<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Yup, you're right:</p>
<p><a class="moz-txt-link-freetext" href="https://success.salesforce.com/ideaView?id=08730000000DjseAAC">https://success.salesforce.com/ideaView?id=08730000000DjseAAC</a></p>
<p>Ok, this is going to sound weird, but it should work.</p>
<p>Register a logout URL for keycloak at salesforce.com as <br>
</p>
<p><b><a moz-do-not-send="true"
href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml">http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/</a>openid-connect?redirect_uri=<encoded-url></b></p>
<p></p>
<pre id="txt"><b>
</b></pre>
<p>Replace <encoded-url> as a URL encoded version of the URL
you want keycloak to redirect the browser after logout.</p>
<p>Next, you'll have to go into the Client tab in the Keycloak admin
console and add that redirect uri to the list of allowed redirect
uris. This is a bit of a hack, but it should work.<br>
</p>
<br>
<div class="moz-cite-prefix">On 8/25/16 10:22 AM, Rashmi Singh
wrote:<br>
</div>
<blockquote
cite="mid:CAJ0vL+Jx876BUJEXFJ=hM48OdkRHfpDUfkfVY_h5sOZAztDTNw@mail.gmail.com"
type="cite">
<div dir="ltr">When I do a logout, my SAML tracer show this
request:
<div><br>
</div>
<div>
<pre id="txt"><b>GET <a moz-do-not-send="true" href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml">http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml</a> HTTP/1.1</b></pre>
<pre id="txt"><b>
</b></pre>
<pre id="txt"><font face="arial, sans-serif"><span style="white-space:normal">And clicking this request just shows the HTTP tab. It does not even show the SAML tab. So, it looks like Salefroce does not send SAML request for logout. That was the reason, I was asking if there is another way to do the user sign out from keycloak. That is, in instead of the above URL we use a different url (some keycloak URL) that would sign out the user. Or some other alternative?</span></font></pre>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 25, 2016 at 12:17 AM, Bill
Burke <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>My guess is that Salesforce is not signing the logout
request and Keycloak expects it to be signed, but can't
really know unless you post your SAML tracer. Also,
Edit your standalone.xml config file (really depending
on how you've booted keycloak). Search for
"logging:3.0". IN that section, turn on debug logging
for keycloak:</p>
<p> <logger category="org.keycloak"><br>
<level name="DEBUG"/><br>
</logger></p>
<p><br>
</p>
<p>That may shed some light on things.<br>
</p>
<div>
<div class="h5"> <br>
<div>On 8/24/16 12:33 PM, Rashmi Singh wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr"><span style="font-size:12.8px">Here
is how my SP Metadata looks like:</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">
<div><EntityDescriptor
xmlns="urn:oasis:names:tc:SAML<wbr>:2.0:metadata"
entityID="<a moz-do-not-send="true"
href="https://saml.salesforce.com/"
target="_blank">https://saml.salesfo<wbr>rce.com</a>"></div>
<div> <SPSSODescriptor
AuthnRequestsSigned="true"</div>
<div> protocolSupportEnumeration="ur<wbr>n:oasis:names:tc:SAML:2.0:prot<wbr>ocol
urn:oasis:names:tc:SAML:1.1:pr<wbr>otocol<a
moz-do-not-send="true"
href="http://schemas.xmlsoap.org/ws/2003/07/secext"
target="_blank">http://schemas.xmlsoap.<wbr>org/ws/2003/07/secext</a>"></div>
<div>
<NameIDFormat>urn:oasis:names:<wbr>tc:SAML:1.1:nameid-format:unsp<wbr>ecified</div>
<div> </NameIDFormat></div>
<div> <SingleLogoutService
Binding="urn:oasis:names:tc:SA<wbr>ML:2.0:bindings:HTTP-POST"
Location="<a moz-do-not-send="true"
href="https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14"
target="_blank">https://rashmi789-de<wbr>v-ed.my.salesforce.com?so=00D4<wbr>10000005L14</a>"/></div>
<div> <AssertionConsumerService</div>
<div>
Binding="urn:oasis:names:tc:SA<wbr>ML:2.0:bindings:HTTP-POST"
Location="<a moz-do-not-send="true"
href="https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14"
target="_blank">https://rashmi789-de<wbr>v-ed.my.salesforce.com?so=00D4<wbr>10000005L14</a>"</div>
<div> index="1" isDefault="true"
/></div>
<div> <KeyDescriptor use="signing"></div>
<div> <dsig:KeyInfo xmlns:dsig="<a
moz-do-not-send="true"
href="http://www.w3.org/2000/09/xmldsig#"
target="_blank">http://www.w3.org/<wbr>2000/09/xmldsig#</a>"></div>
<div> <dsig:X509Data></div>
<div>
<dsig:X509Certificate></div>
<div>MIIFYDCCBEigAwIBAgIQQ4KxN7E3aA<wbr>GP1rpwQm6gZzANBgkqhkiG9w0BAQUF<wbr>ADCBvDELMAkGA1UEBhMCVVMxFzAVBg<wbr>NVBAoTDlZlcmlTaWduLCBJbmMuMR8w<wbr>HQYDVQQLExZWZXJpU2lnbiBUcnVzdC<wbr>BOZXR3b3JrMTswOQYDVQQLEzJUZXJt<wbr>cyBvZiB1c2UgYXQgaHR0cHM6Ly93d3<wbr>cudmVyaXNpZ24uY29tL3JwYSAoYykx<wbr>MDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2<wbr>xhc3MgMyBJbnRlcm5hdGlvbmFsIFNl<wbr>cnZlciBDQSAtIEczMB4XDTEzMTAxOD<wbr>AwMDAwMFoXDTE3MTAxNzIzNTk1OVow<wbr>gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQ<wbr>QIEwpDYWxpZm9ybmlhMRYwFAYDVQQH<wbr>FA1TYW4gRnJhbmNpc2NvMR0wGwYDVQ<wbr>QKFBRTYWxlc2ZvcmNlLmNvbSwgSW5j<wbr>LjEVMBMGA1UECxQMQXBwbGljYXRpb2<wbr>5zMR0wGwYDVQQDFBRwcm94eS5zYWxl<wbr>c2ZvcmNlLmNvbTCCASIwDQYJKoZIhv<wbr>cNAQEBBQADggEPADCCAQoCggEBALJt<wbr>S/8tJmPZ/CKOz/dJ7MXrgz0MPQKxEA<wbr>dgrdOFdRjsavTY+RviREe+<wbr>zwjrKd9ZsCS3GltV2GBFD+YxXzuptQ<wbr>r+ZUDC8Vwx+49WQ13D55nmoUJVcB1n<wbr>HlTXBICJQDo87cZ4AIViuSVkUfQRG7<wbr>BeMfKTMngyGdAOIsnSFwp1ONmRqaIa<wbr>rWTfr2w0SNFNPikW9rQjehAF/<wbr>eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQ<wbr>hnymqeoVgLMSb3UTS8J9R1RmQi+kis<wbr>C39NAzVwQjM1X677cdQt0FaF6GlZ97<wbr>vCH/rpNAJnAVwaWiRNQ32AR2X39rp8<wbr>DVpSk9eynNGp1JI/6mIv3ECAwEAAaO<wbr>CAYcwggGDMB8GA1UdEQQYMBaCFHByb<wbr>3h5LnNhbGVzZm9yY2UuY29tMAkGA1U<wbr>dEwQCMAAwDgYDVR0PAQH/BAQDAgWgM<wbr>CgGA1UdJQQhMB8GCCsGAQUFBwMBBgg<wbr>rBgEFBQcDAgYJYIZIAYb4QgQBMEMGA<wbr>1UdIAQ8MDowOAYKYIZIAYb4RQEHNjA<wbr>qMCgGCCsGAQUFBwIBFhxodHRwczovL<wbr>3d3dy52ZXJpc2lnbi5jb20vY3BzMB8<wbr>GA1UdIwQYMBaAFNebfNgioBX33a1fz<wbr>imbWMO8RgC1MEEGA1UdHwQ6MDgwNqA<wbr>0oDKGMGh0dHA6Ly9TVlJJbnRsLUczL<wbr>WNybC52ZXJpc2lnbi5jb20vU1ZSSW5<wbr>0bEczLmNybDByBggrBgEFBQcBAQRmM<wbr>GQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9<wbr>vY