
SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes #32084

@rmartinc


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

adapter/jee-saml

Describe the bug

In the SAML elytron adapter the IdMapperUpdaterSessionListener is not executed by default. There are two differences with the old undertow adapter:

  1. In the undertow adapter the listener is always added (see here) but in the elytron adapter it is not added by default (here). In the elytron adapter the updater is only added if the keycloak.sessionIdMapperUpdater.classes init parameter is added to the context. This is not expected and the documentation just comments about this parameter to change the updater (doc).
  2. The second difference is that the undertow adapter updates the mapping when the session ID changes (here) but the elytron counterpart does not implement HttpSessionIdListener and therefore if the session ID is modified the mapping is lost and the user needs to login (no user interaction) again.

Both are bugs that should be fixed.

Version

25.0.2

Regression

  • The issue is a regression

Expected behavior

When the session ID changes the class IdMapperUpdaterSessionListener updates the session mapping OK and the session is not lost and the user is not forced to do the login dance again.

Actual behavior

The session is lost in the mapper and the user should go to the login page to silently login again.

How to Reproduce?

Deploy the SAML adapter via galleon layers in wildfly. Create a sample application that calls the request.changeSessionId() method to change the session ID in the app. The next user interaction performs the login again, creating the saml request, response and so on and so forth. As commented, the session in keycloak is OK so the user needs no interaction (cookie) for the login.

Anything else?

No response
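
The remapping the report expects on a session ID change, as an added example (not Keycloak's code and not part of the original issue). `SsoIndex` and the `example.ssoId` session attribute are hypothetical stand-ins for the adapter's mapper, and the Jakarta Servlet API is assumed on the classpath.

```java
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionIdListener;
import jakarta.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative only: SsoIndex and "example.ssoId" are hypothetical names,
// not Keycloak classes or attributes.
@WebListener
public class RemapOnSessionIdChange implements HttpSessionListener, HttpSessionIdListener {

    static final String SSO_ATTR = "example.ssoId"; // assumed to be set by the login code

    /** Minimal two-way index between the IdP SSO session and the HTTP session ID. */
    static final class SsoIndex {
        private final Map<String, String> ssoToHttp = new ConcurrentHashMap<>();
        private final Map<String, String> httpToSso = new ConcurrentHashMap<>();

        void map(String sso, String httpId) {
            ssoToHttp.put(sso, httpId);
            httpToSso.put(httpId, sso);
        }

        void removeSession(String httpId) {
            String sso = httpToSso.remove(httpId);
            if (sso != null) ssoToHttp.remove(sso, httpId); // only if still pointing at httpId
        }

        boolean hasSession(String httpId) { return httpToSso.containsKey(httpId); }
    }

    static final SsoIndex INDEX = new SsoIndex();

    // Called by the container after request.changeSessionId(); without this hook
    // the index keeps the old ID and the next request looks unauthenticated.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        Object sso = session.getAttribute(SSO_ATTR);
        INDEX.removeSession(oldSessionId);            // always drop the stale ID
        if (sso instanceof String) {                  // unauthenticated sessions carry no SSO id
            INDEX.map((String) sso, session.getId()); // re-key under the new ID
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        INDEX.removeSession(event.getSession().getId()); // avoid orphaned entries
    }
}
```

Removing the old ID before re-mapping also matters for logout: a stale entry would leave a backchannel logout pointing at a session ID that no longer exists.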
