Re: [keycloak-dev] Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
8:05 a.m.
On keycloak logs, I only see this error:
2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_token
This is a generic error and does not give any clue.
I used SAML tracer with firefox and there I see the following request in
RED:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
Here are the contents for this request from SAML tracer (but its not giving
me any clue on what is wrong):
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
HTTP/1.1
Host: rashmiidp.cloud.com:9990
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=0.5,es-ES;q=0.3,en-US;q=0.2
Accept-Encoding: gzip, deflate
Cookie: KEYCLOAK_SESSION=saml-demo/6d25a0c6-7bb8-4cfc-b918-
e3384f9dfe72/1e3911dc-3237-4aee-ba56-07de530e00f7; KC_RESTART=
eyJhbGciOiJIUzI1NiJ9.eyJjcyI6ImI1M2QxOGJiLWQ3ODItND
ZhNS04YjY5LWQxM2IxMDVhMTc4NSIsImNpZCI6Imh0dHBzOi8vc2FtbC5zYW
xlc2ZvcmNlLmNvbSIsInB0eSI6InNhbWwiLCJydXJpIjoiaHR0cHM6Ly9yYX
NobWk3ODktZGV2LWVkLm15LnNhbGVzZm9yY2UuY29tP3NvPTAwRDQxMDAwMD
AwNUwxNCIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7ImFjdGlvbl
9rZXkiOiJmNDBmYTJmYi01YTM0LTRmZDQtYTc2NC0xZDI5NWVlZDFmODIiLC
JSZWxheVN0YXRlIjoiLyIsIlNBTUxfUkVRVUVTVF9JRCI6Il8yQ0FBQUFWZE
ZCal9tTUU4d05ERXdNREF3TURBMFF6azJBQUFBeWszaE1mODBfdTJ5cGVpSX
pjVWNkQUtJWUFkeF9vNmN2Y0ZoMTE4QkcxWnFVRVQtREZJY29Wb1BqLUNheW
ZFV2FHLXRCLUo3YXhHUEhGaWdWbmV3MEREQUVlTTdJR21KcURuMmpUOUlPOD
VfT2pYTlVNQzlrbmV0cmRDcmpweDZCWTJjcWVCVWV0cldsb0JVaWhpMHBKMW
0tb2dBSmM1T1NDTXhIUkxpclNNR2FYRVhEeFpLVldadENfQTUwTFl6S1o2bm
o3XzZ1ekhIak9qa01kYnpoY2RTZlVZS0Q2bVRhNmtCRjlweTRwQTB4bHg1eG
RpN1M5OWc1d0xnSklmeVJ3Iiwic2FtbF9iaW5kaW5nIjoicG9zdCJ9fQ.
E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-7PFtY7JKNOLd-U; KEYCLOAK_IDENTITY=
eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmNTQyYjY0Yy1iYTNhLT
RiY2ItYmE2OC0xZGEyZTY0ZGRjMTQiLCJleHAiOjE0NzE5NDg2NjAsIm5iZi
I6MCwiaWF0IjoxNDcxOTEyNjYwLCJpc3MiOiJodHRwOi8vcmFzaG1paWRwLm
Nsb3VkLmNvbTo5OTkwL2F1dGgvcmVhbG1zL3NhbWwtZGVtbyIsInN1YiI6Ij
ZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4LWUzMzg0ZjlkZmU3MiIsInNlc3Npb2
5fc3RhdGUiOiIxZTM5MTFkYy0zMjM3LTRhZWUtYmE1Ni0wN2RlNTMwZTAwZj
ciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.IfnQezJi5hCMHac2K3B9QnjWdx4SR7
F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8z9XY-u0hN4DLFePXjzLOl0UwYaZ0ySxm-l-
gUsCkveVzTPRMS98ekuTMlc-1fPI4h1tCRrVawW5zOgH7zc-
a03KK0WZJ6b3iuU49PGsDXmeiNb6aqG-BIrmSkfsjfXr4zB69PcY0EF3sse0jl
OkZXYBcmbH46b_fWm-p4hpyt6QnGvxanKOc2jtavkUPSo5UrQxmQ3-
ahfxqZOFAvRbeHys5RdUUHs5BBefjkE4p8teCeG0nNzpgJfgPHgMNsnjELrTSafTcq1AM-yV2UOWrYeh0sA;
testusergrid={}
HTTP/?.? 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: WildFly/10
X-Frame-Options: SAMEORIGIN
content-security-policy: frame-src 'self'
Date: Tue, 23 Aug 2016 00:37:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 2906
Does this give you any idea? Do you have any more suggestions?
On Mon, Aug 22, 2016 at 7:54 PM, Rashmi Singh <singhrasster(a)gmail.com>
wrote:
John, On keycloak logs, I only see this error:
2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_token
This is a generic error and does not give any clue.
I used SAML tracer with firefox and there I see the following request in
RED:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
Here are the contents for this request from SAML tracer (but its not
giving me any clue on what is wrong):
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
HTTP/1.1
Host: rashmiidp.cloud.com:9990
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=0.5,es-ES;q=0.3,en-US;q=0.2
Accept-Encoding: gzip, deflate
Cookie: KEYCLOAK_SESSION=saml-demo/6d25a0c6-7bb8-4cfc-b918-
e3384f9dfe72/1e3911dc-3237-4aee-ba56-07de530e00f7; KC_RESTART=
eyJhbGciOiJIUzI1NiJ9.eyJjcyI6ImI1M2QxOGJiLWQ3ODItND
ZhNS04YjY5LWQxM2IxMDVhMTc4NSIsImNpZCI6Imh0dHBzOi8vc2FtbC5zYW
xlc2ZvcmNlLmNvbSIsInB0eSI6InNhbWwiLCJydXJpIjoiaHR0cHM6Ly9yYX
NobWk3ODktZGV2LWVkLm15LnNhbGVzZm9yY2UuY29tP3NvPTAwRDQxMDAwMD
AwNUwxNCIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7ImFjdGlvbl
9rZXkiOiJmNDBmYTJmYi01YTM0LTRmZDQtYTc2NC0xZDI5NWVlZDFmODIiLC
JSZWxheVN0YXRlIjoiLyIsIlNBTUxfUkVRVUVTVF9JRCI6Il8yQ0FBQUFWZE
ZCal9tTUU4d05ERXdNREF3TURBMFF6azJBQUFBeWszaE1mODBfdTJ5cGVpSX
pjVWNkQUtJWUFkeF9vNmN2Y0ZoMTE4QkcxWnFVRVQtREZJY29Wb1BqLUNheW
ZFV2FHLXRCLUo3YXhHUEhGaWdWbmV3MEREQUVlTTdJR21KcURuMmpUOUlPOD
VfT2pYTlVNQzlrbmV0cmRDcmpweDZCWTJjcWVCVWV0cldsb0JVaWhpMHBKMW
0tb2dBSmM1T1NDTXhIUkxpclNNR2FYRVhEeFpLVldadENfQTUwTFl6S1o2bm
o3XzZ1ekhIak9qa01kYnpoY2RTZlVZS0Q2bVRhNmtCRjlweTRwQTB4bHg1eG
RpN1M5OWc1d0xnSklmeVJ3Iiwic2FtbF9iaW5kaW5nIjoicG9zdCJ9fQ.
E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-7PFtY7JKNOLd-U; KEYCLOAK_IDENTITY=
eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmNTQyYjY0Yy1iYTNhLT
RiY2ItYmE2OC0xZGEyZTY0ZGRjMTQiLCJleHAiOjE0NzE5NDg2NjAsIm5iZi
I6MCwiaWF0IjoxNDcxOTEyNjYwLCJpc3MiOiJodHRwOi8vcmFzaG1paWRwLm
Nsb3VkLmNvbTo5OTkwL2F1dGgvcmVhbG1zL3NhbWwtZGVtbyIsInN1YiI6Ij
ZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4LWUzMzg0ZjlkZmU3MiIsInNlc3Npb2
5fc3RhdGUiOiIxZTM5MTFkYy0zMjM3LTRhZWUtYmE1Ni0wN2RlNTMwZTAwZj
ciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.IfnQezJi5hCMHac2K3B9QnjWdx4SR7
F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8z9XY-u0hN4DLFePXjzLOl0UwYaZ0ySxm-l-
gUsCkveVzTPRMS98ekuTMlc-1fPI4h1tCRrVawW5zOgH7zc-
a03KK0WZJ6b3iuU49PGsDXmeiNb6aqG-BIrmSkfsjfXr4zB69PcY0EF3sse0jl
OkZXYBcmbH46b_fWm-p4hpyt6QnGvxanKOc2jtavkUPSo5UrQxmQ3-
ahfxqZOFAvRbeHys5RdUUHs5BBefjkE4p8teCeG0nNzpgJfgPHgMNsnjELrTSafTcq1AM-yV2UOWrYeh0sA;
testusergrid={}
HTTP/?.? 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: WildFly/10
X-Frame-Options: SAMEORIGIN
content-security-policy: frame-src 'self'
Date: Tue, 23 Aug 2016 00:37:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 2906
Does this give you any idea? Do you have any more suggestions?
On Fri, Aug 19, 2016 at 7:52 AM, John Dennis <jdennis(a)redhat.com> wrote:
> On 08/18/2016 10:06 PM, Rashmi Singh wrote:
>
>> Hi,
>>
>> I have setup a Salesforce Saml SP in keycloak. So, I basically created a
>> new client from keycloak admin console for salesforce. This is how my SP
>> url looks like:
>>
>> rashmi789-dev-ed.my.salesforce.com
>> <http://rashmi789-dev-ed.my.salesforce.com>
>>
>> I edited the salesforce configuration settings to point it to the
>> keycloak IDP. So, when I access the SP:
>> http://rashmi789-dev-ed.my.salesforce.com
>>
>> I am successfully taken to the keycloak IDP page (where I have
>> configured my Authenticator). I enter my credentials there and am able
>> to login. But, now when I try to logout, I get the following error on
>> the web page:
>>
>> We're sorry ...
>> Invalid Request
>>
>
> Is logout supported on both ends (i.e. SP and IdP)? The definition of
> support is in the metadata of each entity. Is there a SingleLogoutService
> binding with a valid location URL in each metadata? The vast majority of
> SAML problems are directly attributable to the metadata because that is
> what drives the conversation between the SP and IdP. You have access to
> both metadata because it was necessary to load the metadata in each party.
>
> If the problem is not the absence of SingleLogoutService then I would try
> tracing the flow. That is easy with the Firefox browser and the SAMLTracer
> add-on. That will let you see the exchange of messages and identify who the
> offending party is.
>
> So, single sign out does not seem to be working for me. What is the
>> issue? Is it a problem with the IDP logout url that I have configured?
>> What I have is:
>>
>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>
>>
>> my IDP Login URL is:
>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>
>> and that seem to be perfectly fine as I am able to login without any
>> issue. what is the issue with the logout I am seeing above when using a
>> Salesforce SP with keycloak? Please let me know if you need me to
>> provide more details.
