KeyCloak-Encountered-Problems.md

@@ -3,7 +3,7 @@
 When logging in at [oeresource](https://oeresource-dev.logic.at/en/) or the [sharing platform](https://dev-exchange.codeability-austria.uibk.ac.at/) via Keycloak / TU Wien Identity Provider we see `InvalidFederatedIdentityActionMessage`, and cannot proceed. 
 ![Screenshot_2024-04-22_at_14.37.52](uploads/3cbb758297fa299e6474c7022808ee64/Screenshot_2024-04-22_at_14.37.52.png)
 ### Cause:
-In our case, the identity providers' X509 certificate expired.
+The identity providers' X509 certificate expired.
 ### Solution:
 1. Download the current SAML entity from [https://idp.zid.tuwien.ac.at/saml2](https://idp.zid.tuwien.ac.at/saml2). For other identity providers see [https://eduid.at/entities/idp/](https://eduid.at/entities/idp/)
 2. Go to the [keycloak admin console](https://keycloak.sharing-codeability.uibk.ac.at/auth/admin)
@@ -12,4 +12,12 @@ In our case, the identity providers' X509 certificate expired.
 4. Scroll to *Validating X509 Certificates*
 6. Insert X509 certificate from SAML entity and click save
 
- 
\ No newline at end of file
+## "500 Internal Server Error" @ TU Wien Identity Provider (ZID)
+### Description:
+When logging out at [oeresource](https://oeresource-dev.logic.at/en/), the user is not correctly redirected back, but sees a vague "500 Internal Server Error" and is stuck at the identity providers' site.
+![Screenshot_2024-04-22_at_14.53.21](uploads/3fd2633aa8e87e0f6a8428c7a484706f/Screenshot_2024-04-22_at_14.53.21.png)
+### Cause:
+In our case, the *single logout endpoint* was not passed on to the identity provider correctly.
+### Solution:
+1. Go to the [keycloak admin console](https://keycloak.sharing-codeability.uibk.ac.at/auth/admin)
+2. Enable "backchannel logout" ![Screenshot_2024-04-22_at_14.58.25](uploads/0878958d73161fa48ea1b86f24fe20a1/Screenshot_2024-04-22_at_14.58.25.png) and save
\ No newline at end of file