SAML Logout for Zendesk integration fails with invalid destination

We are trying to configure SAML integration between Keycloak (9.0) and Zendesk (as unfortunately Zendesk does not support OpenID Connect). We are able to get login working well; unfortunately, the same cannot be said for logout.

We have tried numerous logout redirect URLs (including the same as the SSO URL); however, logout always fails with the following error recorded in the Keycloak logs:

    message:type=LOGOUT_ERROR, realmId=Redacted, clientId=null, userId=null, ipAddress=nnn.nnn.nnn.nn, error=invalid_logout_request, reason=invalid_destination

This appears to be produced by code in services/src/main/java/org/keycloak/protocol/saml/SamlService.java in protected Response logoutRequest(LogoutRequestType logoutRequest, ClientModel client, String relayState), lines 401 to 410 (in version 9 of Keycloak), as below.


However, given that this code should not error if no destination is supplied (Zendesk does not supply one) and requiresClientSignature is off (which it is), I am unsure what is causing the problem.

Has anyone else had success configuring SAML logout with ZenDesk before? Or has anyone seen a problem similar to this configuring SAML logout for other systems and know a solution?

Details of our configuration are below:

I am unfortunately unable to post details of our keycloak config due to restrictions on posting links.

Zendesk is configured with
SAML SSO URL
staging.environment.net/keycloak/auth/realms/Redacted/protocol/saml
Remote logout URL
staging.environment.net/keycloak/auth/realms/Redacted/protocol/saml

The following logout token is being sent:

    <?xml version="1.0"?>
    <samlp:LogoutRequest ID="samlr-xxxxxxxxxxxxx-xxxx-c63e99bedfde"
        IssueInstant="2020-05-04T07:25:04Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:Issuer>https://redacted.zendesk.com</saml:Issuer>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid format:emailAddress">email@gmail.com</saml:NameID>
    </samlp:LogoutRequest>
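
A diagnostic for a captured logout request like the one above, added here as an example (it is not part of the original post and not Keycloak code): it decodes a SAMLRequest parameter and reports the issuer, the Destination attribute and whether an embedded signature is present. The endpoint URL, the sample values and the trailing-slash comparison rule are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the request in the post (placeholder values).
ENDPOINT = "https://idp.example.test/auth/realms/demo/protocol/saml"
SAMPLE = (
    '<?xml version="1.0"?>'
    '<samlp:LogoutRequest ID="samlr-constructed-0001" Version="2.0" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    "<saml:Issuer>https://sp.example.test</saml:Issuer>"
    "</samlp:LogoutRequest>"
)


def decode_saml_request(param: str, redirect_binding: bool) -> str:
    """Decode a captured, already URL-decoded SAMLRequest parameter."""
    raw = base64.b64decode(param)
    if redirect_binding:
        # HTTP-Redirect binding carries a raw DEFLATE stream (no zlib header).
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def inspect_logout_request(xml_text: str, endpoint: str) -> dict:
    """Report the fields that matter when an IdP validates the destination."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    dest = root.get("Destination")
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": dest,
        # Assumed comparison rule (trailing slash ignored), not Keycloak's own.
        "destination_matches": dest is not None
        and dest.rstrip("/") == endpoint.rstrip("/"),
        "signed": root.find("ds:Signature", NS) is not None,
    }


if __name__ == "__main__":
    print(inspect_logout_request(SAMPLE, ENDPOINT))
```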

James, did you find a solution to this logout issue?
Thanks!