[keycloak-user] ADFS SAML Logout

Hynek Mlnarik hmlnarik at redhat.com
Fri Aug 4 02:25:59 EDT 2017


It seems ADFS has not set the name format when logging in. Have you
configured output Name ID format in respective ADFS transform claim
rule?

--Hynek

On Fri, Aug 4, 2017 at 7:03 AM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
> Hi,
>
> Can anyone shed any light on this. I have created a SAML IdP in keycloak for our ADFS server. Signin works fine, but when I try to logout, I get an internal server error 500.
>
> In the log I just see the below error. If I remove the value for Single Logout Service URL I am signed out of Keycloak but not ADFS. It seems if I have any value in that field, I get the exception below. Even if I put in a dummy https://test.com it breaks.
>
> I've tried recreating the IdP config. Tried different realms and keycloak instances. I'm currently testing using the Red Hat SSO 7.1. version.
>
> Help appreciated.
> Thanks
> Adam
>
> 14:28:10,276 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/realms/uofaidpproxy/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
>         at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
>         at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:246)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>         at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:189)
>         at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:266)
>         at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:135)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
>         ... 37 more
> Caused by: java.lang.NullPointerException
>         at java.net.URI$Parser.parse(URI.java:3042)
>         at java.net.URI.<init>(URI.java:588)
>         at java.net.URI.create(URI.java:850)
>         at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:99)
>         at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:88)
>         at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:187)
>         ... 51 more
>
> --
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek



More information about the keycloak-user mailing list