I have a Springboot app acting as an SP built by following this example. Below is my use case:
- Using Keycloak as an IDP.
- Launched SP-1 at port 3030 having EntityId login-app-one.
- Launched SP-2 at port 4040 having EntityId login-app-two.
- Registered these two instances in Keycloak as two clients in the same realm named demo.
- Created dummy user in Keycloak.
- Logged in to SP-1 successfully.
- Logged in to SP-2 successfully.
- I can see two sessions created in Keycloak admin console.
- Tried Global Logout from SP-1; Keycloak sessions are still active.
- Tried Global Logout from SP-2; Keycloak sessions are still active.
- Sometimes, doing a Global Logout from SP-2 lands me on SP-1 after redirection from Keycloak. This is weird. (Found the reason for this behaviour, see my update below.)
The important thing to note here is that if I have a single SP logged in, the Global Logout works fine. I'm trying to achieve simple SSO and SLO using multiple SPs, but it does not work.
I suspect the problem is with my Spring SAML app. I don't see any errors on the Springboot console.
Update:
- SLO is working well if the Springboot app is hosted on some domain. I deployed two instances of my Springboot app and the Keycloak server in a Docker container (using https://labs.play-with-docker.com/). So now the question is why it doesn't work on localhost.
- Logging out SP-1 lands me on SP-2 because the Front Channel Logout option was enabled in the client settings in my Keycloak server. Because of this, Keycloak logs out all the clients one by one through a browser redirect.
question from:
https://stackoverflow.com/questions/65834833/single-logout-not-working-with-multiple-sp-spring-security-saml