1:44 a.m.
Hi,
I've 2 applications installed with Picketlink SPFilter to authenticate with
keycloak 1.1.0 beta 2.
When i perform global logout, first application was logged out successfully
because SP/keycloak session and application http session are removed but
the problem is second
application SP/keycloak session is removed but application http session is
still remained. I've set admin url for these 2 applications in keycloak
admin console. Kindly share your ideas.
7:50 a.m.
I would try to upgrade to latest 1.2.0.Beta1 as it has some related
fixes AFAIK.
In this version, you have also possibility to setup either frontChannel
logout or backchannel logout for the application. It could be set in
Keycloak admin console. I think that at least one of them will work with
SP filter in latest version (if not both).
Marek
On 3.4.2015 01:44, Chen Keong Yap wrote:
Hi,
I've 2 applications installed with Picketlink SPFilter to authenticate
with keycloak 1.1.0 beta 2.
When i perform global logout, first application was logged out
successfully because SP/keycloak session and application http session
are removed but the problem is second
application SP/keycloak session is removed but application http
session is still remained. I've set admin url for these 2 applications
in keycloak admin console. Kindly share your ideas.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:28 a.m.
Hi Merek,
I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the same
issues, please refer to the settings shown in the screen shot.
Can you please advise how to test backchannel logout?
[image: Inline image 1]
On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
I would try to upgrade to latest 1.2.0.Beta1 as it has some related
fixes AFAIK.
In this version, you have also possibility to setup either frontChannel
logout or backchannel logout for the application. It could be set in
Keycloak admin console. I think that at least one of them will work with SP
filter in latest version (if not both).
Marek
On 3.4.2015 01:44, Chen Keong Yap wrote:
Hi,
I've 2 applications installed with Picketlink SPFilter to authenticate
with keycloak 1.1.0 beta 2.
When i perform global logout, first application was logged out
successfully because SP/keycloak session and application http session are
removed but the problem is second
application SP/keycloak session is removed but application http session is
still remained. I've set admin url for these 2 applications in keycloak
admin console. Kindly share your ideas.
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
9:36 a.m.
Switch the "Front channel logout" to off. In this case it should use
backchannel (not redirecting through browser, but sending logout
requests from Keycloak in background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
Hi Merek,
I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
same issues, please refer to the settings shown in the screen shot.
Can you please advise how to test backchannel logout?
Inline image 1
On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
I would try to upgrade to latest 1.2.0.Beta1 as it has some
related fixes AFAIK.
In this version, you have also possibility to setup either
frontChannel logout or backchannel logout for the application. It
could be set in Keycloak admin console. I think that at least one
of them will work with SP filter in latest version (if not both).
Marek
On 3.4.2015 01:44, Chen Keong Yap wrote:
> Hi,
>
> I've 2 applications installed with Picketlink SPFilter to
> authenticate with keycloak 1.1.0 beta 2.
>
> When i perform global logout, first application was logged out
> successfully because SP/keycloak session and application http
> session are removed but the problem is second
> application SP/keycloak session is removed but application http
> session is still remained. I've set admin url for these 2
> applications in keycloak admin console. Kindly share your ideas.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
9:47 a.m.
Hi Marek,
I've just tested backchannel logout and it's showing same issue. Both
applications are using PL SP Filter and the steps below are used for
testing.
1. Open https://localhost:8443/employee/ and http request is redirected to
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
2. Enter username and password into keycloak login page and redirected to
employee landing page
3. Open https://localhost:8443/sales-post/ and redirected to sales-post
landing page without login
4. Logon to keycloak admin console and noticed there are 2 active sessions
5. Perform global logout from employee landing page (
https://localhost:8443/employee/?GLO=true) and http request is redirected
to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
6. Logon to keycloak admin console and noticed all sessions are gone
7. Refresh sales-post landing page and it's not redirected to keycloak
login page. sales-post session still active.
Kindly advise why GLO is performed but the second application (sales-post)
session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Switch the "Front channel logout" to off. In this case it
should use
backchannel (not redirecting through browser, but sending logout requests
from Keycloak in background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
Hi Merek,
I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
same issues, please refer to the settings shown in the screen shot.
Can you please advise how to test backchannel logout?
[image: Inline image 1]
On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> I would try to upgrade to latest 1.2.0.Beta1 as it has some related
> fixes AFAIK.
>
> In this version, you have also possibility to setup either frontChannel
> logout or backchannel logout for the application. It could be set in
> Keycloak admin console. I think that at least one of them will work with SP
> filter in latest version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>
> Hi,
>
> I've 2 applications installed with Picketlink SPFilter to authenticate
> with keycloak 1.1.0 beta 2.
>
> When i perform global logout, first application was logged out
> successfully because SP/keycloak session and application http session are
> removed but the problem is second
> application SP/keycloak session is removed but application http session
> is still remained. I've set admin url for these 2 applications in keycloak
> admin console. Kindly share your ideas.
>
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
12:41 a.m.
Guys,
Can share your ideas why global logout is not working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com> wrote:
Hi Marek,
I've just tested backchannel logout and it's showing same issue. Both
applications are using PL SP Filter and the steps below are used for
testing.
1. Open https://localhost:8443/employee/ and http request is redirected
to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
2. Enter username and password into keycloak login page and redirected to
employee landing page
3. Open https://localhost:8443/sales-post/ and redirected to sales-post
landing page without login
4. Logon to keycloak admin console and noticed there are 2 active sessions
5. Perform global logout from employee landing page (
https://localhost:8443/employee/?GLO=true) and http request is redirected
to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
6. Logon to keycloak admin console and noticed all sessions are gone
7. Refresh sales-post landing page and it's not redirected to keycloak
login page. sales-post session still active.
