sales-post session is still active.

        Kindly advise why GLO is performed but the second application
        (sales-post) session is still active?

        On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda@redhat.com> wrote:

            Switch the "Front channel logout" to off. In this case it
            should use backchannel (not redirecting through the browser, but
            sending logout requests from Keycloak in the background)

            Marek



            On 3.4.2015 08:28, Chen Keong Yap wrote:

            Hi Merek,

            I've tried frontChannel logout in 1.2.0.Beta1 and it's
            giving me the same issues, please refer to the settings
            shown in the screenshot.

            Can you please advise how to test backchannel logout?


            On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda@redhat.com> wrote:

                I would try to upgrade to latest 1.2.0.Beta1 as it has
                some related fixes AFAIK.

                In this version, you also have the possibility to set up
                either frontChannel logout or backchannel logout for
                the application. It can be set in the Keycloak admin
                console. I think that at least one of them will work
                with the SP filter in the latest version (if not both).

                Marek


                On 3.4.2015 01:44, Chen Keong Yap wrote:
                Hi,

                I've 2 applications installed with Picketlink
                SPFilter to authenticate with keycloak 1.1.0 beta 2.

                When I perform global logout, the first application is
                logged out successfully because the SP/keycloak session
                and the application HTTP session are removed, but the
                problem is that for the second application the
                SP/keycloak session is removed while the application
                HTTP session still remains. I've set the admin url for
                these 2 applications in the keycloak admin console.
                Kindly share your ideas.



                _______________________________________________
                keycloak-user mailing list
                keycloak-user@lists.jboss.org
                https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
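An added example (not PicketLink or Keycloak code, and not from anyone on this thread) of the piece that step 7 above shows missing: a back-channel LogoutRequest reaches the SP from Keycloak without the user's browser cookie, so the application must itself map the SAML SessionIndex to its HttpSession and invalidate it. The attribute name, class name and the assumption that the SP filter stores the SessionIndex as a session attribute are all hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

// Added example, not PicketLink or Keycloak code. The attribute name is an assumption.
@WebListener
public class SamlSessionRegistry implements HttpSessionAttributeListener {
    public static final String SESSION_INDEX_ATTR = "saml.sessionIndex"; // hypothetical
    // SessionIndex -> every application HttpSession that was established with it
    private static final Map<String, Set<HttpSession>> BY_INDEX = new ConcurrentHashMap<>();

    private static void track(String index, HttpSession s) {
        BY_INDEX.computeIfAbsent(index, k -> ConcurrentHashMap.newKeySet()).add(s);
    }
    private static void untrack(String index, HttpSession s) {
        Set<HttpSession> set = BY_INDEX.get(index);
        if (set != null) set.remove(s);
    }
    @Override public void attributeAdded(HttpSessionBindingEvent ev) {
        if (SESSION_INDEX_ATTR.equals(ev.getName())) track(String.valueOf(ev.getValue()), ev.getSession());
    }
    // Also fires on normal session expiry, so the registry does not leak entries
    @Override public void attributeRemoved(HttpSessionBindingEvent ev) {
        if (SESSION_INDEX_ATTR.equals(ev.getName())) untrack(String.valueOf(ev.getValue()), ev.getSession());
    }
    @Override public void attributeReplaced(HttpSessionBindingEvent ev) {
        if (!SESSION_INDEX_ATTR.equals(ev.getName())) return;
        untrack(String.valueOf(ev.getValue()), ev.getSession()); // ev.getValue() is the old value
        Object now = ev.getSession().getAttribute(ev.getName());
        if (now != null) track(String.valueOf(now), ev.getSession());
    }

    // Call from the endpoint that has already validated the IdP's back-channel LogoutRequest
    // (signature, issuer, NotOnOrAfter). No browser cookie arrives with that request, which is
    // why the session has to be found through this registry. Returns sessions invalidated.
    public static int logoutBySessionIndex(String sessionIndex) {
        Set<HttpSession> sessions = BY_INDEX.remove(sessionIndex);
        if (sessions == null) return 0;
        int n = 0;
        for (HttpSession s : sessions) {
            try { s.invalidate(); n++; } catch (IllegalStateException alreadyGone) { /* expired meanwhile */ }
        }
        return n;
    }
}
```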