25,088 questions
SAML Logout Issue with Microsoft Entra ID and Keycloak 18v – Session Not Terminating on Entra
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 76%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
SP
5
Reputation points
Description:
We have configured SAML-based SSO with Microsoft Entra ID as the external IdP for our application using Keycloak 18v. The setup details are attached in the screenshot. However, we’re facing a critical issue with the logout process:
- When a user logs out of our application, the session is terminated in both the application and Keycloak, but the session remains active in Entra ID.
- This causes a security issue: if another user attempts to log in on the same system (using the same browser), they are not prompted to reauthenticate with Entra ID and are automatically logged in without entering credentials.
Steps to Reproduce:
- USER-1 logs into our application via Chrome. Since it’s their first login, they are redirected to Entra ID for SSO authentication, enter their credentials, and log in successfully.
- USER-1 logs out of the application.
- USER-2 attempts to log in using the same browser. Instead of being prompted for authentication, USER-2 is automatically logged into the application as soon as they enter their username.
Expected Behavior:
- After logout, the Entra ID session should also terminate, ensuring that any subsequent login attempt prompts for reauthentication.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} vote
-
SP 5 Reputation points
2025-06-02T15:40:03.0133333+00:00 Hey Team, I'm waiting for your response. Thank you!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 94%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
-
SP 5 Reputation points
2025-06-04T09:44:16.9966667+00:00 Hi Deepthi,
Please refer to the previously attached Keycloak SAML.png, which contains all information related to our SAML setup.
FYI, we are using Keycloak 18 version.
-
Deepthi R 25 Reputation points Microsoft External Staff Moderator
2025-06-04T18:44:28.6966667+00:00 Hi SP,
Thank you for the details.
To troubleshoot this issue, you need to use HTTP trace debugging tools like Fiddler to inspect what happens when the logout button is clicked in your web application. Ideally, it should trigger an HTTP redirect to:https://login.windows.net/{tenant-id or "common"}/oauth2/logout?post_logout_redirect_uri={URL}. I feelLogoutRequestmessage to Microsoft Entra ID not received and hence it is not terminating the session. -
SP 5 Reputation points
2025-06-05T15:15:04.6433333+00:00 Hi Deepthi,
Please find the attached flow while we log out of the application. When BackChannel Logout and HTTP-POST Binding Logout is OFF in Keycloak then the user session from the external Identity Provider (Entra) is being deactivated, but not from the SP Keycloak during logout. We are receiving a 404 error when logging out of the application.
https://<url>/auth/realms/customers/broker/BtiqEntraSamlTestUnstableDonotDelete/endpoint/logout_response?SAMLResponse=fZLLjtswDEV%2fxdBell%2fyQ3AMtHUXAaabJp1FNwEt0x2jtuSKMqb9%2b2qSzCKbWVLQveQ9ZEuwLpt6sr%2fs7r8jbdYQRsf%2bwC4om2mEBHlVlSUvKl1zkAg8lRrGYZrSRk8sekZHszUHlsUJi45EOx4NeTA%2bPCWZ5EnJE3lOCyVzJZs4rfOfLOqR%2fGzAX5Uv3m%2bkhBj8%2fIfvb%2bJhQW7%2bZWbLYgIgbmJtVwG7fxEOYVlJ6J28XUNvMTj7G534HMRfjXdwCoHOwf7H3ai3xvoeF%2fQo0IybnY0XyzXvxd0Dh8HNe%2fizPbBjf4EGKt3onDcVZryo04w3xZBzGKpCFrKesJYs%2brsuhtSV4YHtzigLNJMysCIpr9Xp07cnFciozVlvtV1Y114ZuZv0YxEQoXtjxLp3RuQpfp3NaF8pNuhFndVJOiY1L9OyDkuSEx9GmfCkbiDJh7IoCy1acevZtbdtnzz4nR6rL3bE6BmWHT%2beKUANv9Vp1xqJmOha8Wh6Lx8vqvsP&RelayState=5f587310-9902-4082-93c2-be6676d49bdf&Signature=YOnA4WBbiIymAHzaZHFzW6JLNu402mlMfAQ57zPeb3neihDRecRjo3LMao8QpYsXA1Apfyo%2fXb4nGgKhhumleqHDtQBBR9ijjLKBxoaGa9QQL9au5PbxctzuQ1knmXj2z48cIHfH38xikZLoH%2f6Wr%2fHOd%2f07EWqKr6R5UQzAlg7%2b0LSekRsmuR6a%2b6padod7TPksopf1EBVrsbxob4v4WMP9guRDq2GM21rXI%2bxW8ixBbPOoYdv7VQtYFNSsn5fM8RPhB35R2%2b%2bOnbVVYxn7N0z6HjhQo4ILDRlo3ljeVKlUokGZGB7JvuKFCPb51jZ%2bnVrtOs7ofHbbej2pZ6nAFQ%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
FYI, I have changed the IDP name from EntraSamlTest to BtiqEntraSamlTestUnstableDonotDelete everywhere. In the previously attached screenshot, you can consider the updated broker name as BtiqEntraSamlTestUnstableDonotDelete.
