Problem with Keycloak and logout from SAML identity provider - single-sign-on

I have problem with Keycloak's configuration and Single Logout from SAML Identity Provider.
Scenario:
User tries to log into Service Provider using Keycloak's client (OID)
KC redirects to SAML identity provider
Entering correct credentials, user is logged in, KC creates session and user is redirected back to SP page
In another tab user directly logs into IP (no credentials are needed because of SSO)
User logs out from SP
After refresh 2nd tab (IP), user is logged out.
However, if user logs out from IP first, SP session is not closed and user is still logged in:
User logs out from IP (redirect to KC endpoint and return back to IP login page)
After refresh, user is still logged in SP
Keycloak correctly receives samlp:LogoutRequest request and returns <samlp:LogoutResponse
...
samlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In KC admin console I can still see there is active session for given client (and user). Actually I can see SAML logout request from IP only in KC stdout (request-dumper filter) but no logout event occured in KC.
I dont really understand in details how SAML works, but shouldn't be user logout from SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration?
Thank you for your help/explanation

Requirements for Global Logout to work
Clients which are being used for both the service providers should be in the same realm.
When you log out from IdP, do you see a request being fired to logout from each of the service providers? I believe in your case, it is not calling Logout URL for your SP. That needs to be configured at a client level.
If logout URL for SP is being called and if even then you are logged into your SP, then it means that SP has some issues in the implementation of Log out.
When you logout from SP first in that case your SP is sending logout request to IdP and that's why you are being logged out from IdP as well as SP.
But on the other case, I believe Logout URL is not being called (which could be due to missing configuration in the client).
Can you post a screenshot of the configuration to help you better?

Related

Keycloak IDP forwarded auth does not redirect to front-channel logout URL

Situation
For my web application, I have set up a keycloak (v18.0.0) realm with an external SAML IDP.
After successfully logging in, the application is using its own cookies (I can't change this since this is an external piece of software) and has a logout endpoint to destroy those cookies when visited through the browser.
In the corresponding client configuration, I set a front-channel logout URI to be called by the browser whenever a logout is triggered from the IDP.
Problem
When triggering the single sign-out from keycloak itself using this "https://baseurl/realms/my-realm/protocol/openid-connect/logout"`, keycloak successfully logs out from the IDP and destroys its own cookies but does not redirect to the front-channel logout URI, which leaves the app in a logged-in state. I tested this without an IDP enabled and it logged me out from my app.
Question
How can I force keycloak to trigger the front-channel logout URI on a single sign-out request?

ADFS do not forward the Logout request to the Identity Provider, if there is an active SAML session

I have next components:
RP-1 (connected by Ws-Fed, WIF)
RP-2 (connected by SAML, Federation Provider, actially it is another ADFS)
MY-ADFS (ADFS Server 2019 as primary STS)
MY-IP (separate Identity Provider web service, Identity Server 4)
Thus, when I make a sing-out request from RP-1(Ws-Fed), a simple Ws-Fed Logout is formed a request to ADFS:
GET https:/MY-ADFS/adfs/ls/
wtrealm: https://RP-1.com/
wa: wsignout1.0
wreply: https://RP-1.com/logout/
Next ADFS makes redirect to IP:
GET https://MY-IP/WsFederation
wa: wsignout1.0
wreply: https://MY-ADFS/adfs/ls/?redirectContextId=2dd581d2-6e02-4476-915b-a581e3c855d4
thus the user clears the session from ADFS and from IP. - as expected.
However, if before the logout, the transition to SAML RP was made and the SAML session became active, then upon exiting ADFS gives an error:
MSIS7055: Not all SAML session participants logged out properly. It is
recommended to close your browser.
To fix it, I configured the logout endpoint (URL) in the SAML relying party trust as:
https:/RP-2/adfs/ls/?wa=wsignout1.0
With POST binding. After these changes, the error disappeared. But now ADFS no longer does make Logout redirec to to IP, but instead it does a SAML Logout redirect to RP-2:
POST https://RP-2/adfs/ls/?wa=wsignout1.0
SAMLRequest: PHNhbWxwOkxvZ291dFJl
And as a result, Instead of switching to IP, I remain on the RP-2(ADFS also) page where it is written that the exit was successful. However, the user still has an active session (cookies) on the IP side.
Several questions here:
It is not clear why ADFS changes the chain of calls with the SAML active session.
It is not clear how to exclude SAML Logout redirects, or force ADFS to make Logout to IP also.
You will have to add the logout URL in the IP (Identity provider) side as well to ensure that the SAML token generated by signing out from the SaaS application through ADFS is forwarded to the Identity provider and is updated for logout at IP authorization provider end. So that, the cookie on the browser will be updated and sign out will be processed smoothly.
Please find the below probable steps to update the logout URL at the Identity Provider end: -
Open the authentication provider workspace.
Find the logout URL.
Update the URL to the ‘https://RP-2/adfs/ls/?wa=wsignout1.0’ same as that configured in ADFS Server.
Save your changes.
And as for your first query why ADFS changes the chain of calls with SAML active session, it is because the cookies and cache must be removed from the system for successful logout request, thus the logout time as recorded when signing out is updated at the SaaS app end and thus, it is recommended to close the browser let it update in the system also.
Thus, recommend you open both the RP trust apps in different browser windows as both are configured for different token providers.
Please refer the below thread for more information: -
How do you handle the logout process for applications federated with ADFS?
Thanking you,

How to send assertion from one Service Provider to another Service Provider to enable Single Sign on

I have two service providers(SP) and one common identity provider(IDP).
I can login to both my SP through IDP initiated SSO.
I have same user in both my SP so user lookup is working fine.
After logging in through IDP i have landed in SP1. In SPA i want a link which will be redirected to SP2 landing page without calling the login ti ISP again.
How can i do this?

