Hello!
I'm using pac4j + Spring Security + Keycloak as an IdP + SAML as the SSO
protocol.
I have a question about how to handle session timeout correctly in the
following scenario.
SCENARIO:
Let's have 2 web applications (WebApp1, WebApp2)
Let WebApp2 have some small session timeout (for easiness of testing, e.g.
1 minute)
Log in to WebApp1
Open WebApp2 in another tab of the same browser (so the user will be
authenticated automatically through keycloak)
Close the tab with WebApp2
Wait until the session of WebApp2 expires
Try to log out from WebApp1
EXPECTED:
Single Logout works
ACTUALLY:
We are logged in to WebApp1 again
Reason:
We get redirected to the IdP, then to WebApp2. Inside WebApp2 the
security library cannot load the SSO-related information because it no
longer exists in the session (the session has expired).
So the Single Logout procedure fails and we are still logged in.
Does Keycloak have any support for this kind of scenario? Can any
workarounds be applied? It does not look like a very rare situation, since
the user may simply close the browser tab.
Thanks in advance for help!
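The following is an added example written for this thread; it is not pac4j, Spring Security or Keycloak code and not the poster's configuration. It models the SP side of the IdP-initiated SAML 2.0 LogoutRequest that WebApp2 receives in the scenario above, and contrasts a handler that expects SSO state in the caller's HTTP session (the failure described in the post) with one that keys off the SessionIndex carried in the request and answers Success when that index is unknown. The entity IDs, URLs, SessionIndex value and the LogoutRequest itself are constructed; signature verification and binding details are assumed to happen before this logic and are not shown.

```python
"""Constructed model of an SP handling an IdP-initiated SAML 2.0 LogoutRequest.
Not pac4j, Spring Security or Keycloak code; all URLs and identifiers are made up."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://webapp2.example.test/saml/metadata"          # assumed
IDP_ENTITY_ID = "https://idp.example.test/realms/demo"               # assumed
IDP_SLO_URL = "https://idp.example.test/realms/demo/protocol/saml"   # assumed

# Constructed LogoutRequest as the IdP would send it to WebApp2 during SLO.
# The signature is omitted here; real code verifies it before anything else.
SAMPLE_LOGOUT_REQUEST = b"""<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://webapp2.example.test/saml/slo">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
  <samlp:SessionIndex>idx-webapp2-0001</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionNotFound(Exception):
    """Raised by the fragile handler when the SSO state it relies on is gone."""


def parse_logout_request(xml_bytes):
    """Return (request ID, issuer, list of SessionIndex values)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    indexes = [e.text for e in root.findall("samlp:SessionIndex", namespaces=NS)]
    return root.attrib["ID"], root.findtext("saml:Issuer", namespaces=NS), indexes


def build_logout_response(in_response_to, status):
    """Serialize a LogoutResponse addressed to the IdP's SLO endpoint."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    resp = ET.Element("{%s}LogoutResponse" % NS["samlp"], {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SLO_URL, "InResponseTo": in_response_to})
    ET.SubElement(resp, "{%s}Issuer" % NS["saml"]).text = SP_ENTITY_ID
    status_el = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status_el, "{%s}StatusCode" % NS["samlp"], Value=status)
    return ET.tostring(resp)


def parse_logout_response(xml_bytes):
    """Return (InResponseTo, StatusCode Value), i.e. what the IdP checks."""
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", namespaces=NS)
    return root.attrib["InResponseTo"], code.attrib["Value"]


def handle_logout_fragile(xml_bytes, http_session):
    """The behaviour described in the post: SSO state is expected in the caller's
    HTTP session, so once that session has timed out there is nothing to act on
    and the IdP never gets a LogoutResponse from this SP."""
    if "saml_session_index" not in http_session:
        raise SessionNotFound("SSO state not in HTTP session (expired?)")
    req_id, _, _ = parse_logout_request(xml_bytes)
    http_session.clear()
    return build_logout_response(req_id, STATUS_SUCCESS)


def handle_logout_robust(xml_bytes, sessions_by_index):
    """Hardened handler: the SessionIndex travels in the request, so look it up in
    a server-side store keyed by SessionIndex instead of in the HTTP session.
    An unknown index means the local session already ended (timeout, closed tab),
    so the principal is logged out here; answer Success and let the IdP continue
    the logout chain. Returns (number of sessions terminated, LogoutResponse)."""
    req_id, issuer, indexes = parse_logout_request(xml_bytes)
    if issuer != IDP_ENTITY_ID:
        raise ValueError("LogoutRequest from unexpected issuer: %r" % issuer)
    terminated = sum(1 for idx in indexes
                     if sessions_by_index.pop(idx, None) is not None)
    return terminated, build_logout_response(req_id, STATUS_SUCCESS)


if __name__ == "__main__":
    store = {"idx-webapp2-0001": {"user": "alice"}}
    print(handle_logout_robust(SAMPLE_LOGOUT_REQUEST, store))   # session found
    print(handle_logout_robust(SAMPLE_LOGOUT_REQUEST, {}))      # already expired
```

Whatever library implements the SLO endpoint, the check to make is the same one the robust handler models: the endpoint must be reachable by a browser that no longer has a valid local session, must read the SessionIndex from the LogoutRequest rather than from session-bound state, and must answer the IdP with a LogoutResponse instead of redirecting to login.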