Single Log Out doesn't work when Keycloak is behind a reverse proxy.
The SamlResponse returned in response to the logout request is rejected because of a failure in destination validation.
Validation fails because the method SAMLEndpoint.Binding.handleSamlResponse() passes session.getContext().getUri().getAbsolutePath() to destinationValidator. Unfortunately, session.getContext().getUri().getAbsolutePath() returns the Keycloak backend URL.
This issue is similar to
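
The mismatch described in this report, as an added example that is not Keycloak's code and not part of the original report: a stand-alone destination check fed first with the backend request URL and then with the externally visible URL. The class, the method names, the URLs and the idea of a configured public base URL are all assumptions made for illustration.

```java
import java.net.URI;
import java.util.Objects;

// Added illustration; hypothetical names, not Keycloak's classes.
public class DestinationCheckDemo {

    // Treat a missing port as the scheme default so https://host and
    // https://host:443 compare equal.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // The Destination in the SAML message must name the URL the receiver
    // believes it was delivered to: scheme, host, port and path all match.
    static boolean destinationMatches(URI expected, URI destination) {
        if (expected == null || destination == null) return false;
        if (expected.getScheme() == null || expected.getHost() == null
                || destination.getScheme() == null || destination.getHost() == null) {
            return false; // relative or malformed URLs never match
        }
        return expected.getScheme().equalsIgnoreCase(destination.getScheme())
                && expected.getHost().equalsIgnoreCase(destination.getHost())
                && effectivePort(expected) == effectivePort(destination)
                && Objects.equals(expected.getPath(), destination.getPath());
    }

    // Assumption: the deployment configures its public base URL explicitly
    // instead of trusting whatever host the backend connection shows.
    static URI externalUrl(URI publicBase, URI backendRequest) {
        return publicBase.resolve(backendRequest.getRawPath());
    }

    public static void main(String[] args) {
        // Constructed sample values.
        URI destination = URI.create("https://sso.example.com/auth/realms/demo/saml-endpoint");
        URI backendRequest = URI.create("http://10.0.0.5:8080/auth/realms/demo/saml-endpoint");
        URI publicBase = URI.create("https://sso.example.com/");

        // Expected value taken from the backend request: the check rejects.
        System.out.println("backend URL:  " + destinationMatches(backendRequest, destination));
        // Expected value rebuilt from the public base URL: the check accepts.
        System.out.println("external URL: "
                + destinationMatches(externalUrl(publicBase, backendRequest), destination));
    }
}
```

The check itself stays strict in both calls; only the expected value changes, which is why relaxing or disabling destination validation is not needed to make logout work behind the proxy.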