I'm trying to implement single logout for SAML in Keycloak, and the documentation doesn't cover this properly and is confusing. I was looking for exact steps on how to implement it. So far, what I have done is:
Generate the logout request payload, base64 encode it, URL encode it and send it to the logout URL as a param. Assume that the realm name is Abc:
http://auth-server/auth/realms/Abc/protocol/saml?SAMLRequest={encodedSAMLRequest}
The SAML payload is:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="random uuid" Version="2.0" IssueInstant="2021-02-09T06:53:26Z" Destination="ip-address:8443/auth/realms/Abc/protocol/saml">
  <saml:Issuer>https://ip-address:8443/auth/realms/Abc</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user-email@abc.com</saml:NameID>
</samlp:LogoutRequest>
However, while sending this, I get a 400 error saying "Unknown login requestor" (even though I want to log out).
The site here says the request is valid. Maybe I am missing some extra parameter or something? I would also need an exact way to send it. I have to use Scala. Thanks in advance!
I think your Issuer might be wrong. It looks like your issuer is a Keycloak URI, but it is supposed to be a URI representing your application (service provider). It is the same as the client ID field of your configured SAML client in the Keycloak admin GUI.
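As an added illustration of the answer above (not code from either poster or from Keycloak), here is a Scala version of the request builder with the Issuer set to the service provider's client ID rather than the Keycloak realm URI. It uses only the Java standard library. The client ID, logout endpoint and NameID values are placeholders; the encoding step follows the SAML HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), which is what a `?SAMLRequest=` query parameter implies.

```scala
import java.io.ByteArrayOutputStream
import java.net.URLEncoder
import java.nio.charset.StandardCharsets
import java.time.Instant
import java.time.format.DateTimeFormatter
import java.time.temporal.ChronoUnit
import java.util.zip.{Deflater, DeflaterOutputStream}
import java.util.{Base64, UUID}

object SamlLogout {
  // Placeholder values: the SP client ID exactly as configured on the SAML client in the
  // Keycloak admin console, the realm's SAML endpoint, and the NameID the IdP issued for the user.
  val spClientId   = "https://my-app.example.com/saml"
  val idpLogoutUrl = "https://auth-server/auth/realms/Abc/protocol/saml"
  val nameId       = "user-email@abc.com"

  // Escape values that end up inside XML text or attributes so a crafted NameID
  // or URL cannot break out of the element it is placed in.
  private def xmlEscape(s: String): String =
    s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;")

  // Build the LogoutRequest. Issuer is the SP (client ID), not the IdP realm URI;
  // Destination is the IdP endpoint the request is sent to.
  def buildLogoutRequest(issuer: String, destination: String, nameId: String,
                         now: Instant = Instant.now()): String = {
    val id = "_" + UUID.randomUUID().toString          // xs:ID values must not start with a digit
    val issueInstant = DateTimeFormatter.ISO_INSTANT.format(now.truncatedTo(ChronoUnit.SECONDS))
    s"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="$id" Version="2.0" IssueInstant="$issueInstant" Destination="${xmlEscape(destination)}">
       |  <saml:Issuer>${xmlEscape(issuer)}</saml:Issuer>
       |  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">${xmlEscape(nameId)}</saml:NameID>
       |</samlp:LogoutRequest>""".stripMargin
  }

  // HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), base64, then URL-encode.
  def encodeForRedirect(xml: String): String = {
    val buffer   = new ByteArrayOutputStream()
    val deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true) // nowrap = true -> raw deflate
    val out      = new DeflaterOutputStream(buffer, deflater)
    out.write(xml.getBytes(StandardCharsets.UTF_8))
    out.close()
    val b64 = Base64.getEncoder.encodeToString(buffer.toByteArray)
    URLEncoder.encode(b64, StandardCharsets.UTF_8.name())
  }

  // Full URL the browser is redirected to in order to start single logout at the IdP.
  def logoutRedirectUrl(): String = {
    val xml = buildLogoutRequest(spClientId, idpLogoutUrl, nameId)
    s"$idpLogoutUrl?SAMLRequest=${encodeForRedirect(xml)}"
  }

  def main(args: Array[String]): Unit = {
    println(buildLogoutRequest(spClientId, idpLogoutUrl, nameId))
    println(logoutRedirectUrl())
  }
}
```

Two things to check against the client configuration before expecting a 200: the Issuer string must match the client ID byte for byte, and if the SAML client has request signing required, the Redirect binding also needs the `SigAlg` and `Signature` query parameters, which this unsigned example does not produce.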