Kindly advise why GLO is performed but the second application (sales-post)
session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> Switch the "Front channel logout" to off. In this case it should use
> backchannel (not redirecting through browser, but sending logout requests
> from Keycloak in background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>
> Hi Merek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
> same issues, please refer to the settings shown in the screen shot.
>
> Can you please advise how to test backchannel logout?
>
>
> [image: Inline image 1]
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
>
>> I would try to upgrade to latest 1.2.0.Beta1 as it has some related
>> fixes AFAIK.
>>
>> In this version, you have also possibility to setup either frontChannel
>> logout or backchannel logout for the application. It could be set in
>> Keycloak admin console. I think that at least one of them will work with SP
>> filter in latest version (if not both).
>>
>> Marek
>>
>>
>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>
>> Hi,
>>
>> I've 2 applications installed with Picketlink SPFilter to authenticate
>> with keycloak 1.1.0 beta 2.
>>
>> When i perform global logout, first application was logged out
>> successfully because SP/keycloak session and application http session are
>> removed but the problem is second
>> application SP/keycloak session is removed but application http session
>> is still remained. I've set admin url for these 2 applications in keycloak
>> admin console. Kindly share your ideas.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
>
>
>
>
12:47 p.m.
Hi bill,
Global logout only removed sp sessions but not web application sessions and
this created security loopholes.
Please advise
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap(a)izeno.com>
wrote:
Guys,
Can share your ideas why global logout is not working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com>
wrote:
> Hi Marek,
>
> I've just tested backchannel logout and it's showing same issue. Both
> applications are using PL SP Filter and the steps below are used for
> testing.
>
> 1. Open https://localhost:8443/employee/ and http request is redirected
> to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 2. Enter username and password into keycloak login page and redirected to
> employee landing page
>
> 3. Open https://localhost:8443/sales-post/ and redirected to sales-post
> landing page without login
>
> 4. Logon to keycloak admin console and noticed there are 2 active sessions
>
> 5. Perform global logout from employee landing page (
> https://localhost:8443/employee/?GLO=true) and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 6. Logon to keycloak admin console and noticed all sessions are gone
>
> 7. Refresh sales-post landing page and it's not redirected to keycloak
> login page. sales-post session still active.
>
> Kindly advise why GLO is performed but the second application
> (sales-post) session still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
>
>> Switch the "Front channel logout" to off. In this case it should use
>> backchannel (not redirecting through browser, but sending logout requests
>> from Keycloak in background)
>>
>> Marek
>>
>>
>>
>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>
>>
>> Hi Merek,
>>
>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
>> same issues, please refer to the settings shown in the screen shot.
>>
>> Can you please advise how to test backchannel logout?
>>
>>
>> [image: Inline image 1]
>>
>>
>>
>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda <mposolda(a)redhat.com>
>> wrote:
>>
>>> I would try to upgrade to latest 1.2.0.Beta1 as it has some related
>>> fixes AFAIK.
>>>
>>> In this version, you have also possibility to setup either frontChannel
>>> logout or backchannel logout for the application. It could be set in
>>> Keycloak admin console. I think that at least one of them will work with SP
>>> filter in latest version (if not both).
>>>
>>> Marek
>>>
>>>
>>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>
>>> Hi,
>>>
>>> I've 2 applications installed with Picketlink SPFilter to
>>> authenticate with keycloak 1.1.0 beta 2.
>>>
>>> When i perform global logout, first application was logged out
>>> successfully because SP/keycloak session and application http session are
>>> removed but the problem is second
>>> application SP/keycloak session is removed but application http session
>>> is still remained. I've set admin url for these 2 applications in
keycloak
>>> admin console. Kindly share your ideas.
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
3:01 p.m.
Hi bill,
Are you using 2 applications for testing?
If yes, need to know have you logged out the first application then
redirect to keycloak login page? After that refresh the second application
then redirect to keycloak login page?
Can i know which version of picketlink federation lib are you using?
On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
I tried out the saml demo app and logout works just fine, so I'm
guessing
this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
> Hi bill,
>
> Global logout only removed sp sessions but not web application sessions
> and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap(a)izeno.com
> <mailto:chenkeong.yap@izeno.com>> wrote:
>
> Guys,
>
> Can share your ideas why global logout is not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com
> <mailto:chenkeong.yap@izeno.com>> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and it's showing same issue.
> Both applications are using PL SP Filter and the steps below are
> used for testing.
>
> 1. Open https://localhost:8443/employee/ and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 2. Enter username and password into keycloak login page and
> redirected to employee landing page
>
> 3. Open https://localhost:8443/sales-post/ and redirected to
> sales-post landing page without login
>
> 4. Logon to keycloak admin console and noticed there are 2
> active sessions
>
> 5. Perform global logout from employee landing page
> (https://localhost:8443/employee/?GLO=true) and http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 6. Logon to keycloak admin console and noticed all sessions are
> gone
>
> 7. Refresh sales-post landing page and it's not redirected to
> keycloak login page. sales-post session still active.
>
> Kindly advise why GLO is performed but the second application
> (sales-post) session still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> Switch the "Front channel logout" to off. In this case it
> should use backchannel (not redirecting through browser, but
> sending logout requests from Keycloak in background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>>
>> Hi Merek,
>>
>> I've tried frontChannel logout in 1.2.0.Beta1 and it's
>> giving me the same issues, please refer to the settings
>> shown in the screen shot.
>>
>> Can you please advise how to test backchannel logout?
