SLO: Keycloak

Begin by navigating to your Keycloak IDP configuration and select Single Logout from the navigation menu. As of Kantega SSO 3.5.0, The logout URL should be populated, and you can enable Single Logout and click "Save":

Read the following if the SAML provider logout URL for Keycloak isn't already configured:

If the Keycloak logout URL isn't specified already, it's likely because the configuration predates Kantega SSO 3.5.0, where this URL wasn't imported yet. You can either fill it manually or do a metadata refresh against Keycloak to obtain it. To refresh from metadata, use the indicated link in the nav menu:

The Keycloak metadata URL may not be on file. If it's missing, you can obtain it from https://<host>/auth/realms/<realm>/protocol/saml/descriptor, in this case: https://keycloak4.example.com/auth/realms/example.com/protocol/saml/descriptor (Keycloak uses the same URL for all SAML endpoints, so this is most likely also your logout URL). You can either download the metadata to a file and upload that, save the text content and paste it, or input the URL directly, as shown in the screenshot.

Now go back to the Single Logout menu and if the logout URL is now populated, enable SLO and save.

Log in to your Keycloak server and locate the Client/SP configuration for the Atlassian app:

The logout endpoint for the service provider is configured by expanding the "Fine Grain SAML Endpoint Configuration" heading. Paste the SP logout URL from a few screenshots back and save. Keycloak does not (to our knowledge) support service provider metadata import, so you will need to input the SP logout URL manually (i.e., the logout URL of the Atlassian app). This can be found under "URLs and cert for IdP setup," as shown in the below screenshot. Copy the URL and paste it into Keycloak:

Obtain the URL to use here:

Single logout should now be configured and working for new Keycloak sessions. Existing SAML sessions need to log out and back into the Atlassian app before SLO is initiated.