Description of problem:

Single Logout (Global Logout, GLO) does not fully work on a distributable PicketLink IdP under certain circumstances. When a user uses (or is forced to use) different IdP nodes for logging in and/or logging out to/from SPs (e.g. no sticky sessions, or a node failure), the user can remain logged in at several service providers. The issue may cause instability in a PL deployment where IdPs are distributed across different nodes/instances.

SAML2LogOutHandler uses the IdentityServer structure stored in the ServletContext. IdentityServer is not replicated/shared between instances, so the list of logout participants is limited to the IdP node the logout request was sent to.

Version-Release number of selected component (if applicable): 2.5.4.SP7-redhat-1

How reproducible:

Given:
* EAP instance EAP0 with PicketLink SPs: SP1, SP2
* EAP instance EAP1 with distributable PicketLink IdP
* EAP instance EAP2 with distributable PicketLink IdP
* no load balancer, to simplify the test case
* SP1 targets IdP @ EAP1 (set in picketlink.xml config)
* SP2 targets IdP @ EAP2 (set in picketlink.xml config)

Procedure:
1. When the user requests SP1, then the user should be redirected to IdP @ EAP1, and the IdP should prompt the user to log in. [OK]
2. When the user logs in to IdP @ EAP1, then the IdP should redirect the user back to SP1, and SP1 should return the index page (user should be logged in to SP1). [OK]
3. When the user requests SP2, then the user should be redirected to IdP @ EAP2, and then the user should be redirected back to SP2, and SP2 should return the index page (user should be logged in to SP2). [OK]
4. When the user requests Global Logout on SP1, then the user should be logged out from SP1, SP2, and the IdP. [FAILURE]

Actual results:
User is logged out from SP1 and the IdP (@ both EAP1 and EAP2), but not from SP2 -- the GLO workflow misses SP2.

Expected results:
User should be logged out from SP1, SP2, and the IdP.
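A small model of the failure described above (added illustration, not PicketLink's own code): IdpNode stands for one IdP instance and its registry plays the role of the IdentityServer participant list; the session id is replicated across nodes, as with a distributable IdP. With a node-local registry the logout initiated via EAP1 never reaches SP2; giving both nodes a shared registry is what makes the logout complete.

```python
from collections import defaultdict


class IdpNode:
    """One IdP instance. `registry` maps session id -> set of SP participants.
    It is node-local when each node gets its own dict (the reported behaviour)
    and shared when both nodes are handed the same dict."""

    def __init__(self, name, registry):
        self.name = name
        self.registry = registry

    def login(self, session_id, sp):
        # SP redirected the user here with an AuthnRequest; on success the SP
        # is recorded as a participant of this session (IdentityServer role).
        self.registry[session_id].add(sp)

    def global_logout(self, session_id, initiating_sp):
        # Mirrors SAML2LogOutHandler: a LogoutRequest goes to every participant
        # this node knows about, then the initiator is logged out as well.
        participants = set(self.registry.pop(session_id, set()))
        participants.add(initiating_sp)
        return participants


def run_scenario(shared_registry):
    """Reproduce the Given/Procedure steps; returns (logged out SPs, SPs missed)."""
    session = "user-session-1"  # constructed id; replicated across both nodes
    if shared_registry:
        store = defaultdict(set)
        eap1, eap2 = IdpNode("EAP1", store), IdpNode("EAP2", store)
    else:
        eap1 = IdpNode("EAP1", defaultdict(set))
        eap2 = IdpNode("EAP2", defaultdict(set))
    eap1.login(session, "SP1")   # SP1 targets IdP @ EAP1
    eap2.login(session, "SP2")   # SP2 targets IdP @ EAP2
    logged_out = eap1.global_logout(session, "SP1")  # GLO initiated on SP1
    all_sps = {"SP1", "SP2"}
    return sorted(logged_out), sorted(all_sps - logged_out)


if __name__ == "__main__":
    print("node-local registry:", run_scenario(False))  # (['SP1'], ['SP2'])
    print("shared registry:    ", run_scenario(True))   # (['SP1', 'SP2'], [])
```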
Verification failed with EAP-6.4.17-CP.CR4.
Released on 2017-09-05 as part of the EAP 6.4.17 release.