[keycloak-user] Http Session is not invalidated

Marek Posolda mposolda at redhat.com
Tue Apr 7 03:20:57 EDT 2015


The demo is bundled in keycloak-appliance-dist ZIP in directory 
examples/saml .

The demo sources are here: 
https://github.com/keycloak/keycloak/tree/master/examples/saml

Marek

On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi bill,
>
> Can you give me the link or path for the demo? Not sure if you are 
> using keycloak or picketlink demo for testing?
>
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
>     Demos work fine for me, but I'm using the wildfly Picketlink SP
>     adapter. I am able to have an SSO session with all the examples,
>     then I am able to logout and have all sessions invalidated.
>
>     On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>
>         Hi bill,
>
>         Are you using 2 applications for testing?
>
>         If yes, I need to know: have you logged out of the first application
>         and then been redirected to the keycloak login page? After that, did
>         refreshing the second application redirect to the keycloak login page?
>
>         Can I know which version of the picketlink federation lib you are
>         using?
>
>         On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
>             I tried out the saml demo app and logout works just fine,
>             so I'm guessing this is a bug in the PL SP Filter.
>
>             On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>
>                 Hi bill,
>
>                 Global logout only removed SP sessions but not web
>                 application sessions, and this created security loopholes.
>
>                 Please advise
>
>                 On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
>                 <chenkeong.yap at izeno.com> wrote:
>
>                      Guys,
>
>                      Can you share your ideas on why global logout is not
>                      working?
>
>                      On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
>                      <chenkeong.yap at izeno.com> wrote:
>
>                          Hi Marek,
>
>                          I've just tested backchannel logout and it's
>                          showing the same issue. Both applications are
>                          using PL SP Filter and the steps below are used
>                          for testing.
>
>                          1. Open https://localhost:8443/employee/ and the
>                          http request is redirected to
>                          https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
>                          2. Enter username and password into keycloak
>                          login page and get redirected to employee landing page
>
>                          3. Open https://localhost:8443/sales-post/ and get
>                          redirected to sales-post landing page without login
>
>                          4. Logon to keycloak admin console and notice there
>                          are 2 active sessions
>
>                          5. Perform global logout from employee landing page
>                          (https://localhost:8443/employee/?GLO=true) and the
>                          http request is redirected to
>                          https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
>                          6. Logon to keycloak admin console and notice all
>                          sessions are gone
>
>                          7. Refresh sales-post landing page and it's not
>                          redirected to keycloak login page. sales-post
>                          session is still active.
>
>                          Kindly advise why GLO is performed but the second
>                          application (sales-post) session is still active?
>
>                          On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
>                          <mposolda at redhat.com> wrote:
>
>                              Switch the "Front channel logout" to off.
>                              In this case it should use backchannel (not
>                              redirecting through browser, but sending
>                              logout requests from Keycloak in background)
>
>                              Marek
>
>
>
>                              On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>
>                                  Hi Marek,
>
>                                  I've tried frontChannel logout in
>                                  1.2.0.Beta1 and it's giving me the same
>                                  issues, please refer to the settings
>                                  shown in the screen shot.
>
>                                  Can you please advise how to test
>                                  backchannel logout?
>
>                                  [Inline image 1]
>
>
>
>                                  On Fri, Apr 3, 2015 at 1:50 PM, Marek
>                                  Posolda <mposolda at redhat.com> wrote:
>
>                                      I would try to upgrade to latest
>                                      1.2.0.Beta1 as it has some related
>                                      fixes AFAIK.
>
>                                      In this version, you also have the
>                                      possibility to set up either
>                                      frontChannel logout or backchannel
>                                      logout for the application. It could
>                                      be set in Keycloak admin console. I
>                                      think that at least one of them will
>                                      work with SP filter in latest version
>                                      (if not both).
>
>                                      Marek
>
>
>                                      On 3.4.2015 01:44, Chen Keong Yap wrote:
>
>                                          Hi,
>
>                                          I've 2 applications installed with
>                                          Picketlink SPFilter to authenticate
>                                          with keycloak 1.1.0 beta 2.
>
>                                          When I perform global logout, the
>                                          first application was logged out
>                                          successfully because the
>                                          SP/keycloak session and application
>                                          http session are removed, but the
>                                          problem is that for the second
>                                          application the SP/keycloak session
>                                          is removed but the application http
>                                          session still remains. I've set
>                                          admin url for these 2 applications
>                                          in keycloak admin console. Kindly
>                                          share your ideas.
>
>
>                         _______________________________________________
>                         keycloak-user mailing list
>                         keycloak-user at lists.jboss.org
>                         https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>             --
>             Bill Burke
>             JBoss, a division of Red Hat
>         http://bill.burkecentral.com
>
>
>     -- 
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
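The gap the thread keeps circling is that the SP filter clears its own SAML state on global logout while the web application's HttpSession survives. The following is an added illustration, not code from the thread, from Keycloak or from PicketLink: a plain Servlet-API registry that binds each HttpSession to its SAML SessionIndex at login and invalidates it when the backchannel LogoutRequest for that index arrives. The class name, method names and the `saml.sessionIndex` attribute are assumptions of this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example with hypothetical names. Binds the application's own
 * HttpSession to the SAML SessionIndex so that a backchannel logout from
 * the IdP invalidates the application session, not only the SP-side state.
 * Register it as a listener (web.xml or @WebListener) so that
 * sessionDestroyed() keeps the map from leaking on normal expiry.
 */
public final class SamlSessionRegistry implements HttpSessionListener {

    private static final String INDEX_ATTR = "saml.sessionIndex";
    // SessionIndex -> live HttpSession, held in memory for this SP only.
    private static final Map<String, HttpSession> BY_INDEX = new ConcurrentHashMap<>();

    /** Call after the SP has validated the SAML Response; the index comes from its AuthnStatement. */
    public static void bind(HttpSession session, String sessionIndex) {
        session.setAttribute(INDEX_ATTR, sessionIndex);
        BY_INDEX.put(sessionIndex, session);
    }

    /**
     * Call from the endpoint that receives the IdP's backchannel LogoutRequest,
     * after its signature and issuer have been verified by the SP.
     * Returns true if a bound HttpSession was found and invalidated.
     */
    public static boolean logoutByIndex(String sessionIndex) {
        HttpSession session = BY_INDEX.remove(sessionIndex);
        if (session == null) {
            return false;            // already gone, or never bound on this SP
        }
        try {
            session.invalidate();    // drops the application's own state as well
        } catch (IllegalStateException alreadyInvalid) {
            // Container expired it between lookup and invalidate; nothing left to do.
        }
        return true;
    }

    /** Container callback: drop the mapping when a session expires or is invalidated. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        Object index = se.getSession().getAttribute(INDEX_ATTR);
        if (index != null) {
            BY_INDEX.remove(index.toString(), se.getSession());
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { /* nothing to track yet */ }
}
```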
