Hello,
I have SSO setup comprising of two SAML clients in a single KeyCloak Realm. The user authentication seems to work perfectly fine. I am facing problem with user logout. Following section describes the scenario and problem. I have created local application to demonstrate problem as I can’t share details from work.
Working setup
KeyCloak version: 24.0.4
Protocol: SAML
Setup: KeyCloak as Idp
Authentication flow: Default
Scenario
User is logged in with one of SAML client in a browser tab. The same user logs-in into another SAML client (in same Realm) in other tab of same browser. When checked for session, KeyCloak shows a single user session with clients being composite. It seems pretty organic, in the sense that KeyCloak’s user session is actually browser and not the clients. The situation looks as following:
Here a user, superman, can be seen having a single session against two clients. The SP application is spring boot based SAML client (spring boot - 3 and Spring security - 6) based on opensaml.
When I try to log the user out from one of the clients, the request is not honoured by KeyCloak. The SAML trace shows request reaching and response from KeyCloak but there is no impact on user session. The user continues to be logged in. When repeated the user logout from another client, sometimes, the same thing happens. After attempting one more time to log user out, the logout request is honoured by KeyCloak and user is logged out BUT from both clients.
Following is sample saml request and response (it for different user than shown in screenshot above but it doesn’t change behavior):
SAML Logout Request:
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://localhost:8080/auth/realms/tzn8qz9FcCFS2ncd/protocol/saml"
ID="LR5395995f-009c-4697-9f45-a95c573c32f9"
IssueInstant="2024-06-05T12:03:54.758Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8086/saml2/service-provider-metadata/carsonline</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#LR5395995f-009c-4697-9f45-a95c573c32f9">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...digest value.....</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
...........signature value..........
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>.......certificate value....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">bats.bruce.wayne@yopmail.com</saml2:NameID>
<saml2p:SessionIndex>6409409b-0e79-48af-9b69-1bae032c8d58::004d710f-4c12-42f3-ab7f-39256c62c526</saml2p:SessionIndex>
</saml2p:LogoutRequest>
SAML logout response:
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="http://localhost:8086/logout/saml2/slo"
ID="ID_c6d5fd47-4e34-40fc-ac4d-13be12e0609c"
InResponseTo="LR5395995f-009c-4697-9f45-a95c573c32f9"
IssueInstant="2024-06-05T12:03:54.814Z"
Version="2.0"
>
<Issuer>http://localhost:8080/auth/realms/tzn8qz9FcCFS2ncd</Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_c6d5fd47-4e34-40fc-ac4d-13be12e0609c">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>.....digest value.....</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>....signature value....</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>...keyname value....</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>......certificate value....</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
</samlp:LogoutResponse>
The response shows the success status but there is no change at user’s session and user continue to be logged-in in both of clients.
In case of actual success when the user is logged out completely (from both clients) the SAML request and SAML response are same as above only.
So, I have following questions:
-
Is there any way or setting at KeyCloak that allows selective logout from particular client in case like this where session is composition of multiple clients?
-
If above behaviour as exhibited by KeyCloak is appropriate then why KeyCloak needs to be sent multiple logout requests?
-
In case if I am doing something which is not appropriate, what change can I do?
If anyone has any valuable suggestions or have similar setup then kindly respond.