[keycloak-user] Http Session is not invalidated
Marek Posolda
mposolda at redhat.com
Tue Apr 7 03:20:57 EDT 2015
The demo is bundled in keycloak-appliance-dist ZIP in directory
examples/saml .
The demo sources are here:
https://github.com/keycloak/keycloak/tree/master/examples/saml
Marek
On 7.4.2015 02:37, Chen Keong Yap wrote:
>
> Hi bill,
>
> Can you give me the link or path for the demo? Not sure if you are
> using the keycloak or picketlink demo for testing?
>
> On Apr 6, 2015 9:20 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
> Demos work fine for me, but I'm using the wildfly Picketlink SP
> adapter. I am able to have an SSO session with all the examples,
> then I am able to logout and have all sessions invalidated.
>
> On 4/6/2015 9:01 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Are you using 2 applications for testing?
>
> If yes, I need to know: have you logged out of the first application
> and then been redirected to the keycloak login page? And after that,
> refreshed the second application and then been redirected to the
> keycloak login page?
>
> Can I know which version of the picketlink federation lib you are
> using?
>
> On Apr 6, 2015 8:56 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
> I tried out the saml demo app and logout works just fine, so I'm
> guessing this is a bug in the PL SP Filter.
>
> On 4/6/2015 6:47 AM, Chen Keong Yap wrote:
>
> Hi bill,
>
> Global logout only removed SP sessions but not web application
> sessions, and this created security loopholes.
>
> Please advise
>
> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap
> <chenkeong.yap at izeno.com> wrote:
>
> Guys,
>
> Can you share your ideas on why global logout is not working?
>
> On Apr 3, 2015 3:47 PM, "Chen Keong Yap"
> <chenkeong.yap at izeno.com> wrote:
>
> Hi Marek,
>
> I've just tested backchannel logout and it's showing the same issue.
> Both applications are using PL SP Filter and the steps below are used
> for testing.
>
> 1. Open https://localhost:8443/employee/ and the http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 2. Enter username and password into the keycloak login page and get
> redirected to the employee landing page
>
> 3. Open https://localhost:8443/sales-post/ and get redirected to the
> sales-post landing page without login
>
> 4. Log on to the keycloak admin console and notice there are 2
> active sessions
>
> 5. Perform global logout from the employee landing page
> (https://localhost:8443/employee/?GLO=true) and the http request is
> redirected to
> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml
>
> 6. Log on to the keycloak admin console and notice all sessions
> are gone
>
> 7. Refresh the sales-post landing page and it's not redirected to
> the keycloak login page. The sales-post session is still active.
>
> Kindly advise why GLO is performed but the second application
> (sales-post) session is still active?
>
> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda
> <mposolda at redhat.com> wrote:
>
> Switch the "Front channel logout" to off. In this case it should use
> backchannel (not redirecting through the browser, but sending logout
> requests from Keycloak in the background)
>
> Marek
>
>
>
> On 3.4.2015 08:28, Chen Keong Yap wrote:
>
>
> Hi Marek,
>
> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the
> same issues, please refer to the settings shown in the screen shot.
>
> Can you please advise how to test backchannel logout?
>
> [Inline image 1]
>
>
>
> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda
> <mposolda at redhat.com> wrote:
>
> I would try to upgrade to latest 1.2.0.Beta1 as it has some related
> fixes AFAIK.
>
> In this version, you also have the possibility to set up either
> frontChannel logout or backchannel logout for the application. It
> could be set in the Keycloak admin console. I think that at least one
> of them will work with SP filter in the latest version (if not both).
>
> Marek
>
>
> On 3.4.2015 01:44, Chen Keong Yap wrote:
>
> Hi,
>
> I've 2 applications installed with Picketlink SPFilter to
> authenticate with keycloak 1.1.0 beta 2.
>
> When I perform global logout, the first application is logged out
> successfully because the SP/keycloak session and the application
> http session are removed, but the problem is that for the second
> application the SP/keycloak session is removed but the application
> http session still remains. I've set the admin url for these 2
> applications in the keycloak admin console. Kindly share your
> ideas.
>
>
>
>
> _________________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
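The failure mode reported in steps 1-7 above is that a back-channel LogoutRequest reaching the second SP removes its SAML session record but leaves the application's own HTTP session alive, so a refresh is still served without re-authentication. The following is an added example, not part of the original thread and not Keycloak or PicketLink code: a minimal SP-side handler that binds each application HTTP session to the SAML SessionIndex at SSO time and drops both on logout, plus a replay of the thread's two-application scenario with a switch that reproduces the reported behaviour. The IdP issuer, session ids, the `saml/logout` destination path and the LogoutRequest XML are constructed for the example; XML signature validation is assumed to happen before the request reaches this code and is not implemented here.

```python
"""Added example (not Keycloak or PicketLink code).

Models the SP side of a SAML 2.0 back-channel global logout: the IdP POSTs a
<samlp:LogoutRequest> carrying the principal's NameID and the SessionIndex of
the SSO session, and each SP must invalidate the application HTTP session(s)
it bound to that SessionIndex, not only its own SAML session record.
Assumption: the request's XML signature has already been validated upstream.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Hypothetical IdP issuer, built from the realm URL used in the thread.
IDP_ISSUER = "https://localhost:8443/auth/realms/saml-demo-1"


class ServiceProvider:
    """One SAML SP (e.g. 'employee' or 'sales-post') with its own HTTP session store."""

    def __init__(self, entity_id, idp_issuer=IDP_ISSUER, invalidate_http=True):
        self.entity_id = entity_id
        self.idp_issuer = idp_issuer
        # invalidate_http=False reproduces the behaviour reported in the thread:
        # the SAML session is removed but the application HTTP session is kept.
        self.invalidate_http = invalidate_http
        self.saml_sessions = {}  # SessionIndex -> {"name_id": str, "http": set()}
        self.http_sessions = {}  # JSESSIONID-like id -> {"user": str, "index": str}

    def on_sso_response(self, name_id, session_index, http_session_id):
        """After a validated SSO Response: bind the app session to the SAML session."""
        self.http_sessions[http_session_id] = {"user": name_id, "index": session_index}
        rec = self.saml_sessions.setdefault(session_index, {"name_id": name_id, "http": set()})
        rec["http"].add(http_session_id)

    def is_authenticated(self, http_session_id):
        """What the servlet filter checks on every request: does the app session still exist?"""
        return http_session_id in self.http_sessions

    def handle_backchannel_logout(self, xml_bytes):
        """Process a LogoutRequest; return (status URI, sorted list of invalidated app session ids)."""
        root = ET.fromstring(xml_bytes)
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            raise ValueError("not a samlp:LogoutRequest")
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp_issuer:
            return STATUS_DENIED, []  # only our IdP may terminate sessions
        name_id = root.findtext("saml:NameID", namespaces=NS)
        indexes = [e.text for e in root.findall("samlp:SessionIndex", namespaces=NS)]
        # No SessionIndex means "all sessions of this principal" (SAML Core 3.7.3.2).
        if not indexes:
            indexes = [i for i, r in self.saml_sessions.items() if r["name_id"] == name_id]
        invalidated = []
        for idx in indexes:
            rec = self.saml_sessions.pop(idx, None)  # the SP-level SAML session
            if rec is None or rec["name_id"] != name_id:
                continue  # unknown index, or index bound to a different principal
            if self.invalidate_http:
                for hs in rec["http"]:
                    self.http_sessions.pop(hs, None)  # HttpSession.invalidate() in a servlet SP
                    invalidated.append(hs)
        return STATUS_SUCCESS, sorted(invalidated)


def logout_request(request_id, name_id, session_index, destination):
    """Constructed LogoutRequest as an IdP would POST it to the SP's logout endpoint."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2015-04-03T07:47:00Z" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{IDP_ISSUER}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    ).encode()


def simulate_global_logout(sales_post_invalidates_http=True):
    """Replay steps 1-7 from the thread; return which apps still accept the old session id."""
    employee = ServiceProvider("https://localhost:8443/employee/")
    sales = ServiceProvider("https://localhost:8443/sales-post/",
                            invalidate_http=sales_post_invalidates_http)
    idx = "_sso-index-1"  # one SSO session at the IdP, shared by both SPs
    employee.on_sso_response("alice", idx, "JSESSIONID-emp-1")  # steps 1-2
    sales.on_sso_response("alice", idx, "JSESSIONID-sales-1")   # step 3
    # Step 5: GLO from employee; the IdP back-channels a LogoutRequest to every SP.
    results = {}
    for sp, sid in ((employee, "JSESSIONID-emp-1"), (sales, "JSESSIONID-sales-1")):
        status, _ = sp.handle_backchannel_logout(
            logout_request("_lr-1", "alice", idx, sp.entity_id + "saml/logout"))
        assert status == STATUS_SUCCESS
        results[sp.entity_id] = sp.is_authenticated(sid)  # step 7: still logged in?
    return results
```

With `sales_post_invalidates_http=False` the function returns `True` for sales-post, which is exactly the symptom in step 7: the IdP shows no sessions, the SP's SAML record is gone, but the application still honours the old session cookie. The check a practitioner wants after any SLO fix is therefore not the admin console's session list but a request to each SP with the pre-logout session cookie, which must be answered with a redirect to the IdP.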