Single Logout using Kibana and Keycloak

We are integrating Kibana in our Keycloak identity management solution but have problems getting ‘single logout’ working when triggered from another client.
This is the scenario:

  • User enters the portal but has to login in Keycloak first
  • Keycloak handles authentication and redirects back to portal
  • In the portal is a link to the Kibana dashboard and the user clicks it
  • Kibana does OIDC single sign on with keycloak and the dashboard is presented
  • User goes back to portal and clicks on logout in the portal
  • Keycloak logoff is called and the portal session is gone
  • The Kibana session with the user still exists

In the normal situation the Single Logoff scenario would mean that the Keycloak server calls the Kibana logoff endpoint with the session-id used for single sign on.
Does this work for Kibana? Do you have examples for Single or Global Logoff and Kibana where the action is performed from server to server.

@Larry_Gregory can u please shed more light on this ?


Hey @Dennis_Rietvink, welcome to the discussion boards!

We don't have a published example of Single or Global Logoff, and Kibana/Elasticsearch don't currently support OP-initiated logout as the specs define it, but we can come pretty close if you are able to configure Keycloak for front-channel logout.

If so, it should be sufficient to register Kibana's logout URL (e.g. https://your-kibana-host:5601/logout) as the frontchannel_logout_uri.

The one caveat here is that we do not currently support the optional iss or sid parameters which may be used by the OP. We just opened an issue in response to your question to track this initiative:

Thanks @Larry_Gregory!

Btw @Larry_Gregory, could you have a look at another issue I posted related to OIDC en canvas? Losing a session in a Canvas


@Dennis_Rietvink I’m very sorry nobody has replied to that question yet. I’ll take a look on Monday morning EST for you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.