We are integrating Kibana in our Keycloak identity management solution but have problems getting ‘single logout’ working when triggered from another client.
This is the scenario:
User enters the portal but has to log in to Keycloak first
Keycloak handles authentication and redirects back to portal
In the portal is a link to the Kibana dashboard and the user clicks it
Kibana does OIDC single sign-on with Keycloak and the dashboard is presented
User goes back to portal and clicks on logout in the portal
Keycloak logoff is called and the portal session is gone
The Kibana session with the user still exists
In the normal situation the Single Logoff scenario would mean that the Keycloak server calls the Kibana logoff endpoint with the session-id used for single sign on.
Does this work for Kibana? Do you have examples for Single or Global Logoff and Kibana where the action is performed from server to server?
@Larry_Gregory can you please shed more light on this?
Hey @Dennis_Rietvink, welcome to the discussion boards!
We don't have a published example of Single or Global Logoff, and Kibana/Elasticsearch don't currently support OP-initiated logout as the specs define it, but we can come pretty close if you are able to configure Keycloak for front-channel logout.
If so, it should be sufficient to register Kibana's logout URL (e.g. https://your-kibana-host:5601/logout) as the frontchannel_logout_uri.
The one caveat here is that we do not currently support the optional iss parameters which may be used by the OP. We just opened an issue in response to your question to track this initiative: https://github.com/elastic/elasticsearch/issues/51424
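Added example, not part of the reply above and not Elastic's or Keycloak's code: a sketch of what an OP does with a registered frontchannel_logout_uri under OpenID Connect Front-Channel Logout 1.0, showing when the iss and sid query parameters are appended. The issuer, session id, the "portal" client and the function names are assumptions made for the illustration.

```javascript
// Added illustration: OP side of OpenID Connect Front-Channel Logout 1.0.
// Issuer, session id and the portal client are constructed sample values.

// Build the URL the OP loads for one RP when the user logs out.
function buildFrontChannelLogoutUrl(client, session) {
  const url = new URL(client.frontchannel_logout_uri); // throws if malformed
  // Assumption of this sketch: only https is accepted (the spec says SHOULD).
  if (url.protocol !== 'https:') {
    throw new Error(`${client.client_id}: frontchannel_logout_uri must be https`);
  }
  // iss and sid are appended only if the RP registered
  // frontchannel_logout_session_required = true; query parameters already
  // present in the registered URI are kept.
  if (client.frontchannel_logout_session_required === true) {
    url.searchParams.set('iss', session.issuer);
    url.searchParams.set('sid', session.sid);
  }
  return url.toString();
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render the logout page: one hidden iframe per RP that registered a URI.
function renderLogoutPage(clients, session) {
  const frames = clients
    .filter((c) => c.frontchannel_logout_uri)
    .map((c) => `<iframe hidden src="${escapeAttr(buildFrontChannelLogoutUrl(c, session))}"></iframe>`);
  return `<!doctype html>\n<title>Signing out</title>\n${frames.join('\n')}\n`;
}

const session = {
  issuer: 'https://keycloak.example.test/realms/demo', // constructed
  sid: '08a5019c-17e1-4977-8f42-65a12843ea02',          // constructed
};
const clients = [
  // Kibana: no iss/sid requested, matching the caveat in the reply above.
  { client_id: 'kibana', frontchannel_logout_uri: 'https://your-kibana-host:5601/logout',
    frontchannel_logout_session_required: false },
  // Hypothetical second RP that does ask for iss and sid.
  { client_id: 'portal', frontchannel_logout_uri: 'https://portal.example.test/oidc/logout?src=op',
    frontchannel_logout_session_required: true },
];

console.log(renderLogoutPage(clients, session));
```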
Btw @Larry_Gregory, could you have a look at another issue I posted related to OIDC and Canvas? Losing a session in a Canvas
@Dennis_Rietvink I’m very sorry nobody has replied to that question yet. I’ll take a look on Monday morning EST for you