Hi Keycloak Community,
Currently, I’m implementing OIDC and SAML with Keycloak. I have two questions:
- Will Keycloak send a backchannel logout request to the SP when a user is deleted in Keycloak?
- Does SAML support something like backchannel logout similar to OIDC? I want to log a user out on the SP after clicking the sign-out button on the session tab.
Thanks
Hi @maivanhung12c1,
Answer 1: Yes it does. If your SP supports this feature and it’s enabled in your keycloak it will work.
https://www.keycloak.org/docs/latest/server_admin/#backchannel-logout
Answer 2: As far as I know SAML does not support backchannel logout like OIDC but it provides SLO and it’s possible to use it to log a user out from multiple services if you configure it properly.
1 Like
Thank you for your detailed answer @ozdemirrulass ,
1: I don’t see any requests sent to my SP when I delete a user in Keycloak, unlike when I sign out a user in the session tab of Keycloak. My configuration for backchannel logout is as follows. I want Keycloak to send a request to “https://10.22.10.10:443/oidc/backchannel_logout” when I delete a user in Keycloak.
2: Does Keycloak support this? I don’t know how to configure Keycloak to send a request to my SP when I click the sign-out button, like I did with OIDC. Do you know how?
I don’t want to mislead you and It’s been a while since I last worked on something like this.
I just I took a quick look on one of my keycloak setup’s admin console and saw these options while defining an SAML IP
Which version of Keycloak do you use? I’d like to replicate and experiment on your issue when I have time.
1 Like
Also in case if it does not works as expected it is theoretically doable by adding a listener for account deletion event and triggering the logout.
1 Like
AFAIK the backchannel logout token will only be sent if the user session is actively being destroyed (either by the user itself or by an admin). When the user is being deleted, I think there will be no logout information sent. Also no notification is being sent if you click “log out all users” on the sessions menu (left side).
2 Likes
I’m using version 24.0.2, and I don’t see the configuration like yours. I have some configurations related to the Single Logout Service (SLS) as follows:
I tried to put my SLS URL in them, but my SP does not receive any information about a user logging out after I click sign-out for that user in the session tab.
Thanks for your information. According to your information, I will let users be logged out from my SP when their session expires after it is deleted from Keycloak. For question 2, what should I configure in Keycloak to send a request to my SP when I click the sign-out button on the session tab?