[keycloak-user] Problems logging out using JEE to keycloak to SAML (ADFS) (better formatted)

Hynek Mlnarik hmlnarik at redhat.com
Thu Jul 20 05:31:16 EDT 2017


What is the setup of the ADFS in keycloak? Can you check whether it
works with frontchannel logout? If you could inspect SAML interchange
between Keycloak and ADFS (e.g. by enabling debug logging in keycloak
as shown in the blog post [1]), you should be able to see the SAML
messages and how they are processed. It is possible that e.g. the
logout status from ADFS is unsuccessful, which might cause this type of
issue.

If you could file a JIRA and share the communication or even server
log there, together with your reproducer application, that would be
very helpful.

Thanks

--Hynek

On Mon, Jul 10, 2017 at 4:44 PM, Jason Spittel <jasonspittel at yahoo.com> wrote:
> Hi Hynek,
>
> My setup is exactly from that tutorial. And I found the problem with logging
> out. I'm not sure how to report the issue (not sure if it's really a KC
> issue at all); raise a Jira ticket?
>
> Setup:
> JEE app running JSF calling EJBs.
> JEE app using wildfly keycloak saml adapters to talk to Keycloak (KC)
> Keycloak setup to use ADFS as its IdP.
>
> Problem:
> JEE app needs to logout twice to logout. (That is, after first logout, you
> can still hit the protected resource on the JEE app without logging in
> again)
>
> Cause:
> 1) first logout:
> - JSF's redirect
> (externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true"))
> removes the jsessionId cookie, which causes an initial auth from JEE to KC
> when logout is hit.
> - rest of logout proceeds properly, Realm Session ID is removed from KC, ADFS
> logs user out.
> 2) second logout
> - JSF's redirect again removes the jsessionId cookie, tries to do an initial
> auth from JEE to KC, but KC doesn't have any sessions to auth user with, and
> user is kicked out, 'successfully' logging out.
>
> Solution:
> preserve the jsessionid on redirect, initial auth to KC doesn't occur on
> logout.
>
>    public void logout() throws IOException, ServletException
>    {
>       ExternalContext externalContext = _context.getExternalContext();
>
>       try
>       {
>          externalContext.invalidateSession();
>
>          _httpRequest.logout();
>       }
>       catch (Exception ex)
>       {
>          _logger.error(ex);
>       }
>       finally
>       {
>          // need to set the cookie for the jsessionid, or will re-auth with
>          // KC, and will require two logouts to logout completely
>          preserveJsessionidCookie(externalContext);
>
>          externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true");
>       }
>    }
>
>    private void preserveJsessionidCookie(ExternalContext externalContext)
>    {
>       for (Cookie cookie : ((HttpServletRequest) externalContext.getRequest()).getCookies())
>       {
>          if (cookie.getName().equalsIgnoreCase("jsessionid"))
>          {
>             // re-send the request's JSESSIONID cookie so the browser keeps it across the redirect
>             ((HttpServletResponse) externalContext.getResponse()).addCookie(cookie);
>             break;
>          }
>       }
>    }
>
> Cheers,
>
> Jason
> On Monday, July 10, 2017, 6:09:36 AM PDT, Hynek Mlnarik
> <hmlnarik at redhat.com> wrote:
>
>
> How are ADFS and Keycloak configured? If according to [1], the
> sessions should be cleared. Beware that ADFS also leaves ssoCookie in
> the browser so that it might just relogin the user behind the scenes,
> see discussion on [2] for further details.
>
> --Hynek
>
> [1]
> http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
> [2] https://issues.jboss.org/browse/KEYCLOAK-4398
>
> On Tue, Jul 4, 2017 at 11:51 PM, Jason Spittel <jasonspittel at yahoo.com>
> wrote:
>> Apparently my formatting was lost. So I'm reposting this in a more
>> readable format:
>>
>> Hello,
>>
>> I'm having difficulty completing a logout.
>> SETUP:
>> JEE webapp to keycloak to IdP (ADFS (SAML))
>>
>> WORKFLOW:
>> 1) On logout in the webapp
>> externalContext.redirect(externalContext.getRequestContextPath() +
>> "?GLO=true");
>>
>> 2) User is sent to ADFS letting them know they have successfully logged
>> out.
>>
>> 3) However, there is still a keycloak user session alive (seen in the
>> admin console)
>>
>> 4) Hitting a protected resource in the webapp lets user in without having
>> to log back in.
>>
>> Debugging the keycloak server, I found this bit of code in
>> AuthenticationManager.browserLogout() line 262:
>>
>> String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
>>
>> if (brokerId != null) {
>>    IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
>>    Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
>>    if (response != null) return response;
>> }
>>
>> return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
>>
>> I think, unless I'm misunderstanding it, that I need to hit the
>> finishBrowserLogout method, to clear the keycloak user session.
>> But the way this is written makes it so it never will. Is keycloak
>> expecting ADFS to clear its user session? Am I logging out incorrectly?
>> Thanks,
>> Jason
>
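Hynek's advice above is to inspect the SAML exchange between Keycloak and ADFS in the debug log and check whether the logout status coming back from ADFS is actually successful. The following helper is added here and is not code from the thread or from Keycloak: it decodes a SAMLResponse value copied from a log or URL (HTTP-Redirect or HTTP-POST binding) and summarises the LogoutResponse status, flagging a non-Success top-level code or a second-level PartialLogout code. The sample message, its IDs and its Destination URL are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Constructed sample: top-level Success, but a second-level PartialLogout code
# saying the IdP could not sign out every session participant. IDs/URL are placeholders.
SAMPLE_LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-resp-1" Version="2.0" IssueInstant="2017-07-10T00:00:00Z"
  Destination="https://keycloak.example/auth/realms/demo/broker/adfs/endpoint"
  InResponseTo="_constructed-req-1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:PartialLogout"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>"""

def encode_saml_param(xml_text, binding):
    """HTTP-Redirect binding = base64(raw DEFLATE(xml)); HTTP-POST = base64(xml)."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
        data = co.compress(data) + co.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_param(param, binding):
    """Turn a (URL-decoded) SAMLResponse value from a debug log back into XML."""
    data = base64.b64decode(param)
    if binding == "redirect":
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")

def triage_logout_response(xml_text):
    """Summarise a LogoutResponse's Status: top-level and second-level codes."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "LogoutResponse":
        raise ValueError("expected samlp:LogoutResponse, got " + root.tag)
    status = root.find(SAMLP + "Status")
    top = status.find(SAMLP + "StatusCode")
    nested = top.find(SAMLP + "StatusCode")
    second = nested.get("Value") if nested is not None else None
    return {"in_response_to": root.get("InResponseTo"),
            "top_code": top.get("Value"), "second_code": second,
            "success": top.get("Value") == SUCCESS,   # IdP ended its own session
            "partial_logout": second == PARTIAL}      # but not every participant's
```

A LogoutResponse whose top-level code is not Success, or which carries PartialLogout, is the case Hynek describes where Keycloak's own session may be left in place; the InResponseTo value lets you match the response to the LogoutRequest Keycloak sent.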