<div dir="ltr"><span style="font-size:12.8px">Here is what my SP metadata looks like:</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com"></div><div> <SPSSODescriptor AuthnRequestsSigned="true"</div><div> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocolhttp://schemas.xmlsoap.org/ws/2003/07/secext"></div><div> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</div><div> </NameIDFormat></div><div> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/></div><div> <AssertionConsumerService</div><div> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"</div><div> index="1" isDefault="true" /></div><div> <KeyDescriptor use="signing"></div><div> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"></div><div> <dsig:X509Data></div><div> 
<dsig:X509Certificate></div><div>MIIFYDCCBEigAwIBAgIQQ4KxN7E3aA<wbr>GP1rpwQm6gZzANBgkqhkiG9w0BAQUF<wbr>ADCBvDELMAkGA1UEBhMCVVMxFzAVBg<wbr>NVBAoTDlZlcmlTaWduLCBJbmMuMR8w<wbr>HQYDVQQLExZWZXJpU2lnbiBUcnVzdC<wbr>BOZXR3b3JrMTswOQYDVQQLEzJUZXJt<wbr>cyBvZiB1c2UgYXQgaHR0cHM6Ly93d3<wbr>cudmVyaXNpZ24uY29tL3JwYSAoYykx<wbr>MDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2<wbr>xhc3MgMyBJbnRlcm5hdGlvbmFsIFNl<wbr>cnZlciBDQSAtIEczMB4XDTEzMTAxOD<wbr>AwMDAwMFoXDTE3MTAxNzIzNTk1OVow<wbr>gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQ<wbr>QIEwpDYWxpZm9ybmlhMRYwFAYDVQQH<wbr>FA1TYW4gRnJhbmNpc2NvMR0wGwYDVQ<wbr>QKFBRTYWxlc2ZvcmNlLmNvbSwgSW5j<wbr>LjEVMBMGA1UECxQMQXBwbGljYXRpb2<wbr>5zMR0wGwYDVQQDFBRwcm94eS5zYWxl<wbr>c2ZvcmNlLmNvbTCCASIwDQYJKoZIhv<wbr>cNAQEBBQADggEPADCCAQoCggEBALJt<wbr>S/8tJmPZ/CKOz/<wbr>dJ7MXrgz0MPQKxEAdgrdOFdRjsavTY<wbr>+RviREe+zwjrKd9ZsCS3GltV2GBFD+<wbr>YxXzuptQr+ZUDC8Vwx+<wbr>49WQ13D55nmoUJVcB1nHlTXBICJQDo<wbr>87cZ4AIViuSVkUfQRG7BeMfKTMngyG<wbr>dAOIsnSFwp1ONmRqaIarWTfr2w0SNF<wbr>NPikW9rQjehAF/eh6Ib4H3bJEE/<wbr>kAwRS4mFJoxEKsiJQhnymqeoVgLMSb<wbr>3UTS8J9R1RmQi+<wbr>kisC39NAzVwQjM1X677cdQt0FaF6Gl<wbr>Z97vCH/<wbr>rpNAJnAVwaWiRNQ32AR2X39rp8DVpS<wbr>k9eynNGp1JI/<wbr>6mIv3ECAwEAAaOCAYcwggGDMB8GA1U<wbr>dEQQYMBaCFHByb3h5LnNhbGVzZm9yY<wbr>2UuY29tMAkGA1UdEwQCMAAwDgYDVR0<wbr>PAQH/<wbr>BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQ<wbr>UFBwMBBggrBgEFBQcDAgYJYIZIAYb4<wbr>QgQBMEMGA1UdIAQ8MDowOAYKYIZIAY<wbr>b4RQEHNjAqMCgGCCsGAQUFBwIBFhxo<wbr>dHRwczovL3d3dy52ZXJpc2lnbi5jb2<wbr>0vY3BzMB8GA1UdIwQYMBaAFNebfNgi<wbr>oBX33a1fzimbWMO8RgC1MEEGA1UdHw<wbr>Q6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJ<wbr>bnRsLUczLWNybC52ZXJpc2lnbi5jb2<wbr>0vU1ZSSW50bEczLmNybDByBggrBgEF<wbr>BQcBAQRmMGQwJAYIKwYBBQUHMAGGGG<wbr>h0dHA6Ly9vY3NwLnZlcmlzaWduLmNv<wbr>bTA8BggrBgEFBQcwAoYwaHR0cDovL1<wbr>NWUkludGwtRzMtYWlhLnZlcmlzaWdu<wbr>LmNvbS9TVlJJbnRsRzMuY2VyMA0GCS<wbr>qGSIb3DQEBBQUAA4IBAQAEMsL4HAd5<wbr>uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4<wbr>ZjzkSFwvRR9+<wbr>5zijYqlhe4ou1SL4WAWAsTKMTpKz0C<wbr>L1S9Npt0IcKmIWeRsjJKKznFa8sxHh<wbr>gEvm3O11a9uVfgvmnwn0VEpuTmGvXv<wbr>IUSAZ5q0CVDgzbGsrjWnZXllgO6krw<w
br>PonEg6MdFarA87bAkLCrLZ0HqWeUVl<wbr>f2ntfvR7kjr0trUM/<wbr>EBxPdcPxeMK70EJqku7GMEPOxkexTr<wbr>2O0yD/2lZM0il+<wbr>AUuOboZDl0SyfjU0N7YIKNKZq5hcoU<wbr>P/<wbr>sCpcReMNj0dAWeVYmADrV7LlOVvndg<wbr>HKcLrUydS/9obQHen</div><div> </dsig:X509Certificate></div><div> </dsig:X509Data></div><div> </dsig:KeyInfo></div><div> </KeyDescriptor></div><div> </SPSSODescriptor></div><div></EntityDescriptor></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 08/23/2016 06:04 PM, Rashmi Singh wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Looking more closely into this, it seems like Salesforce does not<br>
support SAML logout.<br>
<br>
In Salesforce, where I did the configuration for "SAML Single Sign-On<br>
Settings", there is the following field:<br>
<br>
Identity Provider Logout URL:<br>
I had specified this as:<br>
<a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:99<wbr>90/auth/realms/saml-demo/proto<wbr>col/saml</a><br>
<br>
But, since Salesforce does not seem to support SAML logout, is it<br>
possible to specify some Keycloak URL in this field that would log out<br>
the user? It seems like the URL I specify in this field gets invoked but<br>
then Salesforce is not really sending a SAML logout request and I just<br>
get an error as indicated earlier. So, I was thinking if there is some<br>
Keycloak URL that we can specify in this field that would log out the user?<br>
<br>
If there is no such URL support, is there an alternative to solve this<br>
issue since Salesforce does not seem to handle the single logout?<br>
</blockquote>
<br></span>
Why do you draw the conclusion Salesforce does not support logout? That does not seem to be indicated from this document:<br>
<br>
<a href="http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf" rel="noreferrer" target="_blank">http://resources.docs.salesfor<wbr>ce.com/202/18/en-us/sfdc/pdf/<wbr>salesforce_single_sign_on.pdf</a><br>
<br>
What is the SP metadata you used?<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
-- <br>
John<br>
</font></span></blockquote></div><br></div>
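<div>An added example (not part of the original thread, and not Keycloak or Salesforce code): a Python check of what an SP metadata document laid out like the one above advertises for single logout. The host sp.example.com, the placeholder certificate, the function name audit_sp_metadata and the wording of its findings are assumptions of this example.</div>

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (hypothetical host, placeholder certificate); it mirrors
# the element layout of the metadata in the message above.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.com">
 <SPSSODescriptor AuthnRequestsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="{POST}" Location="https://sp.example.com/?so=ORG"/>
  <AssertionConsumerService Binding="{POST}" Location="https://sp.example.com/?so=ORG"
    index="1" isDefault="true"/>
  <KeyDescriptor use="signing"><dsig:KeyInfo xmlns:dsig="{DS}"><dsig:X509Data>
   <dsig:X509Certificate>PLACEHOLDER</dsig:X509Certificate>
  </dsig:X509Data></dsig:KeyInfo></KeyDescriptor>
 </SPSSODescriptor>
</EntityDescriptor>"""


def audit_sp_metadata(xml_text):
    """Return (summary, findings) for the SPSSODescriptor of one metadata document."""
    # Metadata from an untrusted source should go through a hardened XML parser.
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location"))
                for e in sp.findall(f"{{{MD}}}{tag}")]

    slo, acs = endpoints("SingleLogoutService"), endpoints("AssertionConsumerService")
    signing = [k for k in sp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use") in (None, "signing")  # no "use" means any purpose
               and k.find(f".//{{{DS}}}X509Certificate") is not None]
    findings = []
    if not slo:
        findings.append("no SingleLogoutService: the IdP has no endpoint for LogoutRequest")
    if any(loc in [a for _, a in acs] for _, loc in slo):
        findings.append("SLO and ACS share one Location: confirm the SP handles logout there")
    for _, loc in slo + acs:
        if not (loc or "").lower().startswith("https://"):
            findings.append(f"endpoint is not HTTPS: {loc}")
    if sp.get("AuthnRequestsSigned") == "true" and not signing:
        findings.append("AuthnRequestsSigned=true but no signing certificate is published")
    return {"entityID": root.get("entityID"), "slo": slo, "acs": acs,
            "signing_keys": len(signing)}, findings
```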