I’m configuring a client for SSO in Google Workspace using Keycloak as the IdP. Everything is working fine with the exception of logout. When I try to log out I receive the following error: “Invalid redirect uri”.
If I understand this doc correctly, then only the SAML SSO protocol is supported by Google Workspace, so I don’t understand why you want to use the OIDC logout Keycloak URL. Don’t mix OIDC/SAML Keycloak URLs.
Open your IdP metadata (e.g. /auth/realms/icone/protocol/saml/descriptor) and find SingleLogoutService. The Location used is usually the same as the SingleSignOnService Location in the Keycloak case. So I bet these URLs must be the same:
That seems to be a very crazy setup (or a genius workaround, which may work only with certain Keycloak versions). I would contact Google support first to double-check their documentation. Are you sure that you don’t have any OIDC Keycloak session active? Keycloak may be picking that OIDC session/client during OIDC logout.
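
The metadata check suggested in the replies above, as an added example that is not part of the original thread: it reads the SingleLogoutService and SingleSignOnService Locations from a SAML IdP descriptor and tests whether a configured sign-out URL is one of the SAML logout endpoints. The descriptor is a constructed sample, the host `keycloak.example.com` is a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BASE = "https://keycloak.example.com/auth/realms/icone"  # placeholder host

# Constructed sample shaped like a SAML IdP descriptor; not real output.
SAMPLE_DESCRIPTOR = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{BASE}">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{BASE}/protocol/saml"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{BASE}/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{BASE}/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{BASE}/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(metadata_xml, service):
    """Return {binding: location} for one service of the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for el in root.findall(f".//md:IDPSSODescriptor/md:{service}", MD_NS):
        # Key on the short binding name, e.g. "HTTP-POST".
        found[el.get("Binding").rsplit(":", 1)[-1]] = el.get("Location")
    return found


def check_logout_url(metadata_xml, configured_url):
    """Compare a configured sign-out URL with the metadata's SAML endpoints."""
    sso = set(endpoints(metadata_xml, "SingleSignOnService").values())
    slo = set(endpoints(metadata_xml, "SingleLogoutService").values())
    return {
        "slo_locations": sorted(slo),
        "slo_equals_sso": bool(slo) and slo == sso,
        "configured_is_saml_slo":
            configured_url.rstrip("/") in {u.rstrip("/") for u in slo},
    }


if __name__ == "__main__":
    for path in ("/protocol/saml", "/protocol/openid-connect/logout"):
        print(path, check_logout_url(SAMPLE_DESCRIPTOR, BASE + path))
```

To check a real realm, save its descriptor to a file and pass the file's contents instead of `SAMPLE_DESCRIPTOR`.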