[keycloak-dev] Session SPI for adapters

Marek Posolda mposolda at redhat.com
Tue Oct 7 03:38:07 EDT 2014


On 7.10.2014 08:13, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 6 October, 2014 8:38:01 PM
>> Subject: Re: [keycloak-dev] Session SPI for adapters
>>
>>
>>
>> On 10/6/2014 10:28 AM, Bill Burke wrote:
>>>
>>> On 10/6/2014 9:58 AM, Marek Posolda wrote:
>>>> On 6.10.2014 15:26, Bill Burke wrote:
>>>>>
>>>>> A few more things:
>>>>>
>>>>> Stian made a good point that any extensions we do have to be
>>>>> compatible with non keycloak pure oidc adapters.  The thing is though,
>>>>> OIDC doesn't have a logout request like SAML does.  I'll ping pedro to
>>>>> see if session information can be extracted from a logout request.
>>>>>
>>>> AFAIR SAML single sign-out is based on a chain of browser redirections to
>>>> all apps where you are logged in. No "out-of-band" requests. At least
>>>> that's how picketlink is doing it afaik (not 100% sure and not sure about
>>>> the SAML specs). So in this case the logout request is browser-based and has
>>>> access to the JSESSIONID cookie. Hence there is no need to maintain
>>>> the sessionId in keycloak or any state on adapters as well. I am not 100%
>>>> sure (will try to doublecheck..)
>>>>
>>> SAML has out-of-band logout requests too.  At least that's what I think
>>> Pedro told me.
>>>
>> For Picketlink SAML SPs, you either do a browser redirect protocol to
>> each SP for Single Log out, or you do an out-of-band logout request to
>> the SP.  The PL SAML SP adapter currently has the same problem as us in a
>> cluster.  They keep an in-memory map between username and http session.
> Would it make sense to add redirect logout as well? Then you can set in the admin console which logout mechanism you want (none, redirect or out-of-band request?)
For me it makes sense. Regarding SAML, I looked briefly and the specs 
support both redirect and out-of-band. Redirect seems to be preferred 
according to SAML-Profiles-2.0, section 4.4.3.1:

"The identity provider SHOULD then propagate any required logout 
messages to additional session participants as required using either a 
synchronous or asynchronous binding. The use of an asynchronous binding 
for the original request is preferred because it gives the identity 
provider the best chance of successfully propagating the logout to the 
other session participants during step 3."

By asynchronous binding is meant propagating the request through the browser.

It seems that supporting redirect will be good. Even if the picketlink SP 
has some possible solution for out-of-band (which is not cluster-aware), 
for interoperability with other 3rd party SAML SPs redirect might be the 
only possibility.

Marek
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
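The thread above turns on two questions: whether a SAML LogoutRequest carries enough information for an SP to find the session it must invalidate (it does: NameID plus one or more SessionIndex elements), and why that matters more for the out-of-band (SOAP/back-channel) path than for the browser redirect path, where the SP also sees its own session cookie. The following is an added example written for this page, not code from Keycloak or PicketLink (both of which are Java; Python is used here to show the protocol exchange). It builds a LogoutRequest, encodes and decodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), wraps it for the SOAP binding, and shows an SP-side lookup from SessionIndex to local HTTP session. All issuer/SP URLs, session identifiers and the in-process dict standing in for a cluster-shared session store are constructed assumptions.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
LOGOUT_REQUEST = f"{{{SAMLP}}}LogoutRequest"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("soap", SOAP)


def build_logout_request(issuer, name_id, session_index, destination):
    """IdP side: an (unsigned, for brevity) <samlp:LogoutRequest>.
    Real deployments sign it; that is omitted here. Values are example data."""
    root = ET.Element(LOGOUT_REQUEST, {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(sp_slo_url, xml, relay_state=None):
    """HTTP-Redirect binding (the 'asynchronous' path via the browser):
    raw DEFLATE (no zlib header, wbits=-15), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return sp_slo_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """SP side: reverse of redirect_binding_url."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def soap_envelope(xml):
    """SOAP binding (the 'synchronous' out-of-band path, IdP -> SP directly)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(xml))
    return ET.tostring(env, encoding="unicode")


def extract_session_info(xml):
    """Return (NameID, [SessionIndex, ...]) from a bare or SOAP-wrapped request."""
    root = ET.fromstring(xml)
    req = root if root.tag == LOGOUT_REQUEST else root.find(f".//{LOGOUT_REQUEST}")
    if req is None:
        raise ValueError("no LogoutRequest found")
    name_id = req.findtext(f"{{{SAML}}}NameID")
    indexes = [e.text for e in req.findall(f"{{{SAMLP}}}SessionIndex")]
    return name_id, indexes


class SpSessionStore:
    """SP-side map SessionIndex -> local HTTP session id.
    A plain dict is a stand-in; in a cluster this must be a replicated or
    shared store, otherwise a back-channel request hitting another node
    finds nothing (the cluster problem the thread describes)."""

    def __init__(self):
        self._by_index = {}

    def register(self, session_index, http_session_id):
        self._by_index[session_index] = http_session_id

    def handle_logout(self, xml, browser_session_id=None):
        """Return the local session ids invalidated by this LogoutRequest.
        Front-channel: the browser's own cookie identifies the session, so
        SessionIndex is only a cross-check. Back-channel: SessionIndex is all
        the SP has, hence the map above."""
        _, indexes = extract_session_info(xml)
        invalidated = []
        for idx in indexes:
            sid = self._by_index.pop(idx, None)
            if sid is not None:
                invalidated.append(sid)
        if browser_session_id and browser_session_id not in invalidated:
            invalidated.append(browser_session_id)
        return invalidated


if __name__ == "__main__":
    req = build_logout_request("https://idp.example.test", "alice",
                               "_idx1", "https://sp.example.test/slo")
    print(redirect_binding_url("https://sp.example.test/slo", req, "back"))
    print(extract_session_info(soap_envelope(req)))
```

The round trip through `redirect_binding_url` and `decode_redirect_binding` is the interoperability check worth running against any third-party SP: the DEFLATE must be raw (negative `wbits`), and the base64 must be URL-encoded, or the SP will reject the request before it ever looks for a SessionIndex.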
