Hello Pedro,
When configuring Keycloak to use an external IDP, I’m not finding any documentation
regarding logout. Logout is happening at our IDP, however the session and token generated
by Keycloak are remaining active.
We’ve also manually terminated the session (Logout all) and revoked all (Revocation tab)
but the session is still active.
Thanks,
Mitchell
From: Mitchell S Bowers
Sent: Monday, July 22, 2019 11:15 AM
To: Pedro Igor Silva <psilva(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider
Hello Pedro,
Thank you for the prompt response. As for your statement below:
IIRC, if the logout is starting at the brokered IdP, it should send a logout request to
Keycloak including the initiating_idp parameter. I would check if the brokered IdP is at
least sending a request to Keycloak.
We’ve configured the logout URL (from our brokered IdP) with our Keycloak client. When
tracing the request on logout, it’s making a POST call to Keycloak for a refresh token
(not sure why). Then doing a GET logout call to Keycloak
(https://keycloak.sandbox.adf.kp.org/auth/realms/master/protocol/openid-co...),
then making a GET call to the brokered IdP (Ping).
Thanks
From: Pedro Igor Silva <psilva@redhat.com>
Sent: Monday, July 22, 2019 9:48 AM
To: Mitchell S Bowers <Mitchell.S.Bowers@kp.org>
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider
On Mon, Jul 22, 2019 at 1:19 PM Mitchell S Bowers <Mitchell.S.Bowers@kp.org> wrote:
Hello Pedro,
I don’t have any error logs to share but let me explain further. After configuring Ping as
the OIDC provider, we would be routed to Ping for authentication. After successfully
authenticating, we’d be sent back to the application (Keycloak) with the ID token and
Access token. After decoding the JWT, we see that the issuer had changed to Keycloak. So
not sure if Keycloak issues its own token after receiving the one from Ping.
It does. But you should still be able to obtain the original tokens as per
https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-id...
The other issue is around session management. When invoking logout at our OIDC provider,
the session remains active (even after closing the browser). We see the logout happening
at our OIDC provider (Ping) but when the user navigates back to the app (Keycloak), they
are not challenged. Is there a setting for invalidating the session on logout in
Keycloak?
IIRC, if the logout is starting at the brokered IdP, it should send a logout request to
Keycloak including the initiating_idp parameter. I would check if the brokered IdP is at
least sending a request to Keycloak.
Regards.
Thanks,
Mitchell
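Two checks that follow from the exchange above, written as an added example (not code from the thread, Keycloak or Ping): confirm from the `iss` claim that the token the application holds was re-issued by the Keycloak realm rather than by Ping, and, after an IdP-initiated logout has been sent to Keycloak's logout endpoint with `initiating_idp`, introspect the access token to see whether the Keycloak session really ended. The `/auth` context path, the realm name, the IdP alias and the sample hostnames are assumptions; the sample JWT is constructed and unsigned, so it is only inspected, never trusted.

```python
import base64
import json
import urllib.parse
import urllib.request


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (alg "none", empty signature) carrying only the claims we inspect.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none"}).encode()),
    _b64url(json.dumps({"iss": "https://keycloak.example.test/auth/realms/master",
                        "sub": "demo-user"}).encode()),
    "",
])


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: fine for looking at `iss`,
    never a basis for trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_by_keycloak(token: str, realm_issuer: str) -> bool:
    """True when `iss` is the Keycloak realm, i.e. the broker re-issued the token
    (the behaviour Pedro confirms); the original Ping token is a separate artifact."""
    return jwt_payload(token).get("iss") == realm_issuer


def idp_initiated_logout_url(base_url: str, realm: str, idp_alias: str) -> str:
    """Keycloak's OIDC logout endpoint with `initiating_idp`, the parameter the brokered
    IdP should send when it starts the logout (assumed /auth context path)."""
    query = urllib.parse.urlencode({"initiating_idp": idp_alias})
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/logout?{query}"


def session_survived_logout(introspection: dict) -> bool:
    """RFC 7662 introspection result: `active` still true means Keycloak did not end the session."""
    return bool(introspection.get("active", False))


def introspect(base_url: str, realm: str, client_id: str, client_secret: str, token: str) -> dict:
    """POST the token to the realm's introspection endpoint as a confidential client."""
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token/introspect"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=urllib.parse.urlencode({"token": token}).encode(),
                                 method="POST", headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())
```

Run the logout in the browser, then pass the access token captured beforehand to `introspect()`; `session_survived_logout()` returning True reproduces the symptom in the thread and points at the logout request from the IdP never reaching Keycloak.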
From: Pedro Igor Silva <psilva@redhat.com>
Sent: Monday, July 22, 2019 8:08 AM
To: Mitchell S Bowers <Mitchell.S.Bowers@kp.org>
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider
Hi,
I have never configured PingIdentity as a broker before, but the configuration steps
should be the same. Could you provide more details about the issues you are facing? Any
specific error in logs?
On Fri, Jul 19, 2019 at 8:14 PM Mitchell S Bowers <Mitchell.S.Bowers@kp.org> wrote:
Hello,
Is there any documentation on configuring Keycloak to use Ping as an external OIDC
provider? I've used the documentation provided for Okta, which should be essentially
the same.
However, we are experiencing issues (specifically token issuance and logout). Any info
would be greatly appreciated.
https://ultimatesecurity.pro/post/okta-oidc/
Thanks - Mitchell
NOTICE TO RECIPIENT: If you are not the intended recipient of this e-mail, you are
prohibited from sharing, copying, or otherwise using or disclosing its contents. If you
have received this e-mail in error, please notify the sender immediately by reply e-mail
and permanently delete this e-mail and any attachments without reading, forwarding or
saving them. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user