Keycloak SAML single logout


Alan Baltic

Dec 9, 2024, 9:45:00 AM
to Wazuh | Mailing List
Hi all,

I set up SAML login using Keycloak by following this guide.
Everything works fine, but there is one major issue. If I sign out a user directly from Keycloak (go to Sessions -> Sign out), the user is still logged in to the Wazuh dashboard.
If I set Logout Service POST Binding URL in Keycloak, it seems that it never calls the logout URL in the Wazuh dashboard (OpenSearch).
Is that still a known issue, or is there a solution for this problem?

All Wazuh components are updated to the latest (2.9.2)

Thank you,
Alan


Fabian Ruiz

Dec 9, 2024, 10:32:31 AM
to Wazuh | Mailing List
Hi Alan,

As mentioned in the documentation, the URL that you must configure in Logout Service Redirect Binding URL must be https://<WAZUH_DASHBOARD_URL>; you can check that this is the case. I also recommend checking that all the settings mentioned in the guide are correct on your side. Finally, you can check the dashboard logs to see if there is any error. You can also check the version of Wazuh from the dashboard: in the menu, select Dashboard management -> About, where you can see which version it is.


Regards

Alan Baltic

Dec 10, 2024, 10:44:42 AM
to Wazuh | Mailing List
Hi Fabian,

Logout Service Redirect Binding URL is set and it is WAZUH_DASHBOARD_URL. This works fine. So when I log out in the Wazuh dashboard, the Keycloak session is also terminated.
The problem is that if someone is logged in to the dashboard and I want to forcefully log out the user by killing the Keycloak session, the user is still logged in and can use the Wazuh dashboard. From a security perspective this is very bad.

What I want to achieve is to log out users from the Wazuh dashboard by killing sessions directly in Keycloak.

[Screenshot: Keycloak sessions, kc-logout.JPG]

So the main goal is to have single sign-out.

Thanks,
Alan

Fabian Ruiz

Dec 11, 2024, 10:19:06 PM
to Wazuh | Mailing List
Hi, Alan,

This might be an issue related to OpenSearch, which Wazuh relies on. Wazuh frequently updates the versions it integrates with OpenSearch, depending on the version of Wazuh you are using. It's possible that your version of OpenSearch is affected by this problem. Could you confirm which version of Wazuh you are using, as I mentioned in the previous message?


Regards.

Alan Baltic

Dec 12, 2024, 9:10:34 AM
to Wazuh | Mailing List
Hi Fabian,

Wazuh is upgraded to the latest version, 2.9.2 (all components).

BR,
Alan

Fabian Ruiz

Dec 12, 2024, 10:37:17 AM
to Wazuh | Mailing List
Hi Alan,

The latest version of Wazuh is 4.9:

[Image: wazuh-1.png]

You can check the Wazuh version in the About section:

[Image: wazuh-2.png]

Regards.

Alan Baltic

Dec 14, 2024, 2:42:50 AM
to Wazuh | Mailing List
Hi,

I misspelled. It is 4.9.2.
BR

Fabian Ruiz

Dec 15, 2024, 11:11:22 AM
to Wazuh | Mailing List

Hi Alan,

As I mentioned, it seems this issue is still occurring with the version of OpenSearch that Wazuh is currently using. I understand that your configurations are correct and the behavior is as expected. Typically, with each release, efforts are made to update the OpenSearch version used by Wazuh to address this kind of issue. The team is actively working on these improvements to enhance the experience.

Regards.