Yup, you're right:
https://success.salesforce.com/ideaView?id=08730000000DjseAAC
Ok, this is going to sound weird, but it should work.
Register a logout URL for keycloak at salesforce.com as
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/openid-connect?redirect_uri=<encoded-url>
Replace <encoded-url> with a URL-encoded version of the URL you want keycloak to redirect the browser to after logout.
Next, you'll have to go into the Client tab in the Keycloak admin
console and add that redirect uri to the list of allowed redirect
uris. This is a bit of a hack, but it should work.
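The two checks the thread turns on, as an added example that is not code from the thread, from Keycloak or from Salesforce: inspecting a logout request captured by SAML tracer to see whether it actually carries a SAML LogoutRequest (the bare GET in the trace below has no SAMLRequest parameter at all), and building the Keycloak OIDC logout URL with the redirect target encoded exactly once. Assumptions: the Keycloak OIDC logout endpoint path is .../protocol/openid-connect/logout with a redirect_uri parameter (Keycloak 2.x era), and the sample LogoutRequest, its issuer and the user@example.com NameID are constructed for the demo.

```python
"""Check a captured IdP logout request for a SAML LogoutRequest, and build
the Keycloak OIDC logout URL used as a workaround when the SP sends none.

Added example; not code from the thread or from Keycloak/Salesforce.
Assumptions: Keycloak 2.x-era OIDC logout endpoint at
.../realms/<realm>/protocol/openid-connect/logout with a redirect_uri
parameter; the sample LogoutRequest below is constructed for the demo.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode, urlsplit

KEYCLOAK_BASE = "http://rashmiidp.cloud.com:9990/auth"   # from the thread
REALM = "saml-demo"                                      # from the thread
SAML_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/saml"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The bare GET that the SAML tracer captured: no SAMLRequest parameter at all.
CAPTURED_LOGOUT_GET = f"GET {SAML_ENDPOINT} HTTP/1.1"

# Constructed sample of what a compliant SP would send instead (unsigned).
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-sample" Version="2.0" IssueInstant="2016-08-25T00:00:00Z">'
    '<saml:Issuer>https://saml.salesforce.com</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (not yet URL-encoded)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_binding_url(xml_text: str) -> str:
    """Build the GET URL an SP using the HTTP-Redirect binding would issue."""
    return f"{SAML_ENDPOINT}?SAMLRequest={quote(encode_redirect_binding(xml_text), safe='')}"


def classify_logout_request(request_line: str) -> dict:
    """Inspect a 'GET <url> HTTP/1.1' line as shown by SAML tracer.

    Returns saml=False when no SAMLRequest parameter is present (the symptom in
    the thread); otherwise the message type, the issuer and whether a Signature
    query parameter accompanied it (the Redirect binding signs the query string).
    """
    _method, url, _version = request_line.split(" ", 2)
    qs = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in qs:
        return {"saml": False, "reason": "no SAMLRequest parameter; bare GET to the IdP endpoint"}
    raw = base64.b64decode(qs["SAMLRequest"][0])
    try:
        xml_bytes = zlib.decompress(raw, -15)       # compliant Redirect binding
    except zlib.error:
        xml_bytes = raw                             # some SPs skip DEFLATE; accept plain base64
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "saml": True,
        "message": root.tag.split("}")[-1],         # e.g. LogoutRequest
        "issuer": issuer.text if issuer is not None else None,
        "signed": "Signature" in qs,
    }


def oidc_logout_url(post_logout_url: str) -> str:
    """Keycloak OIDC logout URL with the return URL percent-encoded exactly once.

    post_logout_url must also be listed as a Valid Redirect URI on a client in
    the realm, or Keycloak will refuse it.  Endpoint path is an assumption.
    """
    endpoint = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/logout"
    return endpoint + "?" + urlencode({"redirect_uri": post_logout_url})


if __name__ == "__main__":
    print(classify_logout_request(CAPTURED_LOGOUT_GET))
    print(classify_logout_request(f"GET {redirect_binding_url(SAMPLE_LOGOUT_REQUEST)} HTTP/1.1"))
    print(oidc_logout_url("https://rashmi789-dev-ed.my.salesforce.com/"))
```

Running it against the captured line reports no SAMLRequest, which is why the tracer shows only an HTTP tab and why Keycloak's SAML endpoint has nothing to verify; the constructed request decodes to a LogoutRequest from https://saml.salesforce.com with no Signature parameter, the case Bill's earlier guess about unsigned requests would apply to.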
When I do a logout, my SAML tracer shows this request:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml HTTP/1.1
Clicking this request just shows the HTTP tab. It does not even show the SAML tab. So, it looks like Salesforce does not send a SAML request for logout. That was the reason I was asking if there is another way to do the user sign-out from keycloak. That is, instead of the above URL, we use a different URL (some keycloak URL) that would sign out the user. Or some other alternative?
On Thu, Aug 25, 2016 at 12:17 AM, Bill Burke <bburke@redhat.com> wrote:
My guess is that Salesforce is not signing the logout request and Keycloak expects it to be signed, but I can't really know unless you post your SAML tracer. Also, edit your standalone.xml config file (really depending on how you've booted keycloak). Search for "logging:3.0". In that section, turn on debug logging for keycloak:
<logger category="org.keycloak">
    <level name="DEBUG"/>
</logger>
That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
Here is what my SP metadata looks like:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14" index="1" isDefault="true"/>
    <KeyDescriptor use="signing">
      <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:X509Data>
          <dsig:X509Certificate>
MIIFYDCCBEigAwIBAgIQQ4KxN7E3aAGP1rpwQm6gZzANBgkqhkiG9w0BAQUFADCBvDELMAkGA1UEBhMCVVMxFzAVBg
NVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJt
cyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2
xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTEzMTAxODAwMDAwMFoXDTE3MTAxNzIzNTk1OVow
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHFA1TYW4gRnJhbmNpc2NvMR0wGwYDVQ
QKFBRTYWxlc2ZvcmNlLmNvbSwgSW5jLjEVMBMGA1UECxQMQXBwbGljYXRpb25zMR0wGwYDVQQDFBRwcm94eS5zYWxl
c2ZvcmNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJtS/8tJmPZ/CKOz/dJ7MXrgz0MPQKxEA
dgrdOFdRjsavTY+RviREe+zwjrKd9ZsCS3GltV2GBFD+YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1n
HlTXBICJQDo87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIarWTfr2w0SNFNPikW9rQjehAF/
eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQhnymqeoVgLMSb3UTS8J9R1RmQi+kisC39NAzVwQjM1X677cdQt0FaF6GlZ97
vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpSk9eynNGp1JI/6mIv3ECAwEAAaOCAYcwggGDMB8GA1UdEQQYMBaCFHByb
3h5LnNhbGVzZm9yY2UuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQUFBwMBBgg
rBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL
3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA
0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDByBggrBgEFBQcBAQRmM
GQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGw
tRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQAEMsL4HAd5uYW3j0SQF
X4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvRR9+5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8s
xHhgEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6krwPonEg6MdFarA87bAkLCrLZ0HqWe
UVlf2ntfvR7kjr0trUM/EBxPdcPxeMK70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKN
KZq5hcoUP/sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
          </dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis@redhat.com> wrote:
On 08/23/2016 06:04 PM, Rashmi Singh wrote:
Looking more closely into this, it seems like Salesforce does not
support SAML logout.
In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:
Identity Provider Logout URL:
I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
But, since Salesforce does not seem to support SAML logout, is it
possible to specify some keycloak URL in this field that would logout
the user? It seems like the URL I specify in this field gets invoked but
then Salesforce is not really sending a SAML logout request and I just
get an error as indicated earlier. So, I was thinking if there is some
keycloak URL that we can specify in this field that would logout the user?
If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?
Why do you draw the conclusion that Salesforce does not support logout? That does not seem to be indicated by this document:
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf
What is the SP metadata you used?
--
John
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev