Logout: Shibboleth SP to Keycloak IDP

Nate Klingenstein ndk at signet.id
Wed Jun 23 21:47:15 UTC 2021


Presuming it's your primary authentication mechanism, all that needs to be done is that their metadata as loaded by the SP must include:

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<keycloak_host>/auth/realms/<realm_name>/protocol/saml"/>

And SAML2 needs to be in the <Logout> element, as it is in the stock configuration distributed by the Project.


I haven't actually done this integration myself, but if they're following the standards, things should work.  If they aren't, we'll find out.

Take care,

Signet, Inc.
The Art of Access ®


-----Original message-----
From: Joshua Brodie
Sent: Wednesday, June 23 2021, 9:41 pm
To: users
Subject: Logout: Shibboleth SP to Keycloak IDP

I’m trying to initiate a logout from an application (protected by Shibboleth SP) to Keycloak.

Wondering if any on this list may have tips.

For the logout to Keycloak – will be a straight HTTP POST to:



For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg

To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list