2
votes

I have one SP and one IDP using Keycloak. I'm using SAML protocol and I can successfully login and logout when the request is initiated by the SP.

But when, connected as an admin in Keycloak, I log out a user from his session, no request is sent to the SP. The session is indeed terminated on the IDP side but not on the SP side. Because of that, the user on the SP can still use the application.

I can't see any option in client configuration for that.

Has anyone made IDP-initiated logout in SAML work with Keycloak?
Could you give me some directions?

Thank you for your time.


2 Answers

1
votes

After some further research, this is not a feature of Keycloak.

https://www.keycloak.org/docs/2.5/server_admin/topics/sessions/administering.html

Quoting the docs:

Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.

1
votes

I had the same issue using the Keycloak SAML broker. It turned out that enabling back-channel logout (disabling front-channel logout) in the Keycloak client configuration solved my problem.

I am using 4.8.0.Final.
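Once back-channel logout is enabled, Keycloak pushes a SAML 2.0 LogoutRequest to the SP, and the SP still has to act on it or the session stays alive exactly as described in the question. The following is an added example (not code from the question, the answers or the Keycloak project) of the SP-side handling: it parses the LogoutRequest, ends every local session bound to the NameID and SessionIndex, and returns the status code for the LogoutResponse. The issuer URL, the session store and the sample request are constructed assumptions; signature validation of the request is assumed to happen before this step.

```python
"""SP-side handling of a back-channel SAML 2.0 LogoutRequest (added example)."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
EXPECTED_ISSUER = "https://idp.example.test/auth/realms/demo"  # assumed IdP entity id

# Constructed SP session store: local session id -> (NameID, SessionIndex)
SESSIONS = {
    "sp-sess-1": ("alice", "idx-111"),
    "sp-sess-2": ("alice", "idx-222"),
    "sp-sess-3": ("bob", "idx-333"),
}

def parse_logout_request(xml_text):
    """Return (issuer, name_id, [session indexes]) from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    return issuer, name_id, indexes

def handle_backchannel_logout(xml_text, sessions):
    """Terminate matching local sessions; return (status URI, ended session ids)."""
    issuer, name_id, indexes = parse_logout_request(xml_text)
    if issuer != EXPECTED_ISSUER:
        # Only the configured IdP may log users out of this SP.
        return STATUS_REQUESTER, []
    # Per SAML core 3.7.1: no SessionIndex means every session of that principal.
    victims = [sid for sid, (uid, idx) in sessions.items()
               if uid == name_id and (not indexes or idx in indexes)]
    for sid in victims:
        del sessions[sid]
    return STATUS_SUCCESS, victims

# Constructed sample of what the IdP would send for one of alice's sessions.
SAMPLE_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
  IssueInstant="2019-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>idx-111</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```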