I'm killing sessions using Keycloak's admin console GUI, namely the Sessions tab, where I can either kill a session or send a revocation message.
I've tried setting up the Single Log Out URLs the way the examples suggest, i.e. for SAML it is set to "http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml", as specified in the XML descriptor. Same with backchannel logout: switching it on or off seems to do nothing in this case.
2017-03-07 21:51 GMT+03:00 <keycloak-user-request(a)lists.jboss.org>:
Date: Tue, 7 Mar 2017 08:57:04 -0500
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Logout in broker mode doesn't propagate session's termination
To: keycloak-user(a)lists.jboss.org
Message-ID: <dabc3430-e5ed-e834-6f87-dd711b341117(a)redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
How exactly are you killing sessions? Through the admin console? Can you specify exactly what operations you are performing?
For SAML and OIDC there is a logout URL you have to specify. There's also a "Backchannel Logout" supported switch that has to be true.
On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
> I was testing single logout in broker mode and came around this logical, but not exactly desirable, behaviour, where the session on the broker and the session on the external IdP are not linked between the IdPs.
>
> My setup is the broker SAML example provided with Keycloak, but instead of an actual application I log in to the broker using the "/account" URL. It should be all the same, since it's just another web app protected by this realm.
>
> The behaviour is as follows:
> If I kill a session on the external Keycloak IdP, the user is not logged out. I assume that since the local session is alive and well, the token is not being revoked.
>
> If I kill a session on the broker Keycloak, upon hitting F5 the user is redirected to the broker login page, but when I press the external IdP login button, he's logged right back in with no credentials asked. I guess that since the session between the two IdPs is still up, the broker thinks this user is already authenticated.
>
> I tested both OIDC and SAML, and tried different backchannel/frontchannel toggles in the UI of both the broker and the external IdP, but this had no visible effect.
>
> Can you please clarify whether the behaviour observed is expected and normal, or did I miss some configuration steps?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user