SAML logout failing in Keycloak

Tags: keycloak, saml, saml-2.0

We are switching from Spring Security SAML to using Keycloak as a SAML broker.

First, I configured the IdP in Keycloak by importing the IdP metadata XML from our identity provider. This resulted in the Service Provider Entity ID becoming https://saml.test-nemlog-in.dk/, and after login I got the following error from the IdP:

The entity ID https://saml.test-nemlog-in.dk/ could not be found
I think the wrong value is being used, because it must be the SP entityId (https://our.address.com).
When I change the Service Provider Entity ID to our entityId, login works fine.

Login works as described above, and now when I log out from the third party I am redirected to our SP with a LogoutRequest (as expected). The Destination is correct and the Issuer is also correct:

<LogoutRequest
    Destination="https://our.address.com/auth/realms/saml-broker-realm/protocol/saml"
    ID="..." IssueInstant="..." NotOnOrAfter="..." Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.test-nemlog-in.dk/</Issuer>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">....</NameID>
    <SessionIndex>....</SessionIndex>
</LogoutRequest>
I know that in the IdP configuration in Keycloak the entityId is set to https://our.address.com, but that is the address that appears in the Service Provider Entity ID field, and if I change it to the IdP entityId, login does not work.

Am I missing something? Perhaps there is some Keycloak configuration I have overlooked.

Below is the IdP configuration exported from Keycloak:

"identityProviders": [
    {
      "alias": "NemLog-in",
      "displayName": "NemLog-in",
      "internalId": "",
      "providerId": "saml",
      "enabled": true,
      "updateProfileFirstLoginMode": "on",
      "trustEmail": false,
      "storeToken": false,
      "addReadTokenRoleOnCreate": false,
      "authenticateByDefault": false,
      "linkOnly": false,
      "firstBrokerLoginFlowAlias": "Simple browser flow",
      "config": {
        "validateSignature": "true",
        "signingCertificate": "",
        "postBindingLogout": "false",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "postBindingResponse": "true",
        "singleLogoutServiceUrl": "https://login.test-nemlog-in.dk/adfs/ls/",
        "entityId": "https://our.address.com",
        "signatureAlgorithm": "RSA_SHA256",
        "wantAssertionsEncrypted": "false",
        "xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
        "useJwksUrl": "true",
        "loginHint": "false",
        "authnContextComparisonType": "exact",
        "postBindingAuthnRequest": "false",
        "syncMode": "IMPORT",
        "singleSignOnServiceUrl": "https://login.test-nemlog-in.dk/adfs/ls/",
        "wantAuthnRequestsSigned": "true",
        "addExtensionsElementWithKeyInfo": "false",
        "encryptionPublicKey": "",
        "principalType": "SUBJECT"
      }
    }
  ]
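The LogoutRequest in the question carries the IdP's entity ID (https://saml.test-nemlog-in.dk/) as its Issuer, while the `entityId` in the Keycloak identity-provider config is the entity ID the broker itself presents as an SP (https://our.address.com); a broker must validate the Issuer against the former, not the latter. The following is an added example, not code from the question or from Keycloak, that checks a LogoutRequest modelled on the one above against the configured IdP entity ID, the broker's own SLO endpoint and the NotOnOrAfter window; the ID, NameID, SessionIndex and timestamps are constructed placeholders, and it assumes the XML signature was already verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# From the question: external IdP entity ID, the entityId Keycloak uses as SP, broker SLO URL
IDP_ENTITY_ID = "https://saml.test-nemlog-in.dk/"
SP_ENTITY_ID = "https://our.address.com"
SP_SLO_URL = "https://our.address.com/auth/realms/saml-broker-realm/protocol/saml"

# Constructed sample modelled on the LogoutRequest in the question; ID, NameID,
# SessionIndex and timestamps are made-up placeholders.
SAMPLE_LOGOUT_REQUEST = f"""<LogoutRequest Destination="{SP_SLO_URL}"
    ID="_placeholder-id" IssueInstant="2024-01-01T12:00:00Z"
    NotOnOrAfter="2024-01-01T12:05:00Z" Version="2.0" xmlns="{SAMLP}">
    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns="{SAML}">{IDP_ENTITY_ID}</Issuer>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        xmlns="{SAML}">CN=placeholder</NameID>
    <SessionIndex>_placeholder-session</SessionIndex>
</LogoutRequest>"""


def _utc(ts: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_logout_request(xml_text: str, idp_entity_id: str,
                            own_slo_url: str, now: str) -> list[str]:
    """Return the reasons to reject the request (empty list = accept).
    Assumes the XML signature was already verified against the IdP key."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"unexpected root element {root.tag}"]
    # Issuer names the sender: it must be the IdP's entity ID, not the broker's own SP entityId
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != expected IdP {idp_entity_id!r}")
    # Destination must be this broker's own SLO endpoint (rejects redirected requests)
    if root.get("Destination") != own_slo_url:
        problems.append(f"Destination {root.get('Destination')!r} is not ours")
    # Reject stale requests outside the NotOnOrAfter window
    not_after = root.get("NotOnOrAfter")
    if not_after is None or _utc(now) >= _utc(not_after):
        problems.append("NotOnOrAfter missing or already passed")
    if root.find(f"{{{SAML}}}NameID") is None:
        problems.append("NameID missing, cannot map to a session")
    return problems
```

Calling `validate_logout_request(SAMPLE_LOGOUT_REQUEST, SP_ENTITY_ID, SP_SLO_URL, "2024-01-01T12:01:00Z")`, i.e. comparing the Issuer against the SP's own entityId, rejects the otherwise valid request, which is the mismatch the question describes.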