[keycloak-user] Single Logout in Identity brokering mode

Leonid Rozenblyum lrozenblyum at gmail.com
Tue Jul 9 03:56:04 EDT 2019


1) Most likely Keycloak cannot execute the 3rd-party log-out without browser
interaction when the 3rd-party IdP does not support backchannel logout,
right?
So the HttpServletRequest.logout() documentation should be extended to mention
this limitation.
That's why the redirect solution works.
3) Why is the Spring Security adapter exposing the '/sso/logout' endpoint as a
logout handler? Is it a third 'unofficial' way to log out?
It looks like it does a little bit less than HttpServletRequest.logout(),
because HttpServletRequest.logout() also
invokes SecurityContextLogoutHandler after KeycloakLogoutHandler
(while /sso/logout directly invokes KeycloakLogoutHandler).

On Fri, May 17, 2019 at 10:46 AM Leonid Rozenblyum <lrozenblyum at gmail.com>
wrote:

> Hello!
>
> I'm working on Single Logout in Identity broker mode.
>
> App -> Keycloak (OpenID Connect)
> Keycloak -> 3rd party (SAML)
>
> The Keycloak documentation states that there are 2 ways to execute logout.
> 1) HttpServletRequest.logout().
> 2) Redirect the browser to
> http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>
> If I execute 2), it indeed causes Keycloak to send a SAML Logout request to the
> 3rd-party IdP.
> However, if I execute 1), the SAML logout request is not sent, thus the 3rd-party
> session is still valid.
>
> (I see that by enabling trace logging in Keycloak and by the fact that the user is
> still logged in.)
>
> Is it something by design/misconfiguration at my side or a bug?
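The redirect-based logout from the thread (way 2), written out as an added servlet example that is not part of the mailing list message or of the Keycloak project. It assumes a Keycloak base URL, realm name and post-logout page (all placeholders), and it does not call HttpServletRequest.logout() first, for the reason given in the comments.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Ends the app's local session and then sends the browser through the Keycloak
 * logout endpoint (way 2 in the thread), so the broker can run the front-channel
 * SAML logout at the upstream IdP before the user is returned to the app.
 */
@WebServlet("/app-logout")
public class BrokeredLogoutServlet extends HttpServlet {

    // Assumed placeholder values; replace with the real auth server, realm and app URL.
    private static final String KEYCLOAK_BASE = "http://auth-server/auth";
    private static final String REALM = "example-realm";
    private static final String POST_LOGOUT_URL = "https://app.example/loggedout";

    /** Builds the logout URL quoted in the thread with a URL-encoded redirect_uri. */
    static String buildLogoutUrl(String keycloakBase, String realm, String redirectUri)
            throws IOException {
        String encoded = URLEncoder.encode(redirectUri, StandardCharsets.UTF_8.name());
        return keycloakBase + "/realms/" + realm
                + "/protocol/openid-connect/logout?redirect_uri=" + encoded;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only the app's own container session is invalidated here. HttpServletRequest.logout()
        // (way 1) is deliberately not called first: as the thread observed, it does not trigger
        // the SAML logout, and (assumption of this example) it ends the Keycloak session
        // server-side, so a redirect issued afterwards would reach the logout endpoint with
        // no session left for the broker to log out.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // The post-logout target is a fixed, app-owned URL rather than a request parameter,
        // so the logout flow cannot be turned into an open redirect.
        resp.sendRedirect(buildLogoutUrl(KEYCLOAK_BASE, REALM, POST_LOGOUT_URL));
    }
}
```

The redirect_uri must also be registered as a valid redirect URI on the Keycloak client, or Keycloak will refuse to send the browser back to it.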