[keycloak-user] IDP SAMLV2.0 with Salesforce

Bill Burke bburke at redhat.com
Mon May 4 07:59:04 EDT 2015 

Hey, do you know if Salesforce as an SP works if the IDP is localhost? 
Or did you have to test that outside a firewall?

On 5/4/2015 3:03 AM, Marek Posolda wrote:
> As far as I remember, it could be the certificate in CRT format exported
> from keystore file via "keytool -export" . At least that's what worked
> for me couple of years back when I did integration of Salesforce with
> Picketlink:
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
>
>
> Marek
>
> On 30.4.2015 17:39, Bill Burke wrote:
>> I set up a salesforce example and looked at the login response SAML
>> document.  Looks like no assertion data is being sent back at all by
>> salesforce.
>>
>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>> i have no idea.  Basically this error is stating that the login response
>>> saml document has no assertions within it.  If there are no assertions,
>>> then there has been no identity data sent.
>>>
>>> I'm looking now, but can you send me a link on how to set up Salesforce
>>> as an IDP?  Is one able to set up a free account and such?
>>>
>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>> Hi Bill,
>>>>
>>>> I don¹t know why I missed that, thanks! Salesforce respons know with
>>>> the
>>>> correct login page. After logging in in Salesforce, I¹m redirected to
>>>> keycloak again with a internal error:
>>>>
>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
>>>> Could not
>>>> process response from SAML identity provider.
>>>>     at
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpo
>>>>
>>>> int.java:299)
>>>>     at
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoi
>>>>
>>>> nt.java:343)
>>>>     at
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169
>>>>
>>>> )
>>>>     at
>>>> org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>>>>
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> [rt.jar:1.8.0_45]
>>>>     at
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:6
>>>>
>>>> 2) [rt.jar:1.8.0_45]
>>>>     at
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImp
>>>>
>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>>> [rt.jar:1.8.0_45]
>>>>     at
>>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:1
>>>>
>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethod
>>>>
>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.
>>>>
>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resourc
>>>>
>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoke
>>>>
>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resourc
>>>>
>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoke
>>>>
>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     at
>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.
>>>>
>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>     ... 39 more
>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No
>>>> assertion from response.
>>>>     at
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.jav
>>>>
>>>> a:309)
>>>>     at
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpo
>>>>
>>>> int.java:264)
>>>>     ... 54 more
>>>>
>>>> Any idea?
>>>>
>>>> Henk
>>>>
>>>>
>>>>
>>>>
>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>>>>
>>>>> You want to chain keycloak server to Salesforce?
>>>>>
>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>> Salesforce, you;ll see after you create it, an Export button.  Click
>>>>> that.  That will create an entity descriptor with all the information
>>>>> you need.
>>>>>
>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>>>> provided by
>>>>>> salesforce can be imported.
>>>>>> But I need to specify the Service Provider in salesforce, I have
>>>>>> to fill
>>>>>> in a couple of fields, but two of them I don¹t understand (and are
>>>>>> mandatory). Does someone have any clue
>>>>>>
>>>>>>     1. entity id , remark of salesforce : get this value from your
>>>>>>        serviceprovider
>>>>>>     2. ACS URL, remark of slaesforce : The assertion consumer
>>>>>> service. Get
>>>>>>        this value from your service provider.
>>>>>>
>>>>>> I have tried a lot of values but every-time I click the saml
>>>>>> button on
>>>>>> my app, it redirects to salesforce but I get a page with the error :
>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>
>>>>>> Henk
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-user mailing list