cloudtrust / keycloak-wsfed

WS-Federation implementation for keycloak
GNU Affero General Public License v3.0

Frontchannel logout problem #47

Open vanrar68 opened 4 years ago

vanrar68 commented 4 years ago

The way Keycloak is chaining the WSFED logout requests when a user is connected to multiple WSFED clients can lead to the user not being disconnected from some of these clients.

Imagine the following scenario:

This is how things are supposed to work in a frontchannel logout scenario (exactly like for SAML but without the token). The problem is that a few well known WSFED clients (namely Microsoft Sharepoint and Exchange OWA) won't make use of the wreply parameter when receiving a wa=signoutcleanup1.0 request. Keycloak will never get a chance to trigger a logout request directed at Client2 and Client3. In the above scenario this means that after clicking the "logout" link in Client1, the user will still have a valid session in Client2 and Client3 and, even worse, will have no clue about it.

A solution would be the following scenario:

This way the logout requests initiated by Keycloak are independent of the client behaviour. Ideally, upon receiving a wa=signout1.0 request Keycloak could send a single response containing multiple iFrames pointing to the connected clients logout URLs in order to trigger all logouts in the same request (just like ADFS does) but that would require changes at Keycloak level.

I've implemented and tested this successfully with Sharepoint. I can submit a PR with both the current behavior and the iFrame logout as an alternative. Let me know.
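An added example (not code from keycloak-wsfed or from the issue author) that models the two logout strategies described above: the serial chain stops at the first relying party that ignores wreply, while the iframe page reaches every relying party in one response. Host names and paths are constructed; the action names are the WS-Federation 1.2 values wsignout1.0 and wsignoutcleanup1.0.

```python
"""Serial (wreply-chained) vs parallel (iframe) WS-Federation front-channel logout.

Added example, not part of keycloak-wsfed. A relying party (RP) with
honors_wreply=False models the SharePoint / OWA behaviour reported in the issue.
"""
from dataclasses import dataclass
from html import escape
from typing import Optional
from urllib.parse import urlencode

IDP_LOGOUT = "https://idp.example.test/realms/demo/protocol/wsfed"  # constructed
WA_SIGNOUT = "wsignout1.0"          # RP -> IdP sign-out request (WS-Fed 1.2)
WA_CLEANUP = "wsignoutcleanup1.0"   # IdP -> RP clean-up request (WS-Fed 1.2)


@dataclass(frozen=True)
class RelyingParty:
    name: str
    logout_url: str
    honors_wreply: bool  # False: RP never redirects the browser back to wreply


def cleanup_url(rp: RelyingParty, wreply: Optional[str] = None) -> str:
    """URL the IdP sends the browser to so the RP clears its own session."""
    params = {"wa": WA_CLEANUP}
    if wreply:
        params["wreply"] = wreply
    return f"{rp.logout_url}?{urlencode(params)}"


def serial_logout(initiator: RelyingParty, others: list) -> tuple:
    """Chain clean-ups through the browser; the chain breaks if an RP drops wreply."""
    urls, logged_out = [], {initiator.name}
    for rp in others:
        urls.append(cleanup_url(rp, wreply=IDP_LOGOUT))  # wreply points back to the IdP
        logged_out.add(rp.name)  # this RP did receive its clean-up request
        if not rp.honors_wreply:
            break                # browser never returns, so the IdP cannot continue
    return urls, logged_out


def parallel_logout(initiator: RelyingParty, others: list) -> tuple:
    """One IdP response with a hidden iframe per RP; independent of RP behaviour."""
    frames = "\n".join(
        f'<iframe src="{escape(cleanup_url(rp))}" style="display:none"></iframe>'
        for rp in others
    )
    page = f"<html><body><p>Signing out...</p>\n{frames}\n</body></html>"
    return page, {initiator.name, *(rp.name for rp in others)}
```
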

vanrar68 commented 4 years ago

FYI the logout chaining problem is described in section 4.2 and in section 13.1.2 of the WSFED specs.

fperot74 commented 4 years ago

Ideally, it would be great to have a toggle button to enable serial (like for SAML) or parallel (iframe) logout mechanism. Anyway, your PR would be welcomed...

vanrar68 commented 4 years ago

I'll submit a PR for this