1) Most likely Keycloak cannot execute the 3rd-party logout without browser
interaction when the 3rd-party IdP does not support backchannel logout,
right?
So the HttpServletRequest.logout() documentation should be extended to mention
this limitation.
That's why the redirect solution works.
3) Why is the Spring Security adapter exposing the '/sso/logout' endpoint as a
logout handler? Is it a third 'unofficial' way to log out?
It looks like it does a little bit less than HttpServletRequest.logout(),
because HttpServletRequest.logout() also
invokes SecurityContextLogoutHandler after KeycloakLogoutHandler
(while /sso/logout directly invokes KeycloakLogoutHandler).
On Fri, May 17, 2019 at 10:46 AM Leonid Rozenblyum <lrozenblyum(a)gmail.com> wrote:

> Hello!
> I'm working on Single Logout in Identity broker mode.
> App -> Keycloak (OpenID Connect)
> Keycloak -> 3rd party (SAML)
> The Keycloak documentation states that there are 2 ways to execute logout.
> 1) HttpServletRequest.logout().
> 2) Redirect the browser to
> http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...
> If I execute 2) it indeed causes Keycloak to send a SAML Logout request to the
> 3rd-party IdP.
> However, if I execute 1) the SAML logout request is not sent, thus the 3rd-party
> session is still valid.
> (I see that by enabling trace logging in Keycloak and by the fact that the user is
> still logged in.)
> Is it something by design/misconfiguration on my side or a bug?
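The following Spring Security configuration is an added example, not code from the thread or from the Keycloak project. It wires the two logout paths the thread compares: the local handlers that HttpServletRequest.logout() runs (KeycloakLogoutHandler, then SecurityContextLogoutHandler) and, on success, a browser redirect to Keycloak's end-session endpoint so that the broker can run its own front-channel SAML logout with the third-party IdP. The auth-server base URL, realm name, post-logout URL, the `redirect_uri` query parameter and the way the KeycloakLogoutHandler instance is obtained are assumptions for the example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

/**
 * Example (not the project's own code): local logout followed by a redirect
 * to Keycloak, so that brokered (SAML) sessions are terminated as well.
 */
public class BrokeredLogoutConfig {

    // Assumed values for the example; replace with the real deployment's settings.
    private static final String AUTH_SERVER_BASE = "https://auth-server.example/auth";
    private static final String REALM = "my-realm";
    private static final String POST_LOGOUT_URL = "https://app.example/";

    // Assumed to be supplied by the adapter's security configuration.
    private final KeycloakLogoutHandler keycloakLogoutHandler;

    public BrokeredLogoutConfig(KeycloakLogoutHandler keycloakLogoutHandler) {
        this.keycloakLogoutHandler = keycloakLogoutHandler;
    }

    public void configureLogout(HttpSecurity http) throws Exception {
        http.logout()
            .logoutUrl("/logout")
            // Same order the thread describes for HttpServletRequest.logout():
            // Keycloak-side handler first, then clearing the local security context.
            .addLogoutHandler(keycloakLogoutHandler)
            .addLogoutHandler(new SecurityContextLogoutHandler())
            // The local handlers alone do not reach the third-party IdP; the
            // redirect lets Keycloak drive the brokered logout through the browser.
            .logoutSuccessHandler(new KeycloakEndSessionRedirect());
    }

    /** Builds the Keycloak end-session URL and sends the browser there. */
    static final class KeycloakEndSessionRedirect implements LogoutSuccessHandler {
        @Override
        public void onLogoutSuccess(HttpServletRequest request,
                                    HttpServletResponse response,
                                    Authentication authentication) throws IOException {
            response.sendRedirect(endSessionUrl(AUTH_SERVER_BASE, REALM, POST_LOGOUT_URL));
        }
    }

    /** Assumed endpoint shape and query parameter; the post-logout URL is encoded. */
    static String endSessionUrl(String authServerBase, String realm, String postLogoutUrl)
            throws IOException {
        return authServerBase + "/realms/" + realm + "/protocol/openid-connect/logout"
            + "?redirect_uri=" + URLEncoder.encode(postLogoutUrl, StandardCharsets.UTF_8.name());
    }
}
```

The post-logout URL must be one Keycloak is configured to accept for the client; otherwise the redirect is rejected and the browser never completes the brokered logout.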