>>
>>
>> Inline image 1
>>
>>
>>
>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>>
wrote:
>>
>> I would try to upgrade to latest 1.2.0.Beta1 as it has
>> some related fixes AFAIK.
>>
>> In this version, you have also possibility to setup
>> either frontChannel logout or backchannel logout for
>> the application. It could be set in Keycloak admin
>> console. I think that at least one of them will work
>> with SP filter in latest version (if not both).
>>
>> Marek
>>
>>
>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>
>>> Hi,
>>>
>>> I've 2 applications installed with Picketlink
>>> SPFilter to authenticate with keycloak 1.1.0 beta 2.
>>>
>>> When i perform global logout, first application was
>>> logged out successfully because SP/keycloak session
>>> and application http session are removed but the
>>> problem is second
>>> application SP/keycloak session is removed but
>>> application http session is still remained. I've set
>>> admin url for these 2 applications in keycloak admin
>>> console. Kindly share your ideas.
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org <mailto:
>>> keycloak-user(a)lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:31 p.m.
I'll try out the demo example. One problem I did have with the
Picketlink SP adapter is that the session was invalidated, but the
principal was still available when redirecting back to the logout page.
Doesn't sound like this is your problem though.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi bill,
Global logout only removed sp sessions but not web application sessions
and this created security loopholes.
Please advise
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>> wrote:
Guys,
Can share your ideas why global logout is not working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>> wrote:
Hi Marek,
I've just tested backchannel logout and it's showing same issue.
Both applications are using PL SP Filter and the steps below are
used for testing.
1. Open https://localhost:8443/employee/ and http request is
redirected to
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
2. Enter username and password into keycloak login page and
redirected to employee landing page
3. Open https://localhost:8443/sales-post/ and redirected to
sales-post landing page without login
4. Logon to keycloak admin console and noticed there are 2
active sessions
5. Perform global logout from employee landing page
(https://localhost:8443/employee/?GLO=true) and http request is
redirected to
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
6. Logon to keycloak admin console and noticed all sessions are gone
7. Refresh sales-post landing page and it's not redirected to
keycloak login page. sales-post session still active.
Kindly advise why GLO is performed but the second application
(sales-post) session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
<mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
Switch the "Front channel logout" to off. In this case it
should use backchannel (not redirecting through browser, but
sending logout requests from Keycloak in background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
>
> Hi Merek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's
> giving me the same issues, please refer to the settings
> shown in the screen shot.
>
> Can you please advise how to test backchannel logout?
>
>
> Inline image 1
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> I would try to upgrade to latest 1.2.0.Beta1 as it has
> some related fixes AFAIK.
>
> In this version, you have also possibility to setup
> either frontChannel logout or backchannel logout for
> the application. It could be set in Keycloak admin
> console. I think that at least one of them will work
> with SP filter in latest version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>> Hi,
>>
>> I've 2 applications installed with Picketlink
>> SPFilter to authenticate with keycloak 1.1.0 beta 2.
>>
>> When i perform global logout, first application was
>> logged out successfully because SP/keycloak session
>> and application http session are removed but the
>> problem is second
>> application SP/keycloak session is removed but
>> application http session is still remained. I've set
>> admin url for these 2 applications in keycloak admin
>> console. Kindly share your ideas.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:56 p.m.
I tried out the saml demo app and logout works just fine, so I'm
guessing this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi bill,
Global logout only removed sp sessions but not web application sessions
and this created security loopholes.
Please advise
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>> wrote:
Guys,
Can share your ideas why global logout is not working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>> wrote:
Hi Marek,
I've just tested backchannel logout and it's showing same issue.
Both applications are using PL SP Filter and the steps below are
used for testing.
1. Open https://localhost:8443/employee/ and http request is
redirected to
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
2. Enter username and password into keycloak login page and
redirected to employee landing page
3. Open https://localhost:8443/sales-post/ and redirected to
sales-post landing page without login
4. Logon to keycloak admin console and noticed there are 2
active sessions
5. Perform global logout from employee landing page
(https://localhost:8443/employee/?GLO=true) and http request is
redirected to
https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
6. Logon to keycloak admin console and noticed all sessions are gone
7. Refresh sales-post landing page and it's not redirected to
keycloak login page. sales-post session still active.
Kindly advise why GLO is performed but the second application
(sales-post) session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
<mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
Switch the "Front channel logout" to off. In this case it
should use backchannel (not redirecting through browser, but
sending logout requests from Keycloak in background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
>
> Hi Merek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's
> giving me the same issues, please refer to the settings
> shown in the screen shot.
>
> Can you please advise how to test backchannel logout?
>
>
> Inline image 1
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote:
>
> I would try to upgrade to latest 1.2.0.Beta1 as it has
> some related fixes AFAIK.
>
> In this version, you have also possibility to setup
> either frontChannel logout or backchannel logout for
> the application. It could be set in Keycloak admin
> console. I think that at least one of them will work
> with SP filter in latest version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>> Hi,
>>
>> I've 2 applications installed with Picketlink
>> SPFilter to authenticate with keycloak 1.1.0 beta 2.
>>
>> When i perform global logout, first application was
>> logged out successfully because SP/keycloak session
>> and application http session are removed but the
>> problem is second
>> application SP/keycloak session is removed but
>> application http session is still remained. I've set
>> admin url for these 2 applications in keycloak admin
>> console. Kindly share your ideas.
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:20 p.m.
Demos work fine for me, but I'm using the wildfly Picketlink SP adapter.
I am able to have an SSO session with all the examples, then I am able
to logout and have all sessions invalidated.
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
Hi bill,
Are you using 2 applications for testing?
If yes, need to know have you logged out the first application then
redirect to keycloak login page? After that refresh the second
application then redirect to keycloak login page?
