[keycloak-user] SAML Identiy broker mode bypasses any authentication after logout
java_os
java at neposoft.com
Mon Sep 18 09:17:12 EDT 2017
I saw this while brokering with ADFS - the logout request goes nowhere,
and dies with NPE in keycloak.
Seems as the sso cookie still active and not invalidated on logout request.
I've asked the group but no answer - so you need to close the browser if
your flow is browser sso.
Your best path a Jira ticket.
> Hi,
>
> I have a spring-security based application that connects to keycloak via
> SAML. Keycloak itself is configured to connect via SAML to another
> external
> identity provider (so Keycloak is just the identity broker in this case).
>
> When I logout from my web application by going to
> https://<app_url>/saml/logout?local=false,
> a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the
> external IDP. There is *no* LogoutResponse. Strangely, when I try to
> access
> my web application again, I am not asked to login and can access it as if
> the session is still valid. No AuthnRequest is seen in this case.
>
> What could be wrong? It seems that either the web application or the
> Keycloak is caching the session and not invalidating it upon a
> LogoutRequest. Maybe someone can help shed some light on this.
>
> Thanks,
>
> Pieter
>
>
>
> We empower scientists by building on open source software
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list