The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml .
The demo sources are here:
Hi bill,
Can you give me the link or path for the demo? Not sure if you are
using keycloak or picketlink demo for testing?
On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
Demos work fine for me, but I'm using the wildfly Picketlink SP
adapter. I am able to have an SSO session with all the examples,
then I am able to logout and have all sessions invalidated.
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
Hi bill,
Are you using 2 applications for testing?
If yes, need to know have you logged out the first application
then
redirect to keycloak login page? After that refresh the second
application then redirect to keycloak login page?
Can i know which version of picketlink federation lib are you
using?
On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
I tried out the saml demo app and logout works just fine,
so I'm
guessing this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi bill,
Global logout only removed sp sessions but not web
application
sessions
and this created security loopholes.
Please advise
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
<chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>
<mailto:chenkeong.yap@izeno.com <mailto:chenkeong.yap@izeno.com>>
<mailto:chenkeong.yap@izeno.
<mailto:chenkeong.yap@izeno.>__com
<mailto:chenkeong.yap@izeno.com
<mailto:chenkeong.yap@izeno.com>>>> wrote:
Guys,
Can share your ideas why global logout is not
working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
<chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>
<mailto:chenkeong.yap@izeno.com <mailto:chenkeong.yap@izeno.com>>
<mailto:chenkeong.yap@izeno.
<mailto:chenkeong.yap@izeno.>__com
<mailto:chenkeong.yap@izeno.com
<mailto:chenkeong.yap@izeno.com>>>> wrote:
Hi Marek,
I've just tested backchannel logout and it's
showing
same issue.
Both applications are using PL SP Filter and
the steps
below are
used for testing.
1. Open
https://localhost:8443/__employee/
<
https://localhost:8443/employee/> and http request is
redirected to
https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
<
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
2. Enter username and password into keycloak
login page and
redirected to employee landing page
3. Open
https://localhost:8443/sales-__post/
<
https://localhost:8443/sales-post/> and redirected to
sales-post landing page without login
4. Logon to keycloak admin console and
noticed there are 2
active sessions
5. Perform global logout from employee
landing page
(
https://localhost:8443/__employee/?GLO=true
<
https://localhost:8443/employee/?GLO=true>) and http
request is
redirected to
https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
<
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
6. Logon to keycloak admin console and
noticed all
sessions are gone
7. Refresh sales-post landing page and it's not
redirected to
keycloak login page. sales-post session still
active.
Kindly advise why GLO is performed but the second
application
(sales-post) session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
<mposolda(a)redhat.com
<mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>
<mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>>> wrote:
Switch the "Front channel logout" to off.
In this
case it
should use backchannel (not redirecting
through
browser, but
sending logout requests from Keycloak in
background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
Hi Merek,
I've tried frontChannel logout in
1.2.0.Beta1
and it's
giving me the same issues, please
refer to the
settings
shown in the screen shot.
Can you please advise how to test
backchannel
logout?
Inline image 1
On Fri, Apr 3, 2015 at 1:50 PM, Marek
Posolda
<mposolda(a)redhat.com
<mailto:mposolda@redhat.com>
<mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>
<mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>>> wrote:
I would try to upgrade to latest
1.2.0.Beta1 as it has
some related fixes AFAIK.
In this version, you have also
possibility
to setup
either frontChannel logout or
backchannel
logout for
the application. It could be set in
Keycloak admin
console. I think that at least
one of them
will work
with SP filter in latest version
(if not both).
Marek
On 3.4.2015 01:44, Chen Keong Yap
wrote:
Hi,
I've 2 applications installed
with
Picketlink
SPFilter to authenticate with
keycloak
1.1.0 beta 2.
When i perform global logout,
first
application was
logged out successfully because
SP/keycloak session
and application http session are
removed but the
problem is second
application SP/keycloak
session is
removed but
application http session is still
remained. I've set
admin url for these 2
applications in
keycloak admin
console. Kindly share your ideas.
_________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>__jboss.org <
http://jboss.org>
<mailto:keycloak-user@lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>>
https://lists.jboss.org/__mailman/listinfo/keycloak-user
<
https://lists.jboss.org/mailman/listinfo/keycloak-user>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com