Can i know which version of picketlink federation lib are you using?
On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
I tried out the saml demo app and logout works just fine, so I'm
guessing this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi bill,
Global logout only removed sp sessions but not web application
sessions
and this created security loopholes.
Please advise
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
<chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
<mailto:chenkeong.yap@izeno.__com
<mailto:chenkeong.yap@izeno.com>>> wrote:
Guys,
Can share your ideas why global logout is not working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
<chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
<mailto:chenkeong.yap@izeno.__com
<mailto:chenkeong.yap@izeno.com>>> wrote:
Hi Marek,
I've just tested backchannel logout and it's showing
same issue.
Both applications are using PL SP Filter and the steps
below are
used for testing.
1. Open https://localhost:8443/__employee/
<https://localhost:8443/employee/> and http request is
redirected to
https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
<https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
2. Enter username and password into keycloak login page and
redirected to employee landing page
3. Open https://localhost:8443/sales-__post/
<https://localhost:8443/sales-post/> and redirected to
sales-post landing page without login
4. Logon to keycloak admin console and noticed there are 2
active sessions
5. Perform global logout from employee landing page
(https://localhost:8443/__employee/?GLO=true
<https://localhost:8443/employee/?GLO=true>) and http request is
redirected to
https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
<https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
6. Logon to keycloak admin console and noticed all
sessions are gone
7. Refresh sales-post landing page and it's not
redirected to
keycloak login page. sales-post session still active.
Kindly advise why GLO is performed but the second
application
(sales-post) session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
<mposolda(a)redhat.com <mailto:mposolda@redhat.com>
<mailto:mposolda@redhat.com <mailto:mposolda@redhat.com>>> wrote:
Switch the "Front channel logout" to off. In this
case it
should use backchannel (not redirecting through
browser, but
sending logout requests from Keycloak in background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
Hi Merek,
I've tried frontChannel logout in 1.2.0.Beta1
and it's
giving me the same issues, please refer to the
settings
shown in the screen shot.
Can you please advise how to test backchannel
logout?
Inline image 1
On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
<mposolda(a)redhat.com
<mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>> wrote:
I would try to upgrade to latest
1.2.0.Beta1 as it has
some related fixes AFAIK.
In this version, you have also possibility
to setup
either frontChannel logout or backchannel
logout for
the application. It could be set in
Keycloak admin
console. I think that at least one of them
will work
with SP filter in latest version (if not both).
Marek
On 3.4.2015 01:44, Chen Keong Yap wrote:
Hi,
I've 2 applications installed with
Picketlink
SPFilter to authenticate with keycloak
1.1.0 beta 2.
When i perform global logout, first
application was
logged out successfully because
SP/keycloak session
and application http session are
removed but the
problem is second
application SP/keycloak session is
removed but
application http session is still
remained. I've set
admin url for these 2 applications in
keycloak admin
console. Kindly share your ideas.
_________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:37 a.m.
Hi bill,
Can you give me the link or path for the demo? Not sure if you are using
keycloak or picketlink demo for testing?
On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
Demos work fine for me, but I'm using the wildfly Picketlink SP
adapter.
I am able to have an SSO session with all the examples, then I am able to
logout and have all sessions invalidated.
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
> Hi bill,
>
> Are you using 2 applications for testing?
>
> If yes, need to know have you logged out the first application then
> redirect to keycloak login page? After that refresh the second
> application then redirect to keycloak login page?
>
> Can i know which version of picketlink federation lib are you using?
>
> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> I tried out the saml demo app and logout works just fine, so I'm
> guessing this is a bug in the PL SP Filter.
>
> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Global logout only removed sp sessions but not web application
> sessions
> and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
> <chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
> <mailto:chenkeong.yap@izeno.__com
> <mailto:chenkeong.yap@izeno.com>>> wrote:
>
> Guys,
>
> Can share your ideas why global logout is not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
> <chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
> <mailto:chenkeong.yap@izeno.__com
> <mailto:chenkeong.yap@izeno.com>>> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and it's showing
> same issue.
> Both applications are using PL SP Filter and the steps
> below are
> used for testing.
>
> 1. Open https://localhost:8443/__employee/
> <https://localhost:8443/employee/> and http request is
> redirected to
> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>
> 2. Enter username and password into keycloak login page
> and
> redirected to employee landing page
>
> 3. Open https://localhost:8443/sales-__post/
> <https://localhost:8443/sales-post/> and redirected to
> sales-post landing page without login
>
> 4. Logon to keycloak admin console and noticed there are
> 2
> active sessions
>
> 5. Perform global logout from employee landing page
> (https://localhost:8443/__employee/?GLO=true
> <https://localhost:8443/employee/?GLO=true>) and http request is
> redirected to
> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>
> 6. Logon to keycloak admin console and noticed all
> sessions are gone
>
> 7. Refresh sales-post landing page and it's not
> redirected to
> keycloak login page. sales-post session still active.
>
> Kindly advise why GLO is performed but the second
> application
> (sales-post) session still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>
> <mailto:mposolda@redhat.com <mailto:mposolda@redhat.com>>>
wrote:
>
> Switch the "Front channel logout" to off. In this
> case it
> should use backchannel (not redirecting through
> browser, but
> sending logout requests from Keycloak in background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>
> Hi Merek,
>
> I've tried frontChannel logout in 1.2.0.Beta1
> and it's
> giving me the same issues, please refer to the
> settings
> shown in the screen shot.
>
> Can you please advise how to test backchannel
> logout?
>
>
> Inline image 1
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
> <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com>>> wrote:
>
> I would try to upgrade to latest
> 1.2.0.Beta1 as it has
> some related fixes AFAIK.
>
> In this version, you have also possibility
> to setup
> either frontChannel logout or backchannel
> logout for
> the application. It could be set in
> Keycloak admin
> console. I think that at least one of them
> will work
> with SP filter in latest version (if not
> both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>
> Hi,
>
> I've 2 applications installed with
> Picketlink
> SPFilter to authenticate with keycloak
> 1.1.0 beta 2.
>
> When i perform global logout, first
> application was
> logged out successfully because
> SP/keycloak session
> and application http session are
> removed but the
> problem is second
> application SP/keycloak session is
> removed but
> application http session is still
> remained. I've set
> admin url for these 2 applications in
> keycloak admin
> console. Kindly share your ideas.
>
>
>
>
> _________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:20 a.m.
The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml .
The demo sources are here:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Marek
On 7.4.2015 02:37, Chen Keong Yap wrote:
Hi bill,
Can you give me the link or path for the demo? Not sure if you are
using keycloak or picketlink demo for testing?
On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
Demos work fine for me, but I'm using the wildfly Picketlink SP
adapter. I am able to have an SSO session with all the examples,
then I am able to logout and have all sessions invalidated.
On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
Hi bill,
Are you using 2 applications for testing?
If yes, need to know have you logged out the first application
then
redirect to keycloak login page? After that refresh the second
application then redirect to keycloak login page?
Can i know which version of picketlink federation lib are you
using?
On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
I tried out the saml demo app and logout works just fine,
so I'm
guessing this is a bug in the PL SP Filter.
On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
Hi bill,
Global logout only removed sp sessions but not web
application
sessions
and this created security loopholes.
Please advise
On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
<chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>
<mailto:chenkeong.yap@izeno.com <mailto:chenkeong.yap@izeno.com>>
<mailto:chenkeong.yap@izeno.
<mailto:chenkeong.yap@izeno.>__com
<mailto:chenkeong.yap@izeno.com
<mailto:chenkeong.yap@izeno.com>>>> wrote:
Guys,
Can share your ideas why global logout is not
working?
On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
<chenkeong.yap(a)izeno.com
<mailto:chenkeong.yap@izeno.com>
<mailto:chenkeong.yap@izeno.com <mailto:chenkeong.yap@izeno.com>>
<mailto:chenkeong.yap@izeno.
<mailto:chenkeong.yap@izeno.>__com
<mailto:chenkeong.yap@izeno.com
<mailto:chenkeong.yap@izeno.com>>>> wrote:
Hi Marek,
I've just tested backchannel logout and it's
showing
same issue.
Both applications are using PL SP Filter and
the steps
below are
used for testing.
1. Open https://localhost:8443/__employee/
<https://localhost:8443/employee/> and http request is
redirected to
https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
<https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
2. Enter username and password into keycloak
login page and
redirected to employee landing page
3. Open https://localhost:8443/sales-__post/
<https://localhost:8443/sales-post/> and redirected to
sales-post landing page without login
4. Logon to keycloak admin console and
noticed there are 2
active sessions
5. Perform global logout from employee
landing page
(https://localhost:8443/__employee/?GLO=true
<https://localhost:8443/employee/?GLO=true>) and http
request is
redirected to
https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
<https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
6. Logon to keycloak admin console and
noticed all
sessions are gone
7. Refresh sales-post landing page and it's not
redirected to
keycloak login page. sales-post session still
active.
Kindly advise why GLO is performed but the second
application
(sales-post) session still active?
On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
<mposolda(a)redhat.com
<mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>
<mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>>> wrote:
Switch the "Front channel logout" to off.
In this
case it
should use backchannel (not redirecting
through
browser, but
sending logout requests from Keycloak in
background)
Marek
On 3.4.2015 08:28, Chen Keong Yap wrote:
Hi Merek,
I've tried frontChannel logout in
1.2.0.Beta1
and it's
giving me the same issues, please
refer to the
settings
shown in the screen shot.
Can you please advise how to test
backchannel
logout?
Inline image 1
On Fri, Apr 3, 2015 at 1:50 PM, Marek
Posolda
<mposolda(a)redhat.com
<mailto:mposolda@redhat.com>
<mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>
<mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>>> wrote:
I would try to upgrade to latest
1.2.0.Beta1 as it has
some related fixes AFAIK.
In this version, you have also
possibility
to setup
either frontChannel logout or
backchannel
logout for
the application. It could be set in
Keycloak admin
console. I think that at least
one of them
will work
with SP filter in latest version
(if not both).
Marek
On 3.4.2015 01:44, Chen Keong Yap
wrote:
Hi,
I've 2 applications installed
with
Picketlink
SPFilter to authenticate with
keycloak
1.1.0 beta 2.
When i perform global logout,
first
application was
logged out successfully because
SP/keycloak session
and application http session are
removed but the
problem is second
application SP/keycloak
session is
removed but
application http session is still
remained. I've set
admin url for these 2
applications in
keycloak admin
console. Kindly share your ideas.
_________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>__jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>>
https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:41 a.m.
<?xml version="1.0" encoding="ISO-8859-1"?>
Hi,
I cannot find the spfilter definition in web.xml of the sample demo. Just
wondering is the demo running on SP filter?
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<filter>
<filter-name>SPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
<init-param>
<param-name>IGNORE_SIGNATURES</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ROLES</param-name>
<param-value>PRUONE</param-value>
</init-param>
<init-param>
<param-name>LOGOUT_PAGE</param-name>
<param-value>/logout1.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml .
The demo sources are here:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Marek
On 7.4.2015 02:37, Chen Keong Yap wrote:
Hi bill,
Can you give me the link or path for the demo? Not sure if you are using
keycloak or picketlink demo for testing?
On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
> Demos work fine for me, but I'm using the wildfly Picketlink SP adapter.
> I am able to have an SSO session with all the examples, then I am able to
> logout and have all sessions invalidated.
>
> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>
>> Hi bill,
>>
>> Are you using 2 applications for testing?
>>
>> If yes, need to know have you logged out the first application then
>> redirect to keycloak login page? After that refresh the second
>> application then redirect to keycloak login page?
>>
>> Can i know which version of picketlink federation lib are you using?
>>
>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
>> <mailto:bburke@redhat.com>> wrote:
>>
>> I tried out the saml demo app and logout works just fine, so I'm
>> guessing this is a bug in the PL SP Filter.
>>
>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>
>> Hi bill,
>>
>> Global logout only removed sp sessions but not web application
>> sessions
>> and this created security loopholes.
>>
>> Please advise
>>
>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
>> <chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
>> <mailto:chenkeong.yap@izeno.__com
>> <mailto:chenkeong.yap@izeno.com>>> wrote:
>>
>> Guys,
>>
>> Can share your ideas why global logout is not working?
>>
>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
>> <chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
>> <mailto:chenkeong.yap@izeno.__com
>> <mailto:chenkeong.yap@izeno.com>>> wrote:
>>
>> Hi Marek,
>>
>> I've just tested backchannel logout and it's showing
>> same issue.
>> Both applications are using PL SP Filter and the steps
>> below are
>> used for testing.
>>
>> 1. Open https://localhost:8443/__employee/
>> <https://localhost:8443/employee/> and http request is
>> redirected to
>> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
>> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>>
>> 2. Enter username and password into keycloak login page
>> and
>> redirected to employee landing page
>>
>> 3. Open https://localhost:8443/sales-__post/
>> <https://localhost:8443/sales-post/> and redirected to
>> sales-post landing page without login
>>
>> 4. Logon to keycloak admin console and noticed there
>> are 2
>> active sessions
>>
>> 5. Perform global logout from employee landing page
>> (https://localhost:8443/__employee/?GLO=true
>> <https://localhost:8443/employee/?GLO=true>) and http request is
>> redirected to
>> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
>> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>>
>> 6. Logon to keycloak admin console and noticed all
>> sessions are gone
>>
>> 7. Refresh sales-post landing page and it's not
>> redirected to
>> keycloak login page. sales-post session still active.
>>
>> Kindly advise why GLO is performed but the second
>> application
>> (sales-post) session still active?
>>
>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>
>> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>>
>> wrote:
>>
>> Switch the "Front channel logout" to off. In this
>> case it
>> should use backchannel (not redirecting through
>> browser, but
>> sending logout requests from Keycloak in background)
>>
>> Marek
>>
>>
>>
>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>
>>
>> Hi Merek,
>>
>> I've tried frontChannel logout in 1.2.0.Beta1
>> and it's
>> giving me the same issues, please refer to the
>> settings
>> shown in the screen shot.
>>
>> Can you please advise how to test backchannel
>> logout?
>>
>>
>> Inline image 1
>>
>>
>>
>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>> <mposolda(a)redhat.com
>> <mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
>> <mailto:mposolda@redhat.com>>> wrote:
>>
>> I would try to upgrade to latest
>> 1.2.0.Beta1 as it has
>> some related fixes AFAIK.
>>
>> In this version, you have also possibility
>> to setup
>> either frontChannel logout or backchannel
>> logout for
>> the application. It could be set in
>> Keycloak admin
>> console. I think that at least one of them
>> will work
>> with SP filter in latest version (if not
>> both).
>>
>> Marek
>>
>>
>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>
>> Hi,
>>
>> I've 2 applications installed with
>> Picketlink
>> SPFilter to authenticate with keycloak
>> 1.1.0 beta 2.
>>
>> When i perform global logout, first
>> application was
>> logged out successfully because
>> SP/keycloak session
>> and application http session are
>> removed but the
>> problem is second
>> application SP/keycloak session is
>> removed but
>> application http session is still
>> remained. I've set
>> admin url for these 2 applications in
>> keycloak admin
>> console. Kindly share your ideas.
>>
>>
>>
>>
>> _________________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> <mailto:keycloak-user@lists.jboss.org>
>> <mailto:keycloak-user@lists.__jboss.org
>> <mailto:keycloak-user@lists.jboss.org>>
>> https://lists.jboss.org/__mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
10:47 a.m.
Nope, it's using the proper picketlink binding adapters
(ServiceProviderAuthenticator valve on EAP6 and SPServletExtension on
Wildfly). If you have opportunity to use those instead of SPFilter, it
may be better though. I am not sure if Picketlink SPFilter is not
deprecated (or if it supports all the features like binding adapters).
Maybe Bill or Pedro knows more.
Marek
On 7.4.2015 10:41, Chen Keong Yap wrote:
<?xml version="1.0" encoding="ISO-8859-1"?>
Hi,
I cannot find the spfilter definition in web.xml of the sample demo.
Just wondering is the demo running on SP filter?
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<filter>
<filter-name>SPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
<init-param>
<param-name>IGNORE_SIGNATURES</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ROLES</param-name>
<param-value>PRUONE</param-value>
</init-param>
<init-param>
<param-name>LOGOUT_PAGE</param-name>
<param-value>/logout1.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml .
The demo sources are here:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Marek
On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi bill,
>
> Can you give me the link or path for the demo? Not sure if you
> are using keycloak or picketlink demo for testing?
