From adamdong at vidder.com Wed Dec 3 19:26:37 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 4 Dec 2014 00:26:37 +0000
Subject: [security-dev] SP-initiated Single Log Out

Hi,

If I'd like to, from the SP side, initiate the SLO (single log out) programmatically (suppose it is the code behind a GUI "Logout" button), how to do that (which class and which method to call)?

Thanks,
Adam


From psilva at redhat.com Wed Dec 3 20:03:11 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Dec 2014 20:03:11 -0500 (EST)
Subject: [security-dev] SP-initiated Single Log Out
Message-ID: <447475616.24209730.1417654991110.JavaMail.zimbra@redhat.com>

Using front-channel SLO you need browser redirects. So you must send ?GLO=true to your SP from a browser.

But, if you are using back-channel SLO, I think you can invoke the IdP once with a ?GLO=true (using some http library) and it will invoke each SP to invalidate the session for the user. In this case, you need to pass the JSESSIONID from IdP, so it can restore user session and know the participants (SPs).

There is no API for that.

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev


From adamdong at vidder.com Thu Dec 4 13:46:43 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 4 Dec 2014 18:46:43 +0000
Subject: [security-dev] SP-initiated Single Log Out
In-Reply-To: <447475616.24209730.1417654991110.JavaMail.zimbra@redhat.com>
References: <447475616.24209730.1417654991110.JavaMail.zimbra@redhat.com>

Pedro,

Thanks a lot for the reply. I should have mentioned I need to use front channel.

A follow-up question: after I send ?GLO=true to my SP from a browser, ServiceProviderAuthenticator code would need to know the IdP's SLO url to send the SLO request. How to configure that (i.e., to let ServiceProviderAuthenticator know the IdP SLO url)?

Thanks,
Adam


From adamdong at vidder.com Thu Dec 4 15:14:56 2014
From: adamdong at vidder.com (Adam Dong)
Date: Thu, 4 Dec 2014 20:14:56 +0000
Subject: [security-dev] SP-initiated Single Log Out
References: <447475616.24209730.1417654991110.JavaMail.zimbra@redhat.com>

Is the configuration in picketlink.xml? But picketlink.xml only has which is the SSO url, not the SLO url, right?


From psilva at redhat.com Thu Dec 4 15:34:19 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 4 Dec 2014 15:34:19 -0500 (EST)
Subject: [security-dev] SP-initiated Single Log Out
References: <447475616.24209730.1417654991110.JavaMail.zimbra@redhat.com>
Message-ID: <291792546.24908660.1417725259366.JavaMail.zimbra@redhat.com>

Hi Adam,

You can use the LogOutUrl attribute in PicketLinkSP [1]. By default, the logout url is the same as specified in IdentityURL. PicketLink also picks the SingleLogoutService from the IdP descriptor, if you are using metadata.

Regards.

[1] https://docs.jboss.org/author/display/PLINK/Service+Provider+Configuration


From adamdong at vidder.com Fri Dec 5 00:09:27 2014
From: adamdong at vidder.com (Adam Dong)
Date: Fri, 5 Dec 2014 05:09:27 +0000
Subject: [security-dev] SP-initiated Single Log Out
In-Reply-To: <291792546.24908660.1417725259366.JavaMail.zimbra@redhat.com>
References: <447475616.24209730.1417654991110.JavaMail.zimbra@redhat.com> <291792546.24908660.1417725259366.JavaMail.zimbra@redhat.com>

Thanks for the pointers.

One last follow-up question: after all the SLO related processing, if I want the browser to settle on a certain page, how do I do that? Is it a matter of configuration somewhere on the SP side? Or is it something I need to set in the original SLO request?


From lionelve at gmail.com Tue Dec 16 07:25:58 2014
From: lionelve at gmail.com (Lionel Orellana)
Date: Tue, 16 Dec 2014 23:25:58 +1100
Subject: [security-dev] IDP-initiated logout leaves SAMLResponse in the session

Hello,

I would love to hear if anyone has any thoughts on what I've described here: https://developer.jboss.org/thread/250974

Essentially I found a SAMLResponse hanging around longer than I was expecting. I believe this will eventually cause some dramas.

Cheers,
Lionel.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20141216/f2c697e9/attachment.html


From psilva at redhat.com Tue Dec 16 07:39:40 2014
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 16 Dec 2014 07:39:40 -0500 (EST)
Subject: [security-dev] IDP-initiated logout leaves SAMLResponse in the session
Message-ID: <1302025327.31578165.1418733580449.JavaMail.zimbra@redhat.com>

Hey Lionel,

I've pushed a comment to your thread.

Regards.
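The LogOutUrl answer in the SP-initiated Single Log Out thread above, as an added service-provider picketlink.xml fragment; this is not code from the thread or from the PicketLink project's own samples, and every hostname, path, alias and keystore value in it is a placeholder.

```xml
<!-- Added example, not from the thread: SP-side picketlink.xml with an explicit SLO endpoint. -->
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

    <!-- LogOutUrl is where the SP sends its SAML LogoutRequest once a browser
         hits the SP with ?GLO=true (front-channel SLO). Left out, it falls back
         to IdentityURL, the SSO endpoint, so set it whenever the IdP serves SLO
         on a different path. Hostnames and paths below are placeholders. -->
    <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                  ServerEnvironment="tomcat"
                  BindingType="POST"
                  SupportsSignatures="true"
                  LogOutUrl="https://idp.example.test/idp/slo/">

        <IdentityURL>https://idp.example.test/idp/</IdentityURL>
        <ServiceURL>https://sp.example.test/sales/</ServiceURL>

        <!-- Keys used to sign the outgoing LogoutRequest and to verify the IdP's
             LogoutResponse; ValidatingAlias maps the IdP host to its certificate.
             Keystore values are placeholders. -->
        <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
            <Auth Key="KeyStoreURL" Value="/sp-keystore.jks" />
            <Auth Key="KeyStorePass" Value="CHANGE_ME" />
            <Auth Key="SigningKeyPass" Value="CHANGE_ME" />
            <Auth Key="SigningKeyAlias" Value="sp-signing" />
            <ValidatingAlias Key="idp.example.test" Value="idp-signing" />
        </KeyProvider>
    </PicketLinkSP>

    <!-- Logout is driven by the handler chain rather than an API call: without
         SAML2LogOutHandler a ?GLO=true request produces no LogoutRequest, and the
         signature handlers are what stop an unsigned LogoutRequest/Response from
         being honoured when SupportsSignatures is on. -->
    <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
        <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
    </Handlers>
</PicketLink>
```

When the SP is instead fed IdP metadata, the SingleLogoutService endpoint from that descriptor is used and LogOutUrl can be omitted, as the thread notes.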