Two SAML clients not working as expected

Hi everybody,

I have KeyCloak configured in HA and now I’m trying to configure SAML for 2 different applications (Nextcloud and Zabbix) just to try.

I have configured the 2 clients and the SSO/SAML login works perfectly for either of the apps, but I’m only able to close the SSO session from the first SP where I logged in. I mean, if I log in with SAML at NextCloud and then SSO at Zabbix, the login procedure works, but if I close the session from Zabbix (the second SP where I logged in) the session is not closed; indeed the “Logout Service POST Binding URL” configured for Zabbix is not used, instead the SSO logout procedure uses the “Logout Service POST Binding URL” configured at the NextCloud client.

If I do the test logging in at the Zabbix SP first, the behaviour is the same, but the “Logout Service POST Binding URL” used when I close the SSO session from NextCloud is the one configured at the Zabbix client.

I think I have made a mess with the Logout Service POST URL and Logout Service Redirect URL, or something is messing up the 2 clients.

Any clue?

Make sure:

  1. Both SAML clients are in the same realm
  2. Both SAML clients have the Logout Service URL configured correctly, and it must be supported by the SP used (NextCloud, Zabbix)
  3. Both service providers support and have configured SAML single Logout Service properly

Blind guess (because you are a typical user, who claims “it doesn’t work” but doesn’t share any configuration): singleLogoutService is not configured in your Zabbix

It is also not clear what SSO session means in your case. There is usually an IDP session, but the Service Provider may maintain its own independent session, which needs to be terminated.
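The checklist above (same realm, Logout Service URL on the Keycloak client, and SLO actually declared by the SP) can be verified mechanically from the SP's SAML metadata. The following script is an added example, not code from this thread or from Keycloak: it parses SP metadata XML, lists the AssertionConsumerService and SingleLogoutService endpoints, and compares them with a small dictionary describing the Keycloak client's logout URLs. The metadata documents, the `example.test` hostnames and the dictionary keys (`logout_post_url`, `logout_redirect_url`) are constructed for the example and are not Keycloak's real attribute names; the rule that a logout URL pointing at an ACS location is a misconfiguration is a heuristic assumed here.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the two bindings Keycloak offers for logout.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_sp_metadata(xml_text):
    """Return entityID plus (binding, location) pairs for ACS and SLO endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    slo = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:SingleLogoutService", NS)]
    return {"entity_id": root.get("entityID"), "acs": acs, "slo": slo}


def check_client(metadata_xml, keycloak_client):
    """Compare an SP's metadata with the logout URLs set on its Keycloak client.

    keycloak_client is a constructed dict, e.g.
    {"logout_post_url": ..., "logout_redirect_url": ...} (hypothetical keys).
    Returns a list of human-readable findings; an empty list means consistent.
    """
    info = parse_sp_metadata(metadata_xml)
    findings = []
    if not info["slo"]:
        findings.append("SP metadata declares no SingleLogoutService: "
                        "SP-side single logout is not configured")
    slo_by_binding = dict(info["slo"])
    for binding, key in ((BINDING_POST, "logout_post_url"),
                         (BINDING_REDIRECT, "logout_redirect_url")):
        configured = keycloak_client.get(key)
        declared = slo_by_binding.get(binding)
        if configured and not declared:
            findings.append(f"Keycloak has {key} set but the SP declares no "
                            f"SLO endpoint for that binding")
        elif configured and declared and configured != declared:
            findings.append(f"{key} mismatch: Keycloak={configured} SP={declared}")
    # Heuristic (assumption): a logout URL equal to an ACS location means the
    # LogoutRequest is delivered to the assertion consumer, not an SLO endpoint.
    acs_locations = {loc for _, loc in info["acs"]}
    for key in ("logout_post_url", "logout_redirect_url"):
        if keycloak_client.get(key) in acs_locations:
            findings.append(f"{key} points at an AssertionConsumerService "
                            f"location rather than a SingleLogoutService")
    return findings


# Constructed sample metadata: an SP that declares SLO and one that does not.
SP_WITH_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://nextcloud.example.test/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://nextcloud.example.test/apps/user_saml/saml/sls"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nextcloud.example.test/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SP_WITHOUT_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://zabbix.example.test/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://zabbix.example.test/index_sso.php?acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Keycloak client settings for each SP.
CLIENT_OK = {"logout_redirect_url": "https://nextcloud.example.test/apps/user_saml/saml/sls"}
CLIENT_BAD = {"logout_post_url": "https://zabbix.example.test/index_sso.php?acs"}

if __name__ == "__main__":
    for name, xml, client in (("nextcloud", SP_WITH_SLO, CLIENT_OK),
                              ("zabbix", SP_WITHOUT_SLO, CLIENT_BAD)):
        print(name, check_client(xml, client) or ["consistent"])
```

Running it prints no findings for the first SP and three for the second: the SP declares no SLO endpoint, the Keycloak client nevertheless has a POST logout URL, and that URL is the SP's ACS location. Those are exactly the conditions the checklist asks you to rule out before looking at realm or session settings.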

Hi, I can confirm:

  1. Both SAML clients are in the same realm

  2. Both SAML clients have the Logout Service URL configured (let me put the dollar symbol so the editor does not create a hyperlink):
     In case of NextCloud:
     SLO URL: https$://keycloak.domain.com/auth/realms/demolab/protocol/saml
     In case of Zabbix:
     SLO Service URL: https$://keycloak.domain.com/auth/realms/demolab/protocol/saml

  3. Both SPs support SLS, unless they support SLO URL to logout sessions.

This is the Keycloak config for both SP:
NextCloud:

Zabbix:
Valid Redirect URIs: https$://zbkeycloak.domain.com/index_sso.php?acs
Assertion Consumer Service POST Binding URL: https$://zbkeycloak.domain.com/index_sso.php?acs
Logout Service POST Binding URL: https$://zbkeycloak.domain.com/index_sso.php?acs

If I initiate the SSO first at one of the SPs then I can SSO to the second SP, but I can only close the session from the SP where I initiated it, and the Logout Service URL used for either SP is the one configured in the IDP for the initiating SP… Is that the normal behavior?