I got a problem with logout using the SAML protocol in Keycloak Server 4.2.1. Next to the Keycloak there is a Wildfly 9 server. In the Wildfly server there are several .war files deployed. They are JSF applications with JEE7.
I configured the SAML adapter (keycloak-saml.xml) like this, similar to the documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-general-config):
<keycloak-saml-adapter>
    <SP entityID="amp"
        sslPolicy="EXTERNAL"
        logoutPage="logout.jsp">
        <Keys>
            <Key signing="true">
                <PrivateKeyPem>
                    ...CLIENT PRIVATE KEY...
                </PrivateKeyPem>
                <CertificatePem>
                    ...CLIENT CERTIFICATE ...
                </CertificatePem>
            </Key>
        </Keys>
        <PrincipalNameMapping policy="FROM_ATTRIBUTE"/>
        <IDP entityID="idp"
             signatureAlgorithm="RSA_SHA256"
             signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
            <SingleSignOnService signRequest="true"
                                 validateResponseSignature="true"
                                 requestBinding="POST"
                                 bindingUrl="http://localhost:8080/auth/realms/My-Realm/protocol/saml"/>
            <SingleLogoutService signRequest="true"
                                 signResponse="true"
                                 validateRequestSignature="true"
                                 validateResponseSignature="true"
                                 requestBinding="POST"
                                 responseBinding="POST"
                                 postBindingUrl="http://localhost:8080/auth/realms/My-Realm/protocol/saml"
                                 redirectBindingUrl="http://localhost:8080/auth/realms/My-Realm/protocol/saml"/>
            <Keys>
                <Key signing="true">
                    <CertificatePem>
                        ... REALM CERTIFICATE ...
                    </CertificatePem>
                </Key>
            </Keys>
        </IDP>
    </SP>
</keycloak-saml-adapter>
When I click the "logout button" the application calls the code below so that the Wildfly server invalidates the session.
((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest()).logout();
((HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false)).invalidate();
I checked it and it's working, the application invalidates the session.
Now after that, I have to tell the Keycloak server that it should invalidate this session too. Which URL do I have to call?
FacesContext.getCurrentInstance().getExternalContext().redirect(" ???? ");
Before I migrated to Keycloak Server 4.2.1, I had the older version 1.8.1 running. With the 1.8.1 server I called the URL
"http://localhost:8080/auth/realms/My-Realm/tokens/logout?redirect_uri=http://localhost:8180/amp".
But that is not working anymore.
I have tested several URLs but none of them are working. I checked the latest documentation https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2 and the parameter GLO=true is not working either. I also tried to configure "Logout Service POST Binding URL" and "Logout Service Redirect Binding URL" for the client in the Keycloak administration console.
Did I miss something in the code or the administration console of Keycloak? Do I have to call a specific URL in Keycloak 4.2.1?
If you need more information, let me know.
Thanks for your help.
Kind regards.
FacesContext context = FacesContext.getCurrentInstance();
((HttpServletRequest) context.getExternalContext().getRequest()).logout();
((HttpSession) context.getExternalContext().getSession(false)).invalidate();
context.getExternalContext().redirect("http://localhost:8180/MY_APP_NAME/saml/logout?GLO=true");
Sorry for the horrible format.. – XSLHater