[keycloak-user] KEYCLOAK SAML logout not working as documented
Manuel Waltschek
manuel.waltschek at prisma-solutions.at
Tue Jun 18 04:52:09 EDT 2019
Hello,
Somehow a call to /myApp?GLO=true now seems to do the trick and behaves as expected: it sends a logout request to the kc-idp.
I must have messed up some other configuration back when I tried it with only this setup. (I used to call HttpServletRequest.logout() and resp.sendRedirect(contextPath + "?GLO=true"), since only redirecting to contextPath + "?GLO=true" did not work back then.)
There STILL is something I have not figured out. I am STILL getting a 403 Forbidden when the browser posts the LogoutResponse with
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
back to the /saml endpoint in my application, and I get redirected to a page with the content
<html><head><title>Error</title></head><body>Forbidden</body></html>
Isn't the client handling LogoutResponses? What can I do about it?
Regards,
Manuel Waltschek
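The logout procedure discussed in this thread (HttpServletRequest.logout() followed by a redirect to a protected URL with GLO=true), as an added example servlet that is not code from the posts above or from Keycloak itself. It assumes a WildFly/Undertow deployment secured by the Keycloak SAML adapter and a servlet path of /logout that falls inside the web.xml security constraint (the url-pattern /* quoted below); those names are assumptions. It adds one thing the quoted Undertow code makes clear: logout() only invalidates the HttpSession when the deployment's isInvalidateSessionOnLogout() flag is true, so the session is invalidated explicitly here. Two checks worth making alongside it: the GLO redirect must land on a URL the adapter secures (a Servlet 3.1 container treats <role-name>*</role-name> as "any role declared in web.xml" and <role-name>**</role-name> as "any authenticated user"), and the example does not address the 403 on the posted LogoutResponse that the thread leaves open.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet for an application protected by the Keycloak
 * SAML adapter on WildFly/Undertow. Added example; not from the mailing-list
 * post and not Keycloak code. The "/logout" path is an assumption and must lie
 * inside a <security-constraint> url-pattern, because the adapter only looks
 * at the GLO query parameter on requests it is asked to secure.
 */
@WebServlet(urlPatterns = "/logout")
public class LogoutServlet extends HttpServlet {

    /** Query parameter named in the Keycloak adapter docs for global logout. */
    static final String GLOBAL_LOGOUT_PARAM = "GLO";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logoutAndRedirect(req, resp);
    }

    /** Accept POST as well, so a logout form (with a CSRF token) can be used
     *  instead of a plain link that any third-party page could trigger. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logoutAndRedirect(req, resp);
    }

    private void logoutAndRedirect(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the container-level authentication for this request.
        //    In Undertow's HttpServletRequestImpl, logout() invalidates the
        //    HttpSession only when isInvalidateSessionOnLogout() is true for
        //    the deployment, so it must not be relied on for that.
        req.logout();

        // 2. Invalidate the HTTP session ourselves so no application state or
        //    cached principal survives the logout, whatever that flag says.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Send the browser to a protected URL with GLO=true. The SAML
        //    adapter then issues a LogoutRequest to the IdP and completes the
        //    global logout when the IdP's LogoutResponse comes back.
        //    The target is built from the context path only; a user-supplied
        //    "redirect" parameter would turn this into an open redirect.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/?" + GLOBAL_LOGOUT_PARAM + "=true");
    }
}
```

The redirect target is the context root plus a trailing slash so that it still resolves when the application is deployed at the root context (empty context path), and it is covered by the /* url-pattern either way.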
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of Manuel Waltschek
Sent: Tuesday, 18 June 2019 09:32
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KEYCLOAK SAML logout not working as documented
Hello,
since the doc says: "For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO",
could it be that I need to point the browser to a protected resource that is not only protected, but also not accessible for the current role?
I guess org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler.handleRequest() is only called if the resource needs authentication, but when I am already logged in with the security constraint
<security-constraint>
    <web-resource-collection>
        <web-resource-name>The protected resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
it is not triggered, and therefore there is no call to org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler.globalLogout().
Regards,
Manuel Waltschek
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of Manuel Waltschek
Sent: Tuesday, 18 June 2019 08:59
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KEYCLOAK SAML logout not working as documented
Hello, and thank you Bjoern for your answer, unfortunately…
… it also behaves like this when I implement it in a logout servlet.
What does "being marked as logged out" actually mean?
Please help me resolve this issue,
thank you in advance and best regards,
Manuel Waltschek BSc.
+43 660 86655 47<tel:+436608665547>
manuel.waltschek at prisma-solutions.at<mailto:manuel.waltschek at prisma-solutions.at>
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
From: Björn Sonntag <bjoern.sonntag at t-online.de>
Sent: Monday, 17 June 2019 23:26
To: Manuel Waltschek <manuel.waltschek at prisma-solutions.at>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KEYCLOAK SAML logout not working as documented
Hello Manuel,
please refer to the documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter. When you work within a servlet filter it will act the same.
In the case of a Java servlet filter client adapter the backchannel logout works differently! Instead of invalidating the session, you will be marked as logged out.
In your case, implement the logout inside your code which is in the application server, like the web application, and NOT in an external filter.
With best regards,
Bjoern
On 17 Jun 2019, at 18:56, Manuel Waltschek <manuel.waltschek at prisma-solutions.at> wrote:
Hello KC Community,
I am still trying to find out how to properly log out from Keycloak using the kc adapter on WildFly 10.
Documentation says
3.1.8. Logout
There are multiple ways you can logout from a web application. For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true. This will log you out if you have an SSO session with your browser.
As HttpServletRequest.logout() in Undertow's implementation io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout(), which returns false in my case, it does not do much.
@Override
public void logout() throws ServletException {
    SecurityContext sc = exchange.getSecurityContext();
    sc.logout();
    if (servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) {
        HttpSession session = getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
I'm calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not end the Keycloak session and I can still reach protected resources. There is no backchannel request as I would expect.
When I do the following:
private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    String contextPath = req.getContextPath();
    req.logout();
    resp.sendRedirect(contextPath + "?GLO=true");
}
it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then the LogoutResponse is posted to myapp/saml again, which leads to HTTP status code 403 Forbidden.
Please also see:
https://issues.jboss.org/browse/KEYCLOAK-2191
and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html
Regards,
Manuel Waltschek
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user