[keycloak-user] Logout from identity provider is not propagated to Keycloak clients

SauliK sauli.ketola at outlook.com
Thu Aug 8 05:46:44 EDT 2019


Hi,

I have set up Keycloak with a SAML2 Identity Provider and I have a client
application configured to authenticate against Keycloak using SAML2.

If I logout from the application, the logout happens correctly using browser
redirects and the user is logged out from the application, from Keycloak,
and from the identity provider. But if I logout from the Identity provider,
the provider sends a logout request to Keycloak but Keycloak does not send
the logouts to the clients.

I have checked the source code regarding this and in the second scenario
Keycloak uses only the backchannel logout and does not even attempt to do
the browser / frontchannel logout. In my case backchannel logout is not
supported.

In the source code I can see that in SamlService class (which is being
invoked when I do the logout from the application) it uses either browser
logout or backchannel logout
https://github.com/keycloak/keycloak/blob/1ac51611d3c1dd7c9b6537430587fa4c68a1e916/services/src/main/java/org/keycloak/protocol/saml/SamlService.java#L429

But in the SamlEndpoint class (which is used when the identity provider
sends the logout request to Keycloak) it only attempts the backchannel
logout:
https://github.com/keycloak/keycloak/blob/ca4e14fbfa76e5c909503bde9b0f4e233014503f/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L293

Is this the way it's supposed to work or is Keycloak just missing this
feature?

Br,
Sauli




