[keycloak-user] Problems logging out using JEE to keycloak to SAML (ADFS)

Jason Spittel jasonspittel at yahoo.com
Thu Jun 29 13:27:58 EDT 2017


Hello,
I'm having difficulty completing a logout. 
SETUP: JEE webapp to keycloak to IdP (ADFS (SAML))
WORKFLOW:
 1) On logout in the webapp: externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true");
 2) User is sent to ADFS letting them know they have successfully logged out.
 3) However, there is still a keycloak user session alive (seen in the admin console).
 4) Hitting a protected resource in the webapp lets the user in without having to log back in.
Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262
    String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
    if (brokerId != null) {
        IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
        Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
        if (response != null) return response;
    }
    return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session. But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly?
Thanks, 
Jason
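The symptom in step 3 above (the IdP reports a successful logout while a Keycloak user session for the same user is still listed) can be confirmed from a script instead of the admin console. The following is an added example, not code from the post or from the Keycloak project: it queries the Keycloak admin REST API for a user's sessions and flags any that started before the logout. The base URL, realm, user name and admin credentials are placeholders, the endpoint paths and the session fields (id, start, clients) are assumptions about the admin API, and the sample session list is constructed so the offline part runs without a server.

```python
"""Check whether a Keycloak user still has live user sessions after a logout.

Added example (not from the mailing-list post or the Keycloak project).
Assumed admin REST endpoints (base URL is a placeholder, e.g. .../auth):
  POST {base}/realms/master/protocol/openid-connect/token      (admin-cli token)
  GET  {base}/admin/realms/{realm}/users?username=<name>
  GET  {base}/admin/realms/{realm}/users/{id}/sessions
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def lingering_sessions(sessions, logout_time_ms):
    """Return sessions that began before the logout and are still listed.

    `sessions` is the list returned by the /users/{id}/sessions endpoint
    (assumed fields: id, start in epoch milliseconds, clients). Any session
    returned here survived the IdP logout, which is the problem in the post.
    """
    return [s for s in sessions if s.get("start", 0) < logout_time_ms]


def describe(session):
    """One-line human summary of a session record (assumed field names)."""
    start = datetime.fromtimestamp(session["start"] / 1000, tz=timezone.utc)
    clients = ", ".join(session.get("clients", {}).values()) or "-"
    return f"{session['id']} started {start.isoformat()} clients={clients}"


def _get_json(url, token=None, data=None):
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def admin_token(base, admin_user, admin_password):
    """Obtain an admin access token via the admin-cli password grant (assumed)."""
    body = urllib.parse.urlencode({
        "client_id": "admin-cli", "grant_type": "password",
        "username": admin_user, "password": admin_password,
    }).encode()
    url = f"{base}/realms/master/protocol/openid-connect/token"
    return _get_json(url, data=body)["access_token"]


def fetch_user_sessions(base, token, realm, username):
    """Look up the user by exact name and return its session list (live call)."""
    users = _get_json(f"{base}/admin/realms/{realm}/users?username="
                      f"{urllib.parse.quote(username)}", token)
    # The username filter is a substring search, so pick the exact match.
    match = [u for u in users if u.get("username") == username]
    if not match:
        return []
    return _get_json(f"{base}/admin/realms/{realm}/users/{match[0]['id']}/sessions",
                     token)


# Constructed sample: one session from before the logout, one fresh login after.
LOGOUT_MS = 1_498_757_278_000
SAMPLE_SESSIONS = [
    {"id": "sess-a", "start": 1_498_755_000_000, "clients": {"c1": "webapp"}},
    {"id": "sess-b", "start": 1_498_758_000_000, "clients": {"c1": "webapp"}},
]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for s in lingering_sessions(SAMPLE_SESSIONS, LOGOUT_MS):
        print("still alive after logout:", describe(s))
    # Live check against a real server (placeholders, uncomment to use):
    # tok = admin_token("https://KEYCLOAK_HOST/auth", "ADMIN", "PASSWORD")
    # live = fetch_user_sessions("https://KEYCLOAK_HOST/auth", tok, "REALM", "jason")
    # for s in lingering_sessions(live, LOGOUT_MS): print(describe(s))
```

Run it right after the ADFS "logged out" page is shown, with LOGOUT_MS set to the logout time; any session printed is one that finishBrowserLogout never reached.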

