2 Replies Latest reply on Sep 16, 2016 9:52 AM by Aaron Cripps

    GLO=true not triggering SAML LogoutRequest to the IdP

    Aaron Cripps Newbie

      Running Wildfly 8.2.0 and Picketlink 2.7.1-Final.

       

      Logging in via the IdP works beautifully, but for some reason hitting the SP with "?GLO=true" does not go through the SAML2LogoutHandler.

      Here's the picketlink.xml for our SP:

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
              <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                      EntityID="sp-id"
                      LogOutPage="/saml-logout"
                      ErrorPage="/saml-error"
              ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="false">
              <IdentityURL>${idp.url::http://127.0.0.1:8080/idp/}</IdentityURL>
              <ServiceURL>${sp.url::http://127.0.0.1:8080/}</ServiceURL>
              </PicketLinkSP>
              <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
                  <Handler
                      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
                  <Handler
                      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
                  <Handler
                      class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
                  <Handler
                      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
                  <Handler
                      class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
              </Handlers>
      </PicketLink>
      

       

      idp.url and sp.url are both specified in the domain.xml for our wildfly deployment.

       

      The logs when we try logging out with "?GLO=true" look like this:

      2016-09-15 13:35:21,456 TRACE [org.jboss.security] (default task-36) PBOX000205: End validateCache, result = true

      2016-09-15 13:35:21,456 TRACE [org.jboss.security] (default task-36) PBOX000201: End isValid, result = true

      2016-09-15 13:35:21,456 TRACE [org.jboss.security] (default task-37) PBOX000200: Begin isValid, principal: <username>, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c

      2016-09-15 13:35:21,457 TRACE [org.jboss.security] (default task-37) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c, credential class: class java.lang.String

      2016-09-15 13:35:21,457 TRACE [org.jboss.security] (default task-37) PBOX000205: End validateCache, result = true

      2016-09-15 13:35:21,457 TRACE [org.jboss.security] (default task-37) PBOX000201: End isValid, result = true

      2016-09-15 13:35:21,458 TRACE [org.jboss.security] (default task-35) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:21,458 TRACE [org.jboss.security] (default task-34) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:21,461 TRACE [org.jboss.security] (default task-37) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:21,461 TRACE [org.jboss.security] (default task-36) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:33,875 TRACE [org.jboss.security] (default task-38) PBOX000200: Begin isValid, principal: <username>, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c

      2016-09-15 13:35:33,875 TRACE [org.jboss.security] (default task-38) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c, credential class: class java.lang.String

      2016-09-15 13:35:33,876 TRACE [org.jboss.security] (default task-38) PBOX000205: End validateCache, result = true

      2016-09-15 13:35:33,876 TRACE [org.jboss.security] (default task-38) PBOX000201: End isValid, result = true

      2016-09-15 13:35:33,924 INFO  [stdout] (default task-38) 16-Sep-15 13:35:33 hostname.localnet REPORT [<internal_package1>] - {:username "<username>", :roles #{:read}} :logout

      2016-09-15 13:35:33,927 INFO  [stdout] (default task-38) 16-Sep-15 13:35:33 hostname.localnet INFO [<internal_package1>] - Logout:

      2016-09-15 13:35:33,937 TRACE [org.jboss.security] (default task-38) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:33,989 INFO  [stdout] (default task-39) 16-Sep-15 13:35:33 hostname.localnet REPORT [<internal_package2>] -  :logout

      2016-09-15 13:35:33,991 INFO  [stdout] (default task-39) 16-Sep-15 13:35:33 hostname.localnet INFO [<internal_package1>] - Logout:

      2016-09-15 13:35:33,992 TRACE [org.jboss.security] (default task-39) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:34,033 TRACE [org.picketlink.common] (default task-40) SAML Handlers are: [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1e7a4a4d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@12b7c6b, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@4c6ec5c5, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler@71b72f04, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler@c5ed3e4]

      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler

      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler

      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler

      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) No document generated in the handler chain. Cannot generate signature

      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler

      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler

      2016-09-15 13:35:34,051 TRACE [org.jboss.security] (default task-40) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:34,131 TRACE [org.jboss.security] (default task-42) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:34,135 TRACE [org.jboss.security] (default task-41) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:34,190 TRACE [org.jboss.security] (default task-43) PBOX000354: Setting security roles ThreadLocal: null

      2016-09-15 13:35:34,239 TRACE [org.picketlink.common] (default task-44) SAML Handlers are: [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1e7a4a4d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@12b7c6b, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@4c6ec5c5, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler@71b72f04, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler@c5ed3e4]

      2016-09-15 13:35:34,239 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler

      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler

      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler

      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler

      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler

      2016-09-15 13:35:34,241 TRACE [org.jboss.security.audit] (default task-44) REQUEST_TO_IDP [Info]

      data has been scrubbed: <username> is the actual username, <internal_packageN> is one of our packages with the old SSO implementation, and "hostname.localnet" is the actual host that Wildfly is running on. The last bit of the logs are where we redirect to the logout page, and request the identity from the IdP. As you can see, we are redirecting back to our old internal SSO method, but we actually *want* to use SAML to manage the SSO/GLO process. The end result of the above behaviour is that we can plug in the root of the SP in the URL bar and browse around without needing to reauthenticate.

       

      Are there any suggestions on how we can get to the bottom of this issue? Why isn't Picketlink passing the request through the SAML2LogOutHandler prior to routing to the old Log Off method?