[keycloak-user] Single Logout in Identity brokering mode

Leonid Rozenblyum lrozenblyum at gmail.com
Fri May 17 03:46:50 EDT 2019


Hello!

I'm working on Single Logout in Identity broker mode.

App -> Keycloak (OpenIdConnect)
Keycloak -> 3rd party (SAML)

The Keycloak documentation states that there are 2 ways to execute logout.
1) HttpServletRequest.logout().
2) Redirect the browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri

If I execute 2), it indeed causes Keycloak to send a SAML Logout request to the
3rd-party IdP.
However, if I execute 1), the SAML logout request is not sent, thus the 3rd-party
session is still valid.

(I see that by enabling trace logging in Keycloak and by the fact that the user is
still logged in.)

Is this by design, a misconfiguration on my side, or a bug?
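For readers who want to see what the two logout paths from the post look like in application code, the servlet below is an added illustration and is not code from the post's author or from the Keycloak project. It performs way 1 (`HttpServletRequest.logout()` plus container session invalidation) and then way 2 (a browser redirect to the Keycloak OpenID Connect logout endpoint quoted in the post, with the `redirect_uri` URL-encoded). The auth server URL, the `{realm-name}` placeholder and the post-logout landing page are assumed values to be replaced with real ones; the servlet name and `/logout` path are hypothetical.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet for an app secured by Keycloak (OpenID Connect).
@WebServlet("/logout")
public class KeycloakLogoutServlet extends HttpServlet {

    // Assumed values: replace with the real Keycloak base URL and realm name.
    private static final String AUTH_SERVER = "http://auth-server/auth";
    private static final String REALM = "{realm-name}";

    // Assumed post-logout landing page inside this application. It must be
    // registered as a valid redirect URI for the client in Keycloak.
    private static final String POST_LOGOUT_URI = "https://app.example.test/loggedout";

    // Builds the endpoint quoted in the post:
    // {auth-server}/realms/{realm}/protocol/openid-connect/logout?redirect_uri=<encoded>
    static String buildLogoutUrl(String authServer, String realm, String redirectUri) {
        String encoded = URLEncoder.encode(redirectUri, StandardCharsets.UTF_8);
        return authServer + "/realms/" + realm
                + "/protocol/openid-connect/logout?redirect_uri=" + encoded;
    }

    // Logout is done on POST so a plain cross-site GET link cannot trigger it.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Way 1: clear the container-side authentication and session.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Way 2: send the browser to Keycloak's logout endpoint. In the post this is
        // the step observed to make the broker issue the SAML logout request to the
        // upstream IdP; doing way 1 alone was observed to leave that session active.
        resp.sendRedirect(buildLogoutUrl(AUTH_SERVER, REALM, POST_LOGOUT_URI));
    }
}
```

`buildLogoutUrl` is kept as a separate static method so the exact URL sent to Keycloak can be checked (for instance in a unit test, or by comparing it against the request seen in Keycloak's trace log) independently of the servlet container.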
