Problem: Keycloak SSO: UCS 5.2 Portal Doesn’t Require Credentials After Logout

Problem

In UCS 5.2 with Keycloak SSO, logging out from the management portal does not always work as expected. After logging out, when clicking the login tile again, users are sometimes immediately logged in without being prompted for credentials.

Investigation

The issue was tested with three different assertion-lifetime configurations between UCS (UMC) and Keycloak:

  1. UMC/SAML assertion-lifetime (UCS) higher than Keycloak’s saml.assertion.lifespan

    • Let the Keycloak assertion-lifetime expire while the UMC lifetime was still valid.
    • Logged out from the portal.
  2. UMC/SAML assertion-lifetime (UCS) lower than Keycloak’s saml.assertion.lifespan

    • Let the UMC assertion-lifetime expire while the Keycloak lifetime was still valid.
    • Logged out from the portal.
  3. UMC/SAML assertion-lifetime (UCS) identical to Keycloak’s saml.assertion.lifespan

    • Let both lifetimes expire simultaneously.
    • Logged out from the portal.

Observations:

  • In all cases, users could log out from the portal and were redirected to the start page.
  • Users had to manually click the login tile to access the portal again.
  • Cases 1 and 3 (when the Keycloak assertion-lifetime had expired) allowed users to log in again without re-entering credentials.

This indicates that the portal logout does not fully invalidate Keycloak sessions in certain scenarios.

Solution / Workaround

A bug has been filed for this behavior: Bug 58040.

In the meantime, the following workaround can be applied:

  1. Increase the Keycloak assertion-lifetime to a high value (e.g., 1 day) to prevent it from expiring unexpectedly.
  2. Apply the workaround on all servers registered as SAML SPs for SSO. Servers can be listed with:

     univention-keycloak saml/sp get --json

  3. Execute the following commands on each SAML SP server:

     ucr set umc/saml/assertion-lifetime='86400' && \
     univention-run-join-scripts --run-scripts --force 92univention-management-console-web-server && \
     ucr set umc/saml/assertion-lifetime='300' && \
     systemctl restart univention-management-console-server.service

Explanation:

  • The join script updates the Keycloak configuration of the SAML SP on the respective server.
  • Afterward, the UMC assertion-lifetime is reset to a lower value.
  • This ensures that the Keycloak assertion-lifetime remains higher than UMC’s, preventing logout inconsistencies.
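The command sequence and the explanation above, wrapped as an added shell script that is not part of the original post or of Univention's tooling. It reads the current umc/saml/assertion-lifetime instead of assuming 300, restores that value even when the join script fails, refuses to run if the temporary value would not end up higher than the restored one, and offers a dry-run mode. The ucr, univention-run-join-scripts and systemctl invocations are the ones from the post; the lifetimes_consistent and run helpers, the DRY_RUN variable and the argument names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: the workaround wrapped so the
# previous UCR value is preserved and restored even if the join script fails.
set -eu

# Return 0 when Keycloak's saml.assertion.lifespan is strictly greater than
# the UMC assertion-lifetime (the state the workaround establishes), else 1.
# Both values are in seconds. Helper name is an assumption of this example.
lifetimes_consistent() {
    umc_lifetime=$1
    kc_lifespan=$2
    [ "$kc_lifespan" -gt "$umc_lifetime" ]
}

# Execute a command, or only print it when DRY_RUN=1 (assumed variable,
# useful for reviewing the sequence before running it on a real SP server).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_workaround [RESTORE_VALUE] [TEMPORARY_VALUE]
#   RESTORE_VALUE   UMC lifetime to set back afterwards (default: current UCR value)
#   TEMPORARY_VALUE lifetime handed to the join script so the Keycloak SP config
#                   gets a long assertion lifespan (default: 86400 = 1 day)
apply_workaround() {
    restore_value=${1:-$(ucr get umc/saml/assertion-lifetime)}
    temporary_value=${2:-86400}

    # The whole point is that Keycloak's lifespan ends up above UMC's.
    if ! lifetimes_consistent "$restore_value" "$temporary_value"; then
        echo "temporary value must exceed the value being restored" >&2
        return 2
    fi

    run ucr set "umc/saml/assertion-lifetime=$temporary_value"

    # Do not abort on a failed join script: the UMC lifetime must be put back
    # regardless, otherwise the server keeps a 1-day UMC session lifetime.
    status=0
    run univention-run-join-scripts --run-scripts --force \
        92univention-management-console-web-server || status=$?

    run ucr set "umc/saml/assertion-lifetime=$restore_value"
    run systemctl restart univention-management-console-server.service
    return "$status"
}
```

Run `apply_workaround` with no arguments on each SAML SP server; `DRY_RUN=1 apply_workaround 300` prints the sequence that would be executed without changing anything.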
