3 Replies Latest reply on Nov 15, 2017 2:05 AM by erskhan

    How to configure SP logout page using PicketLink


      Hi all,


      I have the following working environment:

      1. PicketLink as an idP (v 2.6.0.Final)
      2. Liferay as an SP. I created PicketLink metadata and share it with Liferay.

      The SSO feature works well and now I want to configure SLO. But I faced with the problem how to setup logout page for each SP.

      PicketLink always sends SLO Response to Service Provider's ACS URL and I cannot change it.

      I looked through SAML2LogOutHandler that is responsible for SLO and it seems to me that it is not configurable.

      I also found the following instruction Picketlink as IDP, Salesforce as SP - PicketLink - Project Documentation Editor, where in section Single Logout

      author adds SLO logout for IDP. But It is not working for me.

      Can anybody confirm it? May be there are other solutions to solve the issue ?

      Thank you for advance.

        • 1. Re: How to configure SP logout page using PicketLink

          Hi Pavel,


              In this case, the IdP will always use the SP ACS URL to send responses.



          • 2. Re: How to configure SP logout page using PicketLink

            Hello Pedro,


            Thanks for your participation !


            I found the way how PicketLink determines logout page for SP. It can be configured using metadata file.

            During initialization phase PicketLink parses all SP's metadata and put it into spSSOMetadataMap variable :


            public abstract class AbstractIDPValve extends ValveBase  {


            protected void initIDPConfiguration() {


                        // Read SP Metadata if provided

                        List<EntityDescriptorType> entityDescriptors = CoreConfigUtil.getMetadataConfiguration(idpConfiguration,


                        if (entityDescriptors != null) {

                            for (EntityDescriptorType entityDescriptorType : entityDescriptors) {

                                SPSSODescriptorType spSSODescriptor = CoreConfigUtil.getSPDescriptor(entityDescriptorType);

                                if (spSSODescriptor != null) {

                                    spSSOMetadataMap.put(entityDescriptorType.getEntityID(), spSSODescriptor);







            After that this SP metadata is used when SP initiates Single Sign On. The PicketLink idP creates session for the participant with SP logout page information. This information is used by idP for SLO phase.It is OK.


            To use it you need to define metadata provider element inside PicketLinkIDP configuration :

            <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

            <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" SupportsSignatures="true" EnableAudit="true">


                     <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">

                       <Option Key="FileName" Value="/WEB-INF/classes/idp-metadata.xml"/>






            The reason why it didn't work before it is because I configured metadata configuration provider using param for valve in jboss-web.xml.xml :










            In this case entity descriptors list in the code snippet below  (from initialization phase described above) :

            List<EntityDescriptorType> entityDescriptors = CoreConfigUtil.getMetadataConfiguration(idpConfiguration,



            returns null.


            It seems to me that this is not correct implementation of IDPMetadataConfigurationProvider -> getIDPConfiguration() method.

            From my point of view it should set correct metadata provider type for created IDPType. Something like that :


            public IDPType getIDPConfiguration() throws ProcessingException {

                    IDPType idpType = null;

                    try {

                        EntitiesDescriptorType entities = parseMDFile();

                        if(entities == null){

                            throw logger.nullValueError("entities");


                        IDPSSODescriptorType idpSSO = CoreConfigUtil.getIDPDescriptor(entities);



                        if (idpSSO != null) {

                            idpType = CoreConfigUtil.getIDPType(idpSSO);




                        configureTrustedDomainsFromMetadata(idpType, entities);

                    } catch (ParsingException e) {

                        throw logger.processingError(e);




                    if (configParsedIDPType != null) {




                     // Define correct metadata provider type

                    MetadataProviderType metadataProviderType = new MetadataProviderType();

                    KeyValueType keyValueType = new KeyValueType();








                    return idpType;



            Any Idea related to this point ?


            Another point I want to discuss it is how to separate picket link configuration files from application.

            PL makes me put configuration files into WAR application  because it use servletContext.getResourceAsStream.

            I can not correct way to solve it except patch PL source code

            • 3. Re: How to configure SP logout page using PicketLink

              Hi Pavel


              As you said you have configured PicketLink as an IDP and liferay as an SP.


              Can you please let me know the steps how did you do this?


              Please check my question here How to configure Liferay as SP and PicketLink as IP