Single Logout issue: logging out from Keycloak does not terminate Rancher v2.13 session
Rohan Bachhav
I’m seeing a Single Logout issue between Keycloak and Rancher.
Environment
- Keycloak v24.0.5
- Rancher: v2.13
- Realms:
- central-realm (main SSO realm for users)
- devrancher (realm used only for Rancher)
- In devrancher I have an Identity Provider of type "Keycloak OIDC" pointing to central-realm.
What I want
- If a user logs out from **Keycloak** (central-realm):
- Rancher session should be logged out as well.
- Next time the user opens Rancher they should be redirected to Keycloak login again.
- If a user logs out from **Rancher**:
- Only Rancher should log out. Keycloak SSO session should remain active.
Current behaviour
1. User flow:
- User opens keycloak account and logs in.
- Then opens rancher account, gets redirected to Keycloak, and logs into Rancher successfully.
- So login integration works fine.
2. Logout from Rancher:
- In Rancher I configured "Log Out behavior" as:
- “Log out of Rancher and not keycloakoidc”.
- Logging out from Rancher behaves as expected: Rancher session is cleared, Keycloak stays logged in.
3. Logout from Keycloak:
- User clicks **Sign Out** in the central-realm account console.
- In Keycloak I see that the central-realm session is removed.
- However the Rancher UI is still accessible without re-login (Rancher session cookie is still valid).
- I tried configuring in devrancher → client `login with keycloak`:
- Front-channel logout ON
- Front-channel logout URL = `https://rancher-url/logout` (also tried `/dashboard/auth/logout`)
- This does not change the behaviour: logging out from Keycloak does **not** trigger a logout in Rancher.
Questions
1. Is there a recommended / working configuration for:
- “Logout from Keycloak should log out Rancher too”
- “Logout from Rancher should not log out Keycloak”
when Rancher v2.13 uses Keycloak via a broker realm (devrancher → central-realm)?
Thanks in advance for any hints or working examples.
Regards,
“DISCLAIMER: This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the intended recipient(s). If you are not the intended recipient(s), please notify the sender by e-mail and delete the original message. Any misuse of this email or data in the e-mail is unlawful. Easebuzz Private Limited, has taken every reasonable precaution to minimize risks of virus, trojans, technical glitched transmitting through email, however Easebuzz Private Limited disclaims all responsibility and liability (including errors, loss and negligence) as a result of any virus, trojan, technical glitches in this e-mail. We recommend you to carry out your own technical checks for information security and take any required precautions before opening the e-mail or attachment. Messages sent to or from this e-mail address may be stored on the Easebuzz e-mail system and Easebuzz reserves the right to monitor and review the content of all messages sent to or from this e-mail address.”