I am using SAML to manage my main application's SSO with Keycloak. Recently, I tried to add a plugin application which uses OpenID OAuth 2.
I created another client beside my main application client for this plugin. Everything went well, except that when I log out from the main application it doesn’t log out from the plugin application.
Any thoughts from you will be much appreciated. Thanks in advance.
I'm using Keycloak version 4.2.1.Final.
So you are saying that when you log out from the SAML application, the OpenID Connect application does not log out.
So I think Single sign out is not working.
Is your Admin URL in your OpenID Connect client set and accessible by Keycloak?
I am facing exactly the same problem. I have two applications in the same realm. One is using SAML and the other is using OIDC (it is the OpenShift console, actually).
And if I initiate the logout from my OIDC client application, the SAML client application will receive a logout request.
But if I initiate it from the SAML client application, the browser doesn’t redirect to log out of the OIDC application.
And I have also tried two SAML client applications; the SLO works perfectly.
BTW, I set the Admin URL as https://console-openshift-console.xxx.com. But whatever it is, it seems the URL is not called at all.
That really depends on the app implementation. Did you use and configure OIDC backchannel logout?
Actually, I have no idea how the app (OpenShift console) is implemented. Does Keycloak support front-channel logout for OIDC just like SAML?
I may have made an inappropriate statement. Keycloak surely supports front-channel logout (OIDC SP initiated); however, it seems Keycloak just assumes an OIDC service provider only accepts a back-channel logout. So there is no configuration in the client tab like “front-channel logout URI”.