SAML global logout and session id cookie with the generic servlet filter


I’m trying to figure out what I’m missing when attempting to perform a global logout when using the generic SAML servlet filter from Keycloak 12.0.1.

I’m logging out by appending ?GLO=true to my web app URL, and the SamlFilter is correctly picking that up and building an HTML response to send back to the client to have the browser redirect to the authentication server to perform the logout, and that seems to work fine.

The problem I’m seeing is that, when the authentication server redirects back to my app after it’s performed the logout, the session cookie for my app is not included in the response, so the SamlFilter (specifically the isLoggingOut() method in the FilterSamlSessionStore class) does not think that the redirect back to my app is part of the logout request it initiated, and it gets confused by the response it doesn’t understand (ending up in a 403 response to the browser).

So am I missing something here? Is there something I need to configure in keycloak-saml.xml or something I should be doing in my code? Should I not be using the ?GLO=true option in this situation? Is it a requirement that the two servers be on the same domain to allow the cookie to be handled correctly? I’m not sure how the authentication server would even know that it needs to send back a session id cookie, and I can’t see an obvious way in the code to interject myself into the flow to “add” it myself (not that I’m sure at this stage how I’d do that anyway).

I’m new to SAML and wouldn’t have even gotten this far without Keycloak doing the heavy lifting, so I’m sure I must be missing something obvious.

Any advice would be appreciated.

I believe the issue may be related to this ticket, will continue investigating.
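Added example (not from the post and not Keycloak's code): a simplified model of the correlation step the post describes, applied to a constructed browser POST carrying the IdP's LogoutResponse, so that a missing session cookie is reported as the reason the response cannot be tied to the logout the SP started. It assumes JSESSIONID as the session cookie name and a plain per-session map of pending LogoutRequest IDs in place of FilterSamlSessionStore's real state.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SESSION_COOKIE = "JSESSIONID"  # assumption: the servlet container's session cookie name

def parse_cookies(header):
    """Turn a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def inspect_logout_response(request, pending_logouts):
    """Return (correlated, reason) for the IdP's POST back to the SP.
    pending_logouts maps session id -> ID of the LogoutRequest the SP sent; it is a
    simplified stand-in for the filter's per-session logout-in-progress state."""
    saml = parse_qs(request["body"]).get("SAMLResponse", [None])[0]
    if saml is None:
        return False, "no SAMLResponse form field"
    root = ET.fromstring(base64.b64decode(saml))
    if root.tag != f"{{{SAMLP_NS}}}LogoutResponse":
        return False, f"not a LogoutResponse: {root.tag}"
    session_id = parse_cookies(request["headers"].get("Cookie", "")).get(SESSION_COOKIE)
    if session_id is None:
        # The symptom from the post: a valid LogoutResponse that cannot be tied to
        # the session that started the logout, so the SP treats it as unexpected.
        return False, "no session cookie on the redirect back"
    if pending_logouts.get(session_id) != root.get("InResponseTo"):
        return False, "InResponseTo does not match the LogoutRequest ID stored for this session"
    return True, "LogoutResponse matches the pending logout for this session"

# Constructed sample: a successful LogoutResponse answering LogoutRequest "_req1".
LOGOUT_RESPONSE_XML = (
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" ID="_resp1" InResponseTo="_req1" '
    'Version="2.0" IssueInstant="2021-01-01T00:00:00Z"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status></samlp:LogoutResponse>'
)
PENDING_LOGOUTS = {"abc123": "_req1"}  # constructed SP state: session abc123 sent _req1

def build_request(with_cookie):
    """Constructed browser POST back to the SP, with or without the session cookie."""
    body = urlencode({"SAMLResponse": base64.b64encode(LOGOUT_RESPONSE_XML.encode()).decode()})
    headers = {"Cookie": "JSESSIONID=abc123"} if with_cookie else {}
    return {"method": "POST", "body": body, "headers": headers}
```

Running `inspect_logout_response(build_request(False), PENDING_LOGOUTS)` reproduces the post's situation: the response is a well-formed LogoutResponse, but without the cookie there is no session to match it against.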