How to log out the Okta session when the user logs out from the application that redirects to the Keycloak logout URL - keycloak

I have two Keycloak instances:
Keycloak A
Keycloak B
a. Keycloak A's IDP is configured with Okta.
b. Keycloak B's IDP is configured with a Keycloak A client.
c. The application connects to Keycloak B.
For the login flow:
When the user accesses the application URL, the application calls Keycloak B, Keycloak B makes a request to Keycloak A, and then Keycloak A connects to Okta and returns with success.
For the logout flow:
I am calling the URL format below. In this scenario the user session is removed from Keycloak B and Keycloak A, but the session is still valid in Okta. Because of this my application is not logging out, and on refresh it logs in again.
https://xxx/auth/realms/sofySolution/protocol/openid-connect/logout
Is there a way to achieve a complete logout from Keycloak B -> Keycloak A -> Okta?
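As an added example (not from the question or its answers) of what the logout URL above lacks: a small Python helper that builds an OIDC RP-Initiated Logout request for the Keycloak endpoint shown in the question and audits a request for the parameters the IdP needs in order to know which session to end and where it may redirect afterwards. The host name, the id token value and the redirect URI are constructed placeholders; the realm name and endpoint path are the ones from the question.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; the realm name and endpoint path come from the question.
KEYCLOAK_BASE = "https://keycloak-b.example.invalid"
REALM = "sofySolution"
LOGOUT_PATH = "/auth/realms/{realm}/protocol/openid-connect/logout"


def logout_endpoint(base: str, realm: str) -> str:
    """The realm's RP-Initiated Logout endpoint (legacy /auth prefix, as in the question)."""
    return base.rstrip("/") + LOGOUT_PATH.format(realm=realm)


def build_logout_url(base, realm, id_token_hint=None, client_id=None,
                     post_logout_redirect_uri=None, state=None):
    """Compose the logout request. id_token_hint (or client_id) tells the IdP which
    session and client the request belongs to; the IdP can only honour a
    post_logout_redirect_uri that it can match against that client's registered URIs."""
    params = {k: v for k, v in (("id_token_hint", id_token_hint), ("client_id", client_id),
                                ("post_logout_redirect_uri", post_logout_redirect_uri),
                                ("state", state)) if v}
    return logout_endpoint(base, realm) + ("?" + urlencode(params) if params else "")


def logout_params(url):
    """Single-valued view of the logout request's query parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def audit_logout_url(url):
    """Return findings explaining why a logout request may leave sessions alive.
    An empty list means the request carries what the IdP needs to act on it."""
    p = logout_params(url)
    findings = []
    if "id_token_hint" not in p and "client_id" not in p:
        findings.append("no id_token_hint or client_id: the IdP cannot tie the request to a session or client")
    if "post_logout_redirect_uri" in p and "id_token_hint" not in p and "client_id" not in p:
        findings.append("post_logout_redirect_uri cannot be validated without id_token_hint or client_id")
    if "redirect_uri" in p:
        findings.append("redirect_uri is an older Keycloak parameter, not the OIDC post_logout_redirect_uri")
    if "post_logout_redirect_uri" in p and not p["post_logout_redirect_uri"].startswith("https://"):
        findings.append("post_logout_redirect_uri is not https, so the post-logout redirect is tamperable in transit")
    return findings


if __name__ == "__main__":
    bare = logout_endpoint("https://xxx", REALM)  # the exact URL form from the question
    print(bare, audit_logout_url(bare), sep="\n  ")
    good = build_logout_url(KEYCLOAK_BASE, REALM, id_token_hint="<id-token-from-login>",
                            post_logout_redirect_uri="https://app.example.invalid/logged-out", state="xyz")
    print(good, audit_logout_url(good), sep="\n  ")
```

Run against the bare URL from the question, the audit reports that nothing identifies the session being ended, which is the first thing to check before looking at how the logout is propagated upstream.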

Related

Keycloak IDP forwarded auth does not redirect to front-channel logout URL

Situation
For my web application, I have set up a Keycloak (v18.0.0) realm with an external SAML IDP.
After successfully logging in, the application uses its own cookies (I can't change this since this is an external piece of software) and has a logout endpoint to destroy those cookies when visited through the browser.
In the corresponding client configuration, I set a front-channel logout URI to be called by the browser whenever a logout is triggered from the IDP.
Problem
When triggering the single sign-out from Keycloak itself using "https://baseurl/realms/my-realm/protocol/openid-connect/logout", Keycloak successfully logs out from the IDP and destroys its own cookies but does not redirect to the front-channel logout URI, which leaves the app in a logged-in state. I tested this without an IDP enabled and it logged me out from my app.
Question
How can I force Keycloak to trigger the front-channel logout URI on a single sign-out request?

SSO Between Keycloak IDP and another IDP

I own an application which has its own IDP - let's call it app1.
I would like to establish SSO to app2, which uses Keycloak as IDP - let's call it app2.
App1:
Up and running, so I cannot convert my IDP to Keycloak
App2:
No users yet
External vendor app (not managed on my domain)
Which possibilities do I have to establish SSO between app1 and app2?
Thanks
One possible scenario:
You could configure app1-IDP as a third-party IDP in your Keycloak. Then set app1-IDP as the Default Identity Provider in the Identity Provider Redirector authenticator in your realm's Browser Flow.
If app1-IDP should control the SSO session alone, you can then remove the Cookie authenticator from the Browser Flow.

How do I customize Keycloak (Broker) OpenID connect endpoint callback from 3rd party IdP?

I am using Keycloak as a broker with OIDC, connecting to a 3rd party IdP. The client app (Welcome page) calls Keycloak, then Keycloak redirects to the IdP login page. We have the following requirement:
1) User1 bookmarks the IdP login page. User1 logs in using the IdP login page. On successful authentication the IdP calls the OIDC endpoint and Keycloak redirects User1 to the client app.
2) User1 closes the browser without signing out.
3) User2 opens a new browser using the bookmarked page, enters credentials and on successful authentication the IdP calls back Keycloak.
At this point, I want to kill User1's active session and allow User2 in without showing any error on the Keycloak side (as if User1 had signed out and User2 logged in). Keycloak should redirect User2 to the client app.
Please suggest whether this can be done using an SPI.
Thanks in advance.

How can I have keycloak IDP trigger IDP initiated logout in my OIDC client SP

I have an OIDC client set up in Keycloak. I am using Keycloak as an IDP. When I hit a logout endpoint in Keycloak, I want to trigger logout from my SP.
How do I set this up?

Keycloak IDP initiated logout SAML

I have one SP and one IDP using Keycloak.
I'm using the SAML protocol and I can successfully log in and log out when the request is initiated by the SP.
But when, connected as an admin in Keycloak, I log out a user from his session, no request is sent to the SP.
The session is indeed terminated on the IDP side but not on the SP side.
Because of that the user on the SP can still use the application.
I can't see any option in the client configuration for that.
Has anyone made IDP-initiated logout in SAML work with Keycloak?
Could you give me some directions?
Thank you for your time.
After some more research, this is not a feature of Keycloak.
https://www.keycloak.org/docs/2.5/server_admin/topics/sessions/administering.html
Quoting the docs:
Only certain clients are notified of this logout event, specifically clients that are using the Keycloak OIDC client adapter. Other client types (i.e. SAML) will not receive a backchannel logout request.
I had the same issues using the Keycloak SAML broker. It turned out that enabling back-channel logout (disabling front-channel logout) in the Keycloak client configuration solved my problem.
I am using 4.8.0.Final