[keycloak-user] SAML SSO logout invalid destination error

Martin Duží duzimartin at gmail.com
Fri Jan 25 06:47:30 EST 2019


Hello,

our team is using SAML SSO via Keycloak with several 3rd party applications.

After updating Keycloak from version 4.2.1 to 4.8.2, we started having a
problem with logging out from JFrog Artifactory, which ends up on the page
"We're sorry ... Invalid Request".

Keycloak prints the following error in server.log:

2019-01-18 19:02:44,198 WARN  [org.keycloak.events] (default task-1)
type=LOGOUT_ERROR, realmId=fea322ef-a93e-c7db-aa08-c4eea81b38ff,
clientId=null, userId=null, ipAddress=(null), error=invalid_logout_request,
reason=invalid_destination

This seems to indicate a problem with the Destination attribute in the
logout request, and it is indeed missing from the XML sent by Artifactory:

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="add9d022-12da-40a2-80bd-f1d5b042a595"
    IssueInstant="2019-01-18T07:23:50.822Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">artifactory.example.com</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>
  <saml2p:SessionIndex>a8ec478f-a05c-4feb-8ec2-4dd9015eabe9::37dcf7a4-0a11-4cfe-9a23-6d4d3cd4e9e0</saml2p:SessionIndex>
</saml2p:LogoutRequest>

Looking at the SAML specs and also at recent code changes in Keycloak,
Destination should be optional. "Client Signature Required" is turned off.
Other applications that actually send the Destination attribute can log out
without issues.

Does anyone have an idea what the problem could be here?

BR

Martin Duzi
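As an added illustration (not code from the post, Keycloak or Artifactory), the check below parses the LogoutRequest quoted above and applies the Destination rule the poster refers to: Destination is optional, but if present it must equal the endpoint that received the message, and if the message is (or must be) signed it has to be present. The SLO endpoint URL and the exact policy encoded in the function are assumptions for the example, not Keycloak's actual implementation.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Copy of the LogoutRequest from the post (only whitespace changed); the
# NameID and SessionIndex values are the ones quoted there.
ARTIFACTORY_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="add9d022-12da-40a2-80bd-f1d5b042a595"
    IssueInstant="2019-01-18T07:23:50.822Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">artifactory.example.com</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout user</saml2:NameID>
  <saml2p:SessionIndex>a8ec478f-a05c-4feb-8ec2-4dd9015eabe9::37dcf7a4-0a11-4cfe-9a23-6d4d3cd4e9e0</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

# Assumed IdP single-logout endpoint for the example; not from the post.
SLO_ENDPOINT = "https://idp.example.com/realms/demo/protocol/saml"


def check_destination(xml_text, slo_endpoint, signature_required):
    """Return "ok" or an error reason in the style of the Keycloak log line.

    Policy implemented here (an assumption for the example, not Keycloak's
    code): Destination may be absent on an unsigned request; when present it
    must match the endpoint that received the message; when the request is
    signed, or the client is configured to require signatures, Destination
    must be present because the signature is what binds it to the endpoint.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return "invalid_request"
    signed = root.find("{%s}Signature" % DSIG) is not None
    dest = root.get("Destination")
    if dest is None:
        return "invalid_destination" if (signature_required or signed) else "ok"
    return "ok" if dest == slo_endpoint else "invalid_destination"


def with_destination(xml_text, url):
    """Return the same request with a Destination attribute added (test helper)."""
    return xml_text.replace('Version="2.0"', 'Version="2.0" Destination="%s"' % url, 1)


if __name__ == "__main__":
    # The Artifactory request lacks Destination: accepted only when signatures are not required.
    print(check_destination(ARTIFACTORY_REQUEST, SLO_ENDPOINT, signature_required=False))  # ok
    print(check_destination(ARTIFACTORY_REQUEST, SLO_ENDPOINT, signature_required=True))   # invalid_destination
```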

