My guess is that Salesforce is not signing the logout request and Keycloak expects it to be signed, but can't really know unless you post your SAML tracer. Also, edit your standalone.xml config file (really depending on how you've booted keycloak). Search for "logging:3.0". In that section, turn on debug logging for keycloak:
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
That may shed some light on things.
Here is what my SP Metadata looks like:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14" index="1" isDefault="true"/>
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>[base64 certificate omitted]</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis@redhat.com> wrote:
On 08/23/2016 06:04 PM, Rashmi Singh wrote:
Looking more closely into this, it seems like Salesforce does not
support SAML logout.
In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:
Identity Provider Logout URL:
I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
But, since Salesforce does not seem to support SAML logout, is it
possible to specify some keycloak URL in this field that would logout
the user? It seems like the URL I specify in this field gets invoked but
then Salesforce is not really sending a SAML logout request and I just
get an error as indicated earlier. So, I was thinking if there is some
keycloak URL that we can specify in this field that would logout the user?
If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?
Why do you draw the conclusion Salesforce does not support logout? That does not seem to be indicated from this document:
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf
What is the SP metadata you used?
--
John
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
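An added Python script, not from the thread, that performs the two checks the first reply relies on: what the SP metadata advertises for single logout and signing, and whether a LogoutRequest captured from a SAML tracer (HTTP-POST binding, as the metadata declares) carries an XML signature. The metadata and the LogoutRequest are constructed samples modelled on the thread, with a placeholder org id and certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the SP metadata in the thread (placeholder org id and cert).
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-dev-ed.my.salesforce.com?so=ORGID-PLACEHOLDER"/>
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed unsigned LogoutRequest, base64-encoded the way a SAML tracer shows the SAMLRequest form field.
UNSIGNED_LOGOUT_REQUEST = base64.b64encode(
    b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" '
    b'IssueInstant="2016-08-24T10:00:00Z"><saml:Issuer>https://saml.salesforce.com</saml:Issuer>'
    b'<saml:NameID>user@example.com</saml:NameID></samlp:LogoutRequest>'
).decode()


def inspect_sp_metadata(xml_text):
    """Report what the SP advertises: SLO endpoints, signed AuthnRequests, and a signing key."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    return {
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "slo_endpoints": [(e.get("Binding"), e.get("Location"))
                          for e in sp.findall("md:SingleLogoutService", NS)],
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        "has_signing_key": any(k.get("use", "signing") == "signing"
                               and k.find(".//ds:X509Certificate", NS) is not None
                               for k in sp.findall("md:KeyDescriptor", NS)),
    }


def logout_request_is_signed(saml_request_b64):
    """HTTP-POST binding: a signature, if present, is an enveloped ds:Signature inside the XML
    (under HTTP-Redirect it travels in the query string instead, so this check does not apply)."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest: " + root.tag)
    return root.find("ds:Signature", NS) is not None
```

If the SP metadata advertises an SLO endpoint but the captured LogoutRequest comes back unsigned, that matches the mismatch the first reply suspects when Keycloak's client is configured to require signatures.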