How exactly are you killing sessions? Through the admin console? Can
you specify exactly what operations you are performing?
For SAML and OIDC there is a logout URL you have to specify. There's
also a "Backchannel Logout" supported switch that has to be true.
On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
I was testing single logout in broker mode and came around this logical,
but not exactly desirable behaviour, when session on the broker and session
on the external IdP states are not linked between the IdPs.
My setup is the broker SAML example provided with Keycloak, but instead of an
actual application I log in to the broker using the "/account" URL. Should be
all the same, since it's just another web app protected by this realm.
The behaviour is as follows:
If I kill a session on the external Keycloak IdP, the user is not logged
out. I assume since the local session is alive and well the token is not being
revoked.
If I kill a session on the broker Keycloak, upon hitting F5 the user is
redirected to the broker login page, but when I press the external IdP login
button, he's logged right back in with no credentials asked. I guess since the
session between the 2 IdPs is still up, the broker thinks this user is already
authenticated.
I tested both OIDC and SAML, tried different backchannel/frontchannel
toggles in the UI of both broker and external IdP, but this had no visible
effect.
Can you please clarify if the behaviour observed is expected and normal, or
did I miss some configuration steps?
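The two settings named in the reply (a logout URL on the identity provider and the "Backchannel Logout" switch) can be checked across every brokered IdP in a realm export. This is an added example, not part of the thread or of Keycloak's code; the sample realm, aliases and URLs are constructed, and the config key names (`logoutUrl`, `singleLogoutServiceUrl`, `backchannelSupported`) are assumptions about the export format that should be confirmed against your own export.

```python
import json

# Constructed sample in the shape of a Keycloak realm export; aliases, URLs
# and the config key names used here are assumptions, not taken from the thread.
SAMPLE_REALM = json.loads("""
{
  "realm": "broker-realm",
  "identityProviders": [
    {"alias": "ext-oidc", "providerId": "keycloak-oidc",
     "config": {"logoutUrl": "https://idp.example.test/logout",
                "backchannelSupported": "true"}},
    {"alias": "ext-oidc-nologout", "providerId": "oidc",
     "config": {"backchannelSupported": "true"}},
    {"alias": "ext-saml", "providerId": "saml",
     "config": {"singleLogoutServiceUrl": "https://idp.example.test/saml",
                "backchannelSupported": "false"}}
  ]
}
""")

# Config key that carries the logout URL, per provider type (assumed names).
LOGOUT_URL_KEY = {
    "oidc": "logoutUrl",
    "keycloak-oidc": "logoutUrl",
    "saml": "singleLogoutServiceUrl",
}


def audit_broker_logout(realm):
    """Return {alias: [problems]} for brokered IdPs with incomplete logout settings."""
    findings = {}
    for idp in realm.get("identityProviders", []):
        url_key = LOGOUT_URL_KEY.get(idp.get("providerId"))
        if url_key is None:
            continue  # social or custom provider: outside this check
        config = idp.get("config") or {}
        problems = []
        if not (config.get(url_key) or "").strip():
            problems.append(f"missing {url_key}")
        # Export files store booleans as strings, so compare case-insensitively.
        if str(config.get("backchannelSupported", "false")).lower() != "true":
            problems.append("backchannelSupported is not true")
        if problems:
            findings[idp.get("alias", "<no alias>")] = problems
    return findings


if __name__ == "__main__":
    for alias, problems in audit_broker_logout(SAMPLE_REALM).items():
        print(f"{alias}: {', '.join(problems)}")
```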