I intend to set up a Single Sign On/Out experience for the users of our GitLab instance.
To achieve this, I use Keycloak. I would like all login/logout to be made over our Keycloak instance.
Our GitLab instance is currently configured to use LDAPS for user authentication, and SAML looks like the best SSO replacement for that in the case of GitLab.
Unfortunately, I have not yet been able to find a solution to implement Single Logout with GitLab (login works well). When a user clicks on the sign out button, he gets immediately logged back in again. The Keycloak session does not get invalidated and we have the option ‘omniauth_auto_sign_in_with_provider’ enabled.
I have tried solving this issue by adding the following to our gitlab.rb file:
    gitlab_rails['omniauth_providers'] = [
      {
        name: 'saml',
        args: {
          ...
          idp_slo_target_url: 'https://keycloak.instance/auth/realms/REALM-NAME/protocol/saml/logout'
          ...
        }
      }
    ]
After adding this and reconfiguring GitLab, there was no noticeable effect, however.
I tried the following pattern for idp_slo_target_url as well:
https://keycloak.instance/auth/realms/REALM-NAME/protocol/openid-connect/logout
This did not solve the problem.
As a workaround, I even tried adding those sign-out URLs as an “After sign out path” in the GitLab admin GUI under Settings → General → Sign-in restrictions.
Unfortunately, this didn’t work either.
Any help would be much appreciated!