<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>My guess is that Salesforce is not signing the logout request and
      Keycloak expects it to be signed, but can't really know unless you
      post your SAML tracer. Also, edit your standalone.xml config file
      (really depending on how you've booted keycloak). Search for
      "logging:3.0". In that section, turn on debug logging for
      keycloak:</p>
    <pre wrap="">&lt;logger category="org.keycloak"&gt;
    &lt;level name="DEBUG"/&gt;
&lt;/logger&gt;</pre>
    <p>That may shed some light on things.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 8/24/16 12:33 PM, Rashmi Singh
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJ0vL++AmZanrZGLAYXOpG73jscvmrhjtwJDqVZi-GHfNiwOdw@mail.gmail.com"
      type="cite">
      <div dir="ltr"><span style="font-size:12.8px">Here is what my SP
          metadata looks like:</span>
        <div style="font-size:12.8px"><br>
        </div>
        <div style="font-size:12.8px">
          <pre wrap="">&lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com"&gt;
    &lt;SPSSODescriptor AuthnRequestsSigned="true"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"&gt;
        &lt;NameIDFormat&gt;urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        &lt;/NameIDFormat&gt;
        &lt;SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/&gt;
        &lt;AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"
                index="1" isDefault="true" /&gt;
        &lt;KeyDescriptor use="signing"&gt;
            &lt;dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"&gt;
                &lt;dsig:X509Data&gt;
                    &lt;dsig:X509Certificate&gt;[base64 certificate omitted]&lt;/dsig:X509Certificate&gt;
                &lt;/dsig:X509Data&gt;
            &lt;/dsig:KeyInfo&gt;
        &lt;/KeyDescriptor&gt;
    &lt;/SPSSODescriptor&gt;
&lt;/EntityDescriptor&gt;</pre>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Aug 24, 2016 at 11:30 AM, John
          Dennis <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
              class="">On 08/23/2016 06:04 PM, Rashmi Singh wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                Looking more closely into this, it seems like Salesforce
                does not<br>
                support SAML logout.<br>
                <br>
                In Salesforce, where I did the configuration for "SAML
                Single Sign-On<br>
                Settings", there is the following field:<br>
                <br>
                Identity Provider Logout URL:<br>
                I had specified this as:<br>
                 <a moz-do-not-send="true"
href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml"
                  rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:99<wbr>90/auth/realms/saml-demo/proto<wbr>col/saml</a><br>
                <br>
                But, since Salesforce does not seem to support SAML
                logout, is it<br>
                possible to specify some keycloak URL in this field that
                would log out<br>
                the user? It seems like the URL I specify in this field
                gets invoked but<br>
                then Salesforce is not really sending a SAML logout
                request and I just<br>
                get an error as indicated earlier. So, I was thinking if
                there is some<br>
                keycloak URL that we can specify in this field that
                would log out the user?<br>
                <br>
                If there is no such URL support, is there an alternative
                to solve this<br>
                issue since Salesforce does not seem to handle the
                single logout?<br>
              </blockquote>
              <br>
            </span>
            Why do you draw the conclusion Salesforce does not support
            logout? That does not seem to be indicated from this
            document:<br>
            <br>
            <a moz-do-not-send="true"
href="http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf"
              rel="noreferrer" target="_blank">http://resources.docs.salesfor<wbr>ce.com/202/18/en-us/sfdc/pdf/<wbr>salesforce_single_sign_on.pdf</a><br>
            <br>
            What is the SP metadata you used?<span class="HOEnZb"><font
                color="#888888"><br>
                <br>
                <br>
                -- <br>
                John<br>
              </font></span></blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
    </blockquote>
    <br>
  </body>
</html>