Logout a user from external IDP, after successful token generation

Hi everyone!
I want to logout a user from an external IDP(identity brokering), after they have sucessfully logged in through my IDP, retrieved access token and redirected successfully to my client app page. For this reason, I need to call a logout endpoint to my IDP, providing some parameters (state, sessionId, clientId etc.).
What should I do in keycloak, in order to achieve that?

Hi. There is no built-in funcionality for this use case in Keycloak right new (version 18).

You can implemente a custom authenticator and make that part of your authentication flow.

If your IDP accepts backchannel logout, you could in theory make the logout in your application backend.

  • User login
  • Application retrieves IDP token on keycloak broker
  • Application submit login to the backchannel URL of IDP

Tutorial on how to write a custom authenticator: Keycloak Tutorial Series - Authenticator Part 1 - YouTube

1 Like

Is there a way to get the userSessionModel (in order later to get the sessionId = state) inside the authenticator? I found the related code below but it always returns null = authResult

Thank you

UserSessionModel userSessionModel = null;
AuthenticationManager.AuthResult authResult = AuthenticationManager.authenticateIdentityCookie(context.getSession(),
context.getRealm(), true);
if (authResult != null) {
// That is it:
userSessionModel = authResult.getSession();