Uploaded image for project: 'RH-SSO'
  1. RH-SSO
  2. RHSSO-1878

Logout event not generated in case of SAML BackChannelLogout with Identity Brokering

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • RH-SSO-7.5.1
    • Protocol - SAML
    • None
    • False
    • False

       

      This Jira is a follow up Jira of up https://issues.redhat.com/browse/KEYCLOAK-17037

      as we are using RH-SSO Jira now instead.

       

       

       

      LOGOUT event is not displayed in case of a SAML backchannel logout from a brokered IDP.  The user has been correctly logged out, and user session destroyed.

      Steps to reproduce:

      • Configure RH-SSO with identity brokering to an idp with backchannel logout configured.
      • A logout is performed on another SP.  The IDP, after reception of the logout request inform all SPs by sending a POST logout request to each session participant including RH-SSO.
      • Each participant (SP and brokered IDP) will run the backchannel logout request action, by destroying the corresponding user session.
      • Only the LOGIN event is tracked. In the audit log, there is no way to know that user session expired.

      As comparison, in case of normal logout from the SP, LOGIN/LOGOUT events appear within the event/audit log.

      Example 1) simple login/logout from RH-SSO SP

      grep "LOGIN|LOGOUT|backchannel" server.log

      021-02-04 11:31:28,721 TRACE [org.keycloak.events] threadId="default task-20", type=LOGIN, realmId=, clientId=, userId=, ipAddress=, identity_provider=, consent=no_consent_required, identity_provider_identity='', code_id=, username=, authSessionParentId=, authSessionTabId=, requestUri=,
      ...
      ...

      2021-02-04 11:31:35,767 TRACE [org.keycloak.events] threadId="default task-34", type=LOGOUT, realmId=, clientId=, userId=, ipAddress=, authSessionParentId=, authSessionTabId=eM3k809T7S8, requestUri=
      ...

      Example 2) backhannel logout

      a) Login is done via RH-SSO SP
      b) User session gets destroyed by backchannle logout

      grep "LOGIN|LOGOUT|backchannel" server.log

      2021-02-04 11:32:12,302 TRACE [org.keycloak.events] threadId="default task-34", type=LOGIN, realmId=, clientId=, userId=, ipAddress=, identity_provider=, consent=no_consent_required, identity_provider_identity='', code_id=, username=, authSessionParentId=, authSessionTabId=, requestUri=,

      2021-02-04 11:32:38,567 DEBUG [org.keycloak.services.managers.AuthenticationManager] threadId="default task-34", backchannel logout to:

      Only the LOGIN event is tracked. In the audit log, there is no way to know that user session expired.

       

      Diving in the code

      -------------------------

      backchannelLogoutClientSession (./services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java) is the method called on RH-SSO to destroy the user session, when there is an IDP backchannel logout POST.
      It looks like that event logout should be added in this method.

            Unassigned Unassigned
            rhn-support-orivat Olivier Rivat
            Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: