<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Yup, you're right:</p>
    <p><a class="moz-txt-link-freetext" href="https://success.salesforce.com/ideaView?id=08730000000DjseAAC">https://success.salesforce.com/ideaView?id=08730000000DjseAAC</a></p>
    <p>Ok, this is going to sound weird, but it should work.</p>
    <p>Register a logout URL for keycloak at salesforce.com as <br>
    </p>
    <p><b>http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/openid-connect?redirect_uri=&lt;encoded-url&gt;</b></p>
    <p>Replace &lt;encoded-url&gt; with a URL-encoded version of the URL
      you want keycloak to redirect the browser to after logout.</p>
    <p>Next, you'll have to go into the Client tab in the Keycloak admin
      console and add that redirect uri to the list of allowed redirect
      uris.   This is a bit of a hack, but it should work.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 8/25/16 10:22 AM, Rashmi Singh
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJ0vL+Jx876BUJEXFJ=hM48OdkRHfpDUfkfVY_h5sOZAztDTNw@mail.gmail.com"
      type="cite">
      <div dir="ltr">When I do a logout, my SAML tracer show this
        request:
        <div><br>
        </div>
        <div>
          <pre id="txt"><b>GET <a moz-do-not-send="true" href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml">http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml</a> HTTP/1.1</b></pre>
          <p>And clicking this request just shows the HTTP tab. It does not even show the SAML tab. So, it looks like Salesforce does not send a SAML request for logout. That was the reason I was asking if there is another way to do the user sign out from keycloak. That is, instead of the above URL we use a different URL (some keycloak URL) that would sign out the user. Or some other alternative?</p>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Aug 25, 2016 at 12:17 AM, Bill
          Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>My guess is that Salesforce is not signing the logout
                request and Keycloak expects it to be signed, but I can't
                really know unless you post your SAML tracer. Also,
                edit your standalone.xml config file (really depending
                on how you've booted keycloak).  Search for
                "logging:3.0".  In that section, turn on debug logging
                for keycloak:</p>
              <pre>&lt;logger category="org.keycloak"&gt;
    &lt;level name="DEBUG"/&gt;
&lt;/logger&gt;</pre>
              <p><br>
              </p>
              <p>That may shed some light on things.<br>
              </p>
              <div>
                <div class="h5"> <br>
                  <div>On 8/24/16 12:33 PM, Rashmi Singh wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr"><span style="font-size:12.8px">Here
                        is what my SP Metadata looks like:</span>
                      <pre>&lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com"&gt;
    &lt;SPSSODescriptor AuthnRequestsSigned="true"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"&gt;
        &lt;NameIDFormat&gt;urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        &lt;/NameIDFormat&gt;
        &lt;SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/&gt;
        &lt;AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"
                index="1" isDefault="true" /&gt;
        &lt;KeyDescriptor use="signing"&gt;
            &lt;dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"&gt;
                &lt;dsig:X509Data&gt;
                    &lt;dsig:X509Certificate&gt;
MIIFYDCCBEigAwIBAgIQQ4KxN7E3aAGP1rpwQm6gZzANBgkqhkiG9w0BAQUFADCBvDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTEzMTAxODAwMDAwMFoXDTE3MTAxNzIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHFA1TYW4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5jLjEVMBMGA1UECxQMQXBwbGljYXRpb25zMR0wGwYDVQQDFBRwcm94eS5zYWxlc2ZvcmNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJtS/8tJmPZ/CKOz/dJ7MXrgz0MPQKxEAdgrdOFdRjsavTY+RviREe+zwjrKd9ZsCS3GltV2GBFD+YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1nHlTXBICJQDo87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIarWTfr2w0SNFNPikW9rQjehAF/eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQhnymqeoVgLMSb3UTS8J9R1RmQi+kisC39NAzVwQjM1X677cdQt0FaF6GlZ97vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpSk9eynNGp1JI/6mIv3ECAwEAAaOCAYcwggGDMB8GA1UdEQQYMBaCFHByb3h5LnNhbGVzZm9yY2UuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQAEMsL4HAd5uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvRR9+5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8sxHhgEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6krwPonEg6MdFarA87bAkLCrL
Z0HqWeUVlf2ntfvR7kjr0trUM/EBxPdcPxeMK70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKNKZq5hcoUP/sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
                    &lt;/dsig:X509Certificate&gt;
                &lt;/dsig:X509Data&gt;
            &lt;/dsig:KeyInfo&gt;
        &lt;/KeyDescriptor&gt;
    &lt;/SPSSODescriptor&gt;
&lt;/EntityDescriptor&gt;</pre>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Wed, Aug 24, 2016 at
                        11:30 AM, John Dennis <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:jdennis@redhat.com"
                            target="_blank">jdennis@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"><span>On 08/23/2016
                            06:04 PM, Rashmi Singh wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex"> Looking more
                              closely into this, it seems like
                              Salesforce does not<br>
                              support SAML logout.<br>
                              <br>
                              In Salesforce, where I did the
                              configuration for "SAML Single Sign-On<br>
                              Settings", there is the following field:<br>
                              <br>
                              Identity Provider Logout URL:<br>
                              I had specified this as:<br>
                               <a moz-do-not-send="true" href="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml" rel="noreferrer" target="_blank">http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml</a><br>
                              <br>
                              But, since Salesforce does not seem to
                              support SAML logout, is it<br>
                              possible to specify some keycloak URL in
                              this field that would logout<br>
                              the user? It seems like the URL I specify
                              in this field gets invoked but<br>
                              then Salesforce is not really sending a
                              SAML logout request and I just<br>
                              get an error as indicated earlier. So, I
                              was thinking if there is some<br>
                              keycloak URL that we can specify in this
                              field that would logout the user?<br>
                              <br>
                              If there is no such URL support, is there
                              an alternative to solve this<br>
                              issue since Salesforce does not seem to
                              handle the single logout?<br>
                            </blockquote>
                            <br>
                          </span> Why do you draw the conclusion
                          Salesforce does not support logout? That does
                          not seem to be indicated from this document:<br>
                          <br>
                          <a moz-do-not-send="true" href="http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf" rel="noreferrer" target="_blank">http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf</a><br>
                          <br>
                          What is the SP metadata you used?<span><font
                              color="#888888"><br>
                              <br>
                              <br>
                              -- <br>
                              John<br>
                            </font></span></blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <span class="">
                  <pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
    </span></blockquote>
    

  </div>


</blockquote></div>
</div>



</blockquote>
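<p>An added example, not part of the thread and not code from Keycloak or Salesforce, covering the two technical points in it: the SAML tracer showing a bare GET on <code>/protocol/saml</code> with no <code>SAMLRequest</code> parameter, and the workaround of pointing Salesforce's Identity Provider Logout URL at Keycloak's openid-connect logout endpoint with a URL-encoded <code>redirect_uri</code> that must also be listed in the client's Valid Redirect URIs. The host, realm and Salesforce URLs are taken from the thread; the captured request lines and the sample LogoutRequest are constructed here; the endpoint path used is <code>.../protocol/openid-connect/logout</code>; and the allow-list matcher is a simplified stand-in for Keycloak's own check (an assumption), written to show why a wildcard outside the path would turn the logout redirect into an open redirect.</p>

```python
"""Added example: classify a captured logout request and build the
Keycloak OIDC logout workaround with a checked, URL-encoded redirect_uri.
Not code from the keycloak-dev thread or from Keycloak itself."""
import base64
import zlib
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Realm URL from the thread.
IDP_BASE = "http://rashmiidp.cloud.com:9990/auth/realms/saml-demo"


def saml_logout_request(request_line):
    """Return the LogoutRequest XML carried by an HTTP-Redirect binding GET,
    or None when the request has no SAMLRequest parameter at all (which is
    what the tracer in the thread showed: a bare GET on /protocol/saml)."""
    method, url, _version = request_line.split(" ", 2)
    if method != "GET":
        return None
    query = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in query:
        return None
    raw = base64.b64decode(query["SAMLRequest"][0])
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8")


def redirect_allowed(redirect_uri, valid_redirect_uris):
    """Simplified stand-in (assumption) for Keycloak's Valid Redirect URIs
    check: exact match, or prefix match for a pattern ending in '*'.  The
    wildcard is only honoured inside the path, so 'https://*' or
    'https://host*' (which would also admit https://host.evil.example)
    are rejected instead of becoming an open redirect after logout."""
    for pattern in valid_redirect_uris:
        if not pattern.endswith("*"):
            if redirect_uri == pattern:
                return True
            continue
        prefix = pattern[:-1]
        parts = urlsplit(prefix)
        if not parts.netloc or not parts.path.startswith("/"):
            continue
        if redirect_uri.startswith(prefix):
            return True
    return False


def build_logout_url(redirect_to):
    """Keycloak's OIDC logout endpoint with a URL-encoded redirect_uri,
    the form the thread suggests registering at Salesforce."""
    return IDP_BASE + "/protocol/openid-connect/logout?" + urlencode(
        {"redirect_uri": redirect_to})


def plan_logout(request_line, redirect_to, valid_redirect_uris):
    """If the SP sent a real LogoutRequest, the SAML endpoint can handle it;
    otherwise fall back to the OIDC logout URL, refusing redirect targets the
    client does not list (Keycloak refuses them as well)."""
    logout_request = saml_logout_request(request_line)
    if logout_request is not None:
        return "saml", logout_request
    if not redirect_allowed(redirect_to, valid_redirect_uris):
        raise ValueError("redirect_uri not in Valid Redirect URIs: " + redirect_to)
    return "oidc-logout", build_logout_url(redirect_to)


def encode_redirect_binding(xml):
    """Build a SAMLRequest query value (DEFLATE + base64 + URL-encode) so the
    bare GET can be contrasted with a request that does carry a LogoutRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


# Constructed sample inputs.  BARE_GET is the request line the tracer showed
# in the thread; LOGOUT_XML and REAL_GET are made up here for contrast.
BARE_GET = "GET " + IDP_BASE + "/protocol/saml HTTP/1.1"
LOGOUT_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2016-08-25T14:22:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://saml.salesforce.com</saml:Issuer></samlp:LogoutRequest>')
REAL_GET = ("GET " + IDP_BASE + "/protocol/saml?SAMLRequest="
            + encode_redirect_binding(LOGOUT_XML) + " HTTP/1.1")
SALESFORCE_HOME = "https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14"
VALID_REDIRECT_URIS = ["https://rashmi789-dev-ed.my.salesforce.com/*"]

if __name__ == "__main__":
    print(plan_logout(REAL_GET, SALESFORCE_HOME, VALID_REDIRECT_URIS)[0])
    print(plan_logout(BARE_GET, SALESFORCE_HOME, VALID_REDIRECT_URIS)[1])
```

<p>Running it prints <code>saml</code> for the constructed request that carries a LogoutRequest and, for the bare GET from the thread, the openid-connect logout URL with the Salesforce landing page percent-encoded in <code>redirect_uri</code>. The redirect check is the part worth keeping in mind when registering the workaround: the redirect target has to be in the client's Valid Redirect URIs, and a wildcard that is not confined to the path would let anyone bounce a logged-out browser to a host of their choosing.</p>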
</body></html>