JBEAP-3997: (7.0.z) Single Logout does not fully work on distributed PicketLink Identity Provider

    Details

    • Target Release:
    • Steps to Reproduce:

      Given:

      • EAP instance EAP1 with PicketLink SP1
      • EAP instance EAP2 with PicketLink SP2
      • EAP instance EAP3 with distributable PicketLink IdP
      • EAP instance EAP4 with distributable PicketLink IdP
      • no load balancer to simplify the test case
      • SP1 targets IdP @ EAP3 (set in picketlink.xml config)
      • SP2 targets IdP @ EAP4 (set in picketlink.xml config)

      Procedure:
      When user requests SP1, then user should be redirected to IdP @ EAP3, and IdP should prompt user to log in. [OK]
      When user logs in to IdP @ EAP3, then IdP should redirect user back to SP1, and SP1 should return index page (user should be logged in to SP1). [OK]
      When user requests SP2, then user should be redirected to IdP @ EAP4, and then user should be redirected back to SP2, and SP2 should return index page (user should be logged in to SP2). [OK]
      When user requests Global Logout on SP1, then user should be logged out from SP1, SP2, and IdP. [FAILURE]

      • user is logged out from SP1 and IdP (@ both EAP3 and EAP4), but not from SP2 – the GLO workflow misses SP2
    • Affects:
      Release Notes
    • Release Notes Docs Status:
      Documented as Known Issue
    • Release Notes Text:
      Single Logout (Global Logout, GLO) does not fully work on a distributed PicketLink Identity Provider under certain circumstances. If a user uses (or is forced to use) different Identity Provider nodes for logging in and/or logging out to/from Service Providers (e.g. no sticky sessions, or a node failure), the user can remain logged in at several Service Providers after GLO, because the list of GLO participants is limited to the Identity Provider node that received the GLO request.
    • Sprint:
      EAP 7.0.5

      Description

      Single Logout (Global Logout, GLO) does not fully work on a distributable PicketLink IdP under certain circumstances: if a user uses (or is forced to use) different IdP nodes for logging in and/or logging out to/from SPs (e.g. no sticky sessions, or a node failure), the user can remain logged in at several service providers.

      The issue may cause instability in a PicketLink (PL) deployment where IdPs are distributed across different nodes/instances.

      SAML2LogOutHandler uses the IdentityServer structure stored in the ServletContext; IdentityServer is not replicated/shared between instances. Thus, the list of logout participants is limited to what the IdP node that received the logout request knows about.
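      As an added illustration (a model written for this page, not PicketLink code), the following Python replays the reporter's four steps with two IdP nodes that share a replicated SSO session but, by default, each keep their own participant list, and compares that with a shared list. The class and function names (IdpNode, ServiceProvider, run_scenario) and the session id are constructed for the model.

```python
from collections import defaultdict


class ServiceProvider:
    """An SP that tracks which SSO sessions are currently logged in to it."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()


class IdpNode:
    """One node of the distributable IdP.

    `sso_sessions` models the replicated HTTP session (shared by both nodes).
    `participants` models the IdentityServer participant list, which the report
    says lives in the ServletContext and is NOT replicated, so unless a shared
    store is passed in, every node gets a private one.
    """
    def __init__(self, name, sso_sessions, participants=None):
        self.name = name
        self.sso_sessions = sso_sessions
        self.participants = participants if participants is not None else defaultdict(set)

    def login(self, session_id, sp):
        self.sso_sessions.add(session_id)
        self.participants[session_id].add(sp.name)
        sp.sessions.add(session_id)

    def global_logout(self, session_id, sps):
        """Send a LogoutRequest to every SP this node knows about, then end the SSO session."""
        targets = self.participants.pop(session_id, set())
        for name in targets:
            sps[name].sessions.discard(session_id)
        self.sso_sessions.discard(session_id)  # replicated, so gone on both nodes
        return sorted(targets)


def run_scenario(shared_participants):
    """Returns (SPs notified by GLO, SPs still logged in afterwards, IdP session still alive)."""
    sps = {"SP1": ServiceProvider("SP1"), "SP2": ServiceProvider("SP2")}
    sso = set()
    shared = defaultdict(set) if shared_participants else None
    eap3 = IdpNode("EAP3", sso, shared)
    eap4 = IdpNode("EAP4", sso, shared)
    sid = "sso-session-1"                    # constructed session id
    eap3.login(sid, sps["SP1"])              # steps 1-2: SP1 -> IdP @ EAP3, user logs in
    eap4.login(sid, sps["SP2"])              # step 3: SP2 -> IdP @ EAP4, SSO session already exists
    notified = eap3.global_logout(sid, sps)  # step 4: GLO from SP1 reaches IdP @ EAP3 only
    remaining = sorted(n for n, sp in sps.items() if sid in sp.sessions)
    return notified, remaining, sid in sso
```

      With per-node participant lists the GLO only reaches SP1 and SP2 stays logged in, matching the reported failure; a participant store shared across nodes lets the same GLO reach both SPs.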

                People

                • Assignee:
                  pcraveiro Pedro Igor Silva
                  Reporter:
                  okotek Ondrej Kotek
                  Tester:
                  Ivo Hrádek
                • Votes:
                  0
                  Watchers:
                  5