>
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> Demos work fine for me, but I'm using the wildfly Picketlink
> SP adapter. I am able to have an SSO session with all the
> examples, then I am able to logout and have all sessions
> invalidated.
>
> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Are you using 2 applications for testing?
>
> If yes, need to know have you logged out the first
> application then
> redirect to keycloak login page? After that refresh the
> second
> application then redirect to keycloak login page?
>
> Can i know which version of picketlink federation lib are
> you using?
>
> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>
wrote:
>
> I tried out the saml demo app and logout works just
> fine, so I'm
> guessing this is a bug in the PL SP Filter.
>
> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Global logout only removed sp sessions but not
> web application
> sessions
> and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
> <chenkeong.yap(a)izeno.com
> <mailto:chenkeong.yap@izeno.com>
> <mailto:chenkeong.yap@izeno.com
> <mailto:chenkeong.yap@izeno.com>>
> <mailto:chenkeong.yap@izeno.
> <mailto:chenkeong.yap@izeno.>__com
> <mailto:chenkeong.yap@izeno.com
> <mailto:chenkeong.yap@izeno.com>>>> wrote:
>
> Guys,
>
> Can share your ideas why global logout is
> not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
> <chenkeong.yap(a)izeno.com
> <mailto:chenkeong.yap@izeno.com>
> <mailto:chenkeong.yap@izeno.com
> <mailto:chenkeong.yap@izeno.com>>
> <mailto:chenkeong.yap@izeno.
> <mailto:chenkeong.yap@izeno.>__com
> <mailto:chenkeong.yap@izeno.com
> <mailto:chenkeong.yap@izeno.com>>>> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and
> it's showing
> same issue.
> Both applications are using PL SP Filter
> and the steps
> below are
> used for testing.
>
> 1. Open https://localhost:8443/__employee/
> <https://localhost:8443/employee/> and http
> request is
> redirected to
> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
>
> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>
> 2. Enter username and password into
> keycloak login page and
> redirected to employee landing page
>
> 3. Open https://localhost:8443/sales-__post/
> <https://localhost:8443/sales-post/> and
> redirected to
> sales-post landing page without login
>
> 4. Logon to keycloak admin console and
> noticed there are 2
> active sessions
>
> 5. Perform global logout from employee
> landing page
> (https://localhost:8443/__employee/?GLO=true
> <https://localhost:8443/employee/?GLO=true>) and
> http request is
> redirected to
> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
>
> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>
> 6. Logon to keycloak admin console and
> noticed all
> sessions are gone
>
> 7. Refresh sales-post landing page and
> it's not
> redirected to
> keycloak login page. sales-post session
> still active.
>
> Kindly advise why GLO is performed but
> the second
> application
> (sales-post) session still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek
> Posolda
> <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com>>
> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com>>>> wrote:
>
> Switch the "Front channel logout" to
> off. In this
> case it
> should use backchannel (not
> redirecting through
> browser, but
> sending logout requests from
> Keycloak in background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>
> Hi Merek,
>
> I've tried frontChannel logout
> in 1.2.0.Beta1
> and it's
> giving me the same issues,
> please refer to the
> settings
> shown in the screen shot.
>
> Can you please advise how to
> test backchannel
> logout?
>
>
> Inline image 1
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM,
> Marek Posolda
> <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>
> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com>> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com>
> <mailto:mposolda@redhat.com
> <mailto:mposolda@redhat.com>>>> wrote:
>
> I would try to upgrade to latest
> 1.2.0.Beta1 as it has
> some related fixes AFAIK.
>
> In this version, you have
> also possibility
> to setup
> either frontChannel logout
> or backchannel
> logout for
> the application. It could be
> set in
> Keycloak admin
> console. I think that at
> least one of them
> will work
> with SP filter in latest
> version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen
> Keong Yap wrote:
>
> Hi,
>
> I've 2 applications
> installed with
> Picketlink
> SPFilter to authenticate
> with keycloak
> 1.1.0 beta 2.
>
> When i perform global
> logout, first
> application was
> logged out successfully
> because
> SP/keycloak session
> and application http
> session are
> removed but the
> problem is second
> application SP/keycloak
> session is
> removed but
> application http session
> is still
> remained. I've set
> admin url for these 2
> applications in
> keycloak admin
> console. Kindly share
> your ideas.
>
>
>
>
> _________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>__jboss.org <http://jboss.org>
> <mailto:keycloak-user@lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>
> https://lists.jboss.org/__mailman/listinfo/keycloak-user
>
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
10:52 a.m.
Hi,
Unfortunately i cannot use picketlink binding adapters because my
application is running on websphere and we are not allowed to use keycloak
proxy. I guess the only way is to use SP Filter. Can someone advise the
alternative/solution to clear web application session after global logout
is performed?
On Tue, Apr 7, 2015 at 4:47 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Nope, it's using the proper picketlink binding adapters
(ServiceProviderAuthenticator valve on EAP6 and SPServletExtension on
Wildfly). If you have opportunity to use those instead of SPFilter, it may
be better though. I am not sure if Picketlink SPFilter is not deprecated
(or if it supports all the features like binding adapters). Maybe Bill or
Pedro knows more.
Marek
On 7.4.2015 10:41, Chen Keong Yap wrote:
<?xml version="1.0" encoding="ISO-8859-1"?>
Hi,
I cannot find the spfilter definition in web.xml of the sample demo.
Just wondering is the demo running on SP filter?
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
<filter>
<filter-name>SPFilter</filter-name>
<filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
<init-param>
<param-name>IGNORE_SIGNATURES</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ROLES</param-name>
<param-value>PRUONE</param-value>
</init-param>
<init-param>
<param-name>LOGOUT_PAGE</param-name>
<param-value>/logout1.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> The demo is bundled in keycloak-appliance-dist ZIP in directory
> examples/saml .
