Sorry for being late to the party. Can you check what the value of the Login delegation logout URL is in the Settings -> Authentication tab? I am sorry, I forgot to add it to the documentation it seems; would you like to open a PR for the 5th point (OIDC parameters) of the Foreman documentation?
Also, about the idle session timeout: if you set it to 2 minutes, after 2 mins if you try to access any resource it must redirect you to the Keycloak login page again. For the redirection to happen you need to add a valid redirect URL in your client.
If you have registered the client in a correct manner, in your client you will have one valid redirect URL which would look something like https://<your foreman url>.com/users/extlogin/redirect_url; copy this URL and add another redirect_url which is https://<your foreman url>.com/users/extlogin, without the redirect_url and the trailing /.
I think you should be good to go with this explanation; if you are still stuck somewhere, please let me know. I’d be more than happy to help.
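A small check for the redirect URL rule described above, added here as example code (not from this thread, Foreman or Keycloak): it reads a Keycloak client export (the `redirectUris` field of the client JSON) and reports whether both Foreman callback URLs are registered exactly, flags a trailing-slash variant that Keycloak would not match, and flags wildcard or foreign-host entries that widen where the authorization response can be sent. The Foreman URL and the client export are constructed sample values.

```python
"""Check a Keycloak client's redirectUris against Foreman's external-login URLs."""
import json
from urllib.parse import urlsplit

# Constructed sample: a Keycloak client export trimmed to the fields read here.
# It has the trailing-slash mistake described in the thread.
SAMPLE_CLIENT_EXPORT = json.dumps({
    "clientId": "foreman",
    "redirectUris": [
        "https://foreman.example.com/users/extlogin/redirect_url",
        "https://foreman.example.com/users/extlogin/",
    ],
})


def required_redirect_uris(foreman_url):
    """The two callbacks the thread says the client needs: the one created at
    registration plus /users/extlogin with no trailing slash."""
    base = foreman_url.rstrip("/")
    return {f"{base}/users/extlogin/redirect_url", f"{base}/users/extlogin"}


def check_redirect_uris(client_export_json, foreman_url):
    """Return findings: required URIs that are missing, entries differing only
    by a trailing slash (Keycloak matches redirect URIs exactly unless a
    wildcard is used), wildcard entries, and entries on another host."""
    client = json.loads(client_export_json)
    registered = set(client.get("redirectUris", []))
    required = required_redirect_uris(foreman_url)
    foreman_host = urlsplit(foreman_url).netloc
    findings = {"missing": sorted(required - registered),
                "trailing_slash": [], "wildcard": [], "foreign_host": []}
    for uri in sorted(registered):
        if uri.endswith("/") and uri.rstrip("/") in required:
            findings["trailing_slash"].append(uri)
        if "*" in uri:
            findings["wildcard"].append(uri)
        # Relative URIs (empty netloc) are resolved against the client root URL.
        if urlsplit(uri).netloc not in (foreman_host, ""):
            findings["foreign_host"].append(uri)
    return findings


def is_ok(findings):
    """True when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = check_redirect_uris(SAMPLE_CLIENT_EXPORT, "https://foreman.example.com")
    for kind, uris in result.items():
        for uri in uris:
            print(f"{kind}: {uri}")
```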
I tried your suggestion but it does seem to close the session. The logout redirects me to /users/extlogout but it does not actually log me out (I have the same behavior this person has in his demo https://youtu.be/ypF-yvaaSXw?t=899).
Happy to open a PR after we sort this out!
About the session timeout I am still testing out the latest changes, so nothing conclusive just yet.
Yes, once you place the /users/extlogout URL in the Login delegation logout URL, the SSO functionality would work. In Single Sign On, even if you manually try to logout, the authentication system must allow you to login without providing the credentials. Therefore, when you press the Logout button manually you still have an option of logging in again on the extlogout page, which is the correct functionality. This is rightly demonstrated in the video that you have pointed to. You should be allowed to logout only when your session has expired.
This will make things really clear (sorry for the noise in the video), but this should really clear all your questions:
You don’t need to use this because this is implemented in the code for you. Once the session expires this URL is invoked to logout of the system, and that’s how you are redirected to the Keycloak login page again. The only thing you need to add is the valid redirect URL in Keycloak as mentioned above (https://foreman-url.com/users/extlogin without the /redirect_uri/).
Let me know if you still have any concerns regarding this.
I am afraid I am still having this issue… When the session expires I am still being redirected to https://foreman.server/users/login
This is very strange.
I thought there might be a problem with my memcached, but I only have one server now and the issue is still happening. (I have an HAProxy in front of Foreman, but the HAProxy only has one Foreman server in the backend section.)
I am not sure what else to check. This is my Foreman config in case there is something wrong:
Your settings look fine to me, except that your idle timeout is set to 600 minutes, that is 10 hours. Can you set it to 2 minutes to test the result (whether or not you are redirected to your Keycloak instance)?
Also, it would be nice if you shared your valid redirect URLs from the Keycloak client.
Okay, so here you will not need the extlogout URL and the third one too. I see your configurations are set to the correct values.
Would it be possible for you to paste your Foreman server logs when it tries to logout (as in when the 1 minute is over and the Foreman login page is displayed)?
Checking the requests my browser does, I can see that at some point, there is a redirection to /users that redirects me to https://foreman.server/users/login.
Looks like @danielfr was using the older version of Foreman; therefore, the incorporated changes are not reflected on his system. Although, once they upgrade, it will be fine. Also, for anyone else reading this thread, the solution marked should solve most of the questions, so please go through that.
I will post again here once I upgrade my servers to Foreman v2.X (it will take some months since we are in the middle of other migrations that should happen first).
Just a quick update to say that we finally upgraded Foreman to 2.1.X a few weeks ago and since then we cannot reproduce this error anymore. Again thanks @rabajaj, you are the best!