2 Replies Latest reply on Sep 16, 2016 9:52 AM by aaron.cripps

    GLO=true not triggering SAML LogoutRequest to the IdP

    aaron.cripps

      Running Wildfly 8.2.0 and Picketlink 2.7.1-Final.


      Logging in via the IdP works beautifully, but for some reason hitting the SP with "?GLO=true" does not go through the SAML2LogoutHandler.

      Here's the picketlink.xml for our SP:

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                        EntityID="sp-id"
                        LogOutPage="/saml-logout"
                        ErrorPage="/saml-error"
                        ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="false">
              <IdentityURL>${idp.url::http://127.0.0.1:8080/idp/}</IdentityURL>
              <ServiceURL>${sp.url::http://127.0.0.1:8080/}</ServiceURL>
          </PicketLinkSP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
          </Handlers>
      </PicketLink>


      idp.url and sp.url are both specified in the domain.xml for our wildfly deployment.


      The logs when we try logging out with "?GLO=true" look like this:

      2016-09-15 13:35:21,456 TRACE [org.jboss.security] (default task-36) PBOX000205: End validateCache, result = true
      2016-09-15 13:35:21,456 TRACE [org.jboss.security] (default task-36) PBOX000201: End isValid, result = true
      2016-09-15 13:35:21,456 TRACE [org.jboss.security] (default task-37) PBOX000200: Begin isValid, principal: <username>, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c
      2016-09-15 13:35:21,457 TRACE [org.jboss.security] (default task-37) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c, credential class: class java.lang.String
      2016-09-15 13:35:21,457 TRACE [org.jboss.security] (default task-37) PBOX000205: End validateCache, result = true
      2016-09-15 13:35:21,457 TRACE [org.jboss.security] (default task-37) PBOX000201: End isValid, result = true
      2016-09-15 13:35:21,458 TRACE [org.jboss.security] (default task-35) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:21,458 TRACE [org.jboss.security] (default task-34) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:21,461 TRACE [org.jboss.security] (default task-37) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:21,461 TRACE [org.jboss.security] (default task-36) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:33,875 TRACE [org.jboss.security] (default task-38) PBOX000200: Begin isValid, principal: <username>, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c
      2016-09-15 13:35:33,875 TRACE [org.jboss.security] (default task-38) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@77a2603c, credential class: class java.lang.String
      2016-09-15 13:35:33,876 TRACE [org.jboss.security] (default task-38) PBOX000205: End validateCache, result = true
      2016-09-15 13:35:33,876 TRACE [org.jboss.security] (default task-38) PBOX000201: End isValid, result = true
      2016-09-15 13:35:33,924 INFO  [stdout] (default task-38) 16-Sep-15 13:35:33 hostname.localnet REPORT [<internal_package1>] - {:username "<username>", :roles #{:read}} :logout
      2016-09-15 13:35:33,927 INFO  [stdout] (default task-38) 16-Sep-15 13:35:33 hostname.localnet INFO [<internal_package1>] - Logout:
      2016-09-15 13:35:33,937 TRACE [org.jboss.security] (default task-38) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:33,989 INFO  [stdout] (default task-39) 16-Sep-15 13:35:33 hostname.localnet REPORT [<internal_package2>] -  :logout
      2016-09-15 13:35:33,991 INFO  [stdout] (default task-39) 16-Sep-15 13:35:33 hostname.localnet INFO [<internal_package1>] - Logout:
      2016-09-15 13:35:33,992 TRACE [org.jboss.security] (default task-39) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:34,033 TRACE [org.picketlink.common] (default task-40) SAML Handlers are: [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1e7a4a4d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@12b7c6b, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@4c6ec5c5, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler@71b72f04, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler@c5ed3e4]
      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler
      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) No document generated in the handler chain. Cannot generate signature
      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler
      2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler
      2016-09-15 13:35:34,051 TRACE [org.jboss.security] (default task-40) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:34,131 TRACE [org.jboss.security] (default task-42) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:34,135 TRACE [org.jboss.security] (default task-41) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:34,190 TRACE [org.jboss.security] (default task-43) PBOX000354: Setting security roles ThreadLocal: null
      2016-09-15 13:35:34,239 TRACE [org.picketlink.common] (default task-44) SAML Handlers are: [org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler@1e7a4a4d, org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler@12b7c6b, org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler@4c6ec5c5, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler@71b72f04, org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler@c5ed3e4]
      2016-09-15 13:35:34,239 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler
      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler
      2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler
      2016-09-15 13:35:34,241 TRACE [org.jboss.security.audit] (default task-44) REQUEST_TO_IDP [Info]

      Data has been scrubbed: <username> is the actual username, <internal_packageN> is one of our packages with the old SSO implementation, and "hostname.localnet" is the actual host that Wildfly is running on. The last bit of the logs is where we redirect to the logout page and request the identity from the IdP. As you can see, we are redirecting back to our old internal SSO method, but we actually *want* to use SAML to manage the SSO/GLO process. The end result of the above behaviour is that we can plug the root of the SP into the URL bar and browse around without needing to reauthenticate.


      Are there any suggestions on how we can get to the bottom of this issue? Why isn't Picketlink passing the request through the SAML2LogOutHandler prior to routing to the old Log Off method?
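A small log check, added here as an example and not part of the original post or of PicketLink: it parses WildFly/PicketLink TRACE lines of the shape shown above, groups each PicketLink handler-chain run by its worker thread, and reports which chains ran SAML2LogOutHandler yet logged "No document generated in the handler chain", i.e. runs in which no SAML message (LogoutRequest or otherwise) left the SP. The sample lines are a constructed, abridged copy of the task-40 and task-44 entries from the post; the function names and the line regex are this example's own assumptions, so adjust the regex if your log pattern differs.

```python
import re
from collections import OrderedDict

# Constructed sample: abridged from the TRACE excerpt in the post above.
# Handler lists are shortened to "[...]" for brevity.
SAMPLE_LOG = """\
2016-09-15 13:35:34,033 TRACE [org.picketlink.common] (default task-40) SAML Handlers are: [...]
2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler
2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) No document generated in the handler chain. Cannot generate signature
2016-09-15 13:35:34,034 TRACE [org.picketlink.common] (default task-40) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler
2016-09-15 13:35:34,051 TRACE [org.jboss.security] (default task-40) PBOX000354: Setting security roles ThreadLocal: null
2016-09-15 13:35:34,239 TRACE [org.picketlink.common] (default task-44) SAML Handlers are: [...]
2016-09-15 13:35:34,239 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler
2016-09-15 13:35:34,241 TRACE [org.picketlink.common] (default task-44) Finished Processing handler: org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler
2016-09-15 13:35:34,241 TRACE [org.jboss.security.audit] (default task-44) REQUEST_TO_IDP [Info]
"""

# Assumed WildFly console pattern: "<date> <time> LEVEL [logger] (thread) message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def handler_chain_runs(log_text):
    """Group PicketLink handler-chain activity by worker thread.

    A run starts at "SAML Handlers are:" and collects, for that thread,
    the handlers that finished, whether the chain reported that no SAML
    document was produced, and whether an audit REQUEST_TO_IDP followed.
    """
    runs = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        thread, logger, msg = rec["thread"], rec["logger"], rec["msg"]
        if logger == "org.picketlink.common" and msg.startswith("SAML Handlers are:"):
            runs[thread] = {"handlers": [], "no_document": False, "request_to_idp": False}
            continue
        run = runs.get(thread)
        if run is None:
            continue  # thread never started a handler chain in this excerpt
        if msg.startswith("Finished Processing handler:"):
            run["handlers"].append(msg.rsplit(".", 1)[-1])  # short class name
        elif msg.startswith("No document generated in the handler chain"):
            run["no_document"] = True
        elif logger == "org.jboss.security.audit" and msg.startswith("REQUEST_TO_IDP"):
            run["request_to_idp"] = True
    return runs


def chains_without_document(log_text):
    """Threads whose chain ran SAML2LogOutHandler but emitted no SAML document."""
    return [
        thread
        for thread, run in handler_chain_runs(log_text).items()
        if "SAML2LogOutHandler" in run["handlers"] and run["no_document"]
    ]


if __name__ == "__main__":
    for thread, run in handler_chain_runs(SAMPLE_LOG).items():
        print(thread, run)
    print("chains with no outbound SAML document:", chains_without_document(SAMPLE_LOG))
```

Run against the full TRACE output, the report shows for every chain whether the logout handler ran, whether anything was produced for the signature handler to sign, and whether the request ended in a redirect to the IdP; a GLO chain that lands in the "no document" list is one to investigate first, since no LogoutRequest can have reached the IdP from it.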