>>
>
> This suggests the problem is not with the IdP. Keycloak uses the same URL
> for all services (don't assume this is always the case, it's just one
> implementation choice). If login to the same URL works a valid
> LogoutRequest to the same URL should also work, provided of course it a
> valid SAML Request. Are there any errors in the Keycloak log concerning
> invalid requests.
>
> Once again. using SAMLTracer will help nail down who is generating the
> error and what the content of the message was that induced it.
>
>
> Also, once this issue is resolved and I am able to logout successfully,
>> could you give some insights on how to customize the logout page?
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
> --
> John
>
5:04 p.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
Looking more closely into this, it seems like Salesforce does not support
SAML logout.
In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:
Identity Provider Logout URL:
I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
But, since Salesforce does not seem to support SAML logout, is it possible
to specify some keycloak URL in this field that would logout the user? It
seems like the URL I specify in this field gets invoked but then Salesforce
is not really sending a SAML logout request and I just get an error as
indicated earlier. So, I was thinking if there is some keycloak URL that we
can specify in this field that would logout the user?
If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?
On Tue, Aug 23, 2016 at 8:05 AM, Rashmi Singh <singhrasster(a)gmail.com>
wrote:
On keycloak logs, I only see this error:
2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_token
This is a generic error and does not give any clue.
I used SAML tracer with firefox and there I see the following request in
RED:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
Here are the contents for this request from SAML tracer (but its not
giving me any clue on what is wrong):
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
HTTP/1.1
Host: rashmiidp.cloud.com:9990
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=0.5,es-ES;q=0.3,en-US;q=0.2
Accept-Encoding: gzip, deflate
Cookie: KEYCLOAK_SESSION=saml-demo/6d25a0c6-7bb8-4cfc-b918-e3384f9df
e72/1e3911dc-3237-4aee-ba56-07de530e00f7; KC_RESTART=eyJhbGciOiJIUzI1NiJ
9.eyJjcyI6ImI1M2QxOGJiLWQ3ODItNDZhNS04YjY5LWQxM2IxMDVhMTc4NS
IsImNpZCI6Imh0dHBzOi8vc2FtbC5zYWxlc2ZvcmNlLmNvbSIsInB0eSI6In
NhbWwiLCJydXJpIjoiaHR0cHM6Ly9yYXNobWk3ODktZGV2LWVkLm15LnNhbG
VzZm9yY2UuY29tP3NvPTAwRDQxMDAwMDAwNUwxNCIsImFjdCI6IkFVVEhFTl
RJQ0FURSIsIm5vdGVzIjp7ImFjdGlvbl9rZXkiOiJmNDBmYTJmYi01YTM0LT
RmZDQtYTc2NC0xZDI5NWVlZDFmODIiLCJSZWxheVN0YXRlIjoiLyIsIlNBTU
xfUkVRVUVTVF9JRCI6Il8yQ0FBQUFWZEZCal9tTUU4d05ERXdNREF3TURBMF
F6azJBQUFBeWszaE1mODBfdTJ5cGVpSXpjVWNkQUtJWUFkeF9vNmN2Y0ZoMT
E4QkcxWnFVRVQtREZJY29Wb1BqLUNheWZFV2FHLXRCLUo3YXhHUEhGaWdWbm
V3MEREQUVlTTdJR21KcURuMmpUOUlPODVfT2pYTlVNQzlrbmV0cmRDcmpweD
ZCWTJjcWVCVWV0cldsb0JVaWhpMHBKMW0tb2dBSmM1T1NDTXhIUkxpclNNR2
FYRVhEeFpLVldadENfQTUwTFl6S1o2bmo3XzZ1ekhIak9qa01kYnpoY2RTZl
VZS0Q2bVRhNmtCRjlweTRwQTB4bHg1eGRpN1M5OWc1d0xnSklmeVJ3Iiwic2
FtbF9iaW5kaW5nIjoicG9zdCJ9fQ.E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-7PFtY7JKNOLd-U;
KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmNTQyYjY0Y
y1iYTNhLTRiY2ItYmE2OC0xZGEyZTY0ZGRjMTQiLCJleHAiOjE0NzE5NDg2N
jAsIm5iZiI6MCwiaWF0IjoxNDcxOTEyNjYwLCJpc3MiOiJodHRwOi8vcmFza
G1paWRwLmNsb3VkLmNvbTo5OTkwL2F1dGgvcmVhbG1zL3NhbWwtZGVtbyIsI
nN1YiI6IjZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4LWUzMzg0ZjlkZmU3MiIsI
nNlc3Npb25fc3RhdGUiOiIxZTM5MTFkYy0zMjM3LTRhZWUtYmE1Ni0wN2RlN
TMwZTAwZjciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.IfnQezJi5hCMHac2K3
B9QnjWdx4SR7F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8z9XY-u0hN4DLFePXjz
LOl0UwYaZ0ySxm-l-gUsCkveVzTPRMS98ekuTMlc-1fPI4h1tCRrVawW5zOg
H7zc-a03KK0WZJ6b3iuU49PGsDXmeiNb6aqG-BIrmSkfsjfXr4zB69PcY0EF
3sse0jlOkZXYBcmbH46b_fWm-p4hpyt6QnGvxanKOc2jtavkUPSo5UrQxmQ3
-ahfxqZOFAvRbeHys5RdUUHs5BBefjkE4p8teCeG0nNzpgJfgPHgMNsnjELrTSafTcq1AM-yV2UOWrYeh0sA;
testusergrid={}
HTTP/?.? 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: WildFly/10
X-Frame-Options: SAMEORIGIN
content-security-policy: frame-src 'self'
Date: Tue, 23 Aug 2016 00:37:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 2906
Does this give you any idea? Do you have any more suggestions?
