[keycloak-user] IDP Logout for SPs which don't support SAML Logout
Muein Muzamil
shmuein+keycloak-dev at gmail.com
Tue Jan 24 17:05:28 EST 2017
Hi all,
We are using KeyCloak as IDP to support SAML authentication for different
SPs. Some of the SPs don't support SAML logout (such as Salesforce). They
only support setting up a GET Logout URL provided by the Identity
Provider.
https://success.salesforce.com/ideaView?id=08730000000DjseAAC
I came across this bug reported in Jira, which suggests using the OpenID
Connect protocol to log out as a workaround:
https://issues.jboss.org/browse/KEYCLOAK-3476
I tried that approach but it didn't work for me.
I have added https://muein2-dev-ed.my.salesforce.com as a valid URI under
the Salesforce SP and provided
https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
as the logout URL in Salesforce. But when I tried to log out from Salesforce,
it failed for me with the following exception.
2:32,165 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1)
RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
RESTEASY003210: Could not find resource for full path:
https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
    at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
    at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
    at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
1. Am I missing something here?
2. Also, is there any plan to add a generic logout URL (as suggested in
KEYCLOAK-3476) which can be used for such SPs?
Regards,
Muein
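An added example, not part of the mail above or of Keycloak itself: a small Python check that builds the realm's OpenID Connect logout URL and compares a configured logout URL against it. It assumes Keycloak's standard OIDC logout path `/auth/realms/<realm>/protocol/openid-connect/logout` and a `redirect_uri` query parameter validated against the client's valid redirect URIs; the host, realm and redirect URI are the ones quoted in the mail, and the URL from the exception is checked as the sample input.

```python
"""Build and sanity-check a Keycloak OIDC logout URL (added example)."""
from urllib.parse import parse_qs, urlencode, urlparse

# Values quoted in the mail above.
BASE = "https://mueinidp.gemalto.com:9443"
REALM = "O4ZR9N2V6U"
SP_REDIRECT = "https://muein2-dev-ed.my.salesforce.com"
# Logout URL that was configured in Salesforce (taken from the exception).
CONFIGURED_URL = (
    "https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U"
    "/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com"
)

# Assumed Keycloak endpoint layout for the OIDC logout resource.
LOGOUT_PATH = "/auth/realms/{realm}/protocol/openid-connect/logout"


def build_oidc_logout_url(base: str, realm: str, redirect_uri: str) -> str:
    """Return the realm's OIDC logout URL with a percent-encoded redirect_uri."""
    path = LOGOUT_PATH.format(realm=realm)
    return f"{base.rstrip('/')}{path}?{urlencode({'redirect_uri': redirect_uri})}"


def check_logout_url(url: str, base: str, realm: str, allowed_redirects) -> list:
    """Return a list of problems found in a configured logout URL (empty if OK)."""
    problems = []
    got, want = urlparse(url), urlparse(base)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        problems.append(f"host {got.netloc!r} is not the IdP host {want.netloc!r}")
    expected_path = LOGOUT_PATH.format(realm=realm)
    if got.path.rstrip("/") != expected_path:
        # This is what the RESTEasy 404 in the mail points at: the path stops
        # at 'openid-connect' and never names the logout resource.
        problems.append(f"path {got.path!r} is not {expected_path!r}")
    redirect = parse_qs(got.query).get("redirect_uri", [None])[0]
    if redirect is None:
        problems.append("missing redirect_uri parameter")
    elif redirect not in allowed_redirects:
        # Mirrors Keycloak's own check against the client's valid redirect URIs.
        problems.append(f"redirect_uri {redirect!r} is not a registered redirect URI")
    return problems


if __name__ == "__main__":
    for problem in check_logout_url(CONFIGURED_URL, BASE, REALM, {SP_REDIRECT}):
        print("configured URL:", problem)
    print("expected URL:  ", build_oidc_logout_url(BASE, REALM, SP_REDIRECT))
```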