undertow slash redirect problem

saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2PostBindingResponseBuilder.java

@@ -1,25 +1,4 @@
 package org.keycloak.protocol.saml;
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2008, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
 
 import org.picketlink.common.PicketLinkLogger;
 import org.picketlink.common.PicketLinkLoggerFactory;
@@ -62,6 +41,7 @@ import static org.picketlink.common.util.StringUtil.isNotNull;
  * Configuration Options:
  *
  * @author Anil.Saldhana@redhat.com
+ * @author bburke@redhat.com
 */
 public class SAML2PostBindingResponseBuilder {
     protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlLogin.java

@@ -35,6 +35,7 @@ import org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler;
 import org.picketlink.identity.federation.web.util.PostBindingUtil;
 import org.w3c.dom.Document;
 
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 import java.io.IOException;
@@ -195,10 +196,22 @@ public class SamlLogin implements LoginProtocol {
             ClientResponse response = null;
             try {
                 response = request.post();
+                response.releaseConnection();
+                // Undertow will redirect root urls not ending in "/" to root url + "/".  Test for this weird behavior
+                if (response.getStatus() == 302  && !adminUrl.endsWith("/")) {
+                    String redirect = (String)response.getHeaders().getFirst(HttpHeaders.LOCATION);
+                    String withSlash = adminUrl + "/";
+                    if (withSlash.equals(redirect)) {
+                        request = executor.createRequest(withSlash);
+                        request.formParameter(GeneralConstants.SAML_REQUEST_KEY, logoutRequestString);
+                        request.formParameter(SAML2LogOutHandler.BACK_CHANNEL_LOGOUT, SAML2LogOutHandler.BACK_CHANNEL_LOGOUT);
+                        response = request.post();
+                        response.releaseConnection();
+                    }
+                }
             } catch (Exception e) {
                 logger.warn("failed to send saml logout", e);
             }
-            response.releaseConnection();
 
         } finally {
             executor.getHttpClient().getConnectionManager().shutdown();

testsuite/integration/src/test/resources/testsaml.json

@@ -32,8 +32,8 @@
             "name": "http://localhost:8080/sales-post/",
             "enabled": true,
             "fullScopeAllowed": true,
-            "baseUrl": "http://localhost:8080/sales-post/",
-            "adminUrl": "http://localhost:8080/sales-post/",
+            "baseUrl": "http://localhost:8080/sales-post",
+            "adminUrl": "http://localhost:8080/sales-post",
             "redirectUris": [
                 "http://localhost:8080/sales-post/*"
             ]