-
SP 5 Reputation points
2025-06-05T15:25:56.24+00:00 Hi Deepthi,
Please find the attached flow while we log out of the application. When BackChannel Logout and HTTP-POST Binding Logout is OFF in Keycloak then the user session from the external Identity Provider (Entra) is being deactivated, but not from the SP Keycloak during logout. We are receiving a 404 error when logging out of the application.
https://<url>/auth/realms/customers/broker/BtiqEntraSamlTestUnstableDonotDelete/endpoint/logout_response?SAMLResponse=fZLLjtswDEV%2fxdBell%2fyQ3AMtHUXAaabJp1FNwEt0x2jtuSKMqb9%2b2qSzCKbWVLQveQ9ZEuwLpt6sr%2fs7r8jbdYQRsf%2bwC4om2mEBHlVlSUvKl1zkAg8lRrGYZrSRk8sekZHszUHlsUJi45EOx4NeTA%2bPCWZ5EnJE3lOCyVzJZs4rfOfLOqR%2fGzAX5Uv3m%2bkhBj8%2fIfvb%2bJhQW7%2bZWbLYgIgbmJtVwG7fxEOYVlJ6J28XUNvMTj7G534HMRfjXdwCoHOwf7H3ai3xvoeF%2fQo0IybnY0XyzXvxd0Dh8HNe%2fizPbBjf4EGKt3onDcVZryo04w3xZBzGKpCFrKesJYs%2brsuhtSV4YHtzigLNJMysCIpr9Xp07cnFciozVlvtV1Y114ZuZv0YxEQoXtjxLp3RuQpfp3NaF8pNuhFndVJOiY1L9OyDkuSEx9GmfCkbiDJh7IoCy1acevZtbdtnzz4nR6rL3bE6BmWHT%2beKUANv9Vp1xqJmOha8Wh6Lx8vqvsP&RelayState=5f587310-9902-4082-93c2-be6676d49bdf&Signature=YOnA4WBbiIymAHzaZHFzW6JLNu402mlMfAQ57zPeb3neihDRecRjo3LMao8QpYsXA1Apfyo%2fXb4nGgKhhumleqHDtQBBR9ijjLKBxoaGa9QQL9au5PbxctzuQ1knmXj2z48cIHfH38xikZLoH%2f6Wr%2fHOd%2f07EWqKr6R5UQzAlg7%2b0LSekRsmuR6a%2b6padod7TPksopf1EBVrsbxob4v4WMP9guRDq2GM21rXI%2bxW8ixBbPOoYdv7VQtYFNSsn5fM8RPhB35R2%2b%2bOnbVVYxn7N0z6HjhQo4ILDRlo3ljeVKlUokGZGB7JvuKFCPb51jZ%2bnVrtOs7ofHbbej2pZ6nAFQ%3d%3d&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
FYI, I have changed the IDP name from EntraSamlTest to BtiqEntraSamlTestUnstableDonotDelete everywhere. In the previously attached screenshot, you can consider the updated broker name as BtiqEntraSamlTestUnstableDonotDelete.
-
SP 5 Reputation points
2025-06-06T06:35:34.89+00:00 Hi,
As per the message above, when BackChannel Logout and HTTP-POST Binding Logout is OFF in Keycloak then the user session from the external Identity Provider (Entra) is being deactivated, but not from the SP Keycloak during logout. Additionally, i have sent a detailed network tracing where we can SAML Request and response has been sent.
But, when BackChannel Logout is disabled and HTTP-POST Binding Logout is enabled. We don't see any SAML Request during logout of the application. PFA the screenshots.
Expectation:
After logout, the Entra ID and keycloak user session should also terminate, ensuring that any subsequent login attempt prompts for reauthentication.
NOTE: Entra and Keycloak setup details are already shared. We have not made any changes to the setup
.Logout-1.png Logout-2.png -
Deepthi R 25 Reputation points Microsoft External Staff Moderator
2025-06-06T09:04:35.8966667+00:00 Hi SP,
Can you try HTTP-POST Binding Response to OFF and see the flow please.
This setting determines how the SAML logout response is sent back to Keycloak from the IdP (Microsoft Entra ID).
ON -> IdP sends
SAMLResponseusing HTTP-POST (HTML form POST).OFF -> IdP sends
SAMLResponseusing HTTP-Redirect (URL-based redirect with query string).Since Microsoft Entra ID only supports redirect binding for logout, this must be OFF.
-
-
SP 5 Reputation points
2025-06-09T07:50:55.2766667+00:00 Hi Deepthi,
I have already shared the information in my above messages.
Case-1:
When BackChannel Logout and HTTP-POST Binding Logout is OFF in Keycloak, then the user session from the external Identity Provider (Entra) is being deactivated, but not from the SP Keycloak during logout. We are receiving a 404 error when logging out of the application.Case-2: When BackChannel Logout is enabled and HTTP-POST Binding Logout is disabled. We don't see any SAML Request during logout of the application.
Case-3:
When BackChannel Logout is disabled and HTTP-POST Binding Logout is enabled. We don't see any SAML Request during logout of the application.Observation:
Case-2 and Case-3 scenarios, the Logout flow is the same.Please check the above messages and screenshots for better understanding.
-
SP 5 Reputation points
2025-06-11T06:38:09.93+00:00 Hi Deepthi,
Do you have any updates on this ?
Did you try to replicate the same setup in your side and check the flow ?
-
SP 5 Reputation points
2025-06-13T08:14:08.3633333+00:00 Hi Team,
We are still waiting for a response from you.
Sign in to comment
Sign in to answer