We want to use Keycloak as a broker, providing OIDC to clients but driven by a SAML IdP as the “backend” Identity Provider. When a user does a logout in the source environment, we want the related Keycloak sessions to be closed. They are not closing for me.
I have seen similar questions posted, but not exactly like this. Specifically, the source IdP is initiating the logout, not Keycloak.
My Keycloak realm has an Identity Provider of type “SAML v2.0” that describe the source IdP. I named it “aria-saml”.
I then configured my source SAML IdP with aria-saml’s metadata as a remote SP there, using values from aria-saml’s “SAML 2.0 Service Provider Metadata”. In particular the remote SP’s logout URL is a value like this: “https://…/realms/abroker/broker/aria-saml/endpoint”
Lastly “aria-saml”'s “Single logout service URL” is set to the source IdP’s SAML logout endpoint.
When doing a logout in the source IdP, everything appears to work except that Keycloak sessions remain open. In particular:
a. In response to a user action, the source IdP does a redirect to “https://…/realms/abroker/broker/aria-saml/endpoint” with an appropriate SAMLRequest param.
b. Keycloak then redirects back to the source IdP’s logout URL with a SAMLResponse param that indicates Success. Correctly, I think.
c. There are a couple more redirects driven by the source IdP, ultimately landing on a login page.
d. At this point an OIDC auth request to Keycloak client is successful without a login page, and should not be. In Keycloak admin UI, I can still see an open user session.
It looks like Keycloak happily accepts and processes the logout request, even returns Success. Except it doesn’t do anything.
FWIW I’ve tried configuring the source IdP with the logout URL from the Keycloak realm’s “SAML 2.0 Identity Provider Metadata”. That’s a value that looks like “https://…/realms/abroker/abroker/protocol/saml”. My step (b) fails in this case. It looks like Keycloak is trying itself to (incorrectly) redirect to a login page. It is not surprising to me that this endpoint would do that. The logout endpoint from the broker config (aria-saml here) does seem like the correct one. It just doesn’t work.