jon-4998 asked sikumars commented

Keycloak Single logout with Azure AD saml Application

We have configured keycloak as our identity provider and have added Azure AD as an identity provider using SAML. In Azure AD we have an Enterprise Application with Single Sign on using SAML.

In Keycloak we have turned on Backchannel Logout; I've set the Single Sign-On Service URL and Single Logout Service URL to the URL provided by Azure.

We can log in to our application fine, but when we log out of our application, we are only logged out of our application and not logged out of our Azure AD account. I can see the SLO request being sent to Azure from Keycloak, but for some reason we aren't logged out.

Does anyone know why SLO isn't working?
I'm wondering if it has to do with not setting the Azure AD Identifier in Keycloak, but I'm not sure where to set it in Keycloak.

Any help would be greatly appreciated.

azure-ad-saml-sso

Hi @jon-4998,
I wanted to check in and see whether you had any other questions or were able to resolve this issue. If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 Answer

sikumars answered sikumars edited

Hi @jon-4998,

Thanks for reaching out and apologies for the delayed response.

This would require HTTP trace debugging (with a tool such as Fiddler) to see what's being called when you click logout in your web app, because it is supposed to trigger an HTTP redirect logout call to https://login.windows.net/{tenantid or "common"}/oauth2/logout?post_logout_redirect_uri={URL} (the URL needs to be a reply URL registered with your application in Azure AD). This would also help us validate whether the application is clearing the user's session data successfully. To learn more, refer to this guidance on the Single Sign-Out SAML Protocol.

Also make sure you didn't configure an incorrect "Front-channel logout URL" in the Azure AD app registration.

Hope this helps.



Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
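As an added example (not from this thread, Keycloak or Azure AD), the following Python decodes a SAML LogoutRequest captured from such an HTTP trace (HTTP-Redirect binding: raw DEFLATE, then base64, in the SAMLRequest query parameter) and reports the mismatches that typically make an IdP ignore it: wrong Destination, an Issuer that does not match the Identifier (Entity ID) registered for the enterprise app, a missing NameID, or an unsigned redirect. The tenant id, entity ID, Keycloak realm and signature values are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values standing in for a real deployment (assumptions, not from the thread).
AZURE_SLO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
APP_ENTITY_ID = "https://keycloak.example.com/realms/demo"  # Identifier (Entity ID) of the Azure app

def encode_redirect_binding(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()

def decode_redirect_binding(saml_request: str) -> bytes:
    return zlib.decompress(base64.b64decode(saml_request), -15)

def build_redirect_url(xml_bytes: bytes, signed: bool = False) -> str:
    """Assemble the redirect a browser would follow; the signature values are placeholders."""
    params = {"SAMLRequest": encode_redirect_binding(xml_bytes)}
    if signed:
        params.update(SigAlg="placeholder-alg", Signature="placeholder-sig")
    return AZURE_SLO_URL + "?" + urlencode(params)

def inspect_logout_redirect(redirect_url: str, slo_url: str, entity_id: str) -> list:
    """Return findings that explain why the IdP might ignore this LogoutRequest."""
    qs = parse_qs(urlparse(redirect_url).query)
    root = ET.fromstring(decode_redirect_binding(qs["SAMLRequest"][0]))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return ["redirect does not carry a LogoutRequest"]
    findings = []
    if root.get("Destination") != slo_url:
        findings.append("Destination %r is not the Azure Logout URL" % root.get("Destination"))
    if root.findtext("saml:Issuer", namespaces=NS) != entity_id:
        findings.append("Issuer does not match the Identifier (Entity ID) registered in Azure")
    if root.find("saml:NameID", NS) is None:
        findings.append("no NameID: the IdP cannot tell which user session to end")
    if "Signature" not in qs or "SigAlg" not in qs:
        findings.append("redirect is unsigned (no Signature/SigAlg query parameters)")
    return findings

# Constructed LogoutRequest like one a trace might show Keycloak sending; it is left
# unsigned and given a wrong Issuer so that the checks have something to report.
SAMPLE_XML = b"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0"
  IssueInstant="2021-07-02T10:25:01Z" Destination="%s">
  <saml:Issuer>https://keycloak.example.com/realms/wrong-realm</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
</samlp:LogoutRequest>""" % AZURE_SLO_URL.encode()
```

Paste the SAMLRequest value from the trace into `build_redirect_url`'s place (or the full redirect URL into `inspect_logout_redirect`) and compare the findings against the Logout URL and Identifier shown on the enterprise app's SAML configuration page.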
