Bug 1362295

Summary: [GSS] (6.4.8 patch) PicketLink rollup patch - BZ-1362293, BZ-1353333
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: dhorton
Component: PicketLink Assignee: dhorton
Status: VERIFIED --- QA Contact: Pavel Slavicek <pslavice>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.8 CC: bdawidow, bmaxwell, jawilson, psilva, pskopek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
To apply this individual patch, follow the steps outlined in How do I apply individual or cumulative patches in JBoss EAP 6.2 and beyond [1]? To rollback this individual patch if installation has unexpected consequences, follow the steps outlined in How do I rollback individual or cumulative patches in JBoss EAP 6.2 and beyond [2]?
[1] https://access.redhat.com/site/solutions/625683
[2] https://access.redhat.com/site/solutions/639403
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Support Patch
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1353333, 1353338, 1362293    
Bug Blocks:    
Attachments:
Description Flags
BZ1362295.zip none

Description dhorton 2016-08-01 21:10:35 UTC
Description of problem:

PicketLink rollup patch that includes:

PLINK-738
BZ-1353333

Comment 2 dhorton 2016-08-05 18:49:18 UTC
Description of problem for BZ-1353333:

PicketLink does not return SessionIndex in LogoutRequest.

To reproduce:

- deploy idp.war and employee.war
- go to http://localhost:8080/employee
- login
- click logout link when redirected back to the employee app
- view the SAML logout request
  - there should be a SessionIndex

Comment 3 dhorton 2016-08-05 18:50:11 UTC
Description of problem for BZ-1362295 (PLINK-738):


When the "LogOutResponseLocation" is configured, the SAML2LogoutHandler correctly uses this value as the Destination when the SP generates a LogoutResponse. However, the "LogOutResponseLocation" is not getting used during the HTTP POST so that LogoutResponse is getting sent to the wrong IDP url.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Configure and deploy an idp, sales-post and employee applications
2.  Configure the "LogOutResponseLocation" in the employee.war/picketlink.xml
3.  Log into the sales-post application
4.  Hit the employee application
5.  Click on the GLO logout link in the sales-post



Expected results:

The employee.war should generate a LogoutResponse that has a "Destination" that matches the "LogOutResponseLocation". This LogoutResponse should be sent to the same url that is specified in the "LogOutResponseLocation".


Actual results:

The LogoutResponse is not sent to the same url that is specified in the LogOutResponseLocation.
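
The two checks described in Comment 2 and Comment 3 can be run against messages captured from the browser's HTTP-POST form. The following is an added example, not part of the bug report or of PicketLink. The function names, the sample messages and the IDP URL http://localhost:8080/idp/slo are constructed for illustration, and the sample XML is trimmed to the elements being checked.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def _parse(b64_value, expected):
    """HTTP-POST binding: the form field is plain base64 of the XML (no DEFLATE)."""
    xml_text = base64.b64decode(b64_value).decode("utf-8")
    if "<!DOCTYPE" in xml_text:  # SAML messages never need a DTD; refuse it
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}{expected}":
        raise ValueError(f"expected {expected}, got {root.tag}")
    return root

def session_indexes(b64_request):
    """BZ-1353333 check: return the non-empty SessionIndex values of a LogoutRequest."""
    root = _parse(b64_request, "LogoutRequest")
    return [e.text.strip() for e in root.findall(f"{{{SAMLP}}}SessionIndex")
            if e.text and e.text.strip()]

def response_problems(b64_response, form_action, configured_location):
    """PLINK-738 check: Destination and the POST target must both equal
    the configured LogOutResponseLocation. Returns a list of mismatches."""
    root = _parse(b64_response, "LogoutResponse")
    dest = root.get("Destination")
    problems = []
    if dest != configured_location:
        problems.append(f"Destination {dest!r} != configured {configured_location!r}")
    if form_action != configured_location:
        problems.append(f"POST target {form_action!r} != configured {configured_location!r}")
    return problems

# Constructed sample messages (not captured from a real deployment).
def _b64(xml):
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

REQ_WITH = _b64(f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="ID_1" Version="2.0">'
                '<samlp:SessionIndex>ID_session_1</samlp:SessionIndex></samlp:LogoutRequest>')
REQ_WITHOUT = _b64(f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="ID_1" Version="2.0"/>')
RESP = _b64(f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="ID_2" Version="2.0" '
            'Destination="http://localhost:8080/idp/slo"/>')
```

An empty list from session_indexes corresponds to the BZ-1353333 symptom; a "POST target" entry from response_problems with no "Destination" entry corresponds to the PLINK-738 symptom.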

Comment 4 dhorton 2016-08-05 18:58:10 UTC
Created attachment 1188002 [details]
BZ1362295.zip

Comment 6 hsvabek 2016-08-10 08:55:21 UTC
- regression testing: OK
- patch format, instructions and (un)expected changes: OK
- reproduce the fix: OK

md5sum
9794f856c605032597fb5cb3e2df2429  BZ1362295.zip