[keycloak-user] IDP SAMLV2.0 with Salesforce

Henk Laracker Henk.Laracker at planonsoftware.com
Fri May 1 08:53:06 EDT 2015 

Hi Bill,

I can understand why the prefix is needed, but is there a possibility to
send the username to the service provider without the prefix. If I
configure Facebook login and saml login, and I login with one of
configured logins with the same email adres, It would be nice that this is
one user for the backend. Or is my conclusion wrong. Know it are two
different users. 

Another question, does anybody know how to logout from salesforce and
redirect to your application. I use
https://keycloak-accdev.planoncloud.com/auth/realms/auth/tokens/logout?redi
rect_uri=https://auth-proddev.planoncloud.com in my application. In
keycloak Single Logout Service Url :
https://ciwwa-dev-ed.my.salesforce.com/secur/logout.jsp?retUrl=https://auth
-proddev.planoncloud.com

This doesn’t work, salesforce logouts but does not do the redirect. I also
like to ask if it is possible to take over the logout url from my initial
redirect.

Als the logout on salesforce does not have the right effect when I go back
to my main https://auth-proddev.planoncloud.com I’m still logged in.

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
cordialement,

Henk Laracker




On 01/05/15 01:26, "Bill Burke" <bburke at redhat.com> wrote:

>Right now, the username is prefixed with the broker name.  THis is to
>avoid name clashes if you are brokering multiple IDPS (i.e. multiple
>social providers).
>
>On 4/30/2015 2:51 PM, Henk Laracker wrote:
>> Hi Bill,
>> 
>> Thank you this worked out! I user is created with my name
>> saml.henk.laracker at p***n.nl , do you have any idee why the “saml” prefix
>> is added?
>> 
>> 
>> Henk
>> 
>> On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com> wrote:
>> 
>>> Ok, I was able to get this to work.  The problem was I had to set a
>>> "profile" for the connected app on Salesforce.  I added a "System
>>> Adminstrator" profile to the Connected App and it worked.
>>>
>>> I'm not sure how to upload a app certificate yet.  Not sure what format
>>> Salesforce is looking for.
>>>
>>> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>> I set up a salesforce example and looked at the login response SAML
>>>> document.  Looks like no assertion data is being sent back at all by
>>>> salesforce.
>>>>
>>>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>>> i have no idea.  Basically this error is stating that the login
>>>>> response
>>>>> saml document has no assertions within it.  If there are no
>>>>>assertions,
>>>>> then there has been no identity data sent.
>>>>>
>>>>> I'm looking now, but can you send me a link on how to set up
>>>>>Salesforce
>>>>> as an IDP?  Is one able to set up a free account and such?
>>>>>
>>>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>>> Hi Bill,
>>>>>>
>>>>>> I don¹t know why I missed that, thanks! Salesforce respons know with
>>>>>> the
>>>>>> correct login page. After logging in in Salesforce, I¹m redirected
>>>>>>to
>>>>>> keycloak again with a internal error:
>>>>>>
>>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
>>>>>> Could not
>>>>>> process response from SAML identity provider.
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAM
>>>>>>LE
>>>>>> ndpo
>>>>>> int.java:299)
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAML
>>>>>>En
>>>>>> dpoi
>>>>>> nt.java:343)
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.ja
>>>>>>va
>>>>>> :169
>>>>>> )
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:1
>>>>>>17
>>>>>> )
>>>>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>> [rt.jar:1.8.0_45]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
>>>>>>ja
>>>>>> va:6
>>>>>> 2) [rt.jar:1.8.0_45]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
>>>>>>so
>>>>>> rImp
>>>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>>> 	at java.lang.reflect.Method.invoke(Method.java:497)
>>>>>>[rt.jar:1.8.0_45]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.
>>>>>>ja
>>>>>> va:1
>>>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resource
>>>>>>Me
>>>>>> thod
>>>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodIn
>>>>>>vo
>>>>>> ker.
>>>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
>>>>>>es
>>>>>> ourc
>>>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
>>>>>>In
>>>>>> voke
>>>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
>>>>>>es
>>>>>> ourc
>>>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
>>>>>>In
>>>>>> voke
>>>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispa
>>>>>>tc
>>>>>> her.
>>>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>> 	... 39 more
>>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No
>>>>>> assertion from response.
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoi
>>>>>>nt
>>>>>> .jav
>>>>>> a:309)
>>>>>> 	at
>>>>>>
>>>>>> 
>>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAM
>>>>>>LE
>>>>>> ndpo
>>>>>> int.java:264)
>>>>>> 	... 54 more
>>>>>>
>>>>>> Any idea?
>>>>>>
>>>>>> Henk
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>
>>>>>>> You want to chain keycloak server to Salesforce?
>>>>>>>
>>>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>>>> Salesforce, you;ll see after you create it, an Export button.
>>>>>>>Click
>>>>>>> that.  That will create an entity descriptor with all the
>>>>>>>information
>>>>>>> you need.
>>>>>>>
>>>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>>>>>> provided by
>>>>>>>> salesforce can be imported.
>>>>>>>> But I need to specify the Service Provider in salesforce, I have
>>>>>>>>to
>>>>>>>> fill
>>>>>>>> in a couple of fields, but two of them I don¹t understand (and are
>>>>>>>> mandatory). Does someone have any clue
>>>>>>>>
>>>>>>>>      1. entity id , remark of salesforce : get this value from
>>>>>>>>your
>>>>>>>>         serviceprovider
>>>>>>>>      2. ACS URL, remark of slaesforce : The assertion consumer
>>>>>>>> service. Get
>>>>>>>>         this value from your service provider.
>>>>>>>>
>>>>>>>> I have tried a lot of values but every-time I click the saml
>>>>>>>>button
>>>>>>>> on
>>>>>>>> my app, it redirects to salesforce but I get a page with the
>>>>>>>>error :
>>>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>>>
>>>>>>>> Henk
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>
>>>
>>> -- 
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
>
>-- 
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com

More information about the keycloak-user mailing list