HTTP/1.1*
And clicking this request just shows the HTTP tab. It does not even
show the SAML tab. So, it looks like Salesforce does not send a SAML
request for logout. That was the reason I was asking if there is
another way to do the user sign out from Keycloak. That is, instead
of the above URL we use a different URL (some Keycloak URL) that would
sign out the user. Or some other alternative?
On Thu, Aug 25, 2016 at 12:17 AM, Bill Burke <bburke(a)redhat.com> wrote:
My guess is that Salesforce is not signing the logout request and
Keycloak expects it to be signed, but can't really know unless you post
your SAML tracer. Also, edit your standalone.xml config file (really
depending on how you've booted Keycloak). Search for "logging:3.0". In
that section, turn on debug logging for Keycloak:

    <logger category="org.keycloak">
        <level name="DEBUG"/>
    </logger>
That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
Here is how my SP metadata looks:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
    <AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"
        index="1" isDefault="true"/>
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
<dsig:X509Certificate>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zwjrKd9ZsCS3GltV2GBFD+YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1n
HlTXBICJQDo87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIa
rWTfr2w0SNFNPikW9rQjehAF/eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQ
hnymqeoVgLMSb3UTS8J9R1RmQi+kisC39NAzVwQjM1X677cdQt0FaF6GlZ97
vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpSk9eynNGp1JI/6mIv3ECAwEAAaO
CAYcwggGDMB8GA1UdEQQYMBaCFHByb3h5LnNhbGVzZm9yY2UuY29tMAkGA1U
dEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQUFBwMBBgg
rBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjA
qMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8
GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA
0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW5
0bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9
vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGw
tRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQE
BBQUAA4IBAQAEMsL4HAd5uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvR
R9+5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8s
xHhgEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6
krwPonEg6MdFarA87bAkLCrLZ0HqWeUVlf2ntfvR7kjr0trUM/EBxPdcPxeM
K70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKN
KZq5hcoUP/sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
        </dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com> wrote:
> On 08/23/2016 06:04 PM, Rashmi Singh wrote:
>
>> Looking more closely into this, it seems like Salesforce does not
>> support SAML logout.
>>
>> In Salesforce, where I did the configuration for "SAML Single Sign-On
>> Settings", there is the following field:
>>
>> Identity Provider Logout URL:
>> I had specified this as:
>>
>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>
>> But, since Salesforce does not seem to support SAML logout, is it
>> possible to specify some keycloak URL in this field that would logout
>> the user? It seems like the URL I specify in this field gets invoked but
>> then Salesforce is not really sending a SAML logout request and I just
>> get an error as indicated earlier. So, I was thinking if there is some
>> keycloak URL that we can specify in this field that would logout the
>> user?
>>
>> If there is no such URL support, is there an alternative to solve this
>> issue since Salesforce does not seem to handle the single logout?
>>
>
> Why do you draw the conclusion Salesforce does not support logout? That
> does not seem to be indicated from this document:
>
>
> http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf
>
> What is the SP metadata you used?
>
>
> --
> John
>
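The two questions raised in this thread (does the SP metadata actually advertise a SingleLogoutService, and is the LogoutRequest that reaches Keycloak signed, as Bill suspects it is not?) can be checked without a browser plugin. The script below is an added example, not code from the thread, from Keycloak or from Salesforce. The SP metadata and the two base64 SAMLRequest values it works on are constructed samples with placeholder entity IDs, certificate and signature contents; the signature check only reports whether a `ds:Signature` element is present, it does not validate it.

```python
import base64
import xml.etree.ElementTree as ET  # for metadata from untrusted parties prefer defusedxml.ElementTree

# Namespaces used by SAML 2.0 metadata, protocol messages and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata mirroring the shape of the one posted above (placeholder values).
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data><dsig:X509Certificate>MIIB...placeholder...</dsig:X509Certificate></dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/slo"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/acs" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Report what the SP metadata promises: signing policy, signing certs, SLO and ACS endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_certs": len(sp.findall(cert_path, NS)),
        "slo": [(e.get("Binding"), e.get("Location")) for e in sp.findall("md:SingleLogoutService", NS)],
        "acs": [(e.get("Binding"), e.get("Location")) for e in sp.findall("md:AssertionConsumerService", NS)],
    }


def inspect_post_saml_request(saml_request_b64):
    """Decode the SAMLRequest form field of an HTTP-POST binding message and report
    the message type, its ID and whether an enveloped ds:Signature is present."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    return {
        "message_type": root.tag.split("}")[-1],  # strip the {namespace} prefix
        "id": root.get("ID"),
        "signed": root.find("ds:Signature", NS) is not None,  # presence only, not validation
    }


def explain_logout_failure(metadata_summary, request_summary, idp_requires_signed_logout=True):
    """Turn the two summaries into the findings an IdP admin would look for."""
    findings = []
    if not metadata_summary["slo"]:
        findings.append("SP metadata advertises no SingleLogoutService; the SP cannot take part in SAML SLO")
    if request_summary["message_type"] != "LogoutRequest":
        findings.append("message is a %s, not a LogoutRequest" % request_summary["message_type"])
    if idp_requires_signed_logout and not request_summary["signed"]:
        findings.append("LogoutRequest carries no ds:Signature but the IdP client requires signed requests")
    return findings


def _constructed_logout_request(signed):
    """Build a constructed LogoutRequest (placeholder signature) the way an SP would POST it."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>') if signed else ""
    xml = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01" Version="2.0" '
           'IssueInstant="2016-08-25T00:00:00Z" '
           'Destination="https://idp.example.test/auth/realms/saml-demo/protocol/saml">'
           '<saml:Issuer>https://sp.example.test</saml:Issuer>' + sig +
           '<saml:NameID>alice</saml:NameID></samlp:LogoutRequest>')
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


UNSIGNED_LOGOUT_B64 = _constructed_logout_request(signed=False)
SIGNED_LOGOUT_B64 = _constructed_logout_request(signed=True)

if __name__ == "__main__":
    meta = summarize_sp_metadata(SAMPLE_SP_METADATA)
    for label, req in (("unsigned", UNSIGNED_LOGOUT_B64), ("signed", SIGNED_LOGOUT_B64)):
        print(label, explain_logout_failure(meta, inspect_post_saml_request(req)))
```

With a real capture, paste the SP metadata into `summarize_sp_metadata` and the `SAMLRequest` form value from the logout POST into `inspect_post_saml_request`; an empty `slo` list means the SP never promised SLO, while a LogoutRequest with `signed == False` against a Keycloak client that requires signed requests is exactly the mismatch the DEBUG logging suggested above would confirm.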
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev