Awesome. Thanks for your help, guys. Hynek, you were correct: I’d been able to get ADFS
brokered sign-on working using the ‘unspecified’ Name ID format. Unfortunately, it looks
like this breaks sign-out.
Once I configured ADFS to send NameID in email address format, it would indeed pass the
sign-out request to ADFS. This post was useful too:
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html. I’d read it
before but obviously not well enough. For me, I just preferred using email address
(actually UPN) rather than the Windows qualified domain name.
I also had “Want AuthnRequests Signed” set to off in Keycloak, which is required for
successful sign-out, along with setting the SAML signature key name to CERT_SUBJECT. Once I
did all that, single logout now works.
Incidentally, I wanted to keep the username in keycloak as the sAMAccountName value so I
configured ADFS to send the sAMAccountName as the Common Name claim and then configured a
username template importer mapper with
${ATTRIBUTE.http://schemas.xmlsoap.org/claims/CommonName}.
Thanks for the help.
Adam
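As an added illustration (not code from this thread, from Keycloak or from ADFS), here is a Python check a defender can run over a captured SAML Response from the IdP to confirm that the assertion's NameID carries a Format attribute, the condition Hynek's diagnosis points at; the two SAML samples inside it are constructed, and the "ok"/"reason" keys are the example's own naming.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Well-known NameID format URNs from SAML 2.0 Core, section 8.3.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName": "windows",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "transient",
}

def inspect_nameid(response_xml: str) -> dict:
    """Report the assertion's NameID value and Format, and whether the Format
    is present and well known (a missing Format is what the thread traced to
    URI.create(null) when Keycloak later builds the LogoutRequest)."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return {"value": None, "format": None, "ok": False,
                "reason": "assertion carries no NameID"}
    fmt = nameid.get("Format")
    if fmt is None:
        reason = "NameID has no Format attribute; fix the IdP claim rule before enabling SLO"
    elif fmt not in NAMEID_FORMATS:
        reason = "NameID Format is not a well-known URN: " + fmt
    else:
        reason = "NameID Format is " + NAMEID_FORMATS[fmt]
    return {"value": (nameid.text or "").strip(), "format": fmt,
            "ok": fmt in NAMEID_FORMATS, "reason": reason}

# Constructed sample (not a real ADFS capture): the shape seen before the
# ADFS claim rule was given an outgoing Name ID format.
NO_FORMAT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Subject>
    <saml:NameID>auser@example.edu</saml:NameID>
  </saml:Subject></saml:Assertion></samlp:Response>"""

# Constructed sample: the same assertion once the rule emits email format.
EMAIL_FORMAT = NO_FORMAT.replace(
    "<saml:NameID>",
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">')

if __name__ == "__main__":
    for label, doc in (("before", NO_FORMAT), ("after", EMAIL_FORMAT)):
        print(label, inspect_nameid(doc))
```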
From: Jason Spittel [mailto:jasonspittel@yahoo.com]
Sent: Friday, 4 August 2017 11:17 PM
To: Hynek Mlnarik <hmlnarik(a)redhat.com>; Adam Keily
<adam.keily(a)adelaide.edu.au>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] ADFS SAML Logout
Hi Adam,
I had this exact same issue. If you are running a JEE stack with JSF on the Service
Provider (SP), the issue has to do with how a logout is initiated on SP side.
Generally, you just set a GLO parameter and have the Keycloak adapter on the SP side
logout:
    externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");
But setting that parameter results in the jsessionid on the SP side being killed, which
results in the SP trying to log in before logging out.
My work around was to preserve the jsessionid before setting the GLO parameter:
import javax.faces.context.ExternalContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Re-add the container's session cookie to the response so that the GLO redirect
// still carries the session the Keycloak adapter needs to perform the logout.
private void preserveJsessionidCookie(ExternalContext externalContext)
{
    Cookie[] cookies = ((HttpServletRequest) externalContext.getRequest()).getCookies();
    if (cookies == null) // getCookies() returns null when the request carried no cookies
    {
        return;
    }
    for (Cookie cookie : cookies)
    {
        if (cookie.getName().equalsIgnoreCase("jsessionid"))
        {
            ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
            break;
        }
    }
}
Hope this helps,
Jason
On Thursday, August 3, 2017, 11:29:11 PM PDT, Hynek Mlnarik <hmlnarik@redhat.com> wrote:
It seems ADFS has not set the name format when logging in. Have you
configured output Name ID format in respective ADFS transform claim
rule?
--Hynek
On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily <adam.keily@adelaide.edu.au> wrote:
Hi,
Can anyone shed any light on this? I have created a SAML IdP in Keycloak for our ADFS
server. Sign-in works fine, but when I try to log out, I get an internal server error 500.
In the log I just see the below error. If I remove the value for Single Logout Service
URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field,
I get the exception below. Even if I put in a dummy https://test.com it breaks.
I've tried recreating the IdP config. Tried different realms and Keycloak instances.
I'm currently testing using the Red Hat SSO 7.1 version.
Help appreciated.
Thanks
Adam
14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
    at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    ... 37 more
Caused by: java.lang.NullPointerException
    at java.net.URI$Parser.parse(URI.java:3042)
    at java.net.URI.<init>(URI.java:588)
    at java.net.URI.create(URI.java:850)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
    ... 51 more
--
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek