diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
index 77446a7c050..d53d1e546c6 100755
--- a/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
@@ -29,7 +29,9 @@ import org.keycloak.connections.httpclient.HttpClientProvider;
 import org.keycloak.dom.saml.v2.assertion.AssertionType;
 import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.events.Details;
 import org.keycloak.events.EventBuilder;
+import org.keycloak.events.EventType;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeyManager;
@@ -40,7 +42,6 @@ import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.LoginProtocol;
 import org.keycloak.protocol.ProtocolMapper;
-import org.keycloak.protocol.RestartLoginCookie;
 import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper;
 import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;
 import org.keycloak.protocol.saml.mappers.SAMLRoleListMapper;
@@ -597,16 +598,25 @@ public class SamlProtocol implements LoginProtocol {
 builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
 }
 }
-
+ Response response;
 try {
- return buildLogoutResponse(userSession, logoutBindingUri, builder, binding);
- } catch (ConfigurationException e) {
- throw new RuntimeException(e);
- } catch (ProcessingException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
+ response = buildLogoutResponse(userSession, logoutBindingUri, builder, binding);
+ } catch (ConfigurationException | ProcessingException | IOException e) {
 throw new RuntimeException(e);
 }
+ if (logoutBindingUri != null) {
+ event.detail(Details.REDIRECT_URI, logoutBindingUri);
+ }
+ event.event(EventType.LOGOUT)
+ .detail(Details.AUTH_METHOD, userSession.getAuthMethod())
+ .client(session.getContext().getClient())
+ .user(userSession.getUser())
+ .session(userSession)
+ .detail(Details.USERNAME, userSession.getLoginUsername())
+ .detail(Details.RESPONSE_MODE, postBinding ? SamlProtocol.SAML_POST_BINDING : SamlProtocol.SAML_REDIRECT_BINDING)
+ .detail(SamlProtocol.SAML_LOGOUT_REQUEST_ID, userSession.getNote(SAML_LOGOUT_REQUEST_ID))
+ .success();
+ return response;
 }
 
 protected Response buildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) throws ConfigurationException, ProcessingException, IOException {
diff --git a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java
index 55a5a21c44b..640c2e50c12 100755
--- a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java
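Review bot: The new LOGOUT event takes its client from `session.getContext().getClient()`, so it only records a client when a caller has set the context client beforehand; the SamlService hunk in this commit does that for the browser logout-response path, but any other caller of this method (its signature is above the hunk) would emit a LOGOUT event with no client attached. If the enclosing method has the `AuthenticatedClientSessionModel` in scope, `.client(clientSession.getClient())` is the caller-independent source and avoids that gap. `userSession.getNote(SAML_LOGOUT_REQUEST_ID)` can be null for sessions that never stored a request id; presumably `EventBuilder.detail` tolerates a null value, but that is worth confirming, otherwise guard it the way the `logoutBindingUri` detail is guarded. Note also that a failure inside the try block now rethrows before any event is recorded, so a logout response that cannot be built leaves no error event for the session; recording an error on `event` before the `throw new RuntimeException(e)` would keep the audit trail complete.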
@@ -169,6 +169,15 @@ public class SamlService extends AuthorizationEndpointBase {
 event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
 }
+ String issuer = statusResponse.getIssuer().getValue();
+ ClientModel client = realm.getClientByClientId(issuer);
+ if (client == null) {
+ event.event(EventType.LOGOUT);
+ event.client(issuer);
+ event.error(Errors.CLIENT_NOT_FOUND);
+ return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
+ }
+ session.getContext().setClient(client);
 logger.debug("logout response");
 Response response = authManager.browserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
 event.success();
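Review bot: `statusResponse.getIssuer().getValue()` on the first added line dereferences the Issuer without a null check, and `<Issuer>` is optional in a SAML StatusResponseType, so a LogoutResponse that omits it would end in an uncaught NullPointerException rather than the BAD_REQUEST error page the other malformed cases get. Guard it in the same style as the check just above the hunk: `if (statusResponse.getIssuer() == null || statusResponse.getIssuer().getValue() == null) {` followed by `event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);` and the same `ErrorPage.error(..., Messages.INVALID_REQUEST)` return. Recording the raw issuer through `event.client(issuer)` on the not-found branch is useful for spotting misdirected or forged logout responses, since that value is taken verbatim from the incoming message. The client is resolved by issuer alone and the hunk does not check that `userSession` actually holds a client session for it; if the code below the hunk does not verify that, it is worth adding before the context client is set. The enclosing method starts and ends outside the hunk.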