Keycloak with OpenIdConnect external identityprovider

I have a external openidconnect identity provider registered with Keycloak. When the client app tries to access the protected resource it gets redirected to KeyCloak login page. On the login page I have the external openidconnect provider buttons enabled. Once the user clicks on the button he is taken to the external identity provider (which is identityserver3 instance). The external provider does authenticate the user and send back a code.
Now the redirecturl for the registered client in the external identity provider is that of keycloak's. So after authentication is successful at the external IDP it send back the code(because it is Auth code flow) to keycloak at a redirect url:
http://localhost:5555/auth/realms/QA/broker/keycloak-client/endpoint?code=7bcf5157105199d50874e64eabf03858&state=wQhNIEKW0Ws6CotZg2EsvOorjDVQlWVvobcM2skPSXo.keycloak-client&session_state=rhgu-BXT8FniG9Z-UARKpp_f-V1nLN-VxFmSE3PSxDg.99b2d903367208e4261fefa475afb1eb
In the URL if you see it ends with endpoint. I don't think that's correct but I cannot change it in KeyCloak (it's disabled) and because of that in the external IDP client configuration.
KeyCloak does not understand above url and errors out with a message "unexpected error when authenticating with Identity Provider"
Isn't KeyCloak supposed to understand the code flow and make another request for token after receiving the code. Then the external IDP will respond with token and Keycloak will send back that token to client(will also store it for future use).
Can someone please share some knowledge on how Keycloak works with external openidconnect ID provider with code flow.
Usually the redirect URI for external identity providers take the form of {keycloak-host}/auth/realms/{realm}/broker/{provider}/endpoint. You have to specify this as the redirect URI when you register your client in the external identity provider. Once the user is authenticated through the external IdP, authorization code will be sent to this url, which in turn will redirect it to the redirect url of your client application (specified when registering the client in Keycloak).
Unexpected error when authenticating with Identity Provider is the general error message sent by Keycloak for several errors that occur during the OAuth flow. You won't be able to determine the actual cause without going through the stack trace or the logs in the prompt.
You are getting this error because keyclaok is unable to get token from identityserver3 by exchanging authorization code. Where did you hosted identityserver3? Does it have a real ca certificate or you are using self sign certificate? Have you configured client_id , secret, token endpoint properly in keycloak external IDP configuration? You can test manually my posting client_id, secret, code (that you received) in token endpoint of identityserver3.

PingFederate IdP-initiated Logout, redirect to TargetResource

Ping Federate Logout From IdP flow as from the Ping Federate Documentation
Sequence
User initiates a single logout request. The request targets the
PingFederate server’s /idp/startSLO.ping endpoint.
PingFederate sends a logout request and receives responses from all
SPs registered for the current SSO session.
PingFederate redirects the request to the IdP Web application’s
Logout Service, which identifies and removes the user’s session locally.
The application Logout Service redirects back to PingFederate to
display a logout-success page.
But, I have a slight problem regarding the application Logout Service , which needs to set at IdP adapter configuration.
The problem is i have dynamic logout URL , due to which i can't use it in the Logout Service.
Currently i am trying to initialize the IdP initiated SLO. For which i am passing TargetResource to redirect user to IdP after SLO success.
https://idp.pf.com:9031/idp/startSLO.ping?PartnerSpId=testSpId&TargetResource=http%3A%2F%2Fdynamicsubhost.baseurl.com%3A8080%2Fweb%2Fmy-bank%2Flogout
Question :
So how can i rig the PingFederate setting to skip the Step 3 , so instead of redirecting to the IdP Logout service it redirects to TargetResource.
What i have tried :
I know it sounds cheesy , but actually i kept the IdP logout service to blank. But obviously it wasn't working.
P.S The awkward thing is when i was using same PF server for
configuring both IdP and SP server it was working well. But when i
switch to separate instance of PF server for hosting the PingFederate
Server the consequence is showing up.
You may add the "resume" parameter in your logout service redirect. This is how I implemented it in .NET. I have a web service that handles the SLO and calls this redirect:
Context.Response.Redirect(< SP Server DNS > + Context.Request("resume").ToString(), True)
This redirect will instantiate the Logout service and then redirect back to the value of the targetResource parameter that you specified when you called the logout service.
If your targetResource does not have a value the default SLO URL will be used (this is set in the Admin Console: SP Configuration > APPLICATION INTEGRATION SETTINGS > Default URLs)
For reference: Just review the implementation of the sample application that you may download here
https://www.pingidentity.com/content/dam/pic/downloads/software/integration-kits/-NET-Integration-Kit-2-5-1.zip