[keycloak-dev] Session SPI for adapters
Bill Burke
bburke at redhat.com
Mon Oct 6 10:28:53 EDT 2014
On 10/6/2014 9:58 AM, Marek Posolda wrote:
> On 6.10.2014 15:26, Bill Burke wrote:
>>
>>
>> A few more things:
>>
>> Stian made a good point that any extensions we do have to be
>> compatible with non keycloak pure oidc adapters. The thing is though,
>> OIDC doesn't have a logout request like SAML does. I'll ping pedro to
>> see if session information can be extracted from a logout request.
>>
> AFAIR SAML single-sign out is based on chain of browser redirections to
> all apps where you are logged. No "out-of-bound" requests . At least
> that's how picketlink is doing afaik (not 100% sure and not sure about
> SAML specs). So in this case logout request is browser-based and have
> access to JSESSIONID cookie. Hence there is no need to maintain
> sessionId in keycloak or any state on adapters as well. I am not 100%
> sure (will try to doublecheck..)
>
SAML has out-of-band logout requests too. At least thats what I think
Pedro told me.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list