Hi,
It’s a bit of an inverse of an issue a lot of people are facing, no doubt, but propagating logout requests from the broker to the external system works fine. However, I can’t seem to find a way to force Keycloak to kill the user session if that session is being killed on the external identity provider.
So far, debugging a test config of two Keycloaks (one “external system” and one “broker”) shows that there is indeed potential for this: org.keycloak.services.managers.ResourceAdminManager#sendBackChannelLogoutRequestToClientUri tries to send a logout request to whatever is set in managementUrl, but no matter how I configure it, it always returns an error 400:
[2021-10-06 18:32:22,986] [INFO] [thread=default task-48] [caller=com.netcracker.cloud.keycloak.provider.AuditLogEventListenerProvider] Got Event type=LOGOUT_ERROR realmId=saml-broker-realm clientId=null userId=null ipAddress=127.0.0.1 error=invalid_client_credentials
I don’t see any place to configure client credentials except on the broker itself, and this won’t help the external IdP send a logout request to the broker.
Is such a thing at all possible with Keycloak?