[keycloak-dev] mod_auth_mellon

Hi, I'm trying to run apache + mod_auth_mellon with keycloak as indentity provider. Steps: 1. Install apache and mod_auth_mellon module 2. Generate .key, .cert, .xml files with mellon_create_metadata.sh and copy them to /mellon directory 3. Download idp_metadata.xml from keycloak/auth/realm/{REALM}/protocol/saml/descriptor and copy it to /mellon directory 4. Configure auth_mod_mellon with enclosed file auth_mellon.conf 5. Create client in keycloak from xml file generated in step 2 (There must be enabled Sign Documents, Sign Assertions signing and Force POST Binding) Login works, when I access /auth, mellon redirect me to keycloak and after successful login it redirect me back to protected resource. Problem: I'm not able to logout. When I access localhost/mellon/logout?ReturnTo=/, it doesn't destroy session in keycloak and in apache's error log there is: Current identity provider does not support single logout. Destroying local session only. Only way I was able to log out is change <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/> to <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/auth/realms/mellon-test/protocol/saml"/> POST -> Redirect in idp_metadata.xml and set "Logout Service Redirect Binding URL" to http://localhost/mellon/logout in admin console. Is it correct or it should work with POST binding too? Thank you, Michal.