On Mon, Aug 22, 2016 at 7:54 PM, Rashmi Singh <singhrasster(a)gmail.com>
wrote:
> John, On keycloak logs, I only see this error:
>
> 2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
> type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
> ipAddress=192.168.99.1, error=invalid_token
>
> This is a generic error and does not give any clue.
>
> I used SAML tracer with firefox and there I see the following request in
> RED:
>
> GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
> Here are the contents for this request from SAML tracer (but its not
> giving me any clue on what is wrong):
>
> GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
> HTTP/1.1
> Host: rashmiidp.cloud.com:9990
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101
> Firefox/47.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=0.5,es-ES;q=0.3,en-US;q=0.2
> Accept-Encoding: gzip, deflate
> Cookie: KEYCLOAK_SESSION=saml-demo/6d25a0c6-7bb8-4cfc-b918-e3384f9df
> e72/1e3911dc-3237-4aee-ba56-07de530e00f7; KC_RESTART=eyJhbGciOiJIUzI1NiJ
> 9.eyJjcyI6ImI1M2QxOGJiLWQ3ODItNDZhNS04YjY5LWQxM2IxMDVhMTc4NS
> IsImNpZCI6Imh0dHBzOi8vc2FtbC5zYWxlc2ZvcmNlLmNvbSIsInB0eSI6In
> NhbWwiLCJydXJpIjoiaHR0cHM6Ly9yYXNobWk3ODktZGV2LWVkLm15LnNhbG
> VzZm9yY2UuY29tP3NvPTAwRDQxMDAwMDAwNUwxNCIsImFjdCI6IkFVVEhFTl
> RJQ0FURSIsIm5vdGVzIjp7ImFjdGlvbl9rZXkiOiJmNDBmYTJmYi01YTM0LT
> RmZDQtYTc2NC0xZDI5NWVlZDFmODIiLCJSZWxheVN0YXRlIjoiLyIsIlNBTU
> xfUkVRVUVTVF9JRCI6Il8yQ0FBQUFWZEZCal9tTUU4d05ERXdNREF3TURBMF
> F6azJBQUFBeWszaE1mODBfdTJ5cGVpSXpjVWNkQUtJWUFkeF9vNmN2Y0ZoMT
> E4QkcxWnFVRVQtREZJY29Wb1BqLUNheWZFV2FHLXRCLUo3YXhHUEhGaWdWbm
> V3MEREQUVlTTdJR21KcURuMmpUOUlPODVfT2pYTlVNQzlrbmV0cmRDcmpweD
> ZCWTJjcWVCVWV0cldsb0JVaWhpMHBKMW0tb2dBSmM1T1NDTXhIUkxpclNNR2
> FYRVhEeFpLVldadENfQTUwTFl6S1o2bmo3XzZ1ekhIak9qa01kYnpoY2RTZl
> VZS0Q2bVRhNmtCRjlweTRwQTB4bHg1eGRpN1M5OWc1d0xnSklmeVJ3Iiwic2
> FtbF9iaW5kaW5nIjoicG9zdCJ9fQ.E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-7PFtY7JKNOLd-U;
> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmNTQyYjY0Y
> y1iYTNhLTRiY2ItYmE2OC0xZGEyZTY0ZGRjMTQiLCJleHAiOjE0NzE5NDg2N
> jAsIm5iZiI6MCwiaWF0IjoxNDcxOTEyNjYwLCJpc3MiOiJodHRwOi8vcmFza
> G1paWRwLmNsb3VkLmNvbTo5OTkwL2F1dGgvcmVhbG1zL3NhbWwtZGVtbyIsI
> nN1YiI6IjZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4LWUzMzg0ZjlkZmU3MiIsI
> nNlc3Npb25fc3RhdGUiOiIxZTM5MTFkYy0zMjM3LTRhZWUtYmE1Ni0wN2RlN
> TMwZTAwZjciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.IfnQezJi5hCMHac2K3
> B9QnjWdx4SR7F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8z9XY-u0hN4DLFePXjz
> LOl0UwYaZ0ySxm-l-gUsCkveVzTPRMS98ekuTMlc-1fPI4h1tCRrVawW5zOg
> H7zc-a03KK0WZJ6b3iuU49PGsDXmeiNb6aqG-BIrmSkfsjfXr4zB69PcY0EF
> 3sse0jlOkZXYBcmbH46b_fWm-p4hpyt6QnGvxanKOc2jtavkUPSo5UrQxmQ3
>
-ahfxqZOFAvRbeHys5RdUUHs5BBefjkE4p8teCeG0nNzpgJfgPHgMNsnjELrTSafTcq1AM-yV2UOWrYeh0sA;
> testusergrid={}
>
> HTTP/?.? 500 Internal Server Error
> Cache-Control: no-store, must-revalidate, max-age=0
> X-Powered-By: Undertow/1
> Server: WildFly/10
> X-Frame-Options: SAMEORIGIN
> content-security-policy: frame-src 'self'
> Date: Tue, 23 Aug 2016 00:37:56 GMT
> Connection: keep-alive
> X-Content-Type-Options: nosniff
> Content-Type: text/html;charset=utf-8
> Content-Length: 2906
>
>
> Does this give you any idea? Do you have any more suggestions?
