SAML Single Logout Service Redirect

• Used Zammad version: 6.4.1-1741348581.b9a98307.bookworm
• Used Zammad installation type: package
• Operating system: Debian 12
• Browser + version: Firefox 128.7.0esr

Expected behavior:

• Redirect to Zammad login page.

Actual behavior:

• Redirects to Zammad SAML metadata page.

Steps to reproduce the behavior:

• Configure Keycloak in production mode with SAML client, import the Zammad metadata xml file, add user property ‘email’ mapping, and add certificate.

• Master SAML Processing URL: https://zammad.domain.tld/auth/saml/metadata

• Enable sign assertions

• Configure Zammad with SAML SSO, HTTPS setup in nginx.

• IDP SSO target URL: https://keycloak.domain.tld/realms/name/protocol/saml

• IDP Single Logout target URL: https://keycloak.domain.tld/realms/name/protocol/saml

• IDP Cert: cert-blob without begin/end

• Name Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

• SSL Verify: no

• Sign in with SSO > Keycloak user > mapped to Zammad user

• Sign out

• Redirects to https://zammad.domain.tld/auth/saml/metadata

I have the same issue.

Is the logout URL on the Keycloak side configured correctly?

By clicking Sign-Out you mean inside Zammad?