Logout from IDP does not end session with SP

I have a problem with Keycloak’s configuration and Single Logout from SAML Identity Provider.

Scenario:

  1. User tries to log into Service Provider using Keycloak’s client (OID)
  2. KC redirects to SAML identity provider
  3. Entering correct credentials, user is logged in, KC creates session and user is redirected back to SP page
  4. In another tab user directly logs into IP (no credentials are needed because of SSO)
  5. User logs out from SP
  6. After refreshing the 2nd tab (IP), user is logged out.

However, if user logs out from IP first, SP session is not closed and user is still logged in:

  1. User logs out from IP (redirect to KC endpoint and return back to IP login page)
  2. After refresh, user is still logged in to SP

Checking logs in browser and KC logs, KC correctly receives samlp:LogoutRequest request and returns <samlp:LogoutResponse …><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>

In KC admin console I can still see there is an active session for the given client (and user). Actually I can see the SAML logout request from IP only in KC stdout (request-dumper filter) but no logout event occurred in KC.

I don’t really understand in detail how SAML works, but shouldn’t the user be logged out from the SP using SLO? Or maybe I am missing something in KC’s client/realm/IP configuration? Thank you for your help/explanation
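
A troubleshooting aid for the exchange described in the post, added here and not part of the original post or of Keycloak: it decodes SAMLRequest/SAMLResponse parameter values captured in the browser (the HTTP-Redirect binding is raw DEFLATE plus base64) and extracts the issuer, NameID, SessionIndex, InResponseTo and status so the logout request and response can be correlated. The sample messages and every identifier in them are constructed placeholders, and `encode_redirect` exists only to build them.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # cap on inflated size, so a deflate bomb is cut off

def decode_message(value, redirect_binding=True):
    """Decode a URL-decoded SAMLRequest/SAMLResponse parameter into an element."""
    raw = base64.b64decode(value)
    if redirect_binding:  # HTTP-Redirect adds raw DEFLATE; HTTP-POST is base64 only
        raw = zlib.decompressobj(-15).decompress(raw, MAX_XML + 1)
    if len(raw) > MAX_XML or b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("refusing oversized message or one that carries a DTD")
    return ET.fromstring(raw)

def summarize(root):
    """Return the fields that say which session a logout message refers to."""
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "type": root.tag.split("}")[-1],
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", NS)],
        "status": status.get("Value") if status is not None else None,
    }

def encode_redirect(xml):
    """Inverse of decode_message, used only to build the constructed samples."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

# Constructed samples; entity ID, message IDs, NameID, SessionIndex are placeholders.
SAMPLE_REQUEST = encode_redirect(
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">'
    '<saml:Issuer>https://idp.example/metadata</saml:Issuer>'
    '<saml:NameID>alice@example.com</saml:NameID>'
    '<samlp:SessionIndex>idx-123</samlp:SessionIndex></samlp:LogoutRequest>')
SAMPLE_RESPONSE = encode_redirect(
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp1" InResponseTo="_req1" Version="2.0"><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:LogoutResponse>')

if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(summarize(decode_message(sample)))
```

Paste the URL-decoded parameter value from the browser's network log into `decode_message`; pass `redirect_binding=False` for a value taken from an HTTP-POST form.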