[keycloak-user] IDP SAMLV2.0 with Salesforce

Bill Burke bburke at redhat.com
Fri May 1 08:48:19 EDT 2015


You can map the SAML/OIDC assertion/token that is sent to your 
applications however you want.

On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
> Bill - That would be an issue for us as we cannot manipulate the values
> (especially username) sent by an external IDP which is the authoritative
> source of user information. We will have to figure out another way,
> perhaps, an internal KC user attribute that can be made unique to
> prevent name clashes.
>
> Thanks,
> Raghu
> ------------------------------------------------------------------------
> *From:* Bill Burke <bburke at redhat.com>
> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> *Sent:* Thursday, April 30, 2015 7:26 PM
> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>
> Right now, the username is prefixed with the broker name.  This is to
> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
> social providers).
>
> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>  > Hi Bill,
>  >
>  > Thank you, this worked out! A user is created with my name
>  > saml.henk.laracker at p***n.nl, do you have any idea why the "saml" prefix
>  > is added?
>  >
>  >
>  > Henk
>  >
>  > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com> wrote:
>  >
>  >> Ok, I was able to get this to work.  The problem was I had to set a
>  >> "profile" for the connected app on Salesforce.  I added a "System
>  >> Administrator" profile to the Connected App and it worked.
>  >>
>  >> I'm not sure how to upload an app certificate yet.  Not sure what format
>  >> Salesforce is looking for.
>  >>
>  >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>  >>> I set up a salesforce example and looked at the login response SAML
>  >>> document.  Looks like no assertion data is being sent back at all by
>  >>> salesforce.
>  >>>
>  >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>  >>>> I have no idea.  Basically this error is stating that the login
>  >>>> response saml document has no assertions within it.  If there are no
>  >>>> assertions, then there has been no identity data sent.
>  >>>>
>  >>>> I'm looking now, but can you send me a link on how to set up
>  >>>> Salesforce as an IDP?  Is one able to set up a free account and such?
>  >>>>
>  >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>  >>>>> Hi Bill,
>  >>>>>
>  >>>>> I don't know why I missed that, thanks! Salesforce responds now with
>  >>>>> the correct login page. After logging in to Salesforce, I'm redirected
>  >>>>> to keycloak again with an internal error:
>  >>>>>
>  >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>  >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>  >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>  >>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>  >>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>  >>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>  >>>>>     ... 39 more
>  >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>  >>>>>     ... 54 more
>  >>>>>
>  >>>>> Any idea?
>  >>>>>
>  >>>>> Henk
>  >>>>>
>  >>>>>
>  >>>>>
>  >>>>>
>  >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>  >>>>>
>  >>>>>> You want to chain keycloak server to Salesforce?
>  >>>>>>
>  >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>  >>>>>> Salesforce, you'll see after you create it, an Export button.  Click
>  >>>>>> that.  That will create an entity descriptor with all the information
>  >>>>>> you need.
>  >>>>>>
>  >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>  >>>>>>> Hi,
>  >>>>>>>
>  >>>>>>> I would like to use Salesforce as Identity Provider; the metadata
>  >>>>>>> provided by Salesforce can be imported.
>  >>>>>>> But I need to specify the Service Provider in Salesforce. I have to
>  >>>>>>> fill in a couple of fields, but two of them I don't understand (and
>  >>>>>>> they are mandatory). Does someone have any clue?
>  >>>>>>>
>  >>>>>>>      1. entity id, remark of Salesforce: get this value from your
>  >>>>>>>         service provider
>  >>>>>>>      2. ACS URL, remark of Salesforce: The assertion consumer
>  >>>>>>>         service. Get this value from your service provider.
>  >>>>>>>
>  >>>>>>> I have tried a lot of values but every time I click the saml button
>  >>>>>>> on my app, it redirects to Salesforce but I get a page with the
>  >>>>>>> error:
>  >>>>>>> Error: Unable to resolve request into a Service Provider
>  >>>>>>>
>  >>>>>>> Henk
>  >>>>>>>
>  >>>>>>>
>  >>>>>>> _______________________________________________
>  >>>>>>> keycloak-user mailing list
>  >>>>>>> keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>
>  >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>  >>>>>>>
>  >>>>>>
>  >>>>>> --
>  >>>>>> Bill Burke
>  >>>>>> JBoss, a division of Red Hat
>  >>>>>> http://bill.burkecentral.com
>
>
>
>  >>>>>
>  >>>>
>  >>>
>  >>
>  >> --
>  >> Bill Burke
>  >> JBoss, a division of Red Hat
>  >> http://bill.burkecentral.com
>  >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
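Added example, not code from this thread, from Keycloak or from Salesforce: a small Python script that does the two checks the thread turns on. It pulls the entity id and ACS URL out of an SP entity descriptor (the values Salesforce asks for and that the Keycloak "Export" button supplies), and it inspects a SAML login Response for the Assertion element whose absence Keycloak reports as "No assertion from response", distinguishing that from an encrypted assertion or a non-success status. It also shows the broker-prefixed username form the thread describes. All hosts, realm names, IDs and NameIDs are constructed placeholders, and the XML samples are constructed so the script runs offline.

```python
"""Inspect SP metadata and SAML Responses (added example with constructed
XML; placeholder hosts, IDs and names). Uses xml.etree so no extra package
is needed; for untrusted responses in production, prefer a hardened parser
such as defusedxml."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SP entity descriptor (placeholder host and realm).
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example.test/auth/realms/demo">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/auth/realms/demo/broker/saml/endpoint"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed login responses: one carrying an assertion, one reporting
# success but carrying none (the shape behind the thread's error).
RESPONSE_WITH_ASSERTION = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>henk@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""
RESPONSE_WITHOUT_ASSERTION = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r2" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>
"""


def sp_values_for_idp(metadata_xml):
    """Return the entity id and default ACS endpoint from SP metadata."""
    root = ET.fromstring(metadata_xml)
    services = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the service flagged isDefault="true", else the first one listed.
    acs = next((s for s in services if s.get("isDefault") == "true"), services[0])
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
    }


def diagnose_login_response(response_xml):
    """Classify a SAML Response the way a broker endpoint would see it."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", None, NS)
    if status != SUCCESS:
        verdict = "idp-error"
    elif plain:
        verdict = "ok"
    elif encrypted:
        verdict = "encrypted-assertion"  # needs the SP's decryption key
    else:
        verdict = "no-assertion"  # IDP sent no identity data at all
    return {
        "status": status,
        "assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "name_id": name_id,
        "verdict": verdict,
    }


def brokered_username(broker_alias, remote_username):
    """Username form the thread describes: the broker alias is prefixed so
    the same remote username from two IDPs lands in two local accounts."""
    return f"{broker_alias}.{remote_username}"


if __name__ == "__main__":
    print(sp_values_for_idp(SP_METADATA))
    print(diagnose_login_response(RESPONSE_WITH_ASSERTION))
    print(diagnose_login_response(RESPONSE_WITHOUT_ASSERTION))
    print(brokered_username("saml", "henk@example.test"))
```

Run it against the exported descriptor instead of SP_METADATA to get the two values for the Salesforce connected-app form, and against a captured Response (after signature verification, which this script deliberately does not perform) to see whether the "No assertion" failure is a missing assertion, an encrypted one, or a non-success status from the IDP.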

