[keycloak-dev] Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page

Rashmi Singh singhrasster at gmail.com
Tue Aug 23 09:05:31 EDT 2016


On keycloak logs, I only see this error:

2016-08-23 00:49:24,648 WARN  [org.keycloak.events] (default task-6)
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_token

This is a generic error and does not give any clue.

I used SAML tracer with Firefox and there I see the following request in
RED:

GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
Here are the contents for this request from SAML tracer (but it's not giving
me any clue on what is wrong):

GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml HTTP/1.1
Host: rashmiidp.cloud.com:9990
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=0.5,es-ES;q=0.3,en-US;q=0.2
Accept-Encoding: gzip, deflate

HTTP/?.? 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: WildFly/10
X-Frame-Options: SAMEORIGIN
content-security-policy: frame-src 'self'
Date: Tue, 23 Aug 2016 00:37:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 2906

Does this give you any idea? Do you have any more suggestions?

On Mon, Aug 22, 2016 at 7:54 PM, Rashmi Singh <singhrasster at gmail.com>
wrote:

> On Fri, Aug 19, 2016 at 7:52 AM, John Dennis <jdennis at redhat.com> wrote:
>
>> On 08/18/2016 10:06 PM, Rashmi Singh wrote:
>>
>>> Hi,
>>>
>>> I have set up a Salesforce SAML SP in keycloak. So, I basically created a
>>> new client from the keycloak admin console for Salesforce. This is what my SP
>>> URL looks like:
>>>
>>> http://rashmi789-dev-ed.my.salesforce.com
>>>
>>> I edited the salesforce configuration settings to point it to the
>>> keycloak IDP. So, when I access the SP:
>>> http://rashmi789-dev-ed.my.salesforce.com
>>>
>>> I am successfully taken to the keycloak IDP page (where I have
>>> configured my Authenticator). I enter my credentials there and am able
>>> to login. But, now when I try to logout, I get the following error on
>>> the web page:
>>>
>>> We're sorry ...
>>> Invalid Request
>>>
>>
>> Is logout supported on both ends (i.e. SP and IdP)? The definition of
>> support is in the metadata of each entity. Is there a SingleLogoutService
>> binding with a valid location URL in each metadata? The vast majority of
>> SAML problems are directly attributable to the metadata because that is
>> what drives the conversation between the SP and IdP. You have access to
>> both metadata because it was necessary to load the metadata in each party.
>>
>> If the problem is not the absence of SingleLogoutService then I would try
>> tracing the flow. That is easy with the Firefox browser and the SAMLTracer
>> add-on. That will let you see the exchange of messages and identify who the
>> offending party is.
>>
>>> So, single sign out does not seem to be working for me. What is the
>>> issue? Is it a problem with the IDP logout URL that I have configured?
>>> What I have is:
>>>
>>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>>
>>>
>>> my IDP Login URL is:
>>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>>
>>> and that seems to be perfectly fine as I am able to log in without any
>>> issue. What is the issue with the logout I am seeing above when using a
>>> Salesforce SP with keycloak? Please let me know if you need me to
>>> provide more details.
>>>
>>
>> This suggests the problem is not with the IdP. Keycloak uses the same URL
>> for all services (don't assume this is always the case, it's just one
>> implementation choice). If login to the same URL works, a valid
>> LogoutRequest to the same URL should also work, provided of course it is a
>> valid SAML Request. Are there any errors in the Keycloak log concerning
>> invalid requests?
>>
>> Once again, using SAMLTracer will help nail down who is generating the
>> error and what the content of the message was that induced it.
>>
>>
>>> Also, once this issue is resolved and I am able to log out successfully,
>>> could you give some insights on how to customize the logout page?
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>
>> --
>> John
>>
>
>
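John's first suggestion above is to check whether each party's metadata advertises a SingleLogoutService binding with a valid Location. The following is an added example, not code from the thread or from Keycloak: it parses two constructed metadata documents (entity IDs and URLs are placeholders) and reports whether single logout can work between them.

```python
"""Check SP and IdP SAML metadata for SingleLogoutService support (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_SAML = "http://idp.example/auth/realms/saml-demo/protocol/saml"  # constructed placeholder

# Constructed IdP metadata: one endpoint serves SSO and SLO, as Keycloak does.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://idp.example/auth/realms/saml-demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="{IDP_SAML}"/>
    <md:SingleLogoutService Binding="{POST}" Location="{IDP_SAML}"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_SAML}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata: SLO is advertised but with an empty Location, so it is unusable.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location=""/>
    <md:AssertionConsumerService Binding="{POST}" Location="https://sp.example/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def slo_endpoints(metadata_xml):
    """Map each SingleLogoutService Binding to its Location; entries without an
    absolute http(s) Location are dropped as advertised-but-unusable."""
    endpoints = {}
    root = ET.fromstring(metadata_xml)
    for el in root.iterfind(".//{%s}SingleLogoutService" % MD):
        loc = el.get("Location", "")
        parsed = urlparse(loc)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            endpoints[el.get("Binding")] = loc
    return endpoints

def slo_check(sp_xml, idp_xml):
    """Return (ok, reasons); ok only if both sides advertise SLO on a common binding."""
    sp, idp = slo_endpoints(sp_xml), slo_endpoints(idp_xml)
    reasons = []
    if not sp:
        reasons.append("SP metadata has no usable SingleLogoutService")
    if not idp:
        reasons.append("IdP metadata has no usable SingleLogoutService")
    if sp and idp and not set(sp) & set(idp):
        reasons.append("SP and IdP share no SingleLogoutService binding")
    return bool(set(sp) & set(idp)), reasons
```

Run `slo_check` against the real SP and IdP metadata downloaded from each side; a failing result points at the metadata rather than at the logout URL configured in the SP.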