Hi Adam,
I had this exact same issue. If you are running a JEE stack with JSF on the Service
Provider (SP), the issue has to do with how a logout is initiated on SP side.
Generally, you just set a GLO parameter and have the Keycloak adapter on the SP side
logout:
externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true"
);
But setting that parameter results in the jsessionid on the SP side being killed, which
results in the SP trying to log in before logging out.
My work around was to preserve the jsessionid before setting the GLO parameter:
private void preserveJsessionidCookie(ExternalContext externalContext)
{
for (Cookie cookie :
((HttpServletRequest)externalContext.getRequest()).getCookies())
{
if (cookie.getName().equalsIgnoreCase("jsessionid"))
{
((HttpServletResponse)externalContext.getResponse()).addCookie(cookie);
break;
}
}
}
Hope this helps,
Jason
On Thursday, August 3, 2017, 11:29:11 PM PDT, Hynek Mlnarik <hmlnarik(a)redhat.com>
wrote:
It seems ADFS has not set the name format when logging in. Have you
configured output Name ID format in respective ADFS transform claim
rule?
--Hynek
On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily <adam.keily(a)adelaide.edu.au> wrote:
Hi,
Can anyone shed any light on this. I have created a SAML IdP in keycloak for our ADFS
server. Signin works fine, but when I try to logout, I get an internal server error 500.
In the log I just see the below error. If I remove the value for Single Logout Service
URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field,
I get the exception below. Even if I put in a dummy
https://test.com it breaks.
I've tried recreating the IdP config. Tried different realms and keycloak instances.
I'm currently testing using the Red Hat SSO 7.1. version.
Help appreciated.
Thanks
Adam
14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling
request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout:
org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
java.lang.NullPointerException
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
at
org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
at
org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
at
org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
... 37 more
Caused by: java.lang.NullPointerException
at java.net.URI$Parser.parse(URI.java:3042)
at java.net.URI.<init>(URI.java:588)
at java.net.URI.create(URI.java:850)
at
org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
at
org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
at
org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
... 51 more
--
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user