[keycloak-user] IDP SAMLV2.0 with Salesforce

Henk Laracker Henk.Laracker at planonsoftware.com
Thu May 28 17:23:00 EDT 2015


Hi Bill,

Can you explain to me how I configure this? I have Facebook as my IdP. I would
like to use my email address and not Facebook:email at test.nl

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
cordialement,

Henk Laracker


On 01/05/15 14:48, "Bill Burke" <bburke at redhat.com> wrote:

>You can map the SAML/OIDC assertion/token that is sent to your
>applications however you want.
>
>On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>> Bill - That would be an issue for us as we cannot manipulate the values
>> (especially username) sent by an external IDP which is the authoritative
>> source of user information. We will have to figure out another way,
>> perhaps, an internal KC user attribute that can be made unique to
>> prevent name clashes.
>>
>> Thanks,
>> Raghu
>> ------------------------------------------------------------------------
>> *From:* Bill Burke <bburke at redhat.com>
>> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>> *Sent:* Thursday, April 30, 2015 7:26 PM
>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>
>> Right now, the username is prefixed with the broker name.  This is to
>> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
>> social providers).
>>
>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>  > Hi Bill,
>>  >
>>  > Thank you, this worked out! A user is created with my name
>>  > saml.henk.laracker at p***n.nl, do you have any idea why the “saml” prefix
>>  > is added?
>>  >
>>  >
>>  > Henk
>>  >
>>  > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com> wrote:
>>  >
>>  >> Ok, I was able to get this to work.  The problem was I had to set a
>>  >> "profile" for the connected app on Salesforce.  I added a "System
>>  >> Administrator" profile to the Connected App and it worked.
>>  >>
>>  >> I'm not sure how to upload an app certificate yet.  Not sure what
>>  >> format Salesforce is looking for.
>>  >>
>>  >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>  >>> I set up a salesforce example and looked at the login response SAML
>>  >>> document.  Looks like no assertion data is being sent back at all
>>  >>> by salesforce.
>>  >>>
>>  >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>  >>>> I have no idea.  Basically this error is stating that the login
>>  >>>> response saml document has no assertions within it.  If there are no
>>  >>>> assertions, then there has been no identity data sent.
>>  >>>>
>>  >>>> I'm looking now, but can you send me a link on how to set up
>>  >>>> Salesforce as an IDP?  Is one able to set up a free account and such?
>>  >>>>
>>  >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>  >>>>> Hi Bill,
>>  >>>>>
>>  >>>>> I don't know why I missed that, thanks! Salesforce responds now
>>  >>>>> with the correct login page. After logging in in Salesforce, I'm
>>  >>>>> redirected to keycloak again with an internal error:
>>  >>>>>
>>  >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
>>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
>>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
>>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>>  >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>>  >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>>  >>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>>  >>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>  >>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>  >>>>>     ... 39 more
>>  >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
>>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>>  >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>>  >>>>>     ... 54 more
>>  >>>>>
>>  >>>>> Any idea?
>>  >>>>>
>>  >>>>> Henk
>>  >>>>>
>>  >>>>>
>>  >>>>>
>>  >>>>>
>>  >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>>  >>>>>
>>  >>>>>> You want to chain keycloak server to Salesforce?
>>  >>>>>>
>>  >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points
>>  >>>>>> to Salesforce, you'll see after you create it, an Export button.
>>  >>>>>> Click that.  That will create an entity descriptor with all the
>>  >>>>>> information you need.
>>  >>>>>>
>>  >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>  >>>>>>> Hi,
>>  >>>>>>>
>>  >>>>>>> I would like to use Salesforce as Identity Provider; the metadata
>>  >>>>>>> provided by salesforce can be imported.
>>  >>>>>>> But I need to specify the Service Provider in salesforce. I have to
>>  >>>>>>> fill in a couple of fields, but two of them I don't understand (and
>>  >>>>>>> are mandatory). Does someone have any clue?
>>  >>>>>>>
>>  >>>>>>>      1. entity id, remark of salesforce: get this value from your
>>  >>>>>>>         service provider
>>  >>>>>>>      2. ACS URL, remark of salesforce: The assertion consumer
>>  >>>>>>>         service. Get this value from your service provider.
>>  >>>>>>>
>>  >>>>>>> I have tried a lot of values but every time I click the saml button
>>  >>>>>>> on my app, it redirects to salesforce but I get a page with the
>>  >>>>>>> error: Error: Unable to resolve request into a Service Provider
>>  >>>>>>>
>>  >>>>>>> Henk
>>  >>>>>>>
>>  >>>>>>>
>>  >>>>>>> _______________________________________________
>>  >>>>>>> keycloak-user mailing list
>>  >>>>>>> keycloak-user at lists.jboss.org
>>  >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>  >>>>>>>
>>  >>>>>>
>>  >>>>>> --
>>  >>>>>> Bill Burke
>>  >>>>>> JBoss, a division of Red Hat
>>  >>>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>  >>>>>
>>  >>>>
>>  >>>
>>  >>
>>  >> --
>>  >> Bill Burke
>>  >> JBoss, a division of Red Hat
>>  >> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>  >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>
>>
>
>-- 
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com
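The trace quoted in the thread fails at the point where the broker looks for an Assertion inside the SAML Response. The following added example (not code from Keycloak or from anyone on the list) decodes a POST-binding SAMLResponse the way a broker would and reports whether it carries an Assertion and a NameID, so a response like the one Salesforce returned (Success status, no assertion) can be spotted before it reaches the broker. The two sample responses and the issuer/NameID values are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode a POST-binding SAMLResponse and report what a broker would see:
    status code, whether an Assertion (plain or encrypted) is present, and the
    NameID if readable. Success status with no Assertion is the case behind the
    'No assertion from response' error quoted above."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value", "").rsplit(":", 1)[-1] if code is not None else None
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    return {"status": status,
            "has_assertion": assertion is not None or encrypted,
            "encrypted": encrypted,
            "name_id": name_id.text if name_id is not None else None}

def _wrap(body: str) -> str:
    # Constructed sample response; the issuer is a placeholder, not a real IdP.
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
           'IssueInstant="2015-04-30T13:00:00Z"><saml:Issuer>https://idp.example.invalid'
           '</saml:Issuer><samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>%s'
           '</samlp:Response>') % (NS["samlp"], NS["saml"], body)
    return base64.b64encode(xml.encode()).decode()

# Case 1 (the thread's failure): Success status but no assertion at all.
EMPTY_RESPONSE = _wrap("")
# Case 2: the same response carrying an assertion with a NameID.
FULL_RESPONSE = _wrap('<saml:Assertion ID="_a1" Version="2.0" '
                      'IssueInstant="2015-04-30T13:00:00Z"><saml:Issuer>'
                      'https://idp.example.invalid</saml:Issuer><saml:Subject>'
                      '<saml:NameID>henk@example.invalid</saml:NameID>'
                      '</saml:Subject></saml:Assertion>')

if __name__ == "__main__":
    for name, resp in (("empty", EMPTY_RESPONSE), ("full", FULL_RESPONSE)):
        print(name, inspect_saml_response(resp))
```

A real broker additionally verifies the response signature, Destination, audience and validity window before trusting anything in the assertion; this snippet only answers the question the trace raises.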