>
>
> On Fri, Aug 19, 2016 at 7:52 AM, John Dennis <jdennis(a)redhat.com> wrote:
>
>> On 08/18/2016 10:06 PM, Rashmi Singh wrote:
>>
>>> Hi,
>>>
>>> I have setup a Salesforce Saml SP in keycloak. So, I basically created a
>>> new client from keycloak admin console for salesforce. This is how my SP
>>> url looks like:
>>>
>>> rashmi789-dev-ed.my.salesforce.com
>>> <http://rashmi789-dev-ed.my.salesforce.com>
>>>
>>> I edited the salesforce configuration settings to point it to the
>>> keycloak IDP. So, when I access the SP:
>>> http://rashmi789-dev-ed.my.salesforce.com
>>>
>>> I am successfully taken to the keycloak IDP page (where I have
>>> configured my Authenticator). I enter my credentials there and am able
>>> to login. But, now when I try to logout, I get the following error on
>>> the web page:
>>>
>>> We're sorry ...
>>> Invalid Request
>>>
>>
>> Is logout supported on both ends (i.e. SP and IdP)? The definition of
>> support is in the metadata of each entity. Is there a SingleLogoutService
>> binding with a valid location URL in each metadata? The vast majority of
>> SAML problems are directly attributable to the metadata because that is
>> what drives the conversation between the SP and IdP. You have access to
>> both metadata because it was necessary to load the metadata in each party.
>>
>> If the problem is not the absence of SingleLogoutService then I would
>> try tracing the flow. That is easy with the Firefox browser and the
>> SAMLTracer add-on. That will let you see the exchange of messages and
>> identify who the offending party is.
>>
>> So, single sign out does not seem to be working for me. What is the
>>> issue? Is it a problem with the IDP logout url that I have configured?
>>> What I have is:
>>>
>>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>>
>>>
>>> my IDP Login URL is:
>>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>>
>>> and that seem to be perfectly fine as I am able to login without any
>>> issue. what is the issue with the logout I am seeing above when using a
>>> Salesforce SP with keycloak? Please let me know if you need me to
>>> provide more details.
>>>
>>
>> This suggests the problem is not with the IdP. Keycloak uses the same
>> URL for all services (don't assume this is always the case, it's just
one
>> implementation choice). If login to the same URL works a valid
>> LogoutRequest to the same URL should also work, provided of course it a
>> valid SAML Request. Are there any errors in the Keycloak log concerning
>> invalid requests.
>>
>> Once again. using SAMLTracer will help nail down who is generating the
>> error and what the content of the message was that induced it.
>>
>>
>> Also, once this issue is resolved and I am able to logout successfully,
>>> could you give some insights on how to customize the logout page?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>
>> --
>> John
>>
>
>
11:30 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
On 08/23/2016 06:04 PM, Rashmi Singh wrote:
Looking more closely into this, it seems like Salesforce does not
support SAML logout.
In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:
Identity Provider Logout URL:
I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
But, since Salesforce does not seem to support SAML logout, is it
possible to specify some keycloak URL in this field that would logout
the user? It seems like the URL I specify in this field gets invoked but
then Salesforce is not really sending a SAML logout request and I just
get an error as indicated earlier. So, I was thinking if there is some
keycloak URL that we can specify in this field that would logout the user?
If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?
Why do you draw the conclusion Salesforce does not support logout? That
does not seem to be indicated from this document:
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
What is the SP metadata you used?
--
John
11:33 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
Here is how my SP Metadata looks like:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="
https://saml.salesforce.com">
<SPSSODescriptor AuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocolhttp://schemas.xmlsoap.org/ws/
2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"/...
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"
index="1" isDefault="true" />
<KeyDescriptor use="signing">
<dsig:KeyInfo
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
MIIFYDCCBEigAwIBAgIQQ4KxN7E3aAGP1rpwQm6gZzANBgkqhkiG9w0BAQUF
ADCBvDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8w
HQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJt
cyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykx
MDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNl
cnZlciBDQSAtIEczMB4XDTEzMTAxODAwMDAwMFoXDTE3MTAxNzIzNTk1OVow
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
FA1TYW4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5j
LjEVMBMGA1UECxQMQXBwbGljYXRpb25zMR0wGwYDVQQDFBRwcm94eS5zYWxl
c2ZvcmNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJtS/8tJmPZ/CKOz/
dJ7MXrgz0MPQKxEAdgrdOFdRjsavTY+RviREe+zwjrKd9ZsCS3GltV2GBFD+
YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1nHlTXBICJQDo
87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIarWTfr2w0SNF
NPikW9rQjehAF/eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQhnymqeoVgLMSb3UTS8J9R1RmQi+
kisC39NAzVwQjM1X677cdQt0FaF6GlZ97vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpS
k9eynNGp1JI/6mIv3ECAwEAAaOCAYcwggGDMB8GA1UdEQQYMBaCFHByb3h5LnNhbGVzZm9yY
2UuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQ
UFBwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAY
b4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb2
0vY3BzMB8GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHw
Q6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb2
0vU1ZSSW50bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGG
h0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1
NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCS
qGSIb3DQEBBQUAA4IBAQAEMsL4HAd5uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvRR9+
5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8sxHh
gEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6krw
PonEg6MdFarA87bAkLCrLZ0HqWeUVlf2ntfvR7kjr0trUM/
EBxPdcPxeMK70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKNKZq5hcoUP/
sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</KeyDescriptor>
</SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com> wrote:
On 08/23/2016 06:04 PM, Rashmi Singh wrote:
> Looking more closely into this, it seems like Salesforce does not
> support SAML logout.
