I have a problem with Keycloak's configuration and Single Logout from a SAML Identity Provider.
Scenario:
- User tries to log into the Service Provider using Keycloak's client (OID)
- KC redirects to the SAML identity provider
- After entering correct credentials, the user is logged in, KC creates a session, and the user is redirected back to the SP page
- In another tab, the user logs directly into the IP (no credentials are needed because of SSO)
- User logs out from the SP
- After refreshing the 2nd tab (IP), the user is logged out.
However, if the user logs out from the IP first, the SP session is not closed and the user is still logged in:
- User logs out from the IP (redirect to the KC endpoint and return back to the IP login page)
- After refresh, the user is still logged in to the SP
Checking the logs in the browser and the KC logs, KC correctly receives the samlp:LogoutRequest and returns <samlp:LogoutResponse …><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In the KC admin console I can still see there is an active session for the given client (and user). Actually, I can see the SAML logout request from the IP only in KC stdout (request-dumper filter), but no logout event occurred in KC.
I don't really understand in detail how SAML works, but shouldn't the user be logged out from the SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration? Thank you for your help/explanation.