Logout from keycloak doesn't work

Strateg5

The new stable version of mailcow works great with keycloak, but when the user logout from the SOGo or administrative interface, he does not logout from keycloak. If he click the SSO button again, he will see his SOGo mail instead the keycloak login page. Is it possible to specify in options that when the user exit, he should really logout from keycloak?

Thanks.

esackbauer

I guess that is the point of an SSO like keycloak. Once you are logged on to keycloak you can use any services without needing to log in again:
https://en.wikipedia.org/wiki/Single_sign-on

True single sign-on allows the user to log in once and access services without re-entering authentication factors.

Strateg5

This feature is there - after logging into mailcow via SSO, I can log into other applications, such as Nextcloud, without re-authentication. But the question is, how do I logout of mailcow and not allow the next computer user to access my data? How do I change the mailcow user if I click the SSO button and get into the previous user’s mail again?

esackbauer

The user needs to logout his SSO session with keycloak.
Or, safer is to not run different users under the same user in operating system. Give each user his own login for the computer.
Another solution would be to have the users sharing a computer not to use keycloak (instead use built-in mailcow auth), you can configure this individually per user which auth method shall be used.

Strateg5

Are you depriving users of the ability to work with corporate mail from public computers just because you couldn’t properly implement the end of the session in mailcow? After all, other applications, for example Nextcloud, when exiting, also logout from keycloak. If I want to stop working in mailcow without exiting keycloak, then I just close the browser tab with it and continue working with other SSO applications.

esackbauer

Well, that session IS ended with mailcow, but not with keycloak. This is the way SSO is supposed to work.
Our company does not allow and prevents the use from public terminals, because of the possible data exfiltration threats.
If you are fine with that risk, you could open a feature request on Github, to have the logout button in mailcow and SOGo to properly logout with keycloak as well.
For now it is working as intended with an SSO solution.

I found there is already a feature request:
mailcow/mailcow-dockerized5774

I linked the github issue to this thread, so hopefully devs are taking care in near future.

Strateg5

Since such a request already exists, I join it, and ask to close this thread.
Thanks (especially to esackbauer)!