[keycloak-user] Single Logout in Identity brokering mode
Leonid Rozenblyum
lrozenblyum at gmail.com
Fri May 17 03:46:50 EDT 2019
Hello!
I'm working on Single Logout in Identity broker mode.
App -> Keycloak (OpenIdConnect)
Keycloak -> 3'd party (SAML)
Documentation to keycloak states that there are 2 ways to execute logout.
1) HttpServletRequest.logout().
2) redirect the browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
If I execute 2) it indeed causes Keycloak send SAML Logout request to the
3'd party Idp.
However if I execute 1) SAML logout request is not sent thus 3'd party
session is still valid.
(I see that by enabling trace logging in keycloak and by fact that user is
still logged in)
Is it something by design/misconfiguration at my side or a bug?
More information about the keycloak-user
mailing list