[keycloak-dev] Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page

Rashmi Singh singhrasster at gmail.com
Wed Aug 24 12:27:35 EDT 2016


John, can you take a look at my last post? It seems like Salesforce is not
supporting Single logout. Is there some Keycloak URL we can provide for the
field "Identity Provider Logout URL" on Salesforce "Single Sign-On Settings"
that would log the user out? Since it seems like Salesforce is not even
sending a SAML request when doing a logout. Here is what I wrote yesterday:

"Looking more closely into this, it seems like Salesforce does not support
SAML logout.

In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:

Identity Provider Logout URL:
I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml

But, since Salesforce does not seem to support SAML logout, is it possible
to specify some Keycloak URL in this field that would log out the user? It
seems like the URL I specify in this field gets invoked but then Salesforce
is not really sending a SAML logout request and I just get an error as
indicated earlier. So, I was wondering if there is some Keycloak URL that we
can specify in this field that would log out the user?

If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?"

On Wed, Aug 24, 2016 at 11:20 AM, John Dennis <jdennis at redhat.com> wrote:

> On 08/23/2016 09:05 AM, Rashmi Singh wrote:
>
>> On keycloak logs, I only see this error:
>>
>> 2016-08-23 00:49:24,648 WARN  [org.keycloak.events] (default task-6)
>> type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
>> ipAddress=192.168.99.1, error=invalid_token
>>
>> This is a generic error and does not give any clue.
>>
>> I used SAML tracer with firefox and there I see the following request in
>> RED:
>>
>> GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>> Here are the contents for this request from SAML tracer (but it's not
>> giving me any clue on what is wrong):
>>
>
> You didn't post the SAML content from the SAMLTracer SAML tab.
>
>
> --
> John
>