SAML Broker Logout fails with user_session_not_found and brokered users created as offline-only sessions after upgrade to 26.4.7 #45060

@abhishekjajoo

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

saml

Describe the bug

After upgrading Keycloak from 26.0.5 to 26.4.2, SAML broker logout consistently fails with:

LOGOUT_ERROR user_session_not_found
Unexpected error when authenticating with identity provider

At the same time, a behaviour change is observed:

  • Users authenticated via SAML IdP are created with offline sessions only, instead of regular online user sessions.

This behaviour did not exist in 26.0.5, where brokered users always had regular sessions and logout worked correctly.

Version

26.4.7

Regression

  • The issue is a regression

Expected behavior

  • Brokered SAML login should create a regular online user session
  • SAML logout should successfully terminate the session
  • Behaviour should match Keycloak 26.0.5, where:
    • Online sessions were created
    • Logout worked reliably

Actual behavior

  1. User logs in successfully via SAML IdP (Keycloak → Keycloak federation).
  2. Brokered user is created correctly in the SP realm.
  3. In Admin Console → Users → Sessions:
     • Only Offline Sessions exist
     • No regular (online) user session is created
  4. When logout is initiated:
     • IdP sends a valid, signed LogoutResponse
     • SP receives the response at /broker/saml/endpoint
     • SP logs:
       no valid user session
       user_session_not_found
  5. Logout fails and browser shows:
     Unexpected error when authenticating with identity provider

How to Reproduce?

  1. Setup Keycloak A (SP) and Keycloak B (IdP)
  2. Configure SAML IdP on SP
  3. Login via IdP
  4. Observe only offline session created
  5. Trigger logout
  6. Logout fails with user_session_not_found

Anything else?

  • Relevant Logs (SP / Broker)
WARN  Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests
ERROR no valid user session
WARN  LOGOUT_ERROR error="user_session_not_found"

  • Relevant Logs (IdP)
type=LOGOUT
auth_method=saml
redirect_uri=http://<sp>/realms/<realm>/broker/saml/endpoint
SAML_LOGOUT_REQUEST_ID=...

Impact

This breaks SAML Single Logout for brokered IdP integrations and causes:

  • Logout failures
  • Orphaned sessions
  • Behaviour change without migration guidance

This is a blocking issue for upgrading to 26.4.x in SAML broker environments.
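A way to verify step 4 of the reproduction (whether the brokered login produced a regular online session or only an offline one) from a script instead of the Admin Console, as an added example that is not part of the original issue and not Keycloak's own code. It queries the Admin REST API's per-user session endpoints (`/users/{id}/sessions` and `/users/{id}/offline-sessions/{clientUuid}`) and reports offline-only as the regression state described above. The base URL, realm name, client UUID, user id and the JSON responses are assumptions constructed for illustration; a live run against a real SP needs an admin token from `admin_token()` and the real `fetch_json`.

```python
"""Check whether a brokered user got a regular (online) session or only an
offline one, via the Keycloak Admin REST API.

Added example, not code from the issue or from Keycloak. Assumes the Admin
REST endpoints below behave as documented for Keycloak 26:
  GET /admin/realms/{realm}/users/{id}/sessions
  GET /admin/realms/{realm}/users/{id}/offline-sessions/{clientUuid}
Realm, user id, client UUID and the sample payloads are invented.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

BASE_URL = "http://sp.example.test"  # assumption: the SP Keycloak, plain HTTP like the reporter's setup
REALM = "sp-realm"                     # assumption: name of the SP realm
CLIENT_UUID = "11111111-2222-3333-4444-555555555555"  # assumption: internal UUID of the client to inspect

Fetch = Callable[[str, str], Any]  # (url, bearer token) -> decoded JSON


def admin_token(base_url: str, username: str, password: str) -> str:
    """Obtain an admin access token via the password grant on master/admin-cli
    (the same login kcadm.sh performs). Only needed for a live check."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)["access_token"]


def fetch_json(url: str, token: str) -> Any:
    """HTTP GET with a bearer token; returns the decoded JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class SessionReport:
    online: List[str]   # ids of regular user sessions
    offline: List[str]  # ids of offline sessions

    @property
    def brokered_login_ok(self) -> bool:
        """Expected behaviour from the report: at least one online session exists."""
        return len(self.online) > 0

    @property
    def offline_only(self) -> bool:
        """The regression state: offline sessions present, no online session."""
        return not self.online and bool(self.offline)


def classify_sessions(online_payload: List[Dict[str, Any]],
                      offline_payload: List[Dict[str, Any]]) -> SessionReport:
    """Reduce the two UserSessionRepresentation lists to their session ids."""
    return SessionReport(
        online=[s["id"] for s in online_payload],
        offline=[s["id"] for s in offline_payload],
    )


def check_user(user_id: str, token: str, *, base_url: str = BASE_URL,
               realm: str = REALM, client_uuid: str = CLIENT_UUID,
               fetch: Fetch = fetch_json) -> SessionReport:
    """Query both session endpoints for one user and classify the result.
    `fetch` is injectable so the logic can run offline against canned data."""
    users = f"{base_url}/admin/realms/{realm}/users/{user_id}"
    online = fetch(f"{users}/sessions", token)
    offline = fetch(f"{users}/offline-sessions/{client_uuid}", token)
    return classify_sessions(online, offline)


# Constructed sample responses (not captured from a real server), shaped like
# UserSessionRepresentation, reproducing the "only offline sessions" state.
SAMPLE_ONLINE: List[Dict[str, Any]] = []
SAMPLE_OFFLINE: List[Dict[str, Any]] = [
    {"id": "a1b2c3d4-0000-0000-0000-000000000001", "username": "alice",
     "userId": "u-0001", "ipAddress": "10.0.0.5", "start": 1700000000000,
     "lastAccess": 1700000300000, "rememberMe": False,
     "clients": {CLIENT_UUID: "broker-client"}},
]


def canned_fetch(url: str, token: str) -> Any:
    """Stand-in for fetch_json that serves the constructed sample above."""
    return SAMPLE_OFFLINE if "/offline-sessions/" in url else SAMPLE_ONLINE


if __name__ == "__main__":
    # Offline run against the canned data; for a live SP use
    # check_user(uid, admin_token(BASE_URL, "admin", "secret")) instead.
    report = check_user("u-0001", "dummy-token", fetch=canned_fetch)
    print("online:", report.online, "offline:", report.offline)
    print("regression present (offline-only):", report.offline_only)
```

Run it once against 26.0.5 and once against 26.4.x after the brokered login in step 3; on the version the reporter describes, `offline_only` comes back true, which is the state in which the subsequent SAML LogoutResponse cannot be matched to a user session.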
