XCP-ng

    Authentication with OIDC (Keycloak) is working but logout doesn't disconnect Keycloak session

    • dsmteam

      We were able to connect with OIDC via Keycloak with this guide (https://xen-orchestra.com/blog/xen-orchestra-5-80/, Olivier Lambert being on top of everything as usual 🙂).
      Unfortunately, when we disconnect, the user is not disconnected from Keycloak and the session stays active.
      We are using the .well-known/openid-configuration URL, so the logout URL should be taken into account, but we don't see any log showing further communication between XOA and Keycloak when we log out from XOA.
      Any idea is appreciated.

      • olivierlambert Vates 🪐 Co-Founder CEO

        Hi,

        nathanael-h might take a look if we have the same problem and/or if it's "normal". Ideally, create a support ticket to get an investigation faster than via a community post.

        • dsmteam @olivierlambert

          olivierlambert We are in the process of purchasing enterprise licenses for a 4-host cluster. It's not a big deal, so I'll wait until we have support to open a ticket.

          • nathanael-h Vates 🪐 DevOps Team

            Hello, thanks for the report. Actually, XO does not implement Single Log Out. So it is expected that only the session related to XO is invalidated when the user clicks on the logout button.
            Maybe something to add in XO6, ping pdonias?

            • dsmteam @nathanael-h

              nathanael-h In the context of SSO, it makes sense not to log out the session of the IDP, as it might be used for other SPs, but usually when one disconnects from an application (like logging out from Google), you get an option to log out from all other applications.
              This would send the logout to the IDP?

              • nathanael-h Vates 🪐 DevOps Team @dsmteam

                dsmteam Yes, I totally agree: a user who logs out from XO might also have the choice to log out from all SSO'ed applications. That would be for the feature request list 😉

                1 Reply Last reply Reply Quote 1
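
What the optional "log out from all applications" step discussed in this thread involves on the relying-party side, using OpenID Connect RP-Initiated Logout and the `end_session_endpoint` advertised in `.well-known/openid-configuration`. This is an added example, not Xen Orchestra code and not part of any post above; the function names, the session object and the sample discovery values are assumptions.

```javascript
// Added example. All names and sample values are constructed, not XO code.
// Shaped like the relevant part of a Keycloak .well-known/openid-configuration.
const sampleDiscovery = {
  issuer: 'https://idp.example.test/realms/demo',
  end_session_endpoint:
    'https://idp.example.test/realms/demo/protocol/openid-connect/logout',
}

// Build the RP-initiated logout URL the browser is redirected to.
function buildIdpLogoutUrl(discovery, { idToken, postLogoutRedirectUri, state }) {
  const endpoint = discovery.end_session_endpoint
  if (endpoint === undefined) {
    throw new Error('IdP does not advertise end_session_endpoint')
  }
  const url = new URL(endpoint)
  // Conservative check (an assumption of this example): only redirect to an
  // HTTPS endpoint that lives on the issuer's own origin.
  const issuerOrigin = new URL(discovery.issuer).origin
  if (url.protocol !== 'https:' || url.origin !== issuerOrigin) {
    throw new Error('end_session_endpoint is not on the issuer origin')
  }
  // id_token_hint tells the IdP which session the logout request refers to.
  url.searchParams.set('id_token_hint', idToken)
  if (postLogoutRedirectUri !== undefined) {
    // Must match a post-logout redirect URI registered for the client.
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri)
    url.searchParams.set('state', state)
  }
  return url.toString()
}

// Logout handler: the local session is always ended; the IdP session is
// ended only when the user chose "log out everywhere".
function logout(session, discovery, { everywhere, postLogoutRedirectUri, state }) {
  const idToken = session.idToken
  session.user = undefined
  session.idToken = undefined
  if (!everywhere || idToken === undefined) {
    return { redirectTo: '/' } // local logout only, IdP session stays active
  }
  return {
    redirectTo: buildIdpLogoutUrl(discovery, { idToken, postLogoutRedirectUri, state }),
  }
}
```

The ID token has to be kept with the local session until logout for `id_token_hint` to be available.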