I have configured an external identity provider (on SAML 2.0 protocol) in a realm in my Keycloak instance (which is my IAM for my internal applications). I have configured a single logout URL (provided by the external IDP) in the external IDP configuration (with HTTP Redirect binding). When user clicks on logout from my internal applications, the logout flow is initiated to the external IDP and the user is logged out from the external IDP. But the user is still "logged-in" in my Keycloak instance as the user's session is not cleared. And this allows user to access my internal application even after logging out. So what to be done to fix this issue (ideally Keycloak user session should be cleared on clicking logout)?
A user from the given realm logged in via SSO, accessed my internal application, and clicked on logout. Ideally user should be logged out from both Keycloak (SP) and external IDP, but the user only gets logged out from external IDP.