Keycloak SSO and logout issue

Hello!
@david help me please, great man! ))))

I have successfully configured the Discourse + Keycloak SSO + SAML plugin + Openid Connect plugin bundle. There is only one thing that overshadows this beauty - it is logout.

I do a logout from the forum, the user is deauthorized, this part works fine.
Then I look at the open sessions on Keycloak - the session of the user who left the forum is not deleted.
I suspect this is due to the logout url settings. I just don’t know where - in Discourse or Keycloak.

My SAML settings on Keycloak:

My Openid Connect settings on Keycloak:

The OpenID Connect plugin supports RP Initiated Logout. Is that supported by Keycloak?


Now it remains to understand what it is and whether it is in Keycloak ))))
Where is this option configured in the openid-connect plugin?

It’s configured in the site settings:

Thanks! I’ll try to google what Keycloak has with this question.

Yes! It works fine! I want to clarify that it is necessary to set the openid_connect_rp_initiated_logout_redirect variable.

@david I have one more question. Important question.
Now I’m in the final stages of testing Keycloak SSO, I need to choose a protocol - SAML or Openid Connect.
I liked Openid Connect better, but right now I have found an annoying problem with creating new users when using Openid Connect.

To understand the problem, I’ll start from the other side. When a new forum user is created using SAML, the user is created in SSO and transparently submitted for creation in Discourse. And it is immediately activated - this is important!
That is, when I click “Sign Up” on the Discourse forum, I go to Keycloak, where I create a user, confirm his mail, etc. After that, I am moved to the Discourse forum, where the user has already been created and ACTIVATED, automatically:

But if I use the Openid Connect plugin, then, when creating a new user, the following window appears:

This is extremely inconvenient! What for? After all, the user’s mail has already been confirmed when creating an account on SSO. Is there any way to get rid of this window?

Thank you very much in advance!

If that message is showing for OpenID Connect then it means that the identity provider passed an email_verified: false message to Discourse. If you enable the verbose debugging setting, it will print all the authentication data to /logs for you to examine. Hopefully there is some way to tell keycloak to pass the verification state properly.

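To make the behaviour described above concrete, here is a small added example (not Discourse's or the plugin's code) that decides, from the claims an OpenID Connect provider returns, whether an account may be activated without the confirmation prompt. The `default_emails_valid` switch is an assumption that plays the role of the SAML plugin's saml_default_emails_valid setting; the claim sets are constructed.

```ruby
# Added example: decide whether an account created via OpenID Connect may
# be activated immediately. The confirmation prompt discussed above appears
# when the provider sends email_verified: false (or omits the claim).

# Constructed sample claims, in the shape verbose debugging would log them.
SAMPLE_CLAIMS = {
  "verified"   => { "sub" => "1234", "email" => "alice@example.test", "email_verified" => true },
  "unverified" => { "sub" => "5678", "email" => "bob@example.test",   "email_verified" => false },
  "missing"    => { "sub" => "9012", "email" => "carol@example.test" },
  "string"     => { "sub" => "3456", "email" => "dave@example.test",  "email_verified" => "true" },
}.freeze

# True only when the provider asserted the address as verified.
# `default_emails_valid` is an assumed policy switch (the SAML plugin's
# saml_default_emails_valid analogue); setting it to true is only safe when
# the IdP itself confirms email addresses before issuing tokens.
def email_verified?(claims, default_emails_valid: false)
  value = claims["email_verified"]
  case value
  when true then true
  when false then false
  when String then value.strip.casecmp?("true")   # some IdPs send the claim as a string
  when nil then default_emails_valid               # claim absent: fall back to the policy
  else false
  end
end

# Returns [state, reason]; the reason is what you would want in /logs.
def activation_decision(claims, default_emails_valid: false)
  return [:reject, "no email claim"] if claims["email"].to_s.empty?
  if email_verified?(claims, default_emails_valid: default_emails_valid)
    [:activate, "email_verified asserted by IdP"]
  else
    [:require_confirmation, "email_verified is #{claims['email_verified'].inspect}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_CLAIMS.each do |name, claims|
    state, reason = activation_decision(claims)
    puts "#{name}: #{state} (#{reason})"
  end
end
```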

Why then does the SAML plugin ignore this?

In the SAML plugin, this is controlled by the saml_default_emails_valid global setting (default true).

I found a solution! ))))
In Keycloak:

Disable these options:


As long as you’re 100% sure that Keycloak has verified the emails, that’s fine. If the emails aren’t verified, doing that will open up your Discourse site to attackers.


Yes, it’s right…
Now testing a new case - two forums with one Keycloak OpenID client ))

By the way, @david , what do you think is more correct:

  1. Use one OpenID client for all forums and specify the required Valid Redirect URLs, as I have now:

  2. Or use a separate OpenID client for each forum?

I’m not familiar with Keycloak, but either approach sounds fine. If you later want to have separate access controls for each forum, having them as separate clients might make that easier :man_shrugging:
