LogoutRequest from SAML Identity Provider does not close keycloak sessions

We want to use Keycloak as a broker, providing OIDC to clients but driven by a SAML IdP as the “backend” Identity Provider. When a user does a logout in the source environment, we want the related Keycloak sessions to be closed. They are not closing for me.

I have seen similar questions posted, but not exactly like this. Specifically, the source IdP is initiating the logout, not Keycloak.

My Keycloak realm has an Identity Provider of type “SAML v2.0” that describes the source IdP. I named it “aria-saml”.

I then configured my source SAML IdP with aria-saml’s metadata as a remote SP there, using values from aria-saml’s “SAML 2.0 Service Provider Metadata”. In particular the remote SP’s logout URL is a value like this: “https://…/realms/abroker/broker/aria-saml/endpoint”

Lastly, “aria-saml”’s “Single logout service URL” is set to the source IdP’s SAML logout endpoint.

When doing a logout in the source IdP, everything appears to work except that Keycloak sessions remain open. In particular:
a. In response to a user action, the source IdP does a redirect to “https://…/realms/abroker/broker/aria-saml/endpoint” with an appropriate SAMLRequest param.
b. Keycloak then redirects back to the source IdP’s logout URL with a SAMLResponse param that indicates Success. Correctly, I think.
c. There are a couple more redirects driven by the source IdP, ultimately landing on a login page.
d. At this point an OIDC auth request to Keycloak client is successful without a login page, and should not be. In Keycloak admin UI, I can still see an open user session.

It looks like Keycloak happily accepts and processes the logout request, even returns Success. Except it doesn’t do anything.

FWIW I’ve tried configuring the source IdP with the logout URL from the Keycloak realm’s “SAML 2.0 Identity Provider Metadata”. That’s a value that looks like “https://…/realms/abroker/abroker/protocol/saml”. My step (b) fails in this case. It looks like Keycloak is trying itself to (incorrectly) redirect to a login page. It is not surprising to me that this endpoint would do that. The logout endpoint from the broker config (aria-saml here) does seem like the correct one. It just doesn’t work.

FWIW we ran it down to an issue on our side. We included an empty element in the original SAMLResponse. On logout Keycloak was requiring a match on that.

FWIW I debugged this by using IntelliJ to investigate the source inside the jars in the Keycloak download. It’s not that crazy. Definitely helped to see the exact logic used in Keycloak to find matching sessions.
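As an added debugging aid that is not part of the original thread: this Python helper encodes and decodes the SAMLRequest parameter Keycloak receives in step (a) (HTTP-Redirect binding: raw DEFLATE, base64, URL-encoding) and reports the LogoutRequest’s Issuer, NameID and SessionIndex, flagging any that are present but empty. That these are the fields a service provider matches sessions on is an assumption; the XML, entity IDs and session values are constructed for the example.

```python
"""Decode a SAML HTTP-Redirect LogoutRequest and check its session-matching fields."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: what an IdP would put in the SAMLRequest parameter when
# redirecting to .../realms/abroker/broker/aria-saml/endpoint. All values are made up.
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-logout-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://keycloak.example/realms/abroker/broker/aria-saml/endpoint">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1234</saml:NameID>
  <samlp:SessionIndex>_session-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def encode_redirect_param(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) + base64 + URL-encode, per the HTTP-Redirect binding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def decode_redirect_param(param: str) -> str:
    """Reverse of encode_redirect_param: URL-decode, base64-decode, raw-inflate."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode()


def inspect_logout_request(xml_text: str) -> dict:
    """Return the identifying fields of a LogoutRequest and list those present but empty.

    An empty element still parses, so the SP can answer Success yet match no session.
    """
    root = ET.fromstring(xml_text)  # constructed input; use defusedxml for untrusted XML

    def text(path: str):
        el = root.find(path, NS)
        return None if el is None else (el.text or "").strip()

    fields = {"issuer": text("saml:Issuer"), "name_id": text("saml:NameID"),
              "session_index": text("samlp:SessionIndex")}
    empty = sorted(k for k, v in fields.items() if v == "")
    return {**fields, "empty": empty}
```

Feeding `decode_redirect_param(...)` the value of a real redirect’s SAMLRequest parameter shows exactly which identifying fields the IdP sent, so a logout that returns Success while leaving the session open can be checked against what Keycloak had stored for that session.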

Hi mconnor,

We are facing the same issue. When I am doing logout from my application, I am calling the Keycloak endpoint to logout with an id token. Keycloak is calling the IDP Single Logout URL. We are getting a success response from the SAML Identity Provider in the endpoint payload. But the endpoint payload is failing with the below error in the Keycloak logs:

ERROR [org.keycloak.broker.saml.SAMLEndpoint] (executor-thread-4) usersession in different state
2024-07-02 13:11:13,726 WARN [org.keycloak.events] (executor-thread-4) type=LOGOUT_ERROR, realmId=ab783dd0-03ec-457e-9f4b-3feb9f5d364f, clientId=null, userId=null, ipAddress=172.10.2.8, error=user_session_not_found

Can you please suggest how you were able to resolve this, it would be very helpful. Thanks in advance.