>
> In Salesforce, where I did the configuration for "SAML Single Sign-On
> Settings", there is the following field:
>
> Identity Provider Logout URL:
> I had specified this as:
> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>
> But, since Salesforce does not seem to support SAML logout, is it
> possible to specify some keycloak URL in this field that would logout
> the user? It seems like the URL I specify in this field gets invoked but
> then Salesforce is not really sending a SAML logout request and I just
> get an error as indicated earlier. So, I was thinking if there is some
> keycloak URL that we can specify in this field that would logout the user?
>
> If there is no such URL support, is there an alternative to solve this
> issue since Salesforce does not seem to handle the single logout?
>
Why do you draw the conclusion Salesforce does not support logout? That
does not seem to be indicated from this document:
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/
salesforce_single_sign_on.pdf
What is the SP metadata you used?
--
John
12:17 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
My guess is that Salesforce is not signing the logout request and
Keycloak expects it to be signed, but can't really know unless you post
your SAML tracer. Also, Edit your standalone.xml config file (really
depending on how you've booted keycloak). Search for "logging:3.0". IN
that section, turn on debug logging for keycloak:
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
Here is how my SP Metadata looks like:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://saml.salesforce.com
<https://saml.salesforce.com/>">
<SPSSODescriptor AuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocolhttp://schemas.xmlsoap.org/ws/2003/07...
<http://schemas.xmlsoap.org/ws/2003/07/secext>">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"/...
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"
index="1" isDefault="true" />
<KeyDescriptor use="signing">
<dsig:KeyInfo
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#
<http://www.w3.org/2000/09/xmldsig#>">
<dsig:X509Data>
<dsig:X509Certificate>
MIIFYDCCBEigAwIBAgIQQ4KxN7E3aAGP1rpwQm6gZzANBgkqhkiG9w0BAQUFADCBvDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTEzMTAxODAwMDAwMFoXDTE3MTAxNzIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHFA1TYW4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5jLjEVMBMGA1UECxQMQXBwbGljYXRpb25zMR0wGwYDVQQDFBRwcm94eS5zYWxlc2ZvcmNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJtS/8tJmPZ/CKOz/dJ7MXrgz0MPQKxEAdgrdOFdRjsavTY+RviREe+zwjrKd9ZsCS3GltV2GBFD+YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1nHlTXBICJQDo87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIarWTfr2w0SNFNPikW9rQjehAF/eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQhnymqeoVgLMSb3UTS8J9R1RmQi+kisC39NAzVwQjM1X677cdQt0FaF6GlZ97vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpSk9eynNGp1JI/6mIv3ECAwEAAaOCAYcwggGDMB8GA1UdEQQYMBaCFHByb3h5LnNhbGVzZm9yY2UuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQAEMsL4HAd5uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvRR9+5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8sxHhgEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6krwPonEg6MdFarA87bAkLCrLZ0HqWeUVlf2ntfvR7kjr0trUM/EBxPdcPxeMK70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKNKZq5hcoUP/sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</KeyDescriptor>
</SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com
<mailto:jdennis@redhat.com>> wrote:
On 08/23/2016 06:04 PM, Rashmi Singh wrote:
Looking more closely into this, it seems like Salesforce does not
support SAML logout.
In Salesforce, where I did the configuration for "SAML Single
Sign-On
Settings", there is the following field:
Identity Provider Logout URL:
I had specified this as:
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
<http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml>
But, since Salesforce does not seem to support SAML logout, is it
possible to specify some keycloak URL in this field that would
logout
the user? It seems like the URL I specify in this field gets
invoked but
then Salesforce is not really sending a SAML logout request
and I just
get an error as indicated earlier. So, I was thinking if there
is some
keycloak URL that we can specify in this field that would
logout the user?
If there is no such URL support, is there an alternative to
solve this
issue since Salesforce does not seem to handle the single logout?
Why do you draw the conclusion Salesforce does not support logout?
That does not seem to be indicated from this document:
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
<http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
What is the SP metadata you used?
--
John
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:22 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
When I do a logout, my SAML tracer show this request:
*GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
<http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml>
HTTP/1.1*
And clicking this request just shows the HTTP tab. It does not even
show the SAML tab. So, it looks like Salefroce does not send SAML
request for logout. That was the reason, I was asking if there is
another way to do the user sign out from keycloak. That is, in instead
of the above URL we use a different url (some keycloak URL) that would
sign out the user. Or some other alternative?
On Thu, Aug 25, 2016 at 12:17 AM, Bill Burke <bburke(a)redhat.com> wrote:
My guess is that Salesforce is not signing the logout request and
Keycloak
expects it to be signed, but can't really know unless you post your SAML
tracer. Also, Edit your standalone.xml config file (really depending on
how you've booted keycloak). Search for "logging:3.0". IN that section,
turn on debug logging for keycloak:
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
Here is how my SP Metadata looks like:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="
https://saml.salesforce.com">
<SPSSODescriptor AuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
urn:oasis:names:tc:SAML:1.1:protocolhttp://schemas.xmlsoap.
org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unsp
ecified
</NameIDFormat>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"/...
