Single Logout not working with GitLab and Keycloak

I intend to set up a Single Sign On/Out experience for the users of our GitLab instance.
To achieve this, I use Keycloak. I would like all login/logout to be made over our Keycloak instance.

Our GitLab instance is currently configured to use LDAPS for user authentication and SAML looks like the best SSO replacement for that in the case of GitLab.
Unfortunately I have not yet been able to find a solution to implement Single Logout with GitLab (Login works well). When a user clicks on the sign out button he gets immediately logged back in again. The Keycloak session does not get invalidated and we have the option ‘omniauth_auto_sign_in_with_provider’ enabled.

I have tried solving this issue by adding the following to our gitlab.rb file:

gitlab_rails['omniauth_providers'] = [
 {
    name: 'saml',
    args: {
        ...
        idp_slo_target_url: 'https://keycloak.instance/auth/realms/REALM-NAME/protocol/saml/logout'
        ...
    }
 }
]

After adding this and reconfiguring GitLab, however, there was no noticeable effect.
I tried the following pattern for idp_slo_target_url as well:
https://keycloak.instance/auth/realms/REALM-NAME/protocol/openid-connect/logout

This did not solve the problem.

As a workaround I even tried adding those sign-out URLs as an “After sign out path” in the GitLab admin GUI under Settings → General → Sign-in restrictions.
Unfortunately this didn’t work either.

Any help would be much appreciated!


Hello,

Did you manage to solve the problem?

Thank you.

Hi there,

I’m currently struggling with integrating Keycloak into GitLab too, to connect via OpenID Connect for authentication and authorization decisions.

I use Omnibus GitLab and have also done the configuration steps like @joel.

I used this documentation: Link and Link

Have you already made progress with the integration?
Why do you prefer to integrate Keycloak with SAML instead of OIDC? Did you also try this protocol? @joel