JBoss Enterprise Application Platform: JBEAP-3997

(7.0.z) Single Logout does not fully work on distributed PicketLink Identity Provider


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 7.0.5.CR2, 7.0.5.GA
    • 7.0.0.ER7
    • Security
    • None
    • Release Notes
      Single Logout (Global Logout, GLO) does not fully work on a distributed PicketLink Identity Provider under certain circumstances. When a user uses (or is forced to use) different Identity Provider nodes for logging in to and/or logging out from Service Providers (e.g. no sticky sessions, or a node failure), the user can remain logged in at several Service Providers after GLO, because the list of GLO participants is limited to the Identity Provider node that received the GLO request.
    • Documented as Known Issue
    • Steps to reproduce

      Given:

      • EAP instance EAP1 with PicketLink SP1
      • EAP instance EAP2 with PicketLink SP2
      • EAP instance EAP3 with distributable PicketLink IdP
      • EAP instance EAP4 with distributable PicketLink IdP
      • no load balancer to simplify the test case
      • SP1 targets IdP @ EAP3 (set in picketlink.xml config)
      • SP2 targets IdP @ EAP4 (set in picketlink.xml config)

      Procedure:
      When user requests SP1, then user should be redirected to IdP @ EAP3, and IdP should prompt user to log in. [OK]
      When user logs in to IdP @ EAP3, then IdP should redirect user back to SP1, and SP1 should return index page (user should be logged in to SP1). [OK]
      When user requests SP2, then user should be redirected to IdP @ EAP4, and then user should be redirected back to SP2, and SP2 should return index page (user should be logged in to SP2). [OK]
      When user requests Global Logout on SP1, then user should be logged out from SP1, SP2, and IdP. [FAILURE]

      • user is logged out from SP1 and IdP (@ both EAP3 and EAP4), but not from SP2 – the GLO workflow misses SP2
    • EAP 7.0.5

      Single Logout (Global Logout, GLO) does not fully work on a distributable PicketLink IdP under certain circumstances – when a user uses (or is forced to use) different IdP nodes for logging in to and/or logging out from SPs (e.g. no sticky sessions, or a node failure), the user can remain logged in at several service providers.

      The issue may cause instability to a PL deployment where IdPs are distributed across different nodes/instances.

      SAML2LogOutHandler uses IdentityServer structure stored in ServletContext – IdentityServer is not replicated/shared between instances. Thus, the list of participants is limited to the IdP where the logout was sent to.
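      The following is a simplified model, added here to illustrate the root cause above; it is not PicketLink code, and the class and function names (ParticipantStore, IdpNode, run_scenario) as well as the session id are assumptions made for the example. It replays the procedure from the steps to reproduce: the IdP HTTP session is replicated between EAP3 and EAP4, but the list of SPs participating in that session is kept per node, so a Global Logout sent to EAP3 only reaches the SP that logged in through EAP3. Running the same scenario with one registry shared by both nodes shows the behaviour the report expects.

```python
from typing import Dict, List, Set


class ParticipantStore:
    """Registry of SPs that hold a session for a given IdP session id.

    One instance per node models an IdentityServer-style structure kept in
    that node's ServletContext (not replicated); one instance shared by all
    nodes models a replicated/shared registry. Names here are assumptions.
    """

    def __init__(self) -> None:
        self._by_session: Dict[str, Set[str]] = {}

    def add(self, session_id: str, sp: str) -> None:
        self._by_session.setdefault(session_id, set()).add(sp)

    def participants(self, session_id: str) -> Set[str]:
        return set(self._by_session.get(session_id, set()))

    def clear(self, session_id: str) -> None:
        self._by_session.pop(session_id, None)


class IdpNode:
    """One IdP instance. `sessions` is the distributable HTTP session set
    shared by all nodes; `participants` is the registry this node consults."""

    def __init__(self, name: str, sessions: Set[str], participants: ParticipantStore) -> None:
        self.name = name
        self.sessions = sessions
        self.participants = participants

    def login(self, session_id: str, sp: str) -> None:
        # SSO login via this node: the session is replicated, but the
        # participant entry is written only to this node's registry.
        self.sessions.add(session_id)
        self.participants.add(session_id, sp)

    def global_logout(self, session_id: str) -> List[str]:
        # SLO: a LogoutRequest goes to every SP this node knows about,
        # then the (replicated) IdP session is invalidated.
        targets = sorted(self.participants.participants(session_id))
        self.participants.clear(session_id)
        self.sessions.discard(session_id)
        return targets


def run_scenario(shared_participants: bool) -> Dict[str, object]:
    """Login to SP1 via EAP3, login to SP2 via EAP4, then GLO via EAP3."""
    sessions: Set[str] = set()  # replicated session store shared by EAP3 and EAP4
    if shared_participants:
        store = ParticipantStore()
        eap3 = IdpNode("EAP3", sessions, store)
        eap4 = IdpNode("EAP4", sessions, store)
    else:
        eap3 = IdpNode("EAP3", sessions, ParticipantStore())
        eap4 = IdpNode("EAP4", sessions, ParticipantStore())

    sid = "idp-session-42"  # constructed sample session id
    all_sps = {"SP1", "SP2"}
    eap3.login(sid, "SP1")  # SP1 targets IdP @ EAP3
    eap4.login(sid, "SP2")  # SP2 targets IdP @ EAP4, same replicated session
    logged_out = eap3.global_logout(sid)  # GLO requested on SP1 -> IdP @ EAP3
    return {
        "logged_out": logged_out,
        "still_logged_in": sorted(all_sps - set(logged_out)),
        "idp_session_active": sid in sessions,
    }


if __name__ == "__main__":
    print("per-node registry:", run_scenario(shared_participants=False))
    print("shared registry:  ", run_scenario(shared_participants=True))
```

      With per-node registries the IdP session is gone on both nodes but SP2 never receives a LogoutRequest, which is exactly the [FAILURE] step above; with a shared registry both SPs are logged out. The point for a deployment is that any state the SLO handler iterates over must be replicated along with the session, or SLO must be routed to the node that holds it.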

            psilva@redhat.com Pedro Igor Craveiro
            okotek@redhat.com Ondrej Kotek
            Ivo Hradek (Inactive)