<div dir="ltr">John, Can you take a look at my last post? It seems like Salesforce is not supporting Single logout. Is there some keycloak URL we can provide for the field "<span style="font-size:12.8px">Identity Provider Logout URL" on saleforce Single Sign on Settings" that would </span>log the user out? Since, it seems like Salesforce is not even sending a SAML request when doing a logout. Here is what I wrote yesterday:<div><br></div><div>"<span style="font-size:12.8px">Looking more closely into this, it seems like Salesforce does not support SAML logout. </span></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">In Salesforce, where I did the configuration for "SAML Single Sign-On Settings", there is the following field:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Identity Provider Logout URL:</div><div style="font-size:12.8px">I had specified this as: <span style="color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px"><a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" target="_blank">http://rashmiidp.cloud.com:<wbr>9990/auth/realms/saml-demo/<wbr>protocol/saml</a></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px"><br></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px">But, since Salesforce does not seem to support SAML logout, is it possible to specify some keycloak URL in this field that would logout the user? It seems like the URL I specify in this field gets invoked but then Salesforce is not really sending a SAML logout request and I just get an error as indicated earlier. So, I was thinking if there is some keycloak URL that we can specify in this field that would logout the user?</span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px"><br></span></div><div style="font-size:12.8px"><span style="color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:12px">If there is no such URL support, is there an alternative to solve this issue since Salesforce does not seem to handle the single logout?"</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 24, 2016 at 11:20 AM, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 08/23/2016 09:05 AM, Rashmi Singh wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On keycloak logs, I only see this error:<br>
<br>
2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)<br>
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,<br>
ipAddress=192.168.99.1, error=invalid_token<br>
<br>
This is a generic error and does not give any clue.<br>
<br>
I used SAML tracer with firefox and there I see the following request in<br>
RED:<br>
<br>
GET <a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:999<wbr>0/auth/realms/saml-demo/protoc<wbr>ol/saml</a><br>
<<a href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:99<wbr>90/auth/realms/saml-demo/proto<wbr>col/saml</a>><br>
Here are the contents for this request from SAML tracer (but its not<br>
giving me any clue on what is wrong):<br>
</blockquote>
<br></span>
You didn't post the SAML content from the SAMLTracer SAML tab.<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
-- <br>
John<br>
</font></span></blockquote></div><br></div>