Frequent "You are already logged in" error only in Chrome

We have an app authenticating with Keycloak via SAML, which is communicating with an IDP via OIDC. After a user successfully logs in to the app in Chrome and then logs out, you can see in Keycloak that their user session is removed. However, about 50% of the time, if the user attempts to log in to the app again, they get a “You are already logged in” error, and you see a new session has been created in Keycloak for them. This only ever happens in Chrome (and Opera, which is a Chromium-based browser). We have tested in Safari and Firefox and never see this problem. The user can also log in to the app via the same Keycloak server with Google as the IDP, and that works in all browsers, including Chrome. So it is specific to Chrome and our OIDC IDP setup.

Logout is done via an HTML link to https://[OUR_SITE]/saml/logout?local=false.

We have seen this in both Keycloak 9.0.0 (helm chart 7.2.0) and 11.0.0 (helm chart 9.0.1). (https://github.com/codecentric/helm-charts)

We have tried to find a reliable way to produce this condition, but despite trying many permutations we cannot generate the problem deterministically. We can provide more details.

Thank you in advance for any help you can give.
Manda

We managed to narrow this down a bit to a problem between Keycloak and our IDP. We set up Keycloak to use our IDP to log in to Keycloak itself. Keycloak gives the same “You are already logged in” error when logging out of Keycloak in Chrome.

We are wondering if it might be a CORS problem since it is only seen in Chrome?