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"
index="1" isDefault="true" />
<KeyDescriptor use="signing">
<dsig:KeyInfo
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
MIIFYDCCBEigAwIBAgIQQ4KxN7E3aAGP1rpwQm6gZzANBgkqhkiG9w0BAQUF
ADCBvDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8w
HQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJt
cyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykx
MDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNl
cnZlciBDQSAtIEczMB4XDTEzMTAxODAwMDAwMFoXDTE3MTAxNzIzNTk1OVow
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
FA1TYW4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5j
LjEVMBMGA1UECxQMQXBwbGljYXRpb25zMR0wGwYDVQQDFBRwcm94eS5zYWxl
c2ZvcmNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJt
S/8tJmPZ/CKOz/dJ7MXrgz0MPQKxEAdgrdOFdRjsavTY+RviREe+
zwjrKd9ZsCS3GltV2GBFD+YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1n
HlTXBICJQDo87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIa
rWTfr2w0SNFNPikW9rQjehAF/eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQ
hnymqeoVgLMSb3UTS8J9R1RmQi+kisC39NAzVwQjM1X677cdQt0FaF6GlZ97
vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpSk9eynNGp1JI/6mIv3ECAwEAAaO
CAYcwggGDMB8GA1UdEQQYMBaCFHByb3h5LnNhbGVzZm9yY2UuY29tMAkGA1U
dEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQUFBwMBBgg
rBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjA
qMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8
GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA
0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW5
0bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9
vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGw
tRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQE
BBQUAA4IBAQAEMsL4HAd5uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvR
R9+5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8s
xHhgEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6
krwPonEg6MdFarA87bAkLCrLZ0HqWeUVlf2ntfvR7kjr0trUM/EBxPdcPxeM
K70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKN
KZq5hcoUP/sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</KeyDescriptor>
</SPSSODescriptor>
</EntityDescriptor>
On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com> wrote:
> On 08/23/2016 06:04 PM, Rashmi Singh wrote:
>
>> Looking more closely into this, it seems like Salesforce does not
>> support SAML logout.
>>
>> In Salesforce, where I did the configuration for "SAML Single Sign-On
>> Settings", there is the following field:
>>
>> Identity Provider Logout URL:
>> I had specified this as:
>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>
>> But, since Salesforce does not seem to support SAML logout, is it
>> possible to specify some keycloak URL in this field that would logout
>> the user? It seems like the URL I specify in this field gets invoked but
>> then Salesforce is not really sending a SAML logout request and I just
>> get an error as indicated earlier. So, I was thinking if there is some
>> keycloak URL that we can specify in this field that would logout the
>> user?
>>
>> If there is no such URL support, is there an alternative to solve this
>> issue since Salesforce does not seem to handle the single logout?
>>
>
> Why do you draw the conclusion Salesforce does not support logout? That
> does not seem to be indicated from this document:
>
> http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/s
> alesforce_single_sign_on.pdf
>
> What is the SP metadata you used?
>
>
> --
> John
>
_______________________________________________
keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:44 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
Yup, you're right:
https://success.salesforce.com/ideaView?id=08730000000DjseAAC
Ok, this is going to sound weird, but it should work.
Register a logout URL for keycloak at salesforce.com as
*http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/
<http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml>op...
**
Replace <encoded-url> as a URL encoded version of the URL you want
keycloak to redirect the browser after logout.
Next, you'll have to go into the Client tab in the Keycloak admin
console and add that redirect uri to the list of allowed redirect
uris. This is a bit of a hack, but it should work.
On 8/25/16 10:22 AM, Rashmi Singh wrote:
When I do a logout, my SAML tracer show this request:
*GET
http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
HTTP/1.1*
**
And clicking this request just shows the HTTP tab. It does not even
show the SAML tab. So, it looks like Salefroce does not send SAML
request for logout. That was the reason, I was asking if there is
another way to do the user sign out from keycloak. That is, in instead
of the above URL we use a different url (some keycloak URL) that would
sign out the user. Or some other alternative?
On Thu, Aug 25, 2016 at 12:17 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
My guess is that Salesforce is not signing the logout request and
Keycloak expects it to be signed, but can't really know unless you
post your SAML tracer. Also, Edit your standalone.xml config file
(really depending on how you've booted keycloak). Search for
"logging:3.0". IN that section, turn on debug logging for keycloak:
<logger category="org.keycloak">
<level name="DEBUG"/>
</logger>
That may shed some light on things.
On 8/24/16 12:33 PM, Rashmi Singh wrote:
> Here is how my SP Metadata looks like:
>
> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> entityID="https://saml.salesforce.com
> <https://saml.salesforce.com/>">
> <SPSSODescriptor AuthnRequestsSigned="true"
>
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol
> urn:oasis:names:tc:SAML:1.1:protocolhttp://schemas.xmlsoap.org/ws/2003/07...
> <http://schemas.xmlsoap.org/ws/2003/07/secext>">
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
> </NameIDFormat>
> <SingleLogoutService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
>
<https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"/...
