Invalid redirect uri but redirect URIs are configured in client

Hi!

I’m configuring a client for SSO in Google Workspace using Keycloak as IDP. Everything is working fine with the exception of logout. When I try to log out I receive the following error: “Invalid redirect uri”

Valid Redirect URIs are configured as requested by Google. Logout URL also: https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https://www.google.com/

Does anyone know what I can do?

Thanks and I’m sorry for the typos

Hi. Did you try to just ask for logout without a redirect?
Just like this:
https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout

Hi! Yes. It works normally.

Try a URL-encoded value (it is not clear from the question what executes that URL, or whether the URL is URL-encoded), e.g.

https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fwww.google.com

It’s configured on Google using encoded URL.

I would recommend reading the Workspace documentation - a quick google and I believe it is this one: Set up SSO for your organization - Google Workspace Admin Help

If I understand this doc correctly, then only SAML SSO protocol is supported by Google Workspace, so I don’t understand why you want to use OIDC logout Keycloak URL. Don’t mix OIDC/SAML Keycloak URLs.

Open your IDP metadata (e.g. /auth/realms/icone/protocol/saml/descriptor) and find SingleLogoutService. The Location used is usually the same as the SingleSignOnService Location in the Keycloak case. So I bet these URLs must be the same:

Of course Google Workspace must initiate SAML logout properly.

I followed this tutorial by Google: Keycloak single sign-on | Cloud Architecture Center | Google Cloud

When the URLs are the same, it’s not possible to initiate the logout. The error is as follows:

(EN: We are sorry… Invalid request.)

That seems to be a very crazy setup (or a genius workaround, which may work only with certain Keycloak versions). I would contact Google support first to double check their documentation. Are you sure that you don’t have any OIDC Keycloak session active? Keycloak may be picking that OIDC session/client during OIDC logout.

Check the Web Origins option in Keycloak. It should be *

FYI, this “hack” by Google no longer seems to work in Keycloak 15.0.2. It fails with an “Invalid redirect_uri” error, even when the URI is set properly on both sides.

1 Like

Hi guys,

I don’t know how you solved the problem, but I found one workaround. I set up another client in the realm for logout and it worked. The logout client is openid-connect, the login client is saml.

Please open your realm settings and find the OpenID Configuration File. Open this JSON and you will get your logout URL; use that URL and append the redirect URL to it.

Find your configuration here.

http://serverUrl/realms/my-realm-name/.well-known/openid-configuration

For example:

http://serverUrl/realms/my-realm-name/protocol/openid-connect/logout
You can append the redirect URL to this.

I noticed in the configuration that it doesn’t require “auth” in the URL.
I am new to Keycloak, I may be missing something, but using the URL from the configuration worked for me.

I filled in the ‘Valid post logout redirect URIs’ and it worked for me

2 Likes
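The two replies above (take the logout endpoint from the realm's openid-configuration, then register the redirect in the client's allowed list) can be tried end to end with the following added example; it is not code from this thread or from Keycloak. The discovery document and the allowed-URI list are constructed samples, and the matching function is a simplified model of the server-side check (exact match, or prefix match for entries ending in `*`), not Keycloak's own implementation.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of a realm's .well-known/openid-configuration (only the keys used here).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://keycloak.example.invalid/realms/my-realm-name",
    "end_session_endpoint": "https://keycloak.example.invalid/realms/my-realm-name"
                            "/protocol/openid-connect/logout",
})

# Constructed client setting, in the shape of the "Valid post logout redirect URIs" list.
VALID_POST_LOGOUT_REDIRECT_URIS = ["https://www.google.com/", "https://app.example.invalid/*"]


def build_logout_url(discovery_json: str, redirect: str,
                     param: str = "post_logout_redirect_uri") -> str:
    """Read the logout endpoint from the discovery document and attach a
    percent-encoded redirect (urlencode encodes ':' and '/' as well).
    Older threads, like this one, used the parameter name 'redirect_uri'."""
    endpoint = json.loads(discovery_json)["end_session_endpoint"]
    return f"{endpoint}?{urlencode({param: redirect})}"


def redirect_allowed(redirect: str, allowed: list[str]) -> bool:
    """Simplified model of the server-side check that produces 'Invalid redirect uri'.
    An absolute http(s) URL passes if it equals an entry exactly, or if it starts with
    the prefix of an entry that ends in '*'. Note the trailing slash matters."""
    parts = urlsplit(redirect)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    for entry in allowed:
        if entry.endswith("*"):
            if redirect.startswith(entry[:-1]):
                return True
        elif redirect == entry:
            return True
    return False


if __name__ == "__main__":
    target = "https://www.google.com/"
    print(build_logout_url(DISCOVERY_JSON, target))
    print("allowed:", redirect_allowed(target, VALID_POST_LOGOUT_REDIRECT_URIS))
```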

Hello, I know it is too late to implement SAML with Keycloak, but it is a client requirement.
My login with SAML is working properly, but when I try to log out I am facing an invalid Destination issue. As it is already said by osis.pdf, when you send an unsigned logout request you don’t have to send the Destination URL, but if I remove the Destination URL then I get the Redirect URI as empty.

Is it possible to perform both login and logout with the help of
http://127.0.0.1:8080/realms/OBSuiteXXXXX/protocol/saml