Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-3997

(7.0.z) Single Logout does not fully work on distributed PicketLink Identity Provider

    XMLWordPrintable

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide

      Given:

      • EAP instance EAP1 with PicketLink SP1
      • EAP instance EAP2 with PicketLink SP2
      • EAP instance EAP3 with distributable PicketLink IdP
      • EAP instance EAP4 with distributable PicketLink IdP
      • no load balancer to simplify the test case
      • SP1 targets IdP @ EAP3 (set in picketlink.xml config)
      • SP2 targets IdP @ EAP4 (set in picketlink.xml config)

      Procedure:
      When user requests SP1, then user should be redirected to IdP @ EAP3, and IdP shoud prompt user to log in. [OK]
      When user logs in to IdP @ EAP3, then IdP should redirect user back to SP1, and SP1 should return index page (user should be logged in to SP1). [OK]
      When user requests SP2, then user should be redirected to IdP @ EAP4, and then user should be redirected back to SP2, and SP2 should return index page (user should be logged in to SP2). [OK]
      When user user requests Global Logout on SP1, then user should be logged out from SP1, SP2, and IdP. [FAILURE]

      • user is logged out from SP1 and IdP (@ both EAP3 and EAP4), but not from SP2 – GLO workflow miss SP2
      Show
      Given: EAP instance EAP1 with PicketLink SP1 EAP instance EAP2 with PicketLink SP2 EAP instance EAP3 with distributable PicketLink IdP EAP instance EAP4 with distributable PicketLink IdP no load balancer to simplify the test case SP1 targets IdP @ EAP3 (set in picketlink.xml config) SP2 targets IdP @ EAP4 (set in picketlink.xml config) Procedure: When user requests SP1, then user should be redirected to IdP @ EAP3, and IdP shoud prompt user to log in. [OK] When user logs in to IdP @ EAP3, then IdP should redirect user back to SP1, and SP1 should return index page (user should be logged in to SP1). [OK] When user requests SP2, then user should be redirected to IdP @ EAP4, and then user should be redirected back to SP2, and SP2 should return index page (user should be logged in to SP2). [OK] When user user requests Global Logout on SP1, then user should be logged out from SP1, SP2, and IdP. [FAILURE] user is logged out from SP1 and IdP (@ both EAP3 and EAP4), but not from SP2 – GLO workflow miss SP2
    • Git Pull Request:
    • Affects:
      Release Notes
    • Release Notes Docs Status:
      Documented as Known Issue
    • Release Notes Text:
      Hide
      Single Logout (Global Logout, GLO) does not fully work on distributed PicketLink Identity Provider under certain circumstances, in case user uses (or is forced to use) different nodes with Identity Provider for logging in and/or logging out to/from Service Providers (e.g. no sticky sessions, or a node failure), user can remain logged in at several Service Providers after GLO, because the list of GLO participants is limited to the Identity Provider where the GLO request was sent to.
      Show
      Single Logout (Global Logout, GLO) does not fully work on distributed PicketLink Identity Provider under certain circumstances, in case user uses (or is forced to use) different nodes with Identity Provider for logging in and/or logging out to/from Service Providers (e.g. no sticky sessions, or a node failure), user can remain logged in at several Service Providers after GLO, because the list of GLO participants is limited to the Identity Provider where the GLO request was sent to.
    • Bugzilla References:
    • Bugzilla Update:
      Perform
    • Sprint:
      EAP 7.0.5

      Description

      Single Logout (Global Logout, GLO) does not fully work on distributable PicketLink IdP under certain circumstances – in case user uses (or is forced to use) different nodes with IdP for logging in and/or logging out to/from SPs (e.g. no sticky sessions, or a node failure), user can remain logged in at several service providers.

      The issue may cause instability to a PL deployment where IdPs are distributed across different nodes/instances.

      SAML2LogOutHandler uses IdentityServer structure stored in ServletContext – IdentityServer is not replicated/shared between instances. Thus, the list of participants is limited to the IdP where the logout was sent to.

        Gliffy Diagrams

          Attachments

            Issue Links

            cloned to

            Bug - A problem which impairs or prevents the functions of the product. JBEAP-6207 Single Logout does not fully work on distributed PicketLink Identity Provider

            • Critical - An upcoming version that is affected by this issue cannot be released until it's addressed. A critical bug is one that crashes the application, causes loss of data or severe memory leak.
            • Verified
            is incorporated by

            Component Upgrade - A task tracking an update to a bundled component JBEAP-8819 [GSS](7.0.z) Upgrade picketlink 2.5.5.SP5 to 2.5.5.SP6

            • Major - A request that should be considered seriously but is not a show stopper.
            • Verified

              Activity

                People

                • Assignee:
                  pcraveiro Pedro Igor
                  Reporter:
                  okotek Ondrej Kotek
                  Tester:
                  Ivo Hrádek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: