[keycloak-user] Keycloak with Ping Identity OpenID Connect Provider

Mitchell S Bowers Mitchell.S.Bowers at kp.org
Fri Jul 26 17:19:57 EDT 2019


Hello Pedro,

When configuring Keycloak to use an external IDP, I’m not finding any documentation regarding logout. Logout is happening at our IDP; however, the session and token generated by Keycloak are remaining active.

We’ve also manually terminated the session (Logout all) and revoked all (Revocation tab), but the session is still active.

Thanks,

Mitchell

From: Mitchell S Bowers
Sent: Monday, July 22, 2019 11:15 AM
To: Pedro Igor Silva <psilva at redhat.com>
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider

Hello Pedro,

Thank you for the prompt response. As for your statement below:

IIRC, If the logout is starting at the brokered IdP, it should send a logout request to Keycloak including the initiating_idp parameter. I would check if the brokered IdP is at least sending a request to Keycloak

We’ve configured the logout URL (from our brokered IdP) with our Keycloak client. When tracing the request on logout, it’s making a POST call to Keycloak for a refresh token (not sure why), then doing a GET logout call to Keycloak (https://keycloak.sandbox.adf.kp.org/auth/realms/master/protocol/openid-connect/logout?), then making a GET call to the brokered IdP (Ping).

Thanks


From: Pedro Igor Silva <psilva at redhat.com>
Sent: Monday, July 22, 2019 9:48 AM
To: Mitchell S Bowers <Mitchell.S.Bowers at kp.org>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider



On Mon, Jul 22, 2019 at 1:19 PM Mitchell S Bowers <Mitchell.S.Bowers at kp.org> wrote:
Hello Pedro,

I don’t have any error logs to share, but let me explain further. After configuring Ping as the OIDC provider, we would be routed to Ping for authentication. After successfully authenticating, we’d be sent back to the application (Keycloak) with the ID token and access token. After decoding the JWT, we see that the issuer had changed to Keycloak. So not sure if Keycloak issues its own token after receiving the one from Ping.

It does. But you should still be able to obtain the original tokens as per https://www.keycloak.org/docs/latest/server_admin/#retrieving-external-idp-tokens.


The other issue is around session management. When invoking logout at our OIDC provider, the session remains active (even after closing the browser). We see the logout happening at our OIDC provider (Ping) but when the user navigates back to the app (Keycloak), they are not challenged. Is there a setting for invalidating the session on logout in Keycloak?

IIRC, If the logout is starting at the brokered IdP, it should send a logout request to Keycloak including the initiating_idp parameter. I would check if the brokered IdP is at least sending a request to Keycloak.

Regards.


Thanks,

Mitchell

From: Pedro Igor Silva <psilva at redhat.com>
Sent: Monday, July 22, 2019 8:08 AM
To: Mitchell S Bowers <Mitchell.S.Bowers at kp.org>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak with Ping Identity OpenID Connect Provider

Hi,

I have never configured PingIdentity as a broker before, but the configuration steps should be the same. Could you provide more details about the issues you are facing? Any specific error in logs?

On Fri, Jul 19, 2019 at 8:14 PM Mitchell S Bowers <Mitchell.S.Bowers at kp.org> wrote:
Hello,

Is there any documentation on configuring Keycloak to use Ping as an external OIDC provider? I've used the documentation provided for Okta, which should be essentially the same.

However, we are experiencing issues (specifically token issuance and logout). Any info would be greatly appreciated.

https://ultimatesecurity.pro/post/okta-oidc/

Thanks - Mitchell
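The thread turns on two checks: Pedro's point that Keycloak re-issues its own ID/access token after brokering (so the decoded `iss` claim is the Keycloak realm, not Ping, and the original Ping tokens are fetched from the external-IdP token endpoint in the linked docs), and his note that an IdP-initiated logout should reach Keycloak's logout endpoint with the `initiating_idp` parameter. The script below is an added example, not code from the thread, from Keycloak or from Ping. The issuer URLs, realm name, IdP alias and HS256 signing key are constructed placeholders (a real Keycloak realm signs with RS256, and you would verify against its JWKS); the broker token endpoint path follows the Keycloak documentation linked above.

```python
"""Added example (not from the thread, Keycloak or Ping): verify a brokered
token's signature, expiry and issuer; build the Keycloak external-IdP token
URL; check whether a logout request carries initiating_idp."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed placeholder values; substitute your own realm and IdP settings.
KEYCLOAK_ISSUER = "https://keycloak.example/auth/realms/master"
PING_ISSUER = "https://ping.example"
SAMPLE_KEY = b"constructed-shared-secret-for-this-example-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT so the example runs offline (constructed
    sample; a production realm token would be RS256-signed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, key: bytes, expected_issuer: str,
                      now: Optional[int] = None) -> dict:
    """Check signature, expiry and issuer before trusting any claim.
    A token brokered through Keycloak has iss == the Keycloak realm, which is
    exactly why checking it against the Ping issuer fails (Mitchell's case)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick a weaker alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    return claims


def broker_token_url(base_url: str, realm: str, idp_alias: str) -> str:
    """Endpoint from the Keycloak docs linked in the thread for retrieving the
    external IdP's original tokens; call it with the Keycloak access token as
    a Bearer credential (the user needs the broker read-token role)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{idp_alias}/token"


def logout_has_initiating_idp(logout_url: str) -> bool:
    """True if a logout request to Keycloak carries initiating_idp, the
    parameter Pedro says an IdP-initiated logout should include."""
    return "initiating_idp" in parse_qs(urlparse(logout_url).query)


if __name__ == "__main__":
    # Constructed claims mimicking what Mitchell decoded: iss is the realm, not Ping.
    tok = make_hs256_jwt({"iss": KEYCLOAK_ISSUER, "sub": "alice",
                          "exp": int(time.time()) + 300}, SAMPLE_KEY)
    print("accepted as Keycloak token:", verify_and_decode(tok, SAMPLE_KEY, KEYCLOAK_ISSUER)["iss"])
    try:
        verify_and_decode(tok, SAMPLE_KEY, PING_ISSUER)
    except ValueError as err:
        print("rejected against Ping issuer:", err)
    print("fetch original Ping tokens from:",
          broker_token_url("https://keycloak.example/auth", "master", "ping"))
    print(logout_has_initiating_idp(
        "https://keycloak.example/auth/realms/master/protocol/openid-connect/logout?initiating_idp=ping"))
```

When tracing the logout flow described in the thread, run the captured GET logout URL through `logout_has_initiating_idp`; a request that lacks the parameter looks to Keycloak like an ordinary client-initiated logout, which is consistent with the Keycloak session surviving a logout that completed only at Ping.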

NOTICE TO RECIPIENT:  If you are not the intended recipient of this e-mail, you are prohibited from sharing, copying, or otherwise using or disclosing its contents.  If you have received this e-mail in error, please notify the sender immediately by reply e-mail and permanently delete this e-mail and any attachments without reading, forwarding or saving them.  Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user