[keycloak-user] Logout in broker mode doesn't propagate session's termination

Dmitry Korchemkin moon3854 at gmail.com
Tue Mar 7 06:33:34 EST 2017


I was testing single logout in broker mode and came across this logical,
but not exactly desirable behaviour, where the session on the broker and the
session on the external IdP are not linked between the two IdPs.

My setup is the broker SAML example provided with Keycloak, but instead of an
actual application I log in to the broker using the "/account" URL. It should
be all the same, since it's just another web app protected by this realm.

The behaviour is as follows:
If I kill a session on the external Keycloak IdP, the user is not logged
out. I assume that since the local session is alive and well, the token is not
being revoked.

If I kill a session on the broker Keycloak, upon hitting F5 the user is
redirected to the broker login page, but when I press the external IdP login
button, he's logged right back in with no credentials asked. I guess that since
the session between the two IdPs is still up, the broker thinks this user is
already authenticated.

I tested both OIDC and SAML, and tried different backchannel/frontchannel
toggles in the UI of both the broker and the external IdP, but this had no
visible effect.

Can you please clarify whether the behaviour observed is expected and normal, or
did I miss some configuration steps?
