<div dir="ltr"><span style="font-size:12.8px">On Keycloak logs, I only see this error:</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">2016-08-23 00:49:24,648 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_token</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">This is a generic error and does not give any clue.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I used SAML tracer with Firefox and there I see the following request in RED:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">GET <a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" target="_blank">http://rashmiidp.cloud.com:<wbr>9990/auth/realms/saml-demo/<wbr>protocol/saml</a><br></div><div style="font-size:12.8px">Here are the contents for this request from SAML tracer (but it's not giving me any clue on what is wrong):</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div>GET <a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" target="_blank">http://rashmiidp.cloud.com:<wbr>9990/auth/realms/saml-demo/<wbr>protocol/saml</a> HTTP/1.1</div><div>Host: <a href="http://rashmiidp.cloud.com:9990/" target="_blank">rashmiidp.cloud.com:9990</a></div><div>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0</div><div>Accept: text/html,application/xhtml+<wbr>xml,application/xml;q=0.9,*/*;<wbr>q=0.8</div><div>Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=<wbr>0.5,es-ES;q=0.3,en-US;q=0.2</div><div>Accept-Encoding: gzip, deflate</div><div>Cookie: KEYCLOAK_SESSION=saml-demo/<wbr>6d25a0c6-7bb8-4cfc-b918-<wbr>e3384f9dfe72/1e3911dc-3237-<wbr>4aee-ba56-07de530e00f7; 
KC_RESTART=<wbr>eyJhbGciOiJIUzI1NiJ9.<wbr>eyJjcyI6ImI1M2QxOGJiLWQ3ODItND<wbr>ZhNS04YjY5LWQxM2IxMDVhMTc4NSIs<wbr>ImNpZCI6Imh0dHBzOi8vc2FtbC5zYW<wbr>xlc2ZvcmNlLmNvbSIsInB0eSI6InNh<wbr>bWwiLCJydXJpIjoiaHR0cHM6Ly9yYX<wbr>NobWk3ODktZGV2LWVkLm15LnNhbGVz<wbr>Zm9yY2UuY29tP3NvPTAwRDQxMDAwMD<wbr>AwNUwxNCIsImFjdCI6IkFVVEhFTlRJ<wbr>Q0FURSIsIm5vdGVzIjp7ImFjdGlvbl<wbr>9rZXkiOiJmNDBmYTJmYi01YTM0LTRm<wbr>ZDQtYTc2NC0xZDI5NWVlZDFmODIiLC<wbr>JSZWxheVN0YXRlIjoiLyIsIlNBTUxf<wbr>UkVRVUVTVF9JRCI6Il8yQ0FBQUFWZE<wbr>ZCal9tTUU4d05ERXdNREF3TURBMFF6<wbr>azJBQUFBeWszaE1mODBfdTJ5cGVpSX<wbr>pjVWNkQUtJWUFkeF9vNmN2Y0ZoMTE4<wbr>QkcxWnFVRVQtREZJY29Wb1BqLUNheW<wbr>ZFV2FHLXRCLUo3YXhHUEhGaWdWbmV3<wbr>MEREQUVlTTdJR21KcURuMmpUOUlPOD<wbr>VfT2pYTlVNQzlrbmV0cmRDcmpweDZC<wbr>WTJjcWVCVWV0cldsb0JVaWhpMHBKMW<wbr>0tb2dBSmM1T1NDTXhIUkxpclNNR2FY<wbr>RVhEeFpLVldadENfQTUwTFl6S1o2bm<wbr>o3XzZ1ekhIak9qa01kYnpoY2RTZlVZ<wbr>S0Q2bVRhNmtCRjlweTRwQTB4bHg1eG<wbr>RpN1M5OWc1d0xnSklmeVJ3Iiwic2Ft<wbr>bF9iaW5kaW5nIjoicG9zdCJ9fQ.<wbr>E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-<wbr>7PFtY7JKNOLd-U; KEYCLOAK_IDENTITY=<wbr>eyJhbGciOiJSUzI1NiJ9.<wbr>eyJqdGkiOiJmNTQyYjY0Yy1iYTNhLT<wbr>RiY2ItYmE2OC0xZGEyZTY0ZGRjMTQi<wbr>LCJleHAiOjE0NzE5NDg2NjAsIm5iZi<wbr>I6MCwiaWF0IjoxNDcxOTEyNjYwLCJp<wbr>c3MiOiJodHRwOi8vcmFzaG1paWRwLm<wbr>Nsb3VkLmNvbTo5OTkwL2F1dGgvcmVh<wbr>bG1zL3NhbWwtZGVtbyIsInN1YiI6Ij<wbr>ZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4<wbr>LWUzMzg0ZjlkZmU3MiIsInNlc3Npb2<wbr>5fc3RhdGUiOiIxZTM5MTFkYy0zMjM3<wbr>LTRhZWUtYmE1Ni0wN2RlNTMwZTAwZj<wbr>ciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9<wbr>fQ.<wbr>IfnQezJi5hCMHac2K3B9QnjWdx4SR7<wbr>F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8<wbr>z9XY-<wbr>u0hN4DLFePXjzLOl0UwYaZ0ySxm-l-<wbr>gUsCkveVzTPRMS98ekuTMlc-<wbr>1fPI4h1tCRrVawW5zOgH7zc-<wbr>a03KK0WZJ6b3iuU49PGsDXmeiNb6aq<wbr>G-<wbr>BIrmSkfsjfXr4zB69PcY0EF3sse0jl<wbr>OkZXYBcmbH46b_fWm-<wbr>p4hpyt6QnGvxanKOc2jtavkUPSo5Ur<wbr>QxmQ3-<wbr>ahfxqZOFAvRbeHys5RdUUHs5BBefjk<wbr>E4p8teCeG0nNzpgJfgPHgMNsnjELrT<wbr>SafTcq1AM-yV2UOWrYeh0sA; testusergrid={}</div><div><br></div><div>HTTP/?.? 
500 Internal Server Error</div><div>Cache-Control: no-store, must-revalidate, max-age=0</div><div>X-Powered-By: Undertow/1</div><div>Server: WildFly/10</div><div>X-Frame-Options: SAMEORIGIN</div><div>content-security-policy: frame-src &#39;self&#39;</div><div>Date: Tue, 23 Aug 2016 00:37:56 GMT</div><div>Connection: keep-alive</div><div>X-Content-Type-Options: nosniff</div><div>Content-Type: text/html;charset=utf-8</div><div>Content-Length: 2906</div><div><br></div><div><div style="font-size:12.8px">Does this give you any idea? Do you have any more suggestions?</div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 22, 2016 at 7:54 PM, Rashmi Singh <span dir="ltr">&lt;<a href="mailto:singhrasster@gmail.com" target="_blank">singhrasster@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">John, on Keycloak logs, I only see this error:<div><br></div><div>2016-08-23 00:49:24,648 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null, ipAddress=192.168.99.1, error=invalid_token</div><div><br></div><div>This is a generic error and does not give any clue.</div><div><br></div><div>I used SAML tracer with Firefox and there I see the following request in RED:</div><div><br></div><div>GET <a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" target="_blank">http://rashmiidp.cloud.com:<wbr>9990/auth/realms/saml-demo/<wbr>protocol/saml</a><br></div><div>Here are the contents for this request from SAML tracer (but it's not giving me any clue on what is wrong):</div><div><br></div><div><div>GET <a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" target="_blank">http://rashmiidp.cloud.com:<wbr>9990/auth/realms/saml-demo/<wbr>protocol/saml</a> HTTP/1.1</div><div>Host: <a 
href="http://rashmiidp.cloud.com:9990" target="_blank">rashmiidp.cloud.com:9990</a></div><div>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0</div><div>Accept: text/html,application/xhtml+<wbr>xml,application/xml;q=0.9,*/*;<wbr>q=0.8</div><div>Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=<wbr>0.5,es-ES;q=0.3,en-US;q=0.2</div><div>Accept-Encoding: gzip, deflate</div><div>Cookie: KEYCLOAK_SESSION=saml-demo/<wbr>6d25a0c6-7bb8-4cfc-b918-<wbr>e3384f9dfe72/1e3911dc-3237-<wbr>4aee-ba56-07de530e00f7; KC_RESTART=<wbr>eyJhbGciOiJIUzI1NiJ9.<wbr>eyJjcyI6ImI1M2QxOGJiLWQ3ODItND<wbr>ZhNS04YjY5LWQxM2IxMDVhMTc4NSIs<wbr>ImNpZCI6Imh0dHBzOi8vc2FtbC5zYW<wbr>xlc2ZvcmNlLmNvbSIsInB0eSI6InNh<wbr>bWwiLCJydXJpIjoiaHR0cHM6Ly9yYX<wbr>NobWk3ODktZGV2LWVkLm15LnNhbGVz<wbr>Zm9yY2UuY29tP3NvPTAwRDQxMDAwMD<wbr>AwNUwxNCIsImFjdCI6IkFVVEhFTlRJ<wbr>Q0FURSIsIm5vdGVzIjp7ImFjdGlvbl<wbr>9rZXkiOiJmNDBmYTJmYi01YTM0LTRm<wbr>ZDQtYTc2NC0xZDI5NWVlZDFmODIiLC<wbr>JSZWxheVN0YXRlIjoiLyIsIlNBTUxf<wbr>UkVRVUVTVF9JRCI6Il8yQ0FBQUFWZE<wbr>ZCal9tTUU4d05ERXdNREF3TURBMFF6<wbr>azJBQUFBeWszaE1mODBfdTJ5cGVpSX<wbr>pjVWNkQUtJWUFkeF9vNmN2Y0ZoMTE4<wbr>QkcxWnFVRVQtREZJY29Wb1BqLUNheW<wbr>ZFV2FHLXRCLUo3YXhHUEhGaWdWbmV3<wbr>MEREQUVlTTdJR21KcURuMmpUOUlPOD<wbr>VfT2pYTlVNQzlrbmV0cmRDcmpweDZC<wbr>WTJjcWVCVWV0cldsb0JVaWhpMHBKMW<wbr>0tb2dBSmM1T1NDTXhIUkxpclNNR2FY<wbr>RVhEeFpLVldadENfQTUwTFl6S1o2bm<wbr>o3XzZ1ekhIak9qa01kYnpoY2RTZlVZ<wbr>S0Q2bVRhNmtCRjlweTRwQTB4bHg1eG<wbr>RpN1M5OWc1d0xnSklmeVJ3Iiwic2Ft<wbr>bF9iaW5kaW5nIjoicG9zdCJ9fQ.<wbr>E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-<wbr>7PFtY7JKNOLd-U; 
KEYCLOAK_IDENTITY=<wbr>eyJhbGciOiJSUzI1NiJ9.<wbr>eyJqdGkiOiJmNTQyYjY0Yy1iYTNhLT<wbr>RiY2ItYmE2OC0xZGEyZTY0ZGRjMTQi<wbr>LCJleHAiOjE0NzE5NDg2NjAsIm5iZi<wbr>I6MCwiaWF0IjoxNDcxOTEyNjYwLCJp<wbr>c3MiOiJodHRwOi8vcmFzaG1paWRwLm<wbr>Nsb3VkLmNvbTo5OTkwL2F1dGgvcmVh<wbr>bG1zL3NhbWwtZGVtbyIsInN1YiI6Ij<wbr>ZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4<wbr>LWUzMzg0ZjlkZmU3MiIsInNlc3Npb2<wbr>5fc3RhdGUiOiIxZTM5MTFkYy0zMjM3<wbr>LTRhZWUtYmE1Ni0wN2RlNTMwZTAwZj<wbr>ciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9<wbr>fQ.<wbr>IfnQezJi5hCMHac2K3B9QnjWdx4SR7<wbr>F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8<wbr>z9XY-<wbr>u0hN4DLFePXjzLOl0UwYaZ0ySxm-l-<wbr>gUsCkveVzTPRMS98ekuTMlc-<wbr>1fPI4h1tCRrVawW5zOgH7zc-<wbr>a03KK0WZJ6b3iuU49PGsDXmeiNb6aq<wbr>G-<wbr>BIrmSkfsjfXr4zB69PcY0EF3sse0jl<wbr>OkZXYBcmbH46b_fWm-<wbr>p4hpyt6QnGvxanKOc2jtavkUPSo5Ur<wbr>QxmQ3-<wbr>ahfxqZOFAvRbeHys5RdUUHs5BBefjk<wbr>E4p8teCeG0nNzpgJfgPHgMNsnjELrT<wbr>SafTcq1AM-yV2UOWrYeh0sA; testusergrid={}</div><div><br></div><div>HTTP/?.? 500 Internal Server Error</div><div>Cache-Control: no-store, must-revalidate, max-age=0</div><div>X-Powered-By: Undertow/1</div><div>Server: WildFly/10</div><div>X-Frame-Options: SAMEORIGIN</div><div>content-security-policy: frame-src &#39;self&#39;</div><div>Date: Tue, 23 Aug 2016 00:37:56 GMT</div><div>Connection: keep-alive</div><div>X-Content-Type-Options: nosniff</div><div>Content-Type: text/html;charset=utf-8</div><div>Content-Length: 2906</div><div><br></div><div><br></div><div>Does this give you any idea? Do you have any more suggestions?</div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 19, 2016 at 7:52 AM, John Dennis <span dir="ltr">&lt;<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 08/18/2016 10:06 PM, Rashmi Singh wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
Hi,<br>
<br>
I have set up a Salesforce SAML SP in Keycloak. So, I basically created a<br>
new client from the Keycloak admin console for Salesforce. This is what my SP<br>
URL looks like:<br>
<br>
<a href="http://rashmi789-dev-ed.my.salesforce.com" rel="noreferrer" target="_blank">rashmi789-dev-ed.my.salesforce<wbr>.com</a><br></span>
<span><br>
<br>
I edited the Salesforce configuration settings to point it to the<br>
Keycloak IDP. So, when I access the SP:<br>
<a href="http://rashmi789-dev-ed.my.salesforce.com" rel="noreferrer" target="_blank">http://rashmi789-dev-ed.my.sal<wbr>esforce.com</a><br>
<br>
I am successfully taken to the Keycloak IDP page (where I have<br>
configured my Authenticator). I enter my credentials there and am able<br>
to log in. But, now when I try to log out, I get the following error on<br>
the web page:<br>
<br>
We&#39;re sorry ...<br>
Invalid Request<br>
</span></blockquote>
<br>
Is logout supported on both ends (i.e. SP and IdP)? The definition of support is in the metadata of each entity. Is there a SingleLogoutService binding with a valid location URL in each metadata? The vast majority of SAML problems are directly attributable to the metadata because that is what drives the conversation between the SP and IdP. You have access to both metadata because it was necessary to load the metadata in each party.<br>
<br>
If the problem is not the absence of SingleLogoutService then I would try tracing the flow. That is easy with the Firefox browser and the SAMLTracer add-on. That will let you see the exchange of messages and identify who the offending party is.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So, single sign-out does not seem to be working for me. What is the<br>
issue? Is it a problem with the IDP logout URL that I have configured?<br>
What I have is:<br>
<br>
<a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:999<wbr>0/auth/realms/saml-demo/protoc<wbr>ol/saml</a><br>
<br>
<br>
my IDP Login URL is:<br>
<a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:999<wbr>0/auth/realms/saml-demo/protoc<wbr>ol/saml</a><br>
<br>
and that seems to be perfectly fine as I am able to log in without any<br>
issue. What is the issue with the logout I am seeing above when using a<br>
Salesforce SP with Keycloak? Please let me know if you need me to<br>
provide more details.<br>
</blockquote>
<br></span>
This suggests the problem is not with the IdP. Keycloak uses the same URL for all services (don&#39;t assume this is always the case, it&#39;s just one implementation choice). If login to the same URL works, a valid LogoutRequest to the same URL should also work, provided of course it is a valid SAML Request. Are there any errors in the Keycloak log concerning invalid requests?<br>
<br>
Once again, using SAMLTracer will help nail down who is generating the error and what the content of the message was that induced it.<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
Also, once this issue is resolved and I am able to logout successfully,<br>
could you give some insights on how to customize the logout page?<br>
<br>
<br>
<br>
<br></span>
______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-dev</a><br>
<br><span><font color="#888888">
</font></span></blockquote><span><font color="#888888">
<br>
<br>
-- <br>
John<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
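<div dir="ltr">John's advice in the thread above is to check the metadata of both parties for a SingleLogoutService with a usable binding and an absolute Location before tracing the flow. The script below is an added example written for this page; it is not code from the keycloak-dev list, from Keycloak, or from Salesforce. It parses SP and IdP metadata and reports the metadata defects that typically stop single logout (no SLO endpoint on one side, a relative Location, or no binding both sides share), and it also splits a Keycloak <code>org.keycloak.events</code> line like the one quoted above into fields so LOGIN_ERROR events can be filtered by realm and error. The metadata documents are constructed samples with placeholder hostnames; the IdP sample mirrors the single-URL layout John describes for Keycloak, and the function and constant names are this example's own.</div>

```python
"""Check SP and IdP SAML metadata for Single Logout (SLO) support.

Added example for this thread: not code from the keycloak-dev list, from
Keycloak, or from Salesforce. All metadata below is constructed and the
hostnames (idp.example.test, sp.example.test) are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
KNOWN_BINDINGS = {POST, REDIRECT}

# Constructed IdP metadata: one URL serves both SSO and SLO, like Keycloak's
# .../protocol/saml endpoint discussed in the thread.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="http://idp.example.test/auth/realms/demo">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{POST}" Location="http://idp.example.test/auth/realms/demo/protocol/saml"/>
    <SingleLogoutService Binding="{REDIRECT}" Location="http://idp.example.test/auth/realms/demo/protocol/saml"/>
    <SingleSignOnService Binding="{POST}" Location="http://idp.example.test/auth/realms/demo/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_metadata(slo_element):
    """Build constructed SP metadata around an optional SingleLogoutService element."""
    return f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {slo_element}
    <AssertionConsumerService Binding="{POST}" Location="https://sp.example.test/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


SP_METADATA_OK = sp_metadata(f'<SingleLogoutService Binding="{POST}" Location="https://sp.example.test/saml/logout"/>')
SP_METADATA_NO_SLO = sp_metadata("")  # SP never advertises logout: login works, logout cannot
SP_METADATA_BAD_URL = sp_metadata(f'<SingleLogoutService Binding="{POST}" Location="/saml/logout"/>')


def slo_endpoints(metadata_xml, role):
    """Return [(binding, location)] for every SingleLogoutService under the given
    role descriptor ("IDPSSODescriptor" or "SPSSODescriptor")."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for descriptor in root.iter(f"{{{MD_NS}}}{role}"):
        for slo in descriptor.findall("md:SingleLogoutService", NS):
            endpoints.append((slo.get("Binding"), slo.get("Location")))
    return endpoints


def is_absolute_url(url):
    """A SAML endpoint Location must be an absolute http(s) URL."""
    parsed = urlparse(url or "")
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_slo(idp_xml, sp_xml):
    """Return a list of findings; an empty list means SLO metadata looks consistent."""
    findings = []
    idp = slo_endpoints(idp_xml, "IDPSSODescriptor")
    sp = slo_endpoints(sp_xml, "SPSSODescriptor")
    if not idp:
        findings.append("IdP metadata has no SingleLogoutService")
    if not sp:
        findings.append("SP metadata has no SingleLogoutService")
    for side, endpoints in (("IdP", idp), ("SP", sp)):
        for binding, location in endpoints:
            if binding not in KNOWN_BINDINGS:
                findings.append(f"{side} SLO binding not recognised: {binding}")
            if not is_absolute_url(location):
                findings.append(f"{side} SLO Location is not an absolute URL: {location!r}")
    if idp and sp and not ({b for b, _ in idp} & {b for b, _ in sp}):
        findings.append("no SLO binding is supported by both sides")
    return findings


# The event line quoted in the thread, used here as sample input.
KEYCLOAK_LOG_LINE = ("2016-08-23 00:49:24,648 WARN  [org.keycloak.events] (default task-6) "
                     "type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null, "
                     "ipAddress=192.168.99.1, error=invalid_token")


def parse_keycloak_event(line):
    """Split an org.keycloak.events line into its key=value fields."""
    return {key: value.strip() for key, value in re.findall(r"(\w+)=([^,]+)", line)}


if __name__ == "__main__":
    for name, sp_xml in (("ok", SP_METADATA_OK), ("no-slo", SP_METADATA_NO_SLO),
                         ("bad-url", SP_METADATA_BAD_URL)):
        print(name, check_slo(IDP_METADATA, sp_xml) or "SLO metadata consistent")
    event = parse_keycloak_event(KEYCLOAK_LOG_LINE)
    print(event["type"], event["realmId"], event["error"])
```

<div dir="ltr">To use it on a real deployment, replace the constructed strings with the metadata each party actually loaded (the IdP descriptor Keycloak publishes for the realm, and the SP descriptor downloaded from the service provider); a finding on either side explains a failed logout without any tracing.</div>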