AGOL SAML Logout Not Redirecting

08-13-2021 06:50 AM
New Contributor

Hello, I am setting up our AGOL security for SAML. I'm using the latest 15.01 release of Keycloak as the IdP. Authentication works for login just fine and the automatic creation of the account in AGOL also works. My issue is during logout. I want the session on the IdP to also be logged out, so I have the following set in AGOL:


With these settings, after a successful login, I then click Sign Out, my session within the IdP is logged out, but I am not being redirected to our main site in AGOL. I get the following:


It just stays on the animated graphic. However, when I manually refresh the page I then get redirected to our main AGOL site. Any insight is appreciated, thank you.

2 Replies
New Contributor III

Hi @snicio ,

We've come across the same issue, did you ever find a resolution?



Esri Contributor

Hi @snicio ,

As a test, would you please edit the SAML login configuration as follows:

  1. Connect to your ArcGIS Online organization as an administrator.
  2. Navigate to Organization > Settings > Security.
  3. For the SAML Login item, click on Configure login.
  4. Click on Show advanced settings.
  5. Switch off Propagate logout to Identity Provider.
  6. Click on Save.

Once you have tested, consider re-enabling Propagate logout to Identity Provider (refer to information in the next paragraph).

When this option is switched off, clicking Sign Out in ArcGIS Online will sign out the user from ArcGIS Online but not from the IDP. If the user's web browser cache is not cleared, attempting to immediately sign back in to ArcGIS Online using the SAML login option will result in an immediate login without needing to provide user credentials to the SAML IDP. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.

Also, check with the administrators of your Identity Provider and ask them -
Does a SAML LogoutRequest require a SessionIndex element to be included?

If your Identity Provider does require a SAML LogoutRequest to include a SessionIndex element, and switching off Propagate logout to Identity Provider resolved the problemlog a support case with Esri and inform them "ArcGIS Online SAML logout not completed when Propagate logout to Identity Provider is enabled. My SAML IdP requires a SAML LogoutRequest to include a SessionIndex element."

Best regards.

Tags (1)
0 Kudos