I’m configuring a client for SSO in Google Workspace using Keycloak as IDP. Everything is working fine with the exception of logout. When I try to log out I receive the following error: “Invalid redirect uri”
Valid Redirect URIs are configured as requested by Google. Logout URL also: https://{KEYCLOAK}/auth/realms/{MY-REALM}/protocol/openid-connect/logout?redirect_uri=https://www.google.com/
If I understand this doc correctly, then only the SAML SSO protocol is supported by Google Workspace, so I don’t understand why you want to use the OIDC Keycloak logout URL. Don’t mix OIDC/SAML Keycloak URLs.
Open your IDP metadata (e.g. /auth/realms/icone/protocol/saml/descriptor) and find SingleLogoutService. In the Keycloak case the Location used is usually the same as the SingleSignOnService Location. So I bet these URLs must be the same:
That seems to be a very crazy setup (or a genius workaround, which may work only with certain Keycloak versions). I would contact Google support first to double-check their documentation. Are you sure that you don’t have any OIDC Keycloak session active? Keycloak may be picking that OIDC session/client during OIDC logout.
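The metadata check suggested above can be automated. The following is an added example, not code from the thread or from Keycloak: it parses a constructed sample of the realm's SAML descriptor (the real one also carries the signing certificate and more) and reports, per binding, whether the SingleLogoutService Location matches the SingleSignOnService Location. The hostname and realm name in the sample are made up.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of what /auth/realms/<realm>/protocol/saml/descriptor
# returns, trimmed to the endpoint elements that matter for this check.
SAMPLE_DESCRIPTOR = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example.test/auth/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoints(descriptor_xml: str, service: str) -> dict:
    """Return {binding: location} for SingleSignOnService or SingleLogoutService."""
    root = ET.fromstring(descriptor_xml)
    return {
        el.get("Binding"): el.get("Location")
        for el in root.iter(f"{{{MD_NS}}}{service}")
    }


def logout_matches_sso(descriptor_xml: str) -> dict:
    """Per binding: True when the SLO Location equals the SSO Location.

    A binding present on only one side yields False, which is worth
    investigating before pasting a logout URL into the SP configuration.
    """
    sso = endpoints(descriptor_xml, "SingleSignOnService")
    slo = endpoints(descriptor_xml, "SingleLogoutService")
    return {b: sso.get(b) == slo.get(b) for b in set(sso) | set(slo)}


def configured_logout_url_ok(descriptor_xml: str, configured_url: str) -> bool:
    """Check that the logout URL configured on the SP side (e.g. in Google
    Workspace) is one of the IdP's published SingleLogoutService Locations."""
    return configured_url in endpoints(descriptor_xml, "SingleLogoutService").values()


if __name__ == "__main__":
    for binding, same in logout_matches_sso(SAMPLE_DESCRIPTOR).items():
        print(f"{binding.rsplit(':', 1)[-1]:14} SLO == SSO: {same}")
```

Point the script at the live descriptor URL (fetch it with `urllib.request` and pass the body in) to compare what the IdP actually publishes against what is configured on the Google side; a mismatch between the two is the first thing to rule out before suspecting a Keycloak version issue.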
FYI, this “hack” by Google no longer seems to work in Keycloak 15.0.2. It fails with an “Invalid redirect_uri” error, even when the URI is set properly on both sides.
I don’t know how you solved the problem, but I found one workaround. I set up another client in the realm for logout and it worked. The logout client is openid-connect, the login client is saml.
Please open your realm settings and find the OpenID Configuration file. Open this JSON and you will get your logout URL; use that URL and append the redirect URL to it.
http://serverUrl/realms/my-realm-name/protocol/openid-connect/logout
You can append the redirect URL to this.
I noticed in configuration that it doesn’t require “auth” in the URL.
I am new to Keycloak, I may be missing something, but using the URL from the configuration worked for me.
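The steps in the post above (read the realm's OpenID configuration, take the logout URL from it, append the redirect) can be scripted, which also makes it easy to check the redirect against the client's Valid Redirect URIs before Keycloak rejects it. This is an added example, not code from the thread or from Keycloak: the discovery document is a constructed sample with only the keys the example needs, and `redirect_allowed` is a simplified model of Keycloak's Valid Redirect URIs matching (exact match, or prefix match for patterns ending in `*`), not Keycloak's own implementation. The parameter name defaults to `redirect_uri` as used in the thread; newer Keycloak releases expect `post_logout_redirect_uri` together with `id_token_hint`, so it is configurable.

```python
import json
from urllib.parse import urlencode

# Constructed sample of the realm's OpenID configuration document
# (<issuer>/.well-known/openid-configuration); the real one has many more keys.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://serverUrl/realms/my-realm-name",
    "authorization_endpoint": "http://serverUrl/realms/my-realm-name/protocol/openid-connect/auth",
    "end_session_endpoint": "http://serverUrl/realms/my-realm-name/protocol/openid-connect/logout",
})


def logout_endpoint(discovery_json: str) -> str:
    """The logout URL the post refers to is the end_session_endpoint claim."""
    return json.loads(discovery_json)["end_session_endpoint"]


def redirect_allowed(redirect: str, valid_redirect_uris: list) -> bool:
    """Simplified model (assumption, not Keycloak's code) of the client's
    Valid Redirect URIs check: exact match, or prefix match when the pattern
    ends in '*'. A bare '*' accepts any redirect, which turns the logout
    endpoint into an open redirector, so treat it as a misconfiguration."""
    for pattern in valid_redirect_uris:
        if pattern == "*":
            return True
        if pattern.endswith("*"):
            if redirect.startswith(pattern[:-1]):
                return True
        elif redirect == pattern:
            return True
    return False


def build_logout_url(discovery_json: str, redirect: str,
                     valid_redirect_uris: list, param: str = "redirect_uri") -> str:
    """Build the logout URL, refusing redirects the client would reject."""
    if not redirect_allowed(redirect, valid_redirect_uris):
        raise ValueError(f"{redirect!r} is not covered by the client's Valid Redirect URIs")
    return f"{logout_endpoint(discovery_json)}?{urlencode({param: redirect})}"


if __name__ == "__main__":
    allowed = ["https://www.google.com/"]
    print(build_logout_url(SAMPLE_DISCOVERY, "https://www.google.com/", allowed))
```

Running it prints the logout URL with the redirect percent-encoded; calling `build_logout_url` with a redirect outside the configured list raises before any request is made, which is the same condition that produces the “Invalid redirect uri” error on the Keycloak side.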
Hello, I know it is too late to implement SAML with Keycloak, but it is a client requirement.
My login with SAML is working properly, but when I try to log out I am facing the issue of an invalid Destination. As it is already said by osis.pdf, when you send an unsigned logout request you don’t have to send the Destination URL, but if I remove the Destination URL then I get an empty Redirect URI.