[keycloak-user] Logout in broker mode doesn't propagate session's termination

Bill Burke bburke at redhat.com
Tue Mar 7 08:57:04 EST 2017


How exactly are you killing sessions?  Through the admin console?  Can 
you specify exactly what operations you are performing?

For SAML and OIDC there is a logout URL you have to specify. There's 
also a "Backchannel Logout" supported switch that has to be true.


On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
> I was testing single logout in broker mode and came around this logical,
> but not exactly desirable behaviour, when session on the broker and session
> on the external IdP states are not linked between the IdPs.
>
> My setup is broker SAML example provided with Keycloak, but instead of an
> actual application I log in to the broker using "/account" url. Should be
> all the same, since it's just another web-app, protected by this realm.
>
> The behaviour is as follows:
> If I kill a session on the external Keycloak IdP, the user is not logged
> out. I assume since local session is alive and well the token is not being
> revoked.
>
> If I kill a session on the broker Keycloak, upon hitting F5 user is
> redirected to the broker login page, but when I press external IdP login
> button, he's logged right back with no credentials asked. I guess since the
> session between 2 IdPs is still up, broker thinks this user is already
> authenticated.
>
> I tested both OIDC and SAML, tried different backchannel/frontchannel
> toggles in the UI of both broker and external IdP, but this had no visible
> effect.
>
> Can you please clarify if the behaviour observed is expected and normal, or
> did I miss some configuration steps?