3NwLnZlcmlzaWduLmNvbTA8BggrB<wbr>gEFBQcwAoYwaHR0cDovL1NWUkludGw<wbr>tRzMtYWlhLnZlcmlzaWduLmNvbS9TV<wbr>lJJbnRsRzMuY2VyMA0GCSqGSIb3DQE<wbr>BBQUAA4IBAQAEMsL4HAd5uYW3j0SQF<wbr>X4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvR<wbr>R9+5zijYqlhe4ou1SL4WAWAsTKMTpK<wbr>z0CL1S9Npt0IcKmIWeRsjJKKznFa8s<wbr>xHhgEvm3O11a9uVfgvmnwn0VEpuTmG<wbr>vXvIUSAZ5q0CVDgzbGsrjWnZXllgO6<wbr>krwPonEg6MdFarA87bAkLCrLZ0HqWe<wbr>UVlf2ntfvR7kjr0trUM/EBxPdcPxeM<wbr>K70EJqku7GMEPOxkexTr2O0yD/<wbr>2lZM0il+AUuOboZDl0SyfjU0N7YIKN<wbr>KZq5hcoUP/sCpcReMNj0dAWeVYmADr<wbr>V7LlOVvndgHKcLrUydS/9obQHen</div>
<div>
</dsig:X509Certificate></div>
<div> </dsig:X509Data></div>
<div> </dsig:KeyInfo></div>
<div> </KeyDescriptor></div>
<div> </SPSSODescriptor></div>
<div></EntityDescriptor></div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 24, 2016 at
11:30 AM, John Dennis <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:jdennis@redhat.com"
target="_blank">jdennis@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span>On 08/23/2016
06:04 PM, Rashmi Singh wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Looking more
closely into this, it seems like
Salesforce does not<br>
support SAML logout.<br>
<br>
In Salesforce, where I did the
configuration for "SAML Single Sign-On<br>
Settings", there is the following field:<br>
<br>
Identity Provider Logout URL:<br>
I had specified this as:<br>
<a moz-do-not-send="true"
href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml"
rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:99<wbr>90/auth/realms/saml-demo/proto<wbr>col/saml</a><br>
<br>
But, since Salesforce does not seem to
support SAML logout, is it<br>
possible to specify some keycloak URL in
this field that would logout<br>
the user? It seems like the URL I specify
in this field gets invoked but<br>
then Salesforce is not really sending a
SAML logout request and I just<br>
get an error as indicated earlier. So, I
was thinking if there is some<br>
keycloak URL that we can specify in this
field that would logout the user?<br>
<br>
If there is no such URL support, is there
an alternative to solve this<br>
issue since Salesforce does not seem to
handle the single logout?<br>
</blockquote>
<br>
</span> Why do you draw the conclusion
Salesforce does not support logout? That does
not seem to be indicated from this document:<br>
<br>
<a moz-do-not-send="true"
href="http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf"
rel="noreferrer" target="_blank">http://resources.docs.salesfor<wbr>ce.com/202/18/en-us/sfdc/pdf/s<wbr>alesforce_single_sign_on.pdf</a><br>
<br>
What is the SP metadata you used?<span><font
color="#888888"><br>
<br>
<br>
-- <br>
John<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<span class="">
<pre>______________________________<wbr>_________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a></pre>
</span></blockquote>
</div>
______________________________<wbr>_________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a>
</blockquote></div>
</div>
</blockquote>
</body></html>