I have a problem with Keycloak's configuration and Single Logout from a SAML Identity Provider.
Scenario:
- User tries to log into the Service Provider using Keycloak's client (OID)
- KC redirects to the SAML identity provider
- After entering correct credentials, the user is logged in, KC creates a session and the user is redirected back to the SP page
- In another tab the user logs directly into the IP (no credentials are needed because of SSO)
- User logs out from the SP
- After refreshing the 2nd tab (IP), the user is logged out.
However, if the user logs out from the IP first, the SP session is not closed and the user is still logged in:
- User logs out from the IP (redirect to the KC endpoint and return back to the IP login page)
- After refresh, the user is still logged in to the SP
Keycloak correctly receives the samlp:LogoutRequest and returns <samlp:LogoutResponse ...><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In the KC admin console I can still see there is an active session for the given client (and user). Actually I can see the SAML logout request from the IP only in KC stdout (request-dumper filter), but no logout event occurred in KC.
I don't really understand in detail how SAML works, but shouldn't the user be logged out from the SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration? Thank you for your help/explanation
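To show what an SLO endpoint has to do with an IdP-initiated LogoutRequest like the one in this question, here is an added example (not Keycloak's code and not the poster's): it matches the request's NameID and SessionIndex against locally recorded sessions, terminates the hits and answers Success only when something was actually terminated; the XML and session values are constructed for the demo.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

# Constructed sample of an IdP-initiated LogoutRequest (all values made up).
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
  <samlp:SessionIndex>idp-session-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def handle_logout_request(xml_text, sessions):
    """Terminate the local sessions named by a LogoutRequest.

    `sessions` maps a local session id to {'name_id', 'session_index'} as
    recorded when the user logged in through the IdP. Returns
    (status_code, list of terminated session ids). Signature validation of
    the request is assumed to have happened before this function is called.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    name_id_el = root.find(f"{{{SAML}}}NameID")
    if name_id_el is None or not (name_id_el.text or "").strip():
        return RESPONDER, []          # cannot identify the principal at all
    name_id = name_id_el.text.strip()
    # Zero SessionIndex elements means "every session of this principal".
    indexes = {e.text.strip() for e in root.findall(f"{{{SAMLP}}}SessionIndex") if e.text}
    hits = [sid for sid, s in sessions.items()
            if s["name_id"] == name_id and (not indexes or s["session_index"] in indexes)]
    if not hits:
        # Nothing matched: a Success here would hide exactly the symptom in the
        # question (LogoutResponse says Success, session stays active).
        return UNKNOWN_PRINCIPAL, []
    for sid in hits:
        del sessions[sid]             # the actual logout event
    return SUCCESS, hits


if __name__ == "__main__":
    active = {"kc-1": {"name_id": "alice", "session_index": "idp-session-42"}}
    print(handle_logout_request(LOGOUT_REQUEST, active), active)
```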
Requirements for Global Logout to work
When you log out from the SP first, your SP is sending a logout request to the IdP and that's why you are being logged out from the IdP as well as the SP. But in the other case, I believe the Logout URL is not being called (which could be due to missing configuration in the client).
Can you post a screenshot of the configuration to help you better?