0 Replies Latest reply on Feb 10, 2017 5:01 AM by Krishna Shiva

    Unable to logout after upgrading to JBoss-EAP-7.0

    Krishna Shiva Newbie

      Hello,

       

      We migrated from jboss-eap-6.2 to jboss-eap-7.0. Also updated Picketlink version from PicketLink v2.7.0.CR2  to PicketLink v2.7.1.

      After migration, login is working properly. But global logout is not happening. It is giving the following error.

       

      ERROR [org.picketlink.common] (default task-13) Exception in processing request:: org.picketlink.common.exceptions.ProcessingException: Invalid destination [https://xxxxx.my.salesforce.com/secur/logout.jsp]. Expected [http://localhost:8080/appIDP/].

            at org.picketlink.identity.federation.web.handlers.saml2.BaseSAML2Handler.checkDestination(BaseSAML2Handler.java:122)

            at org.picketlink.identity.federation.web.handlers.saml2.BaseSAML2Handler.checkDestination(BaseSAML2Handler.java:129)

            at org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler$IDPLogOutHandler.handleRequestType(SAML2LogOutHandler.java:236)

            at org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler.handleRequestType(SAML2LogOutHandler.java:97)

            at org.picketlink.identity.federation.web.filters.IDPFilter.processSAMLRequestMessage(IDPFilter.java:547)

            at org.picketlink.identity.federation.web.filters.IDPFilter.handleSAMLMessage(IDPFilter.java:320)

            at org.picketlink.identity.federation.web.filters.IDPFilter.doFilter(IDPFilter.java:236)

            at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

            at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

            at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

            at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

            at io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32)

            at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

            at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)

            at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

            at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)

            at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

            at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

            at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)

            at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

            at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

            at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

            at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)

            at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)

            at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

            at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)

            at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)

            at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)

            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

            at java.lang.Thread.run(Thread.java:745)

       

       

      Also, we analyzed the SAML Logout Request in SAML TRACER. In Logout Request, the SessionIndex attribute is not populating.

       

      <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

                           xmlns="urn:oasis:names:tc:SAML:2.0:assertion"

                           Destination="https://xxxxx.my.salesforce.com/secur/logout.jsp"

                           ID="ID_b35aabc3-656b-4afa-bacb-3832c85a5658"

                           IssueInstant="2016-12-12T10:15:35.041Z"

                           Version="2.0"

                           >

          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/app/web/Home.do</saml:Issuer>

          <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">admin</saml:NameID>

      </samlp:LogoutRequest>

       

      Can anyone suggest if I am doing anything wrong?

       

      Thanks,

      Krishna