How can I configure a PicketLink based SP to use different login and logout URLs?

Solution Unverified - Updated -

Issue

We are integrating a PicketLink based SP (Service Provider) with an IDP (Identity Provider) that uses two different URLs for login and logout. This is compliant with the SAML v2 standard, as you can see in the metadata file.

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idphostname.com/nidp/saml2/slo" ResponseLocation="http://idphostname.com/nidp/saml2/slo_return"/>

I noticed that PicketLink doesn't care about that, and uses the entityId instead of SingleLogoutService. This is the code snippet where the request is processed (the class is AbstractSPFormAuthenticator):

private boolean generalUserRequest(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Session session = request.getSessionInternal(true);
        boolean willSendRequest = false;
        HTTPContext httpContext = new HTTPContext(request, response, context.getServletContext());
        Set<SAML2Handler> handlers = chain.handlers();

        boolean postBinding = spConfiguration.getBindingType().equals("POST");

        // Neither saml request nor response from IDP
        // So this is a user request
        SAML2HandlerResponse saml2HandlerResponse = null;
        try {
            ServiceProviderBaseProcessor baseProcessor = new ServiceProviderBaseProcessor(postBinding, serviceURL);
            if (issuerID != null)
                baseProcessor.setIssuer(issuerID);

            baseProcessor.setIdentityURL(identityURL);
            baseProcessor.setAuditHelper(auditHelper);
            baseProcessor.setConfiguration(this.spConfiguration);

            saml2HandlerResponse = baseProcessor.process(httpContext, handlers, chainLock);
        } catch (ProcessingException pe) {
            logger.samlSPHandleRequestError(pe);
            throw new RuntimeException(pe);
        } catch (ParsingException pe) {
            logger.samlSPHandleRequestError(pe);
            throw new RuntimeException(pe);
        } catch (ConfigurationException pe) {
            logger.samlSPHandleRequestError(pe);
            throw new RuntimeException(pe);
        }

        willSendRequest = saml2HandlerResponse.getSendRequest();

This code is common to all the requests, login and logout, and it always uses the same identity URL, which is set to the login URL.

Is there a configuration to use different URLs? As an alternative, could you, or engineers, fix this issue?
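The routing the question expects from an SP, as an added example that is not PicketLink code and not part of the original post: pick the IDP endpoint from metadata by message type and binding, so a LogoutRequest goes to the SingleLogoutService Location and a LogoutResponse to its ResponseLocation, instead of every message going to one identity URL. The SLO element mirrors the metadata quoted above; the SingleSignOnService element, the entityID and the function names are constructed for this example.

```python
# Added example (not PicketLink code): select the IDP destination for each
# SAML 2.0 message an SP sends, from the IDP's metadata.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata: the SingleLogoutService element is the one from the
# question; the entityID and SingleSignOnService element are made up here.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="http://idphostname.com/nidp/saml2/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="http://idphostname.com/nidp/saml2/slo"
        ResponseLocation="http://idphostname.com/nidp/saml2/slo_return"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="http://idphostname.com/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Which metadata element, and which attribute on it, carries the destination
# for each message type an SP sends to the IDP.
_ROUTES = {
    "AuthnRequest": ("SingleSignOnService", "Location"),
    "LogoutRequest": ("SingleLogoutService", "Location"),
    "LogoutResponse": ("SingleLogoutService", "ResponseLocation"),
}


def idp_destination(metadata_xml, message_type, binding):
    """Return the URL the SP must send `message_type` to over `binding`.

    Raises ValueError when the IDP advertises no endpoint for that binding,
    which an SP should treat as a configuration error rather than fall back
    to some other URL.
    """
    element, attr = _ROUTES[message_type]
    root = ET.fromstring(metadata_xml)
    for endpoint in root.iter(f"{{{MD_NS}}}{element}"):
        if endpoint.get("Binding") != binding:
            continue
        # ResponseLocation is optional in the metadata schema: when it is
        # absent, responses go to the same Location as requests.
        return endpoint.get(attr) or endpoint.get("Location")
    raise ValueError(f"IDP metadata has no {element} for binding {binding}")
```

Running `idp_destination(IDP_METADATA, "LogoutRequest", HTTP_POST)` and the same call with `"AuthnRequest"` returns two different URLs for this metadata, which is exactly the distinction a single identity URL cannot express.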

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.1.0
