Hi,
Unfortunately I cannot use the PicketLink binding adapters because my
application is running on WebSphere and we are not allowed to use the Keycloak
proxy. I guess the only way is to use the SP Filter. Can someone advise an
alternative/solution to clear the web application session after global logout
is performed?
On Tue, Apr 7, 2015 at 4:47 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Nope, it's using the proper picketlink binding adapters
(ServiceProviderAuthenticator valve on EAP6 and SPServletExtension on
WildFly). If you have the opportunity to use those instead of SPFilter, it may
be better though. I am not sure if Picketlink SPFilter is not deprecated
(or if it supports all the features like binding adapters). Maybe Bill or
Pedro knows more.
Marek
On 7.4.2015 10:41, Chen Keong Yap wrote:
Hi,
I cannot find the SPFilter definition in the web.xml of the sample demo.
Just wondering, is the demo running on the SP filter?

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <filter>
    <filter-name>SPFilter</filter-name>
    <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
    <!-- With IGNORE_SIGNATURES set to true the filter does not validate SAML signatures -->
    <init-param>
      <param-name>IGNORE_SIGNATURES</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>ROLES</param-name>
      <param-value>PRUONE</param-value>
    </init-param>
    <init-param>
      <param-name>LOGOUT_PAGE</param-name>
      <param-value>/logout1.jsp</param-value>
    </init-param>
  </filter>
  <!-- Apply the filter to every request of the application -->
  <filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <!-- welcome-file entries were not included in the posted message -->
  </welcome-file-list>
</web-app>
On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> The demo is bundled in keycloak-appliance-dist ZIP in directory
> examples/saml .
>
> The demo sources are here:
> https://github.com/keycloak/keycloak/tree/master/examples/saml
>
> Marek
>
>
> On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi Bill,
>
> Can you give me the link or path for the demo? Not sure if you are using
> the Keycloak or PicketLink demo for testing?
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
>
>> Demos work fine for me, but I'm using the wildfly Picketlink SP
>> adapter. I am able to have an SSO session with all the examples, then I am
>> able to logout and have all sessions invalidated.
>>
>> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>>
>>> Hi Bill,
>>>
>>> Are you using 2 applications for testing?
>>>
>>> If yes, I need to know: did you log out of the first application and then
>>> get redirected to the Keycloak login page? After that, did you refresh the
>>> second application and get redirected to the Keycloak login page?
>>>
>>> Can I know which version of the PicketLink federation lib you are using?
>>>
>>> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
>>>
>>> I tried out the saml demo app and logout works just fine, so I'm
>>> guessing this is a bug in the PL SP Filter.
>>>
>>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>>>
>>> Hi Bill,
>>>
>>> Global logout only removed SP sessions but not web application sessions,
>>> and this created security loopholes.
>>>
>>> Please advise.
>>>
>>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
>>> <chenkeong.yap(a)izeno.com> wrote:
>>>
>>> Guys,
>>>
>>> Can you share your ideas on why global logout is not working?
>>>
>>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
>>> <chenkeong.yap(a)izeno.com> wrote:
>>>
>>> Hi Marek,
>>>
>>> I've just tested backchannel logout and it's showing the same issue.
>>> Both applications are using the PL SP Filter and the steps below are
>>> used for testing.
>>>
>>> 1. Open https://localhost:8443/employee/ and the HTTP request is
>>>    redirected to
>>>    https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>>
>>> 2. Enter username and password into the Keycloak login page and get
>>>    redirected to the employee landing page
>>>
>>> 3. Open https://localhost:8443/sales-post/ and get redirected to the
>>>    sales-post landing page without login
>>>
>>> 4. Log on to the Keycloak admin console and notice there are 2 active
>>>    sessions
>>>
>>> 5. Perform global logout from the employee landing page
>>>    (https://localhost:8443/employee/?GLO=true) and the HTTP request is
>>>    redirected to
>>>    https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>>>
>>> 6. Log on to the Keycloak admin console and notice all sessions are gone
>>>
>>> 7. Refresh the sales-post landing page and it's not redirected to the
>>>    Keycloak login page. The sales-post session is still active.
>>>
>>> Kindly advise why GLO is performed but the second application
>>> (sales-post) session is still active?
>>>
>>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>>> <mposolda(a)redhat.com> wrote:
>>>
>>> Switch the "Front channel logout" to off. In this case it should use
>>> backchannel (not redirecting through browser, but sending logout
>>> requests from Keycloak in background)
>>>
>>> Marek
>>>
>>>
>>>
>>> On 3.4.2015 08:28, Chen Keong Yap wrote:
>>>
>>>
>>> Hi Marek,
>>>
>>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
>>> same issues; please refer to the settings shown in the screenshot.
>>>
>>> Can you please advise how to test backchannel logout?
>>>
>>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>>> <mposolda(a)redhat.com> wrote:
>>>
>>> I would try to upgrade to the latest 1.2.0.Beta1, as it has some related
>>> fixes AFAIK.
>>>
>>> In this version, you also have the possibility to set up either
>>> frontChannel logout or backchannel logout for the application. It could
>>> be set in the Keycloak admin console. I think that at least one of them
>>> will work with the SP filter in the latest version (if not both).
>>>
>>> Marek
>>>
>>>
>>> On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>
>>> Hi,
>>>
>>> I have 2 applications installed with the PicketLink SPFilter to
>>> authenticate with Keycloak 1.1.0 beta 2.
>>>
>>> When I perform global logout, the first application was logged out
>>> successfully because the SP/Keycloak session and the application HTTP
>>> session are removed, but the problem is that the second application's
>>> SP/Keycloak session is removed while its application HTTP session still
>>> remains. I've set the admin URL for these 2 applications in the Keycloak
>>> admin console. Kindly share your ideas.
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>>
>>> http://bill.burkecentral.com
>>>
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>>
>
>
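
Added illustration, not code from this thread or from PicketLink/Keycloak: a back-channel logout request is sent by Keycloak rather than by the browser, so it carries no session cookie and the application has to locate the user's HTTP sessions itself. The listener below keeps that mapping; it assumes Servlet 3.x (`javax.servlet`) and Java 8, and the class name and the `SSO_PRINCIPAL` attribute name are hypothetical.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;

/** Maps each signed-in user to their container HTTP sessions, so a logout that
 *  arrives without the browser's session cookie can still invalidate them. */
public class SsoSessionRegistry implements HttpSessionListener, HttpSessionAttributeListener {

    // Hypothetical attribute name: replace with the key under which your SP
    // filter stores the authenticated principal in the HttpSession.
    static final String PRINCIPAL_ATTR = "SSO_PRINCIPAL";

    // user name -> (session id -> session)
    private static final Map<String, Map<String, HttpSession>> BY_USER = new ConcurrentHashMap<>();

    private static String nameOf(Object v) {
        return (v instanceof Principal) ? ((Principal) v).getName() : String.valueOf(v);
    }

    // Fires when the SP filter binds the principal, i.e. right after SSO login.
    @Override public void attributeAdded(HttpSessionBindingEvent e) {
        if (PRINCIPAL_ATTR.equals(e.getName()) && e.getValue() != null) {
            BY_USER.computeIfAbsent(nameOf(e.getValue()), k -> new ConcurrentHashMap<>())
                   .put(e.getSession().getId(), e.getSession());
        }
    }
    @Override public void attributeReplaced(HttpSessionBindingEvent e) { }
    @Override public void attributeRemoved(HttpSessionBindingEvent e) { }
    @Override public void sessionCreated(HttpSessionEvent e) { }

    // Timeout or local logout: forget the session so the registry does not leak.
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        for (Map<String, HttpSession> sessions : BY_USER.values()) {
            sessions.remove(e.getSession().getId());
        }
    }

    /** Ends every tracked session of the user and returns how many were ended.
     *  Call only after the LogoutRequest signature and issuer are verified. */
    public static int invalidateAll(String user) {
        Map<String, HttpSession> sessions = BY_USER.remove(user);
        if (sessions == null) return 0;
        int ended = 0;
        for (HttpSession s : sessions.values()) {
            try { s.invalidate(); ended++; }
            catch (IllegalStateException alreadyInvalid) { /* raced with a timeout */ }
        }
        return ended;
    }
}
```

Register the class with a `<listener>` element in web.xml. The registry lives in one JVM, so a clustered deployment needs the logout delivered to every node.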