diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
index 6746d9dcb4..e6a2175602 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
@@ -444,8 +444,10 @@ public class SamlProtocol implements LoginProtocol {
 @Override
 public Response consentDenied(ClientSessionModel clientSession) {
 if ("true".equals(clientSession.getClient().getAttribute(SAML_IDP_INITIATED_LOGIN))) {
+ session.sessions().removeClientSession(realm, clientSession);
 return ErrorPage.error(session, Messages.CONSENT_DENIED);
 } else {
+ session.sessions().removeClientSession(realm, clientSession);
 return getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
 }
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
index 87480793e0..bfdffadda3 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -148,6 +148,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
 UriBuilder redirectUri = UriBuilder.fromUri(redirect).queryParam(OAuth2Constants.ERROR, "access_denied");
 if (state != null)
 redirectUri.queryParam(OAuth2Constants.STATE, state);
+ session.sessions().removeClientSession(realm, clientSession);
 Response.ResponseBuilder location = Response.status(302).location(redirectUri.build());
 return location.build();
 }
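Review bot: In the `else` branch of `SamlProtocol.consentDenied`, the client session is removed before `getErrorResponse(clientSession, ...)` is called with that same session, so the SAML error response is built from a session that has already been deleted. Whether reads on a removed `ClientSessionModel` still return the redirect target and notes depends on the session provider, which is not visible in this diff. The OIDC hunk in this commit reads `redirect` and `state` first and removes afterwards; this branch could follow the same order: `Response response = getErrorResponse(clientSession, JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());` then `session.sessions().removeClientSession(realm, clientSession);` then `return response;`. The `if` branch is unaffected, since `ErrorPage.error(session, Messages.CONSENT_DENIED)` does not take the client session.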
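Review bot: The added `removeClientSession` call in `OIDCLoginProtocol` carries no comment saying why a denied consent must discard the client session, and the same line now appears in three places across `SamlProtocol` and `OIDCLoginProtocol`. A short comment such as `// consent denied: discard the client session so the denied login cannot be resumed` would record the intent for anyone adding another `LoginProtocol` implementation. If the caller of `consentDenied` (not visible here) can perform the removal once the response has been built, doing it in that one place would cover every protocol and keep the cleanup from being forgotten. The method's signature and its first statements are outside the hunk.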