
Situation
For my web application, I have set up a Keycloak (v18.0.0) realm with an external SAML IDP. After successfully logging in, the application uses its own cookies (I can't change this since this is an external piece of software) and has a logout endpoint to destroy those cookies when visited through the browser.

In the corresponding client configuration, I set a front-channel logout URI to be called by the browser whenever a logout is triggered from the IDP.

Problem
When triggering the single sign-out from Keycloak itself using this URL, "https://baseurl/realms/my-realm/protocol/openid-connect/logout", Keycloak successfully logs out from the IDP and destroys its own cookies but does not redirect to the front-channel logout URI, which leaves the app in a logged-in state. I tested this without an IDP enabled and it logged me out from my app.

Question
How can I force Keycloak to trigger the front-channel logout URI on a single sign-out request?

Theo
