My guess is that Salesforce is not signing the logout request and
Keycloak expects it to be signed, but can't really know unless you post
your SAML tracer. Also, edit your standalone.xml config file (really
depending on how you've booted keycloak). Search for "logging:3.0". In
that section, turn on debug logging for keycloak:

    <logger category="org.keycloak">
        <level name="DEBUG"/>
    </logger>

That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
Here is what my SP metadata looks like:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"
        index="1" isDefault="true"/>
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>
            <!-- certificate omitted -->
          </dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com> wrote:
On 08/23/2016 06:04 PM, Rashmi Singh wrote:
Looking more closely into this, it seems like Salesforce does not
support SAML logout.

In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:

Identity Provider Logout URL:

I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml

But, since Salesforce does not seem to support SAML logout, is it
possible to specify some keycloak URL in this field that would log out
the user? It seems like the URL I specify in this field gets invoked but
then Salesforce is not really sending a SAML logout request and I just
get an error as indicated earlier. So, I was thinking if there is some
keycloak URL that we can specify in this field that would log out the user?

If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?
Why do you draw the conclusion Salesforce does not support logout?
That does not seem to be indicated from this document:
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
What is the SP metadata you used?
--
John
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
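As an added example (not code from the thread, Keycloak or Salesforce), the Python below does mechanically what the first reply suggests doing by hand with a SAML tracer: it reads what the SP metadata advertises about signing and single logout, then checks whether an HTTP-POST LogoutRequest actually carries an enveloped ds:Signature. The metadata is reconstructed from the thread (certificate omitted); the LogoutRequest is constructed sample input, and the mismatch message assumes an IdP configured to require client signatures.

```python
# Added example (not from the thread, Keycloak or Salesforce): check whether an
# SP's metadata and the LogoutRequest it sends agree about signing, the mismatch
# the first reply suspects. Metadata is reconstructed from the thread (certificate
# omitted); the LogoutRequest is constructed sample input.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
    <KeyDescriptor use="signing"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed HTTP-POST LogoutRequest with no enveloped ds:Signature.
UNSIGNED_LOGOUT = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2016-08-24T12:00:00Z">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.salesforce.com</Issuer>
</samlp:LogoutRequest>"""
# Same request with a stub Signature element, to exercise the positive path.
SIGNED_LOGOUT = UNSIGNED_LOGOUT.replace("</samlp:LogoutRequest>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></samlp:LogoutRequest>')

def describe_sp(metadata_xml):
    """What the SP metadata promises: signed requests, SLO bindings, signing key."""
    sso = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    return {
        "authn_requests_signed": sso.get("AuthnRequestsSigned") == "true",
        "slo_bindings": [s.get("Binding").rsplit(":", 1)[1]
                         for s in sso.findall("md:SingleLogoutService", NS)],
        "has_signing_key": sso.find("md:KeyDescriptor[@use='signing']", NS) is not None,
    }

def logout_request_is_signed(logout_xml):
    """Presence of an enveloped XML signature (HTTP-POST binding). Presence only:
    a real IdP still verifies it against the SP's KeyDescriptor certificate."""
    return ET.fromstring(logout_xml).find("ds:Signature", NS) is not None

def diagnose(metadata_xml, logout_xml):
    """Compare what an IdP requiring client signatures expects with what arrived."""
    if describe_sp(metadata_xml)["authn_requests_signed"] and \
            not logout_request_is_signed(logout_xml):
        return "mismatch: metadata says requests are signed, LogoutRequest is unsigned"
    return "consistent"
```

For the HTTP-Redirect binding the signature travels in the `Signature` query parameter rather than inside the XML, so this presence check applies to the HTTP-POST SingleLogoutService the metadata above declares.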