Stian, I have upgraded to Keycloak 2.5.4 but unfortunately I still have the problem. I see in mod_auth_openidc logs the following: [Sun Mar 12 11:40:24 2017] [debug] src/mod_auth_openidc.c(1556): [client clientIP] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe (https://localhost/auth/ realms/comp-realm/protocol/openid-connect/login-status-iframe.html) is not provided, referer: https://server_ip/auth/realms/ comp-realm/protocol/openid-connect/auth?response_type= code&scope=openid&client_id=httpd_server_ip&state= 8DpklUhcfpymZa89Dj0s7KNG9Xo&redirect_uri=https%3A%2F% 2Fserver_ip%2Fprotected%2Fredirect_uri&nonce= YxVGddiIoSvZtfxftxgKUQzZICfDsU1x7T5hCLhPpPk On Mon, Feb 6, 2017 at 9:33 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: > It was fixed as part of https://issues.jboss.org/browse/KEYCLOAK-4338. > > On 3 February 2017 at 17:37, Known Michael <known.michael(a)gmail.com&gt; > wrote: > >> Stian, >> Do you have open issues? >> >> >> On Fri, Feb 3, 2017 at 10:47 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; >> wrote: >> >>> There's some fixes to the RP iframe coming in 2.5.4 which will be out >>> in a week or two. There was an issue with it expecting a "session_state" >>> value that wasn't equal to the value from the tokens. >>> >>> You can try building master if you'd like to try it out in advance. >>> >>> On 1 February 2017 at 16:59, Known Michael <known.michael(a)gmail.com&gt; >>> wrote: >>> >>>> Hey, >>>> >>>> I use mod_auth_openidc version "2.1.2", Keycloak version “2.4.0” >>>> >>>> I was not able to implement the session management using OP and RP >>>> frames >>>> as described here: >>>> >>>> https://github.com/pingidentity/mod_auth_openidc/wiki/Sessio >>>> n-Management >>>> >>>> I see in mod_auth_openidc logs the following: >>>> >>>> [Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): >>>> [client >>>> 192.168.111.33] oidc_save_in_session: session management disabled: >>>> session_state ((null)) and/or check_session_iframe ( >>>> https://localhost/auth/realms/realm/protocol/openid-connect/ >>>> login-status-iframe.html) >>>> is not provided, referer: >>>> https://192.168.110.2/auth/realms/realm/protocol/openid-conn >>>> ect/auth?response_type=code&scope=openid&client_id=httpd_192 >>>> .168.110.2&state=i1YQ39FbBLSCTRyIgEN-F9CdDH4&redirect_uri=ht >>>> tps%3A%2F%2F192.168.110.2%2Fprotected%2Fredirect_uri&nonce=0 >>>> VJ7AO-QBaxVaUBL9goen7muN4Oka1dP_1iPEQ43o-M >>>> >>>> It looks like the session management is disabled because the Provider >>>> did >>>> not return a session_state parameter in the authentication response >>>> (which >>>> in its turn can be verified via the referer URL in the same log entry) >>>> as >>>> the spec dictates: >>>> https://openid.net/specs/openid-connect-session-1_0.html#Cre >>>> atingUpdatingSessions >>>> >>>> How should I configure explicitly enable session management in >>>> Keycloak? >>>> It should starts returning session_state in the authentication >>>> responses. >>>> >>>> I see that it is implemented already >>>> https://issues.jboss.org/browse/KEYCLOAK-451 but probably I miss >>>> something. >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >