Bug 1362293

Summary: [GSS] (6.4.z) SAML2LogoutHandler is not handling PicketLinkSP/LogOutResponseLocation attribute properly
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: PicketLink
Assignee: Peter Palaga <ppalaga>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Priority: high
Version: 6.4.8
CC: anmiller, bdawidow, bmaxwell, ihradek, jtruhlar, msochure, ppalaga, psilva, pskopek
Target Milestone: CR1
Target Release: EAP 6.4.11
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-01-17 13:13:57 UTC
Type: Bug
Bug Blocks: 1361648, 1362250, 1362295
Attachments: employee.war, sales-post.war, idp.war

Description dhorton 2016-08-01 20:36:38 UTC
Description of problem:

When the "LogOutResponseLocation" is configured, the SAML2LogoutHandler correctly uses this value as the Destination when the SP generates a LogoutResponse. However, the "LogOutResponseLocation" is not getting used during the HTTP POST, so the LogoutResponse is getting sent to the wrong IDP URL.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Configure and deploy an idp, sales-post and employee applications
2.  Configure the "LogOutResponseLocation" in the employee.war/picketlink.xml
3.  Log into the sales-post application
4.  Hit the employee application
5.  Click on the GLO logout link in the sales-post



Expected results:

The employee.war should generate a LogoutResponse that has a "Destination" that matches the "LogOutResponseLocation". This LogoutResponse should be sent to the same URL that is specified in the "LogOutResponseLocation".


Actual results:

The LogoutResponse is not sent to the same URL that is specified in the "LogOutResponseLocation".


Additional info:
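
The receiving side of the exchange described above, as an added example that is not PicketLink's own code: a SAML 2.0 recipient is required to discard a message whose Destination attribute does not name the endpoint it was actually received at, which is why a LogoutResponse whose Destination says LogOutResponseLocation but that is POSTed to the IdP's default URL fails. The URLs, the LogoutResponse content and the function names are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample values (not taken from the bug report): the URL an SP
# would configure as LogOutResponseLocation in picketlink.xml, and the IdP's
# default endpoint that the misbehaving handler POSTs to instead.
LOGOUT_RESPONSE_LOCATION = "https://idp.example.com:443/idp/logout-response"
IDP_DEFAULT_URL = "https://idp.example.com/idp/"


def build_logout_response(destination: str) -> str:
    """Constructed minimal samlp:LogoutResponse, base64-encoded the way it
    travels in the SAMLResponse form field of the HTTP-POST binding."""
    xml = (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" ID="_example-id" '
        f'Version="2.0" IssueInstant="2016-08-01T20:36:38Z" '
        f'Destination="{destination}">'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:LogoutResponse>'
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def normalize_url(url: str) -> tuple:
    """Compare endpoints on scheme, host, explicit-or-default port and path,
    so that an explicit ":443" does not cause a spurious mismatch."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port,
            parts.path or "/")


def destination_matches(saml_response_b64: str, received_at_url: str) -> bool:
    """SAML 2.0 Core (StatusResponseType, Destination attribute): when the
    attribute is present, the recipient MUST check that it identifies the
    location at which the message was received and discard it otherwise."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}LogoutResponse":
        return False
    destination = root.get("Destination")
    if destination is None:
        return True  # attribute is optional; nothing to enforce
    return normalize_url(destination) == normalize_url(received_at_url)
```

With the bug present, `destination_matches(build_logout_response(LOGOUT_RESPONSE_LOCATION), IDP_DEFAULT_URL)` is False, which is the rejection the IdP performs; once the POST goes to LogOutResponseLocation the check passes.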

Comment 1 dhorton 2016-08-01 20:48:18 UTC
Created attachment 1186537 [details]
employee.war

Comment 2 dhorton 2016-08-01 20:49:02 UTC
Created attachment 1186538 [details]
sales-post.war

Comment 3 dhorton 2016-08-01 20:50:03 UTC
Created attachment 1186539 [details]
idp.war

Comment 4 dhorton 2016-08-01 20:51:31 UTC
Attached applications required to reproduce the issue.

Here is the required security-domain configuration:

<!-- IdP side: users and roles come from properties files in the server config dir -->
<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
<!-- SP side (sales-post.war, employee.war): authenticate with the SAML assertion issued by the IdP -->
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
    </authentication>
</security-domain>

Comment 8 Ivo Hradek 2016-10-06 10:53:01 UTC
Verified with EAP 6.4.11.CP.CR1;

Comment 9 Petr Penicka 2017-01-17 13:13:57 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 10 Petr Penicka 2017-01-17 13:15:22 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.