[keycloak-user] Http Session is not invalidated

Bill Burke bburke at redhat.com
Mon Apr 6 09:31:59 EDT 2015


I'll try out the demo example.  One problem I did have with the 
Picketlink SP adapter is that the session was invalidated, but the 
principal was still available when redirecting back to the logout page. 
Doesn't sound like this is your problem though.

On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
> Hi bill,
>
> Global logout only removed SP sessions but not web application sessions,
> and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap <chenkeong.yap at izeno.com
> <mailto:chenkeong.yap at izeno.com>> wrote:
>
>     Guys,
>
>     Can you share your ideas on why global logout is not working?
>
>     On Apr 3, 2015 3:47 PM, "Chen Keong Yap" <chenkeong.yap at izeno.com
>     <mailto:chenkeong.yap at izeno.com>> wrote:
>
>         Hi Marek,
>
>         I've just tested backchannel logout and it's showing same issue.
>         Both applications are using PL SP Filter and the steps below are
>         used for testing.
>
>         1. Open https://localhost:8443/employee/ and http request is
>         redirected to
>         https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
>         2. Enter username and password into keycloak login page and
>         redirected to employee landing page
>
>         3. Open https://localhost:8443/sales-post/ and redirected to
>         sales-post landing page without login
>
>         4. Log on to the Keycloak admin console and notice there are 2
>         active sessions
>
>         5. Perform global logout from employee landing page
>         (https://localhost:8443/employee/?GLO=true) and http request is
>         redirected to
>         https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
>         6. Log on to the Keycloak admin console and notice all sessions are gone
>
>         7. Refresh the sales-post landing page and it is not redirected to
>         the Keycloak login page. The sales-post session is still active.
>
>         Kindly advise why GLO is performed but the second application
>         (sales-post) session is still active?
>
>         On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>         <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>
>             Switch the "Front channel logout" to off. In this case it
>             should use backchannel (not redirecting through the browser, but
>             sending logout requests from Keycloak in the background).
>
>             Marek
>
>
>
>             On 3.4.2015 08:28, Chen Keong Yap wrote:
>>
>>             Hi Marek,
>>
>>             I've tried frontChannel logout in 1.2.0.Beta1 and it's
>>             giving me the same issues; please refer to the settings
>>             shown in the screenshot.
>>
>>             Can you please advise how to test backchannel logout?
>>
>>
>>             [Inline image 1: screenshot of the settings referred to above]
>>
>>
>>
>>             On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
>>             <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>>                 I would try to upgrade to latest 1.2.0.Beta1 as it has
>>                 some related fixes AFAIK.
>>
>>                 In this version, you also have the possibility to set up
>>                 either frontChannel logout or backchannel logout for
>>                 the application. It can be set in the Keycloak admin
>>                 console. I think that at least one of them will work
>>                 with the SP filter in the latest version (if not both).
>>
>>                 Marek
>>
>>
>>                 On 3.4.2015 01:44, Chen Keong Yap wrote:
>>>                 Hi,
>>>
>>>                 I've 2 applications installed with the Picketlink
>>>                 SPFilter to authenticate with Keycloak 1.1.0 beta 2.
>>>
>>>                 When I perform global logout, the first application was
>>>                 logged out successfully because the SP/Keycloak session
>>>                 and the application HTTP session are removed, but the
>>>                 problem is that for the second application the
>>>                 SP/Keycloak session is removed while the application
>>>                 HTTP session still remains. I've set the admin URL for
>>>                 these 2 applications in the Keycloak admin console.
>>>                 Kindly share your ideas.
>>>
>>>
>>>
>>>                 _______________________________________________
>>>                 keycloak-user mailing list
>>>                 keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>>                 https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
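The loophole discussed in this thread is the gap between the SP-side SAML session (which the global logout does remove) and the web application's own HttpSession (which, in the second application, survives). The servlet listener below is an added example written for this page; it is not code from the thread, from PicketLink or from Keycloak. It keeps a registry from the SAML SessionIndex to the application HttpSession, so that a back-channel LogoutRequest carrying that SessionIndex can invalidate the application session itself, which is the step whose absence leaves sales-post logged in at step 7. The attribute name `saml.sessionIndex`, the class name and the `register`/`logout` entry points are assumptions; the real SP filter stores the SessionIndex under its own name and would need to call into this registry at the two points noted in the comments.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (hypothetical class, not PicketLink/Keycloak code):
 * registry of application HttpSessions keyed by SAML SessionIndex, so a
 * logout request from the IdP can terminate the *application* session and
 * not only the SP-side session.
 */
public class SamlSessionRegistry implements HttpSessionListener {

    // Assumed attribute name; the real SP filter uses its own name for the
    // SessionIndex of the validated assertion.
    public static final String SESSION_INDEX_ATTR = "saml.sessionIndex";

    private static final Map<String, HttpSession> BY_SESSION_INDEX =
            new ConcurrentHashMap<String, HttpSession>();

    /** Call once the SP filter has validated the assertion for this request. */
    public static void register(String sessionIndex, HttpSession session) {
        session.setAttribute(SESSION_INDEX_ATTR, sessionIndex);
        BY_SESSION_INDEX.put(sessionIndex, session);
    }

    /**
     * Call when a LogoutRequest for this SessionIndex arrives (back channel
     * from Keycloak, or the browser-driven front-channel redirect).
     * Returns true if a live application session was actually invalidated.
     */
    public static boolean logout(String sessionIndex) {
        HttpSession session = BY_SESSION_INDEX.remove(sessionIndex);
        if (session == null) {
            return false;            // unknown SessionIndex or already gone
        }
        try {
            session.invalidate();    // the step that closes the loophole
        } catch (IllegalStateException alreadyInvalid) {
            // expired by the container or invalidated concurrently: fine
        }
        return true;
    }

    /** Number of SSO-backed application sessions still alive (for checks). */
    public static int activeCount() {
        return BY_SESSION_INDEX.size();
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // nothing to do: registration happens after assertion validation
    }

    /** Keeps the registry consistent when the container expires a session. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        try {
            Object idx = se.getSession().getAttribute(SESSION_INDEX_ATTR);
            if (idx != null) {
                BY_SESSION_INDEX.remove(idx.toString());
            }
        } catch (IllegalStateException alreadyInvalid) {
            // attributes no longer readable; the entry was removed on logout
        }
    }
}
```

The listener is declared with a `<listener>` element in the application's web.xml. Against the test procedure in the thread, the expected behaviour after step 5 is that each application's logout handler calls `SamlSessionRegistry.logout(...)` with the SessionIndex from the LogoutRequest and that `activeCount()` drops to zero in both employee and sales-post; a refresh at step 7 then has no HttpSession to resume and is redirected to the Keycloak login page.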