Issue Overview
During a network analysis, we identified a potential configuration issue with Bildungslogin. Specifically, when users log out of Bildungslogin, they are redirected to a URI containing /univention/logout. This behavior likely stems from an outdated SimpleSAMLphp configuration.
Root Cause Analysis
The issue seems to be related to the metadata provided to Bildungslogin regarding how it should interact with the Identity Provider (IdP). It appears that the logout URL in the configuration is incorrect. Since the integration with Keycloak is established via OpenID Connect (OIDC), we reviewed the ‘OpenID Endpoint Configuration’ under the realm settings in Keycloak. We identified the correct logout URL (end_session_endpoint) that should be configured in Bildungslogin:
https://ucs-sso-ng.dom.ain/realms/ucs/protocol/openid-connect/logout
However, this URL does not appear to be correctly configured in Bildungslogin at the moment.
Action Required
Please review the configuration settings in Bildungslogin, particularly the metadata related to the logout URL. Ensure that the logout URL is correctly set to the end_session_endpoint as specified above.
Quick Summary
- OIDC Integration: The logout process should be correctly configured to align with the OpenID Connect protocol settings in Keycloak.
- SimpleSAMLphp Configuration: The current behavior suggests remnants of an older SimpleSAMLphp configuration, which may need to be updated or removed.
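
The check described above can be scripted. The following is an added example, not part of the original report or of Bildungslogin or Keycloak: it compares a relying party's configured logout URL with the end_session_endpoint from the realm's OIDC discovery document. The discovery excerpt, the function names and the portal.example host are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: excerpt of the realm's OIDC discovery document
# (Keycloak serves it at <issuer>/.well-known/openid-configuration).
DISCOVERY_JSON = """
{
  "issuer": "https://ucs-sso-ng.dom.ain/realms/ucs",
  "end_session_endpoint":
    "https://ucs-sso-ng.dom.ain/realms/ucs/protocol/openid-connect/logout"
}
"""

LEGACY_PATH = "/univention/logout"  # path seen in the logout redirect


def _norm(url):
    """Normalise scheme/host case and a trailing slash for comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port,
            p.path.rstrip("/"))


def check_logout_url(configured_url, discovery_json=DISCOVERY_JSON):
    """Return a list of findings; an empty list means the URL matches."""
    doc = json.loads(discovery_json)
    expected = doc.get("end_session_endpoint")
    if not expected:
        return ["discovery document advertises no end_session_endpoint"]
    findings = []
    cfg = urlsplit(configured_url)
    if cfg.scheme.lower() != "https":
        findings.append("logout URL is not https")
    if cfg.path.rstrip("/").endswith(LEGACY_PATH):
        findings.append("logout URL uses the legacy /univention/logout path")
    if _norm(configured_url) != _norm(expected):
        findings.append(f"logout URL differs from end_session_endpoint {expected}")
    return findings


if __name__ == "__main__":
    # Constructed relying-party values, not taken from a real setup.
    for url in ("https://portal.example/univention/logout",
                "https://ucs-sso-ng.dom.ain/realms/ucs/protocol/openid-connect/logout"):
        print(url, "->", check_logout_url(url) or "OK")
```

To run it against a live realm, replace DISCOVERY_JSON with the JSON shown under ‘OpenID Endpoint Configuration’ in the realm settings.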