Red Hat build of Keycloak: RHBK-1845

SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes [GHI#32084]



      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      adapter/jee-saml

      Describe the bug

      In the SAML Elytron adapter the IdMapperUpdaterSessionListener is not executed by default. There are two differences from the old Undertow adapter:

      1. In the Undertow adapter the listener is always added (see here), but in the Elytron adapter it is not added by default (here). In the Elytron adapter the updater is only added if the keycloak.sessionIdMapperUpdater.classes init parameter is added to the context. This is not expected, and the documentation only mentions this parameter as a way to change the updater (doc).
      2. The second difference is that the Undertow adapter updates the mapping when the session ID changes (here), but the Elytron counterpart does not implement HttpSessionIdListener, so if the session ID is modified the mapping is lost and the user needs to log in again (without user interaction).

      Both are bugs that should be fixed.
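As an added illustration (not code from Keycloak or from this report), this is the shape of the HttpSessionIdListener the report says the Elytron adapter lacks: when the container changes a session ID (for example via request.changeSessionId() after authentication, a common session-fixation defence), the listener re-keys the adapter's mapping under the new HTTP session ID so the SAML session is not lost. The SamlSessionMapper class and the single shared MAPPER instance are assumptions standing in for the adapter's real session ID mapper.

```java
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionIdListener;
import jakarta.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical stand-in for the adapter's session ID mapper (assumption, not
 * the Keycloak API): keys are container HTTP session IDs, values are the SAML
 * principal each one belongs to. Defined inline so the example is self-contained.
 */
final class SamlSessionMapper {
    private final Map<String, String> sessionToPrincipal = new ConcurrentHashMap<>();
    void map(String principal, String httpSessionId) { sessionToPrincipal.put(httpSessionId, principal); }
    String remove(String httpSessionId) { return sessionToPrincipal.remove(httpSessionId); }
    boolean hasSession(String httpSessionId) { return sessionToPrincipal.containsKey(httpSessionId); }
}

/**
 * Keeps the mapper in step with the servlet container. sessionIdChanged is the
 * callback the report says is missing: without it the old ID stays in the
 * mapper, lookups by the new ID fail, and the next request goes back through
 * the IdP even though the Keycloak session is still valid.
 */
@WebListener
public class MapperSessionIdListener implements HttpSessionIdListener, HttpSessionListener {
    // Assumption: one mapper per deployment, shared with the authentication mechanism.
    static final SamlSessionMapper MAPPER = new SamlSessionMapper();

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        String principal = MAPPER.remove(oldSessionId);   // drop the entry keyed by the stale ID
        if (principal != null) {
            MAPPER.map(principal, session.getId());      // re-key the same principal under the new ID
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        MAPPER.remove(event.getSession().getId());       // logout or timeout: forget the session
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to map yet; the entry is created when the SAML response is processed.
    }
}
```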

      Version

      25.0.2

      Regression

      [ ] The issue is a regression

      Expected behavior

      When the session ID changes, the IdMapperUpdaterSessionListener class updates the session mapping correctly, so the session is not lost and the user is not forced to do the login dance again.

      Actual behavior

      The session is lost in the mapper and the user has to go to the login page to silently log in again.

      How to Reproduce?

      Deploy the SAML adapter via Galleon layers in WildFly. Create a sample application that calls the request.changeSessionId() method to change the session ID in the app. The next user interaction performs the login again, creating the SAML request, response and so on. As noted, the session in Keycloak is still valid, so the login needs no user interaction (cookie).

      Anything else?

      No response

            Assignee: Unassigned
            Reporter: Pavel Vlha (pvlha)
            Component: Keycloak Core Clients