We are integrating Kibana in our Keycloak identity management solution but have problems getting ‘single logout’ working when triggered from another client.
This is the scenario:
1. User enters the portal but has to log in to Keycloak first
2. Keycloak handles authentication and redirects back to the portal
3. In the portal is a link to the Kibana dashboard and the user clicks it
4. Kibana does OIDC single sign-on with Keycloak and the dashboard is presented
5. User goes back to the portal and clicks on logout in the portal
6. Keycloak logoff is called and the portal session is gone
7. The Kibana session with the user still exists
In the normal situation the Single Logoff scenario would mean that the Keycloak server calls the Kibana logoff endpoint with the session-id used for single sign on.
Does this work for Kibana? Do you have examples for Single or Global Logoff and Kibana where the action is performed from server to server?
We don't have a published example of Single or Global Logoff, and Kibana/Elasticsearch don't currently support OP-initiated logout as the specs define it, but we can come pretty close if you are able to configure Keycloak for front-channel logout.
If so, it should be sufficient to register Kibana's logout URL (e.g. https://your-kibana-host:5601/logout) as the frontchannel_logout_uri.
The one caveat here is that we do not currently support the optional iss or sid parameters which may be used by the OP. We just opened an issue in response to your question to track this initiative: https://github.com/elastic/elasticsearch/issues/51424
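To make the caveat above concrete, here is an added illustration (not Kibana or Elasticsearch code, and not from Elastic) of what a relying party's front-channel logout endpoint does with the optional `iss` and `sid` query parameters that Keycloak may append when it loads the `frontchannel_logout_uri` in a hidden iframe. The session store, cookie names and issuer URL are constructed for the example; the policy of rejecting a request that carries only one of the two parameters is this handler's own conservative choice, not something the spec or Kibana dictates.

```python
"""
Minimal relying-party (RP) handler for an OpenID Connect Front-Channel
Logout request. Added example, not Kibana's implementation.

The OP (Keycloak) loads the RP's frontchannel_logout_uri in an iframe and
may append `iss` (issuer) and `sid` (OP session id). A careful RP:
  * rejects the request if `iss` is present but is not the issuer it
    trusts, so an unrelated page cannot trigger logouts for the wrong OP;
  * when `sid` is present, ends only the local sessions bound to that OP
    session id (the `sid` claim from the ID token at login time);
  * when neither parameter is present, falls back to the session named by
    the browser cookie that accompanied the iframe request.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class LocalSession:
    user: str
    op_sid: Optional[str]  # `sid` claim recorded from the ID token at login


@dataclass
class SessionStore:
    """Constructed in-memory store keyed by the RP's own session cookie value."""
    sessions: Dict[str, LocalSession] = field(default_factory=dict)

    def end_by_op_sid(self, op_sid: str) -> List[str]:
        ended = [c for c, s in self.sessions.items() if s.op_sid == op_sid]
        for cookie in ended:
            del self.sessions[cookie]
        return ended

    def end_by_cookie(self, cookie: Optional[str]) -> List[str]:
        if cookie is not None and cookie in self.sessions:
            del self.sessions[cookie]
            return [cookie]
        return []


def handle_frontchannel_logout(request_url: str, cookie: Optional[str],
                               store: SessionStore,
                               trusted_issuer: str) -> Tuple[int, List[str]]:
    """Process one logout iframe request; return (HTTP status, ended cookies)."""
    params = parse_qs(urlsplit(request_url).query)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]

    # Handler policy (assumption, not a spec requirement): `iss` and `sid`
    # must arrive together, so a bare `sid` cannot be matched to the
    # wrong issuer.
    if (iss is None) != (sid is None):
        return 400, []

    if iss is not None:
        if iss != trusted_issuer:
            return 400, []  # logout request from an unexpected issuer
        return 200, store.end_by_op_sid(sid)

    # No session hints: fall back to the session carried by the cookie.
    return 200, store.end_by_cookie(cookie)


if __name__ == "__main__":
    store = SessionStore()
    store.sessions["c1"] = LocalSession("alice", "sid-1")
    issuer = "https://kc.example/realms/demo"
    print(handle_frontchannel_logout(
        "https://kibana.example/logout?iss=https%3A%2F%2Fkc.example%2Frealms%2Fdemo&sid=sid-1",
        None, store, issuer))
```

Mapping this back to the thread: because Kibana does not yet consume `iss`/`sid`, its `/logout` endpoint behaves like the final fallback branch only, ending whichever Kibana session the browser's cookie identifies when the iframe loads, which is why the front-channel approach gets close to single logout without being the OP-initiated variant the specs define.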