Ok, this is going to sound weird, but it should work.
Register a logout URL for keycloak at
Replace <encoded-url> with a URL-encoded version of the URL you want
keycloak to redirect the browser to after logout.
Next, you'll have to go into the Client tab in the Keycloak admin
console and add that redirect uri to the list of allowed redirect
uris. This is a bit of a hack, but it should work.
On 8/25/16 10:22 AM, Rashmi Singh wrote:
When I do a logout, my SAML tracer show this request:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml HTTP/1.1
And clicking this request just shows the HTTP tab. It does not even
show the SAML tab. So, it looks like Salesforce does not send a SAML
request for logout. That was the reason I was asking if there is
another way to do the user sign out from keycloak. That is, instead
of the above URL we use a different URL (some keycloak URL) that would
sign out the user. Or some other alternative?
On Thu, Aug 25, 2016 at 12:17 AM, Bill Burke <bburke(a)redhat.com> wrote:
My guess is that Salesforce is not signing the logout request and
Keycloak expects it to be signed, but can't really know unless you
post your SAML tracer. Also, Edit your standalone.xml config file
(really depending on how you've booted keycloak). Search for
"logging:3.0". In that section, turn on debug logging for keycloak:
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
> Here is what my SP metadata looks like:
>
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>     entityID="https://saml.salesforce.com">
>   <SPSSODescriptor AuthnRequestsSigned="true"
>       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
>     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
>     <SingleLogoutService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
>     <AssertionConsumerService
>         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"
>         index="1" isDefault="true" />
>     <KeyDescriptor use="signing">
>       <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <dsig:X509Data>
>           <dsig:X509Certificate>
>             [X.509 certificate omitted]
>           </dsig:X509Certificate>
>         </dsig:X509Data>
>       </dsig:KeyInfo>
>     </KeyDescriptor>
>   </SPSSODescriptor>
> </EntityDescriptor>
>
> On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com> wrote:
>
> On 08/23/2016 06:04 PM, Rashmi Singh wrote:
>
> > Looking more closely into this, it seems like Salesforce does not
> > support SAML logout.
> >
> > In Salesforce, where I did the configuration for "SAML Single Sign-On
> > Settings", there is the following field:
> >
> > Identity Provider Logout URL:
> > I had specified this as:
> > http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
> >
> > But, since Salesforce does not seem to support SAML logout, is it
> > possible to specify some keycloak URL in this field that would logout
> > the user? It seems like the URL I specify in this field gets invoked but
> > then Salesforce is not really sending a SAML logout request and I just
> > get an error as indicated earlier. So, I was thinking if there is some
> > keycloak URL that we can specify in this field that would logout the
> > user?
> >
> > If there is no such URL support, is there an alternative to solve this
> > issue since Salesforce does not seem to handle the single logout?
>
> Why do you draw the conclusion Salesforce does not support
> logout? That does not seem to be indicated from this document:
>
> http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
>
> What is the SP metadata you used?
>
> --
> John
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
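Two things in this thread are worth checking mechanically rather than by eye: what the SP metadata John asked for actually advertises (a SingleLogoutService, the AuthnRequestsSigned flag, a signing certificate), and that the post-logout redirect in Bill's workaround only ever goes to a URI that has been registered for the client. The script below is an added example written for this archive; it is not code from the thread, from Keycloak or from Salesforce. The embedded metadata is constructed to mirror the shape of the metadata Rashmi posted (with a placeholder certificate and placeholder `so=` value), the `redirect_uri` query parameter name, the logout endpoint URL and the exact-match allowlist rule are assumptions, not Keycloak's own implementation.

```python
"""Inspect SAML SP metadata for single-logout support and allowlist-check a
post-logout redirect URI before building the redirect-after-logout URL.

Added example: not code from the thread, Keycloak or Salesforce.  The
metadata, endpoint, parameter name and matching rule are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: same structure as the Salesforce SP metadata quoted in
# the thread, with placeholder certificate and placeholder 'so=' value.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com?so=PLACEHOLDER"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com?so=PLACEHOLDER"
        index="1" isDefault="true"/>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def inspect_sp_metadata(xml_text):
    """Return what the SP advertises about logout and request signing."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    single_logout = [
        {"binding": e.get("Binding"), "location": e.get("Location")}
        for e in sp.findall("md:SingleLogoutService", NS)
    ]
    # A signing KeyDescriptor is what lets the IdP verify a signed LogoutRequest.
    signing_certs = sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "single_logout": single_logout,
        "has_signing_cert": len(signing_certs) > 0,
    }


def is_allowed_redirect(candidate, allowlist):
    """Exact-match check on scheme, host:port and path (query is ignored).

    Assumption: this is a simple registered-URI rule written for the example,
    not Keycloak's own redirect-URI matching.  Comparing the whole netloc
    means a userinfo trick such as 'https://good.example@evil.example/' fails.
    """
    c = urlsplit(candidate)
    if c.scheme not in ("http", "https") or not c.netloc:
        return False
    for allowed in allowlist:
        a = urlsplit(allowed)
        if (c.scheme, c.netloc.lower(), c.path or "/") == (
            a.scheme, a.netloc.lower(), a.path or "/"
        ):
            return True
    return False


def build_logout_url(logout_endpoint, redirect_to, allowlist):
    """Build '<endpoint>?redirect_uri=<encoded-url>' for an allowlisted target.

    'redirect_uri' and the endpoint are assumptions for the example; the
    encoding step is the URL-encoding the thread asks for.
    """
    if not is_allowed_redirect(redirect_to, allowlist):
        raise ValueError("redirect target not registered for this client: " + redirect_to)
    return logout_endpoint + "?redirect_uri=" + quote(redirect_to, safe="")


if __name__ == "__main__":
    print(inspect_sp_metadata(SAMPLE_SP_METADATA))
    registered = ["https://app.example.com/loggedout"]
    print(build_logout_url("https://idp.example.com/logout",
                           "https://app.example.com/loggedout", registered))
```

Run the metadata check against the real SP metadata file before touching IdP settings: if it reports no SingleLogoutService, the SP never advertised single logout; if it reports one plus AuthnRequestsSigned and a signing certificate, the IdP debug log (Bill's logger snippet) is the next place to look for why the LogoutRequest is rejected. The allowlist check is the reason the redirect URI has to be added to the client's allowed list: an IdP that redirected to any caller-supplied URL after logout would be an open redirect.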