[keycloak-user] Logout in broker mode doesn't propagate session's termination

Dmitry Korchemkin moon3854 at gmail.com
Thu Mar 9 04:39:43 EST 2017 

I'm killing sessions using keycloak's admin console GUI, namely Session
tab, where i can either kill a session or send a Revocation message.

I've tried setting up Single Log Out URL's the way examples suggest, i.e.
for SAML it is set to "
http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml", as
specified in xml descriptor. Same with backchannel logout, switching it on
or off seems to do nothing in this case.

2017-03-07 21:51 GMT+03:00 <keycloak-user-request at lists.jboss.org>:

>
> Date: Tue, 7 Mar 2017 08:57:04 -0500
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] Logout in broker mode doesn't propagate
>         session's termination
> To: keycloak-user at lists.jboss.org
> Message-ID: <dabc3430-e5ed-e834-6f87-dd711b341117 at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> How exactly are you killing sessions?  Through the admin console?  Can
> you specify exactly what operations you are performing.
>
> For SAML and OIDC there is a logout URL you have to specify. There's
> also a "Backchannel Logout" supported switch that has to be true.
>
>
> On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
> > I was testing single logout in broker mode and came around this logical,
> > but not exactly desirable behaviour, when session on the broker and
> session
> > on the external idp states are not linked between the idp's.
> >
> > My setup is broker saml example provided with keycloak, but instead of an
> > actual application i log in to the broker using "/account" url. Should be
> > all the same, since it's just another web-app, protected by this realm.
> >
> > The behaviour is as follows:
> > If i kill a session on the external keycloak idp, the user is not logged
> > out. I assume since local session is alive and well the token is not
> being
> > revoked.
> >
> > If i kill a session on the broker keycloak, upon hitting f5 user is
> > redirected to the broker login page, but when i press external idp login
> > button, he's logged right back with no credentials asked. I guess since
> the
> > session between 2 idp's is still up, broker thinks this user is already
> > authenticated.
> >
> > I tested both oidc and saml, tried different backchannel/frontchannel
> > toggles in the UI of both broker and external IDP, but this had no
> visible
> > effect.
> >
> > Can you please clarify if the behaviour observed is expected and normal,
> or
> > did i miss some configuration steps?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list