[keycloak-dev] mod_auth_mellon

Bill Burke bburke at redhat.com
Fri Jan 15 09:02:17 EST 2016


Looks like it's on the auth mellon side as I don't see any request after:
/mellon/logout?ReturnTo=/



On 1/15/2016 3:57 AM, Michal Hajas wrote:
> I can't see anything even in console log.
>
> I enclosed the whole process of login and logout in the network tab.
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Michal Hajas" <mhajas at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, January 14, 2016 5:01:30 PM
> Subject: Re: [keycloak-dev] mod_auth_mellon
>
> You can probably see a trace in your browser console?
>
> On 1/14/2016 10:21 AM, Michal Hajas wrote:
>> Actually, I am not sure but it looks like it doesn't. There is nothing in either the keycloak server log or the events in the admin console.
>>
>> Michal.
>>
>> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, January 14, 2016 3:28:36 PM
>> Subject: Re: [keycloak-dev] mod_auth_mellon
>>
>> Is mellon actually sending a logout request to Keycloak?
>> Do you see any error message on the keycloak server side? We definitely support POST binding for logout.
>> On 1/14/2016 8:34 AM, Michal Hajas wrote:
>>
>>
>>
>> Hi,
>>
>> I'm trying to run apache + mod_auth_mellon with keycloak as identity provider.
>>
>> Steps:
>> 1. Install apache and mod_auth_mellon module
>> 2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory
>> 3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory
>> 4. Configure mod_auth_mellon with enclosed file auth_mellon.conf
>> 5. Create client in keycloak from xml file generated in step 2 (There must be enabled Sign Documents, Sign Assertions signing and Force POST Binding)
>>
>> Login works: when I access /auth, mellon redirects me to keycloak and after successful login it redirects me back to the protected resource.
>>
>> Problem:
>> I'm not able to log out. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy the session in keycloak and in apache's error log there is:
>> Current identity provider does not support single logout. Destroying local session only.
>>
>> The only way I was able to log out is to change
>>
>> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
>>
>> to
>>
>> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml" />
>>
>> POST -> Redirect
>>
>> in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console.
>>
>> Is that correct, or should it work with the POST binding too?
>>
>> Thank you,
>> Michal.
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
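The workaround Michal describes is a manual edit of idp_metadata.xml: the Keycloak descriptor advertises SingleLogoutService only with the HTTP-POST binding, and mellon logs "Current identity provider does not support single logout" and destroys the local session only, while swapping the binding to HTTP-Redirect (and setting the client's "Logout Service Redirect Binding URL") makes single logout work. The script below is an added example, not code from the thread or from the Keycloak or mod_auth_mellon projects. It parses an IdP metadata document, lists the SLO endpoints by binding, reports whether an HTTP-Redirect SLO endpoint is present, and applies the same POST-to-Redirect rewrite the thread used. The embedded metadata is a constructed sample modelled on the element quoted above, not a real Keycloak export; the function names are my own.

```python
"""Inspect and, if needed, rewrite SingleLogoutService bindings in SAML 2.0 IdP metadata.

Added example for the mod_auth_mellon / Keycloak SLO thread; the sample metadata
below is constructed to mirror the SingleLogoutService element quoted in the
thread and is not an actual Keycloak descriptor.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SLO_TAG = "{%s}SingleLogoutService" % MD_NS
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: SLO advertised with HTTP-POST only, as in the thread.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://localhost:8080/auth/realms/mellon-test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def slo_endpoints(metadata_xml):
    """Return [(binding, location), ...] for every SingleLogoutService element."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location")) for e in root.iter(SLO_TAG)]


def has_redirect_slo(metadata_xml):
    """True if the IdP advertises an SLO endpoint with the HTTP-Redirect binding."""
    return any(binding == BINDING_REDIRECT for binding, _ in slo_endpoints(metadata_xml))


def rewrite_slo_to_redirect(metadata_xml):
    """Apply the thread's workaround: change every HTTP-POST SLO binding to HTTP-Redirect.

    Returns (rewritten_xml, number_of_elements_changed). The Location is kept as is,
    because in the thread the same URL served both bindings.
    """
    # Keep the default namespace unprefixed so the output still looks like the input.
    ET.register_namespace("", MD_NS)
    root = ET.fromstring(metadata_xml)
    changed = 0
    for e in root.iter(SLO_TAG):
        if e.get("Binding") == BINDING_POST:
            e.set("Binding", BINDING_REDIRECT)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for binding, location in slo_endpoints(SAMPLE_IDP_METADATA):
        print("SLO:", binding, location)
    if not has_redirect_slo(SAMPLE_IDP_METADATA):
        print("no HTTP-Redirect SLO endpoint; rewriting as in the thread")
        rewritten, n = rewrite_slo_to_redirect(SAMPLE_IDP_METADATA)
        print("changed %d element(s)" % n)
        print(rewritten)
```

Run it against the descriptor downloaded from /auth/realms/{REALM}/protocol/saml/descriptor before copying it into the mellon directory. Note that the rewrite only changes what the SP believes the IdP accepts; as the thread says, the Keycloak client also has to be given a "Logout Service Redirect Binding URL" pointing at the mellon logout endpoint, otherwise the IdP has nowhere to send its side of the exchange.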


