[keycloak-user] SAML Identity broker mode bypasses any authentication after logout

Hynek Mlnarik hmlnarik at redhat.com
Fri Sep 15 08:34:44 EDT 2017


Check why there is no LogoutResponse. This is a violation of the SAML
protocol [1]. You would need to inspect the SAML message exchange, either
by using a browser extension like SAML Tracer, or by increasing the
keycloak log level for SAML.

--Hynek

[1] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf,
l. 2631-2636
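The check Hynek describes, written out as an added example (not code from the thread or from Keycloak): given the decoded SAML protocol messages captured with SAML Tracer or a SAML debug log, it reports every LogoutRequest that never received a LogoutResponse, or received one that is not Success. The sample trace, issuer URLs and message IDs are constructed to mirror the exchange Pieter reports (two LogoutRequests, no LogoutResponse).

```python
"""Audit a SAML single-logout (SLO) trace for LogoutRequests that never got a
LogoutResponse. Input: decoded SAML protocol messages, e.g. from SAML Tracer."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def audit_slo_trace(messages):
    """Return findings for an ordered list of SAML protocol XML strings.

    SAML core 2.0 (sec. 3.7) requires each LogoutRequest to be answered by a
    LogoutResponse whose InResponseTo equals the request ID and whose StatusCode
    is Success; an unanswered request means a session may still be alive."""
    pending = {}  # LogoutRequest ID -> Issuer that sent it
    findings = []
    for xml in messages:
        root = ET.fromstring(xml)
        kind = root.tag.rsplit("}", 1)[-1]  # strip the namespace
        if kind == "LogoutRequest":
            pending[root.get("ID")] = root.findtext(f"{{{SAML}}}Issuer")
        elif kind == "LogoutResponse":
            ref = root.get("InResponseTo")
            if ref not in pending:
                findings.append(f"unsolicited LogoutResponse InResponseTo={ref}")
                continue
            pending.pop(ref)
            code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
            if code is None or code.get("Value") != SUCCESS:
                findings.append(f"LogoutResponse to {ref} is not Success")
    for req_id, issuer in pending.items():
        findings.append(f"no LogoutResponse to LogoutRequest {req_id} from {issuer}")
    return findings


def logout_request(msg_id, issuer):
    """Minimal constructed LogoutRequest (signature, NameID etc. omitted)."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{msg_id}" Version="2.0" IssueInstant="2017-09-15T11:56:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:LogoutRequest>')


# Constructed trace mirroring the thread: SP -> Keycloak, Keycloak -> external
# IdP, then nothing, so both requests are reported as unanswered.
TRACE = [logout_request("_req1", "https://app.example/saml/metadata"),
         logout_request("_req2", "https://keycloak.example/auth/realms/demo")]

if __name__ == "__main__":
    print("\n".join(audit_slo_trace(TRACE)))
```

Any finding means the SP cannot treat the logout as completed; it should still drop its own local session rather than wait for a response that never arrives.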

On Fri, Sep 15, 2017 at 1:56 PM, Pieter Lukasse <pieter at thehyve.nl> wrote:
> Hi,
>
> I have a spring-security based application that connects to keycloak via
> SAML. Keycloak itself is configured to connect via SAML to another external
> identity provider (so Keycloak is just the identity broker in this case).
>
> When I logout from my web application by going to
> https://<app_url>/saml/logout?local=false,
> a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the
> external IDP. There is *no* LogoutResponse. Strangely, when I try to access
> my web application again, I am not asked to login and can access it as if
> the session is still valid. No AuthnRequest is seen in this case.
>
> What could be wrong? It seems that either the web application or the
> Keycloak is caching the session and not invalidating it upon a
> LogoutRequest. Maybe someone can help shed some light on this.
>
> Thanks,
>
> Pieter
>
>
>
> We empower scientists by building on open source software


