[keycloak-dev] backchannel logout for SAML SP
Bill Burke
bburke at redhat.com
Tue Sep 15 08:58:50 EDT 2015
We can do anything we want on the server side, the problem is that our
client adapters, SAML and OIDC, should be able to work with non-Keycloak
IdPs.
On 9/15/2015 7:25 AM, Stian Thorgersen wrote:
> Could we store the mapping on the Keycloak side? client-id + http
> session id --> KC session id?
>
> On 14 September 2015 at 22:41, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>
>
> On 9/14/2015 4:20 PM, Marek Posolda wrote:
> > On 14/09/15 21:46, Bill Burke wrote:
> >> The SAML IdP is not required to send back that id. That ID is just
> >> the ID of the request.
> > The SAML IdP doesn't need to send anything back. I meant that
> > HttpSessionID will be send in the ID of SAMLRequest from SAML SP to
> > auth-server . I don't know if there is any better attribute/element of
> > AuthnRequest, which can be used to transmit such "custom" data.
> >
>
> SAML logout requests to the SP client contain the principal name and/or
> possibly one *or more* SSO IDs (session indexes). New OIDC spec will
> work similarly.
>
> >>
> >> A hack I'm thinking of is to create an HttpSession that is shared by
> >> everybody and store this SSO id/username -> to -> HttpSession id map
> >> there.
> > That's good, we can avoid dependency on infinispan.
>
> Ugh, unfortunately, you can't provide our own session id with Undertow's
> or Jetty's sessionmanager interface. :( So no way to hack this except
> for Tomcat and JbossWeb.
>
> > But still, we will
> > need the stuff like periodic cleaner thread, which will remove expired
> > items from this HttpSession map. And this solution requires HttpSession
> > replication if I understand correctly?
> >
>
> Replication would be required, but all these servlet containers contain
> session lifecycle listener SPIs, so there is no need for reaper threads.
> But, can't do it anyways...
>
> > As of now, we don't require HttpSession replication for OIDC. Qe support
> > the deployments when the application is deployed on more "cluster" nodes
> > behind loadbalancer, but application cluster nodes don't communicate
> > with each other. In other words, there is no "distributable" in web.xml
> > . For this case, we have CLIENT_SESSION_HOST note, so the OIDC
> > backchannel request is sent to same cluster node from which was
> > code-to-token request sent earlier.
> >
>
> Again, not something we can implement in a standard/portable way.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list