SAML Single Log-out (SLO) doesn't work with Keycloak

Incident Report for TechTime Initiative Group

Resolved

We have released version 4.2.14 on the Atlassian Marketplace to fix this issue:

Server:
Jira: https://marketplace.atlassian.com/apps/1212581/easy-sso-jira-kerberos-ntlm-saml/version-history#b4002014005
Confluence: https://marketplace.atlassian.com/apps/1212583/easy-sso-confluence-kerberos-ntlm-saml/version-history#b4002014005
Bitbucket: https://marketplace.atlassian.com/apps/1214247/easy-sso-bitbucket-kerberos-ntlm-saml/version-history#b4002014005
Bamboo: https://marketplace.atlassian.com/apps/1214240/easy-sso-bamboo-kerberos-ntlm-saml/version-history#b4002014005

Data Center:
Jira: https://marketplace.atlassian.com/apps/1212581/easy-sso-jira-kerberos-ntlm-saml/version-history#b4002014000
Confluence: https://marketplace.atlassian.com/apps/1212583/easy-sso-confluence-kerberos-ntlm-saml/version-history#b4002014000
Bitbucket: https://marketplace.atlassian.com/apps/1214247/easy-sso-bitbucket-kerberos-ntlm-saml/version-history#b4002014000

Posted Jan 27, 2020 - 15:17 NZDT

Identified

We have identified the issue. Our SLO messages were indeed malformed for Keycloak and missing "destination" tag.

Posted Jan 22, 2020 - 16:30 NZDT

Investigating

We've been informed that when logging out of Jira with Keycloak SAML SLO enabled, Keycloak doesn't perform the log out, and instead returns "invalid requester", with the exception "invalid destination"

Posted Jan 20, 2020 - 22:00 NZDT

This incident affected: TechTime Server Apps (EasySSO for Jira Server, EasySSO for Confluence Server, EasySSO for Bitbucket Server, EasySSO for Bamboo Server) and TechTime Data Center Apps (EasySSO for Bitbucket Data Center, EasySSO for Jira Data Center, EasySSO for Confluence Data Center).