Bug 1322414

Summary: (6.4.z) Single Logout does not fully work on distributed PicketLink Identity Provider
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: PicketLink
Version: 6.4.6
Status: CLOSED EOL
Severity: urgent
Priority: unspecified
Type: Bug
Keywords: Reopened
Doc Type: Bug Fix
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
Target Release: EAP 6.4.17
Reporter: Ondrej Kotek <okotek>
Assignee: jboss-set
QA Contact: Ondrej Kotek <okotek>
CC: anmiller, bdawidow, bmaxwell, fgavrilo, psilva, pskopek
Bug Blocks: 1450092, 1455294
Last Closed: 2019-08-19 12:46:27 UTC

Description Ondrej Kotek 2016-03-30 13:12:32 UTC
Description of problem:
Single Logout (Global Logout, GLO) does not fully work on a distributable PicketLink IdP under certain circumstances: if the user uses (or is forced to use) different IdP nodes for logging in to and/or logging out from SPs (e.g. no sticky sessions, or a node failure), the user can remain logged in at several service providers.

The issue may cause instability to a PL deployment where IdPs are distributed across different nodes/instances.

SAML2LogOutHandler uses the IdentityServer structure stored in the ServletContext; IdentityServer is not replicated/shared between instances. Thus, the list of participants is limited to the IdP node the logout was sent to.


Version-Release number of selected component (if applicable):
2.5.4.SP7-redhat-1


How reproducible:
Given:
* EAP instance EAP0 with PicketLink SPs: SP1, SP2
* EAP instance EAP1 with distributable PicketLink IdP
* EAP instance EAP2 with distributable PicketLink IdP
* no load balancer to simplify the test case
  * SP1 targets IdP @ EAP1 (set in picketlink.xml config)
  * SP2 targets IdP @ EAP2 (set in picketlink.xml config)

Procedure:
When the user requests SP1, then the user should be redirected to the IdP @ EAP1, and the IdP should prompt the user to log in. [OK]
When the user logs in to the IdP @ EAP1, then the IdP should redirect the user back to SP1, and SP1 should return the index page (the user should be logged in to SP1). [OK]
When the user requests SP2, then the user should be redirected to the IdP @ EAP2, and then the user should be redirected back to SP2, and SP2 should return the index page (the user should be logged in to SP2). [OK]
When the user requests Global Logout on SP1, then the user should be logged out from SP1, SP2, and the IdP. [FAILURE]


Actual results:
The user is logged out from SP1 and the IdP (@ both EAP1 and EAP2), but not from SP2 -- the GLO workflow misses SP2.


Expected results:
User should be logged out from SP1, SP2, and IdP.
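The following is an added model of the reproduction steps above; it is constructed for illustration and is not PicketLink code. Each IdP node keeps a participant registry (the SPs that obtained an assertion for a given IdP session), mirroring the IdentityServer held in each node's ServletContext. With a node-local registry, the LogoutRequest arriving at EAP1 only sees SP1; with a registry shared between the nodes (an assumed remedy used here to show the contrast, not a description of the actual fix), the same logout reaches SP2 as well. The class names, the session id and the `run_scenario` helper are all assumptions of this example.

```python
"""Model of SAML global logout (GLO) across two IdP nodes.

Constructed illustration, not PicketLink code. Each IdP node keeps a
participant registry: the SPs a given IdP session has logged in to.
When the registry is node-local (as with an IdentityServer held in the
ServletContext), a logout request arriving at one node only sees the
SPs that logged in through that node.
"""
from dataclasses import dataclass


@dataclass
class IdpNode:
    """One distributable IdP instance (assumed name; not a PicketLink class)."""
    name: str
    # session_id -> set of SP names that logged in through this registry.
    registry: dict

    def login(self, session_id: str, sp: str) -> None:
        """Record that `sp` obtained an assertion for `session_id` via this node."""
        self.registry.setdefault(session_id, set()).add(sp)

    def global_logout(self, session_id: str, initiator: str) -> set:
        """Handle a LogoutRequest from `initiator`.

        Returns the set of SPs that take part in the logout (the initiator
        plus every participant this node knows about) and drops the session
        from this node's registry.
        """
        participants = self.registry.pop(session_id, set())
        participants.add(initiator)
        return participants


def run_scenario(shared_registry: bool) -> set:
    """Replay the bug report's steps and return the SPs that get logged out.

    shared_registry=False models the reported behaviour: each node has its
    own IdentityServer-like map in its ServletContext.
    shared_registry=True models a participant list replicated between the
    nodes (assumed remedy for the sake of contrast, not the actual fix).
    """
    shared = {}
    eap1 = IdpNode("EAP1", shared if shared_registry else {})
    eap2 = IdpNode("EAP2", shared if shared_registry else {})
    session = "idp-session-42"  # constructed session id

    eap1.login(session, "SP1")  # steps 1-2: SP1 targets the IdP @ EAP1
    eap2.login(session, "SP2")  # step 3: SP2 targets the IdP @ EAP2
    return eap1.global_logout(session, "SP1")  # step 4: GLO from SP1 -> EAP1


if __name__ == "__main__":
    print("node-local registry:", sorted(run_scenario(False)))
    print("shared registry:    ", sorted(run_scenario(True)))
```

With the node-local registry the logout set is {SP1}, which is exactly the "GLO workflow misses SP2" outcome in the Actual results; only when both nodes see the same participant list does the logout from SP1 at EAP1 also reach SP2, which logged in through EAP2.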

Comment 3 Ivo Hradek 2017-08-15 15:32:09 UTC
Verification failed with EAP-6.4.17-CP.CR4;

Comment 7 Petr Penicka 2017-09-06 13:35:48 UTC
Released on 2017-09-05 as part of the EAP 6.4.17 release.