Azure AD SAML with OIDC client protocol for Grafana SLO (Single Logout) having problems

Hey everyone,

I’m not sure if this is even possible.

But right now we have Azure AD as an external SAML-based IdP which we use to authenticate users.
We use mappers and other claims to get attributes from SAML requests through Keycloak and finally to our end application (Grafana).

Login works nicely, with me getting redirected to the Azure login page and finally receiving all claims I need on Grafana.

However when I try to logout, I do get a page from Azure saying

You signed out of your account
It’s a good idea to close all browser windows.

I assume it should successfully log me out, but when I hit the Grafana home page, it redirects me to the Grafana dashboards without asking me for authentication.

This issue does not occur if I close my browser after logout.

Grafana logs tell me I'm successfully signing in and out of Grafana.

But the Keycloak logs give me the following stuff

05:52:46,801 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-1574) Initiating OIDC browser logout
05:52:46,801 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-1574) Logging out: sshrivastava@afasdfasdfasdfafsf.onmicrosoft.com (d7e043a7-2b75-4cea-9d1d-805745fc68e1)
05:52:46,801 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1574) AUTH_SESSION_ID cookie found in the request header
05:52:46,801 DEBUG [org.keycloak.services.util.CookieHelper] (default task-1574) AUTH_SESSION_ID cookie found in the cookie field
05:52:46,801 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1574) Found AUTH_SESSION_ID cookie with value d7e043a7-2b75-4cea-9d1d-805745fc68e1.keycloak-0
05:52:46,801 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-1574) Set AUTH_SESSION_ID cookie with value d7e043a7-2b75-4cea-9d1d-805745fc68e1.keycloak-0
05:52:46,802 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-1574) backchannel logout to: asdfasdf.example.com
05:52:46,802 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-1574) Cant logout {0}: no management url
05:52:46,802 DEBUG [org.keycloak.saml.common] (default task-1574) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2021-05-21T05:52:46.802Z
05:52:46,803 DEBUG [org.keycloak.saml.BaseSAML2BindingBuilder] (default task-1574) saml document: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://login.microsoftonline.com/dasdadfadsf-0b0e-469a-sdsd-asdfasdfafsa/saml2" ID="ID_a344eb7d-asdasd-91d6-sadasdfasdf" IssueInstant="2021-05-21T05:52:46.802Z" Version="2.0"><saml:Issuer>https://asdasaas-dev.tools.np.sadasda.io/auth/realms/asdadasd-asdas</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xGriB9unL8e9tNQ3rhY73Gmy_chra9g5-agIxG4FOPw</saml:NameID><samlp:SessionIndex>_9840ed7f-0472-asdasdasd-a2b5-asdasasdas</samlp:SessionIndex></samlp:LogoutRequest>
05:52:46,803 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-1574) finishing OIDC browser logout

TIA
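As an added example (not part of the original post, and not Keycloak's or Grafana's own code), the following Python script triages a Keycloak DEBUG logout trace like the one above: it strips the JBoss ANSI colour codes (whose ESC byte gets dropped when pasted into a forum, leaving the "e[32m" residue), reconstructs the logout sequence, parses the SAML LogoutRequest sent to the IdP, and flags the "Cant logout {0}: no management url" line, which Keycloak emits when the client it is trying to backchannel-log-out has no Admin URL (management URL) configured. The sample log lines, hostnames, tenant ID and session IDs embedded in it are constructed placeholders, not the poster's values.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample input modelled on the lines in the post (placeholder hostnames and IDs).
# "\x1b[32m" / "\x1b[0m" are the JBoss colour codes; a forum paste drops the ESC byte and leaves "e[32m".
SAMPLE_LOG = (
    "\x1b[32m05:52:46,801 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-1574) Initiating OIDC browser logout\n"
    "\x1b[0m\x1b[32m05:52:46,801 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-1574) "
    "Logging out: user@example.onmicrosoft.com (d7e043a7-2b75-4cea-9d1d-805745fc68e1)\n"
    "\x1b[0m\x1b[32m05:52:46,802 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-1574) backchannel logout to: grafana.example.com\n"
    "\x1b[0m\x1b[32m05:52:46,802 DEBUG [org.keycloak.services.managers.ResourceAdminManager] (default task-1574) Cant logout {0}: no management url\n"
    "\x1b[0m\x1b[32m05:52:46,803 DEBUG [org.keycloak.saml.BaseSAML2BindingBuilder] (default task-1574) saml document: "
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2" '
    'ID="ID_a344eb7d" IssueInstant="2021-05-21T05:52:46.802Z" Version="2.0">'
    "<saml:Issuer>https://keycloak.example.com/auth/realms/demo</saml:Issuer>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xGriB9unL8e9tNQ3rhY73Gmy_chra9g5-agIxG4FOPw</saml:NameID>'
    "<samlp:SessionIndex>_9840ed7f-0472</samlp:SessionIndex></samlp:LogoutRequest>\n"
    "\x1b[0m\x1b[32m05:52:46,803 DEBUG [org.keycloak.protocol.oidc.endpoints.LogoutEndpoint] (default task-1574) finishing OIDC browser logout\n"
)

# Matches a real SGR escape (ESC [ ... m) or its forum-mangled remains (e[ ... m).
ANSI_RE = re.compile(r"(?:\x1b|e)\[[0-9;]*m")
# Standard JBoss/WildFly console pattern: time LEVEL [logger] (thread) message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def strip_ansi(text):
    """Remove colour codes, whether the ESC byte survived or not."""
    return ANSI_RE.sub("", text)


def parse_lines(text):
    """Split a log dump into structured events; lines that do not match the pattern are dropped."""
    events = []
    for raw in strip_ansi(text).splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def parse_logout_request(xml_text):
    """Pull the fields of a SAML 2.0 LogoutRequest that matter for SLO debugging."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}NameID")
    session_index = root.find(f"{{{SAMLP}}}SessionIndex")
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "nameid": name_id.text if name_id is not None else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "session_index": session_index.text if session_index is not None else None,
    }


def summarize_logout(text):
    """Walk one OIDC browser-logout trace and record what Keycloak did on the way."""
    s = {"user": None, "keycloak_session": None, "backchannel_targets": [],
         "no_management_url": False, "saml_logout_request": None,
         "started": False, "finished": False}
    for ev in parse_lines(text):
        msg = ev["msg"]
        if msg == "Initiating OIDC browser logout":
            s["started"] = True
        elif msg == "finishing OIDC browser logout":
            s["finished"] = True
        elif msg.startswith("Logging out: "):
            m = re.match(r"Logging out: (\S+) \(([0-9a-f-]+)\)", msg)
            if m:
                s["user"], s["keycloak_session"] = m.groups()
        elif msg.startswith("backchannel logout to: "):
            s["backchannel_targets"].append(msg.split(": ", 1)[1])
        elif "no management url" in msg:
            s["no_management_url"] = True
        elif msg.startswith("saml document: "):
            s["saml_logout_request"] = parse_logout_request(msg[len("saml document: "):])
    return s


def findings(summary):
    """Turn the summary into the observations a reviewer would want to check first."""
    out = []
    if summary["no_management_url"]:
        targets = ", ".join(summary["backchannel_targets"]) or "<unknown client>"
        out.append(f"backchannel logout skipped for {targets}: client has no Admin URL (management URL) in Keycloak")
    req = summary["saml_logout_request"]
    if req is None:
        out.append("no SAML LogoutRequest was sent to the IdP")
    else:
        if not req["session_index"]:
            out.append("LogoutRequest carries no SessionIndex, so the IdP cannot target the session")
        if req["nameid_format"] != "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent":
            out.append(f"LogoutRequest NameID format is {req['nameid_format']}; check it matches the assertion")
    if summary["started"] and not summary["finished"]:
        out.append("OIDC browser logout started but never finished")
    return out


if __name__ == "__main__":
    summary = summarize_logout(SAMPLE_LOG)
    print(summary)
    for line in findings(summary):
        print("finding:", line)
```

Feed it the raw console output (ANSI codes intact) or the mangled forum paste; both produce the same summary. On this trace the only finding is the skipped backchannel logout, which tells you where to look next: Keycloak did send a LogoutRequest to the IdP and did end its own session, but the client-side session at the "backchannel logout to:" target was never told.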