Franck

Reputation: 986

What is the back channel logout URL for a Keycloak used as an Identity Broker?

We use Keycloak as an Identity Broker which delegates user authentication to an external Identity Provider.

This external Identity Provider needs the back channel logout URL of Keycloak to end the user session on this Keycloak when the user logs out from this external Identity Provider.

I didn't see where I can find it in the Keycloak admin interface or in the Keycloak OpenID Endpoint Configuration.

It's not the "end_session_endpoint" because this is used for front channel logout (with browser interaction) not for a back channel call that doesn't involve a browser.

This is our configuration: MyApp -> MyKeycloak -> ExternalIDP

MyApp delegates authentication to my MyKeycloak

MyKeycloak delegates authentication to ExternalIDP

Now, the user goes to ExternalIDP and logs out. ExternalIDP needs to call the back channel logout URL for each application client like MyKeycloak.

Where can I find this URL?

Upvotes: 1

Views: 8544

Answers (2)

Fabio Formosa

Reputation: 1084

It's /realms/{realm-name}/protocol/openid-connect/logout/backchannel-logout
ref: https://www.keycloak.org/docs/latest/server_admin/#con-server-oidc-uri-endpoints_server_administration_guide

Upvotes: 3
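
The call that ExternalIDP makes to that endpoint is a server-to-server POST with a form field `logout_token`, and the sketch below shows the claim checks a receiver of such a call applies under OpenID Connect Back-Channel Logout 1.0. It is an added example, not part of the answer above and not Keycloak's own code. The function names, issuer, client id and sample token are constructed for illustration, and signature verification against the IdP's keys is assumed to happen before these checks.

```python
import base64, json, time
from urllib.parse import parse_qs

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def claims_from_body(body):
    # The IdP POSTs a form body with a single field, logout_token (a compact JWS).
    token = parse_qs(body).get("logout_token", [""])[0]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("logout_token is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    # Decoding only: the signature must be verified against the IdP's JWKS first.
    return json.loads(base64.urlsafe_b64decode(payload))

def check_logout_claims(claims, issuer, client_id, seen_jti, now=None, skew=60):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        problems.append("iat missing or in the future")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now - skew:
        problems.append("exp missing or expired")
    if not (claims.get("sub") or claims.get("sid")):
        problems.append("neither sub nor sid present")
    events = claims.get("events")
    if not isinstance(events, dict) or LOGOUT_EVENT not in events:
        problems.append("events lacks the back-channel logout member")
    if "nonce" in claims:
        problems.append("nonce must not be present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        problems.append("jti missing or replayed")
    if not problems:
        seen_jti.add(jti)  # remember only tokens that were accepted
    return problems

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample (hypothetical issuer, client id and ids; placeholder signature).
SAMPLE_CLAIMS = {"iss": "https://idp.example", "aud": "mykeycloak", "iat": 1700000000,
                 "exp": 1700000120, "jti": "a1", "sid": "s-42", "events": {LOGOUT_EVENT: {}}}
SAMPLE_BODY = "logout_token=" + ".".join([_seg({"alg": "RS256"}), _seg(SAMPLE_CLAIMS), "c2ln"])
```
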

dominic detta

Reputation: 221

The backchannel logout feature is located in the page OpenID Connect settings/Advanced of your external identity provider. Activate the flag Backchannel logout.

Here is an image to show exactly the location of the button.

Upvotes: 0
