[keycloak-user] SAML Identity broker mode bypasses any authentication after logout

Pieter Lukasse pieter at thehyve.nl
Fri Sep 15 07:56:25 EDT 2017


Hi,

I have a spring-security based application that connects to keycloak via
SAML. Keycloak itself is configured to connect via SAML to another external
identity provider (so Keycloak is just the identity broker in this case).

When I logout from my web application by going to
https://<app_url>/saml/logout?local=false,
a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the
external IDP. There is *no* LogoutResponse. Strangely, when I try to access
my web application again, I am not asked to login and can access it as if
the session is still valid. No AuthnRequest is seen in this case.

What could be wrong? It seems that either the web application or
Keycloak is caching the session and not invalidating it upon a
LogoutRequest. Maybe someone can help shed some light on this.

Thanks,

Pieter



We empower scientists by building on open source software
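Added example (not from the thread, and not Keycloak or spring-security code): the SP-side behaviour the poster expects, an incoming LogoutRequest invalidating every matching local session by NameID/SessionIndex and a LogoutResponse being returned. The sample LogoutRequest, session store and hostnames are constructed for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: the LogoutRequest the broker sends to the SP.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_req123" Version="2.0" IssueInstant="2017-09-15T11:56:25Z">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:NameID>alice@example.test</saml:NameID>
  <samlp:SessionIndex>sess-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed SP session store: local session id -> (NameID, SessionIndex).
SESSIONS = {
    "local-a": ("alice@example.test", "sess-1"),
    "local-b": ("alice@example.test", "sess-2"),
    "local-c": ("bob@example.test", "sess-3"),
}

def handle_logout_request(xml_text, sessions):
    """Drop every local session matching the request's NameID and SessionIndex
    (all of that user's sessions if no SessionIndex is given).
    Returns (request ID, list of invalidated session ids)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    indexes = {e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")}
    removed = [sid for sid, (nid, idx) in sessions.items()
               if nid == name_id and (not indexes or idx in indexes)]
    for sid in removed:
        del sessions[sid]  # a cached session surviving here is the bug described
    return root.get("ID"), removed

def build_logout_response(in_response_to, issuer):
    """The LogoutResponse the SP should answer with (the poster saw none)."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "InResponseTo": in_response_to,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    return ET.tostring(resp, encoding="unicode")
```

Run it on a copy of SESSIONS: only "local-a" (NameID alice, SessionIndex sess-1) is removed; any later request carrying that session id should then trigger a fresh AuthnRequest rather than being served.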