[keycloak-user] saml logout

John Bartko john.bartko at drillinginfo.com
Wed Jul 5 19:37:00 EDT 2017


This GitLab issue [1] seems relevant. It may be the case that GitLab does not support SAML SP-initiated global logout at this time.


You mentioned that GitLab can redirect users to a URI after performing its own logout procedure. This problem then seems to be another instance of KEYCLOAK-3476 [2], i.e. GitLab may be a SAML SP that cannot process LogoutRequest messages but does offer arbitrary redirection. In theory, GitLab can redirect to the OIDC Logout Endpoint [3] which would destroy the Keycloak IdP session that was initially started by a SAML client.


Here's a *major* catch -- In my experience with Keycloak v1.9.8.Final, once an invalid configuration has been placed in the "Logout Service POST Binding URL" field for SAML clients lacking LogoutRequest support, that client is now "polluted" and must be deleted and recreated before GLO will work! Subsequently blanking the field would result in Keycloak throwing NPEs. I cannot speak to whether this behaviour is present in more recent versions of Keycloak.


Hope that helps,

-John Bartko


[1] https://gitlab.com/gitlab-org/gitlab-ce/issues/25854

[2] https://issues.jboss.org/browse/KEYCLOAK-3476

[3] https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html#_logout_endpoint

________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Сергей Галюзин <galserg at gmail.com>
Sent: Wednesday, July 5, 2017 11:17:43 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] saml logout

Hi all!

I am trying to use Keycloak as the IdP for GitLab via the SAML protocol.
Authentication works well,
but I can't configure the integration with the logout service.
GitLab can redirect the user after logout to a customizable URL.
If it redirects to the main SAML entry point (root/realms/{realm}/protocol/saml/),
I see the error "invalid request".
If I type anything into the field "Logout Service POST Binding URL" and
redirect to this URL, I see a 404 error or a blank screen.
In the documentation this service is practically not described.

Is there a standard entry point for the logout service (like the standard SSO point
root/realms/{realm}/protocol/saml/clients/{url name})?
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
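As an added illustration of the point in John Bartko's reply (that global logout needs the SP to process LogoutRequest messages, which GitLab apparently could not do), here is what an SP-side single-logout handler for the SAML HTTP-Redirect binding looks like. This is example code written for this page, not code from the thread, from GitLab or from Keycloak. The hostnames, entity IDs, the endpoint URLs and the sample LogoutRequest are constructed placeholders, and verification of the request's signature is deliberately left out and marked in a comment.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespaces from the SAML 2.0 protocol and assertion schemas.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of the LogoutRequest an IdP sends to an SP's single-logout
# endpoint. Issuer, Destination, NameID and SessionIndex are placeholders.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="ID_example-request-1" Version="2.0" IssueInstant="2017-07-05T15:17:43Z" '
    'Destination="https://sp.example.com/saml/logout">'
    '<saml:Issuer>https://idp.example.com/auth/realms/demo</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>'
    '<samlp:SessionIndex>session-example-1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def redirect_encode(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(b64_text):
    """Inverse of redirect_encode: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(b64_text), -15).decode("utf-8")


def parse_logout_request(xml_text):
    """Extract the fields an SP needs in order to act on a LogoutRequest."""
    # Production code should parse IdP input with defusedxml; the stdlib parser
    # is used here only to keep the example dependency-free.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:NameID", NS)
    if issuer is None or name_id is None:
        raise ValueError("LogoutRequest lacks Issuer or NameID")
    session_index = root.find("samlp:SessionIndex", NS)
    return {
        "id": root.attrib["ID"],
        "destination": root.attrib.get("Destination"),
        "issuer": issuer.text,
        "name_id": name_id.text,
        "session_index": None if session_index is None else session_index.text,
    }


def build_logout_response(in_response_to, sp_entity_id, destination, status=STATUS_SUCCESS):
    """Build the LogoutResponse the SP returns to the IdP, correlated via InResponseTo."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element("{%s}LogoutResponse" % NS["samlp"], {
        "ID": "ID_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": destination,
        "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    status_el = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status_el, "{%s}StatusCode" % NS["samlp"], {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def handle_logout_request(saml_request_b64, expected_issuer, my_slo_url,
                          sp_entity_id, idp_slo_url, relay_state=None):
    """SP single-logout handler for ?SAMLRequest=... on the HTTP-Redirect binding.

    Returns (name_id whose local session must be destroyed, redirect URL carrying
    the LogoutResponse back to the IdP). The caller ends the local session.
    """
    req = parse_logout_request(redirect_decode(saml_request_b64))
    # Omitted on purpose: verifying the SigAlg/Signature query parameters against
    # the IdP's certificate. A real SP must do that before acting on the request.
    if req["issuer"] != expected_issuer:
        raise ValueError("unexpected issuer %r" % req["issuer"])
    if req["destination"] not in (None, my_slo_url):
        raise ValueError("Destination %r is not this endpoint" % req["destination"])
    response_xml = build_logout_response(req["id"], sp_entity_id, idp_slo_url)
    params = {"SAMLResponse": redirect_encode(response_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return req["name_id"], idp_slo_url + "?" + urlencode(params)
```

The issuer and Destination checks are what keep a third party from driving logouts through the endpoint with a forged request; with signature verification added, this is the minimum an SP needs before it can participate in IdP-initiated global logout rather than relying on a post-logout redirect.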

