SAML Backchannel logout

Pages Laurent

Jan 4, 2022, 2:19:24 AM
to keyclo...@googlegroups.com

Hello,

I’m currently struggling with the SAML backchannel logout of Keycloak.

When Keycloak wants to log out a given Service Provider over backchannel, it makes a POST-binding-formatted request with an HTTP client [1]. Some custom code tries to handle potential 302 redirects, and the response content is ignored.

To me, this is not compliant with the SAML specification, as the only backchannel binding is the SOAP binding [2].

  1. Is there any reason why the backchannel logout was implemented like this in Keycloak?
  2. Is there any plan to add the SOAP binding in the single logout context?

Thanks!

Laurent

[1] https://github.com/keycloak/keycloak/blob/208e45cfb2441580af952bd380500d33d5297f3c/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java#L768

[2] https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, section 4.4.3
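
The two wire formats contrasted in the post above, as an added example that is not part of the original message and is not Keycloak's code: the same `LogoutRequest` carried in HTTP-POST binding form and in SOAP binding form, with a service-provider-side helper that tells them apart. Function names, the issuer URL, the ID and the NameID are hypothetical or constructed; signature verification is assumed to happen elsewhere.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned sample; issuer, ID and NameID are placeholders.
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2022-01-04T00:00:00Z">'
    '<saml:Issuer>https://idp.example/realm</saml:Issuer>'
    '<saml:NameID>alice@example.org</saml:NameID></samlp:LogoutRequest>'
)

def as_post_binding(xml):
    """HTTP-POST binding shape: base64 XML in a SAMLRequest form field."""
    form = {"SAMLRequest": base64.b64encode(xml.encode()).decode()}
    return "application/x-www-form-urlencoded", urlencode(form).encode()

def as_soap_binding(xml):
    """SOAP binding shape: the message is the only child of a SOAP 1.1 Body."""
    env = f'<s:Envelope xmlns:s="{SOAP}"><s:Body>{xml}</s:Body></s:Envelope>'
    return "text/xml", env.encode()

def extract_logout_request(content_type, body):
    """Return (binding, LogoutRequest element); raise ValueError otherwise.
    Hypothetical SP-side helper. Signature checks and hardened XML parsing
    (e.g. defusedxml) are out of scope and required before acting on it."""
    ctype = content_type.split(";")[0].strip().lower()
    try:
        if ctype == "application/x-www-form-urlencoded":
            field = parse_qs(body.decode("ascii"))["SAMLRequest"][0]
            binding, root = "HTTP-POST", ET.fromstring(base64.b64decode(field, validate=True))
        elif ctype == "text/xml":
            env = ET.fromstring(body)
            if env.tag != f"{{{SOAP}}}Envelope":
                raise ValueError("not a SOAP 1.1 envelope")
            binding, root = "SOAP", env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}LogoutRequest")
        else:
            raise ValueError(f"unsupported content type: {ctype}")
    except (KeyError, ET.ParseError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed logout request: {exc!r}") from exc
    if root is None or root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("no samlp:LogoutRequest found")
    return binding, root
```

Under the SOAP binding the service provider answers in the same HTTP response with a `samlp:LogoutResponse` wrapped in a SOAP envelope.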
