Hello, I am setting up our AGOL security for SAML. I'm using the latest 15.01 release of Keycloak as the IdP. Authentication works for login just fine and the automatic creation of the account in AGOL also works. My issue is during logout. I want the session on the IdP to also be logged out, so I have the following set in AGOL:
With these settings, after a successful login I click Sign Out; my session within the IdP is logged out, but I am not redirected to our main site in AGOL. I get the following:
It just stays on the animated graphic. However, when I manually refresh the page I then get redirected to our main AGOL site. Any insight is appreciated, thank you.
Hi @snicio,
As a test, would you please edit the SAML login configuration as follows:
Once you have tested, consider re-enabling Propagate logout to Identity Provider (refer to information in the next paragraph).
When this option is switched off, clicking Sign Out in ArcGIS Online will sign out the user from ArcGIS Online but not from the IDP. If the user's web browser cache is not cleared, attempting to immediately sign back in to ArcGIS Online using the SAML login option will result in an immediate login without needing to provide user credentials to the SAML IDP. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.
Also, check with the administrators of your Identity Provider and ask them:
Does a SAML LogoutRequest require a SessionIndex element to be included?
If your Identity Provider does require a SAML LogoutRequest to include a SessionIndex element, and switching off Propagate logout to Identity Provider resolved the problem, log a support case with Esri and inform them "ArcGIS Online SAML logout not completed when Propagate logout to Identity Provider is enabled. My SAML IdP requires a SAML LogoutRequest to include a SessionIndex element."
Best regards.
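The SessionIndex question above, as an added example that is not part of this thread or of any Esri or Keycloak code: it pulls the SessionIndex out of a (constructed) SAML Response, builds an SP-initiated LogoutRequest with and without it, and provides a check an SP operator can run to confirm an outgoing LogoutRequest carries the SessionIndex an IdP may require. The issuer URL and sample values are placeholders.

```python
# Added example, not from the original thread. Sample XML is constructed.
# For real, untrusted SAML input use a hardened parser (e.g. defusedxml).
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed fragment of an IdP Response; the AuthnStatement carries SessionIndex.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2021-09-01T10:00:00Z" SessionIndex="_sess-42"/>
  </saml:Assertion>
</samlp:Response>"""


def session_from_response(xml_text):
    """Return (name_id, session_index) that the SP must remember for logout."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if name_id is None or stmt is None:
        raise ValueError("Response lacks NameID or AuthnStatement")
    return name_id.text, stmt.get("SessionIndex")


def build_logout_request(issuer, name_id, session_index=None):
    """Build an SP-initiated LogoutRequest; SessionIndex only if one is given."""
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS['saml']}}}NameID").text = name_id
    if session_index:
        ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_request_has_session_index(xml_text):
    """True when the LogoutRequest carries a non-empty SessionIndex element."""
    el = ET.fromstring(xml_text).find("samlp:SessionIndex", NS)
    return el is not None and bool((el.text or "").strip())
```

If the IdP insists on SessionIndex and this check fails for the request the SP actually sends, the IdP will not complete SLO, which matches the stuck-logout symptom described in the question.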