>
> The demo sources are here:
> https://github.com/keycloak/keycloak/tree/master/examples/saml
>
> Marek
>
>
> On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi bill,
>
> Can you give me the link or path for the demo? Not sure if you are using
> keycloak or picketlink demo for testing?
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
>
>> Demos work fine for me, but I'm using the wildfly Picketlink SP
>> adapter. I am able to have an SSO session with all the examples, then I am
>> able to logout and have all sessions invalidated.
>>
>> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>>
>>> Hi bill,
>>>
>>> Are you using 2 applications for testing?
>>>
>>> If yes, need to know have you logged out the first application then
>>> redirect to keycloak login page? After that refresh the second
>>> application then redirect to keycloak login page?
>>>
>>> Can i know which version of picketlink federation lib are you using?
>>>
>>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com
>>> <mailto:bburke@redhat.com>> wrote:
>>>
>>> I tried out the saml demo app and logout works just fine, so I'm
>>> guessing this is a bug in the PL SP Filter.
>>>
>>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>>
>>> Hi bill,
>>>
>>> Global logout only removed sp sessions but not web application
>>> sessions
>>> and this created security loopholes.
>>>
>>> Please advise
>>>
>>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
>>> <chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
>>> <mailto:chenkeong.yap@izeno.__com
>>> <mailto:chenkeong.yap@izeno.com>>> wrote:
>>>
>>> Guys,
>>>
>>> Can share your ideas why global logout is not working?
>>>
>>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
>>> <chenkeong.yap(a)izeno.com <mailto:chenkeong.yap@izeno.com>
>>> <mailto:chenkeong.yap@izeno.__com
>>> <mailto:chenkeong.yap@izeno.com>>> wrote:
>>>
>>> Hi Marek,
>>>
>>> I've just tested backchannel logout and it's
showing
>>> same issue.
>>> Both applications are using PL SP Filter and the steps
>>> below are
>>> used for testing.
>>>
>>> 1. Open https://localhost:8443/__employee/
>>> <https://localhost:8443/employee/> and http request is
>>> redirected to
>>>
>>> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
>>> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>>>
>>> 2. Enter username and password into keycloak login
>>> page and
>>> redirected to employee landing page
>>>
>>> 3. Open https://localhost:8443/sales-__post/
>>> <https://localhost:8443/sales-post/> and redirected to
>>> sales-post landing page without login
>>>
>>> 4. Logon to keycloak admin console and noticed there
>>> are 2
>>> active sessions
>>>
>>> 5. Perform global logout from employee landing page
>>> (https://localhost:8443/__employee/?GLO=true
>>> <https://localhost:8443/employee/?GLO=true>) and http request
>>> is
>>> redirected to
>>>
>>> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml
>>> <https://localhost:8443/auth/realms/saml-demo-1/protocol/saml>
>>>
>>> 6. Logon to keycloak admin console and noticed all
>>> sessions are gone
>>>
>>> 7. Refresh sales-post landing page and it's not
>>> redirected to
>>> keycloak login page. sales-post session still active.
>>>
>>> Kindly advise why GLO is performed but the second
>>> application
>>> (sales-post) session still active?
>>>
>>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>
>>> <mailto:mposolda@redhat.com
<mailto:mposolda@redhat.com>>>
>>> wrote:
>>>
>>> Switch the "Front channel logout" to off. In
this
>>> case it
>>> should use backchannel (not redirecting through
>>> browser, but
>>> sending logout requests from Keycloak in
>>> background)
>>>
>>> Marek
>>>
>>>
>>>
>>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>>
>>>
>>> Hi Merek,
>>>
>>> I've tried frontChannel logout in 1.2.0.Beta1
>>> and it's
>>> giving me the same issues, please refer to the
>>> settings
>>> shown in the screen shot.
>>>
>>> Can you please advise how to test backchannel
>>> logout?
>>>
>>>
>>> Inline image 1
>>>
>>>
>>>
>>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>>> <mposolda(a)redhat.com
>>> <mailto:mposolda@redhat.com>
<mailto:mposolda@redhat.com
>>> <mailto:mposolda@redhat.com>>> wrote:
>>>
>>> I would try to upgrade to latest
>>> 1.2.0.Beta1 as it has
>>> some related fixes AFAIK.
>>>
>>> In this version, you have also possibility
>>> to setup
>>> either frontChannel logout or backchannel
>>> logout for
>>> the application. It could be set in
>>> Keycloak admin
>>> console. I think that at least one of them
>>> will work
>>> with SP filter in latest version (if not
>>> both).
>>>
>>> Marek
>>>
>>>
>>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>
>>> Hi,
>>>
>>> I've 2 applications installed with
>>> Picketlink
>>> SPFilter to authenticate with keycloak
>>> 1.1.0 beta 2.
>>>
>>> When i perform global logout, first
>>> application was
>>> logged out successfully because
>>> SP/keycloak session
>>> and application http session are
>>> removed but the
>>> problem is second
>>> application SP/keycloak session is
>>> removed but
>>> application http session is still
>>> remained. I've set
>>> admin url for these 2 applications in
>>> keycloak admin
>>> console. Kindly share your ideas.
>>>
>>>
>>>
>>>
>>> _________________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> <mailto:keycloak-user@lists.__jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>>
>>>
>>> https://lists.jboss.org/__mailman/listinfo/keycloak-user
>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
>
3313
days inactive
3318
days old
15 comments
3 participants
participants (3)
-
Bill Burke -
Chen Keong Yap -
Marek Posolda