6:56 a.m.
Hi,
I have a spring-security based application that connects to keycloak via
SAML. Keycloak itself is configured to connect via SAML to another external
identity provider (so Keycloak is just the identity broker in this case).
When I logout from my web application by going to
https://<app_url>/saml/logout?local=false,
a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the
external IDP. There is *no* LogoutResponse. Strangely, when I try to access
my web application again, I am not asked to login and can access it as if
the session is still valid. No AuthnRequest is seen in this case.
What could be wrong? It seems that either the web application or the
Keycloak is caching the session and not invalidating it upon a
LogoutRequest. Maybe someone can help shed some light on this.
Thanks,
Pieter
We empower scientists by building on open source software
7:34 a.m.
Check why there is no LogoutResponse. This is a violation of SAML
protocol [1]. You would need to inspect SAML message exchange by using
either using browser extension like SAML Tracer, or increasing
keycloak log level for SAML.
--Hynek
[1] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf,
l. 2631-2636
On Fri, Sep 15, 2017 at 1:56 PM, Pieter Lukasse <pieter(a)thehyve.nl> wrote:
Hi,
I have a spring-security based application that connects to keycloak via
SAML. Keycloak itself is configured to connect via SAML to another external
identity provider (so Keycloak is just the identity broker in this case).
When I logout from my web application by going to
https://<app_url>/saml/logout?local=false,
a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the
external IDP. There is *no* LogoutResponse. Strangely, when I try to access
my web application again, I am not asked to login and can access it as if
the session is still valid. No AuthnRequest is seen in this case.
What could be wrong? It seems that either the web application or the
Keycloak is caching the session and not invalidating it upon a
LogoutRequest. Maybe someone can help shed some light on this.
Thanks,
Pieter
We empower scientists by building on open source software
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
8:17 a.m.
I saw this while brokering with ADFS - the logout request goes nowhere,
and dies with NPE in keycloak.
Seems as the sso cookie still active and not invalidated on logout request.
I've asked the group but no answer - so you need to close the browser if
your flow is browser sso.
Your best path a Jira ticket.
Hi,
I have a spring-security based application that connects to keycloak via
SAML. Keycloak itself is configured to connect via SAML to another
external
identity provider (so Keycloak is just the identity broker in this case).
When I logout from my web application by going to
https://<app_url>/saml/logout?local=false,
a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the
external IDP. There is *no* LogoutResponse. Strangely, when I try to
access
my web application again, I am not asked to login and can access it as if
the session is still valid. No AuthnRequest is seen in this case.
What could be wrong? It seems that either the web application or the
Keycloak is caching the session and not invalidating it upon a
LogoutRequest. Maybe someone can help shed some light on this.
Thanks,
Pieter
We empower scientists by building on open source software
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2439
days inactive
2442
days old
2 comments
3 participants
participants (3)
-
Hynek Mlnarik -
java_os -
Pieter Lukasse