Hello Pedro,
I don’t have any error logs to share but let me explain further. After configuring Ping as
the OIDC provider, we would be routed to Ping for authentication. After successfully
authenticating, we’d be sent back to the application (Keycloak) with the ID token and
Access token. After decoding the JWT, we see that the issuer had changed to Keycloak. So
not sure if Keycloak issues its own token after receiving the one from Ping.
The other issue is around session management. When invoking logout at our OIDC provider,
the session remains active (even after closing the browser). We see the logout happening
at our OIDC provider (Ping) but when the user navigates back to the app (Keycloak), they
are not challenged. Is there a setting for invalidating the session on logout in
Keycloak?
Thanks,
Mitchell
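
The issuer check described in the message above, as an added example that is not part of the original e-mail or of Keycloak or Ping: it decodes a JWT payload without verifying the signature and reports whether the `iss` claim matches the broker or the upstream provider. Both issuer URLs and the sample tokens are constructed placeholders.

```python
import base64
import json

# Constructed issuer URLs (assumptions, not values from the thread).
BROKER_ISSUER = "https://keycloak.example.test/auth/realms/demo"
UPSTREAM_ISSUER = "https://ping.example.test"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> dict:
    """Return the JWT payload WITHOUT checking the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("payload segment is not base64url-encoded JSON") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def who_issued(token: str, broker: str = BROKER_ISSUER,
               upstream: str = UPSTREAM_ISSUER) -> str:
    """Classify a token by exact string match on its iss claim."""
    iss = decode_unverified(token).get("iss")
    if iss == broker:
        return "broker"
    if iss == upstream:
        return "upstream"
    return "unknown"


def make_sample(claims: dict) -> str:
    """Build a constructed token with a dummy signature, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    for iss in (BROKER_ISSUER, UPSTREAM_ISSUER):
        print(iss, "->", who_issued(make_sample({"iss": iss, "sub": "constructed-user"})))
```

Decoding this way is for inspection only; a relying party still has to validate the signature against the keys of whichever issuer it trusts.
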
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Monday, July 22, 2019 8:08 AM
To: Mitchell S Bowers <Mitchell.S.Bowers(a)kp.org>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider
Hi,
I have never configured PingIdentity as a broker before, but the configuration steps
should be the same. Could you provide more details about the issues you are facing? Any
specific error in logs?
On Fri, Jul 19, 2019 at 8:14 PM Mitchell S Bowers
<Mitchell.S.Bowers@kp.org> wrote:
Hello,
Is there any documentation on configuring Keycloak to use Ping as an external OIDC
provider? I've used the documentation provided for Okta, which should be essentially
the same.
However, we are experiencing issues (specifically token issuance and logout). Any info
would be greatly appreciated.
https://ultimatesecurity.pro/post/okta-oidc/
Thanks - Mitchell