[keycloak-dev] Session SPI for adapters

Bill Burke bburke at redhat.com
Mon Oct 6 14:38:01 EDT 2014



On 10/6/2014 10:28 AM, Bill Burke wrote:
>
>
> On 10/6/2014 9:58 AM, Marek Posolda wrote:
>> On 6.10.2014 15:26, Bill Burke wrote:
>>>
>>>
>>> A few more things:
>>>
>>> Stian made a good point that any extensions we do have to be
>>> compatible with non-Keycloak pure OIDC adapters.  The thing is though,
>>> OIDC doesn't have a logout request like SAML does.  I'll ping Pedro to
>>> see if session information can be extracted from a logout request.
>>>
>> AFAIR SAML single sign-out is based on a chain of browser redirections to
>> all apps where you are logged in. No "out-of-band" requests. At least
>> that's how PicketLink is doing it AFAIK (not 100% sure and not sure about
>> the SAML specs). So in this case the logout request is browser-based and has
>> access to the JSESSIONID cookie. Hence there is no need to maintain the
>> sessionId in Keycloak or any state on the adapters as well. I am not 100%
>> sure (will try to double-check..)
>>
>
> SAML has out-of-band logout requests too.  At least that's what I think
> Pedro told me.
>

For PicketLink SAML SPs, you either do a browser redirect protocol to 
each SP for single logout, or you do an out-of-band logout request to 
the SP.  The PL SAML SP adapter currently has the same problem as us in a 
cluster.  They keep an in-memory map between username and HTTP session.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
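The clustering problem Bill describes (an adapter keeping an in-memory map between username and HTTP session, so an out-of-band logout request only reaches the sessions on the node it happens to land on) can be shown with a small simulation. The code below is an added example, not Keycloak or PicketLink code; the node, cluster and session names are constructed, and the sticky-session load balancer is modelled simply by choosing which node receives the logout request.

```python
"""Constructed simulation of out-of-band (back-channel) logout against a
two-node cluster of SP adapters. Each node keeps its own in-memory map
username -> local HTTP session ids, as the mail describes. A logout request
delivered to one node can only invalidate that node's sessions; fanning the
request out to every node (or replacing the local map with a shared registry)
is what makes logout complete. All names here are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class AdapterNode:
    """One application node. Both the container sessions and the
    username -> session index live only in this node's memory."""
    name: str
    sessions: dict = field(default_factory=dict)    # http session id -> username
    user_index: dict = field(default_factory=dict)  # username -> {http session ids}

    def login(self, username: str, session_id: str) -> None:
        # A browser login creates a container session on the node the
        # load balancer stuck the user to, and the adapter indexes it by user.
        self.sessions[session_id] = username
        self.user_index.setdefault(username, set()).add(session_id)

    def logout_local(self, username: str) -> set:
        """Invalidate every HTTP session this node holds for username.
        Returns the ids that were invalidated (empty if none were here)."""
        ids = self.user_index.pop(username, set())
        for sid in ids:
            self.sessions.pop(sid, None)
        return ids

    def is_logged_in(self, username: str) -> bool:
        return bool(self.user_index.get(username))


class Cluster:
    """A set of adapter nodes behind a sticky-session load balancer."""

    def __init__(self, *nodes: AdapterNode):
        self.nodes = {n.name: n for n in nodes}

    def backchannel_logout_naive(self, node_name: str, username: str) -> set:
        # The out-of-band request has no browser cookie to route on, so it
        # lands on one node and only that node's in-memory map is consulted.
        return self.nodes[node_name].logout_local(username)

    def backchannel_logout_fanout(self, username: str) -> set:
        # Every node invalidates its own local sessions for the user, so the
        # result does not depend on which node received the request.
        hit = set()
        for node in self.nodes.values():
            hit |= {(node.name, sid) for sid in node.logout_local(username)}
        return hit

    def still_logged_in(self, username: str) -> list:
        return sorted(n.name for n in self.nodes.values() if n.is_logged_in(username))


def demo() -> dict:
    """Run both logout strategies and report what each one actually reached."""
    node_a, node_b = AdapterNode("node-a"), AdapterNode("node-b")
    cluster = Cluster(node_a, node_b)
    # Constructed state: alice has a session on each node, bob only on node-b.
    node_a.login("alice", "SESS-A1")
    node_b.login("alice", "SESS-B1")
    node_b.login("bob", "SESS-B2")

    naive_hit = cluster.backchannel_logout_naive("node-a", "alice")
    leftover = cluster.still_logged_in("alice")      # node-b never saw the request
    fanout_hit = cluster.backchannel_logout_fanout("alice")
    return {
        "naive": naive_hit,            # {'SESS-A1'}
        "leftover": leftover,          # ['node-b']
        "fanout": fanout_hit,          # {('node-b', 'SESS-B1')}
        "bob": cluster.still_logged_in("bob"),  # ['node-b'], untouched
    }


if __name__ == "__main__":
    print(demo())
```

The browser-redirect variant of single logout that Marek mentions does not hit this problem, because the browser carries the JSESSIONID cookie to each SP and the sticky load balancer routes it to the node that owns the session; it is only the out-of-band request, which arrives without that cookie, that needs either the fan-out above or a session registry shared across the cluster.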
