Single Logout not working with GitLab and Keycloak

I intend to set up a Single Sign-On/Out experience for the users of our GitLab instance.
To achieve this, I use Keycloak. I would like all logins/logouts to go through our Keycloak instance.

Our GitLab instance is currently configured to use LDAPS for user authentication and SAML looks like the best SSO replacement for that in the case of GitLab.
Unfortunately I have not yet been able to find a solution to implement Single Logout with GitLab (login works well). When a user clicks on the sign out button, they immediately get logged back in again. The Keycloak session does not get invalidated, and we have the option ‘omniauth_auto_sign_in_with_provider’ enabled.

I have tried solving this issue by adding the following to our gitlab.rb file:

gitlab_rails['omniauth_providers'] = [
 {
    name: 'saml',
    args: {
        ...
        idp_slo_target_url: 'https://keycloak.instance/auth/realms/REALM-NAME/protocol/saml/logout'
        ...
    }
 }
]

After adding this and reconfiguring GitLab, there was no noticeable effect however.
I tried the following pattern for idp_slo_target_url as well:
https://keycloak.instance/auth/realms/REALM-NAME/protocol/openid-connect/logout

This did not solve the problem.

As a workaround I even tried adding those sign out URLs as an “After sign out path” in the GitLab admin GUI under Settings → General → Sign-in restrictions.
Unfortunately this didn’t work either.

Any help would be very appreciated!

Hi @joel01

GitLab currently does not support Single Logout: Explore SAML Single Sign Out (#14414) · Issues · GitLab.org / GitLab · GitLab
As a workaround you can use the “After sign out path”.

A quick look at the Keycloak docs tells me Keycloak is using a single endpoint, https://keycloak.instance/auth/realms/REALM-NAME/protocol/saml, for every SAML request, I guess even for single logout. Try putting that in the “After sign out path”. We have it working like that with our IdP, even though we get a nasty error from the IdP.
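To make the difference between the two approaches in this thread concrete: sending the browser to the bare realm endpoint from “After sign out path” is a plain GET with no SAML payload (hence the error the IdP shows), whereas a real SP-initiated Single Logout delivers a samlp:LogoutRequest to that same endpoint, typically via the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded into a SAMLRequest query parameter). The script below is an added example written for this thread, not code from GitLab, omniauth-saml or Keycloak. It builds an unsigned LogoutRequest for the Keycloak endpoint named above, encodes it exactly as the Redirect binding specifies, and decodes it back the way the IdP would, so you can check what a correct SLO request to that endpoint looks like. The SP entity ID, NameID and SessionIndex are constructed placeholders; a Keycloak client configured to require client signatures will reject an unsigned request like this one, so signing with the SP key is the next step before pointing it at a live realm.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Endpoint from the thread above; the SP entity ID is a hypothetical placeholder.
KEYCLOAK_SAML_ENDPOINT = "https://keycloak.instance/auth/realms/REALM-NAME/protocol/saml"
SP_ENTITY_ID = "https://gitlab.example.test"  # assumed GitLab SP issuer, not a real host

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_logout_request(name_id, session_index, issuer=SP_ENTITY_ID,
                         destination=KEYCLOAK_SAML_ENDPOINT,
                         request_id=None, issue_instant=None):
    """Return an unsigned samlp:LogoutRequest document as a string.

    NameID and SessionIndex must match what the IdP issued in the login
    assertion, otherwise the IdP has no session to terminate.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{escape(destination, {chr(34): "&quot;"})}">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
        f'{escape(name_id)}</saml:NameID>'
        f'<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>'
        f'</samlp:LogoutRequest>'
    )


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate stream
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def logout_redirect_url(xml_text, relay_state=None, endpoint=KEYCLOAK_SAML_ENDPOINT):
    """URL the SP would redirect the browser to for SP-initiated SLO."""
    params = {"SAMLRequest": encode_redirect_binding(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Inverse of the binding: what the IdP does on receipt of the redirect."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def inspect_logout_request(xml_text):
    """Parse a LogoutRequest and return the fields an IdP checks first."""
    root = ET.fromstring(xml_text)
    if root.tag != f'{{{NS["samlp"]}}}LogoutRequest':
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=NS),
    }


if __name__ == "__main__":
    # Constructed sample values; a real SP would take these from the login assertion.
    request = build_logout_request("alice@example.test", "session-idx-1")
    url = logout_redirect_url(request, relay_state="https://gitlab.example.test/users/sign_in")
    print(url)
    print(inspect_logout_request(decode_redirect_binding(url)))
```

Run it as-is to see the redirect URL and the decoded fields; compare that URL with the bare endpoint GitLab issues when the realm URL sits in “After sign out path”, and the absence of any SAMLRequest in the latter is the reason the IdP complains and the Keycloak session survives.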