> <AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14
> <https://rashmi789-dev-ed.my.salesforce.com/?so=00D410000005L14>"
> index="1" isDefault="true" />
> <KeyDescriptor use="signing">
> <dsig:KeyInfo
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#
> <http://www.w3.org/2000/09/xmldsig#>">
> <dsig:X509Data>
> <dsig:X509Certificate>
>
MIIFYDCCBEigAwIBAgIQQ4KxN7E3aAGP1rpwQm6gZzANBgkqhkiG9w0BAQUFADCBvDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMtVmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4XDTEzMTAxODAwMDAwMFoXDTE3MTAxNzIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHFA1TYW4gRnJhbmNpc2NvMR0wGwYDVQQKFBRTYWxlc2ZvcmNlLmNvbSwgSW5jLjEVMBMGA1UECxQMQXBwbGljYXRpb25zMR0wGwYDVQQDFBRwcm94eS5zYWxlc2ZvcmNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJtS/8tJmPZ/CKOz/dJ7MXrgz0MPQKxEAdgrdOFdRjsavTY+RviREe+zwjrKd9ZsCS3GltV2GBFD+YxXzuptQr+ZUDC8Vwx+49WQ13D55nmoUJVcB1nHlTXBICJQDo87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIarWTfr2w0SNFNPikW9rQjehAF/eh6Ib4H3bJEE/kAwRS4mFJoxEKsiJQhnymqeoVgLMSb3UTS8J9R1RmQi+kisC39NAzVwQjM1X677cdQt0FaF6GlZ97vCH/rpNAJnAVwaWiRNQ32AR2X39rp8DVpSk9eynNGp1JI/6mIv3ECAwEAAaOCAYcwggGDMB8GA1UdEQQYMBaCFHByb3h5LnNhbGVzZm9yY2UuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMB8GA1UdIwQYMBaAFNebfNgioBX33a1fzimbWMO8RgC1MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9TVlJJbnRsLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50bEczLmNybDByBggrBgEFBQcBAQRmMGQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA8BggrBgEFBQcwAoYwaHR0cDovL1NWUkludGwtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJJbnRsRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQAEMsL4HAd5uYW3j0SQFX4Opl7p0Vo4o7HKBHCtV4ZjzkSFwvRR9+5zijYqlhe4ou1SL4WAWAsTKMTpKz0CL1S9Npt0IcKmIWeRsjJKKznFa8sxHhgEvm3O11a9uVfgvmnwn0VEpuTmGvXvIUSAZ5q0CVDgzbGsrjWnZXllgO6krwPonEg6MdFarA87bAkLCrLZ0HqWeUVlf2ntfvR7kjr0trUM/EBxPdcPxeMK70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKNKZq5hcoUP/sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
> </dsig:X509Certificate>
> </dsig:X509Data>
> </dsig:KeyInfo>
> </KeyDescriptor>
> </SPSSODescriptor>
> </EntityDescriptor>
>
> On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis(a)redhat.com
> <mailto:jdennis@redhat.com>> wrote:
>
> On 08/23/2016 06:04 PM, Rashmi Singh wrote:
>
> Looking more closely into this, it seems like Salesforce
> does not
> support SAML logout.
>
> In Salesforce, where I did the configuration for "SAML
> Single Sign-On
> Settings", there is the following field:
>
> Identity Provider Logout URL:
> I had specified this as:
> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>
<http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml>
>
> But, since Salesforce does not seem to support SAML
> logout, is it
> possible to specify some keycloak URL in this field that
> would logout
> the user? It seems like the URL I specify in this field
> gets invoked but
> then Salesforce is not really sending a SAML logout
> request and I just
> get an error as indicated earlier. So, I was thinking if
> there is some
> keycloak URL that we can specify in this field that would
> logout the user?
>
> If there is no such URL support, is there an alternative
> to solve this
> issue since Salesforce does not seem to handle the single
> logout?
>
>
> Why do you draw the conclusion Salesforce does not support
> logout? That does not seem to be indicated from this document:
>
>
http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
>
<http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_sin...
>
> What is the SP metadata you used?
>
>
> --
> John
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
_______________________________________________ keycloak-dev
mailing list keycloak-dev(a)lists.jboss.org
<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
11:20 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
On 08/23/2016 09:05 AM, Rashmi Singh wrote:
On keycloak logs, I only see this error:
2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_token
This is a generic error and does not give any clue.
I used SAML tracer with firefox and there I see the following request in
RED:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
<http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml>
Here are the contents for this request from SAML tracer (but its not
giving me any clue on what is wrong):
You didn't post the SAML content from the SAMLTracer SAML tab.
--
John
11:27 a.m.
New subject: Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
John, Can you take a look at my last post? It seems like Salesforce is not
supporting Single logout. Is there some keycloak URL we can provide for the
field "Identity Provider Logout URL" on saleforce Single Sign on
Settings"
that would log the user out? Since, it seems like Salesforce is not even
sending a SAML request when doing a logout. Here is what I wrote yesterday:
"Looking more closely into this, it seems like Salesforce does not support
SAML logout.
In Salesforce, where I did the configuration for "SAML Single Sign-On
Settings", there is the following field:
Identity Provider Logout URL:
I had specified this as: http://rashmiidp.cloud.com:
9990/auth/realms/saml-demo/protocol/saml
But, since Salesforce does not seem to support SAML logout, is it possible
to specify some keycloak URL in this field that would logout the user? It
seems like the URL I specify in this field gets invoked but then Salesforce
is not really sending a SAML logout request and I just get an error as
indicated earlier. So, I was thinking if there is some keycloak URL that we
can specify in this field that would logout the user?
If there is no such URL support, is there an alternative to solve this
issue since Salesforce does not seem to handle the single logout?"
On Wed, Aug 24, 2016 at 11:20 AM, John Dennis <jdennis(a)redhat.com> wrote:
On 08/23/2016 09:05 AM, Rashmi Singh wrote:
> On keycloak logs, I only see this error:
>
> 2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
> type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
> ipAddress=192.168.99.1, error=invalid_token
>
> This is a generic error and does not give any clue.
>
> I used SAML tracer with firefox and there I see the following request in
> RED:
>
> GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
> <http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml>
> Here are the contents for this request from SAML tracer (but its not
> giving me any clue on what is wrong):
>
You didn't post the SAML content from the SAMLTracer SAML tab.
--
John
3130
days inactive
3132
days old
8 comments
3 participants
participants (3)
-
Bill Burke -
John Dennis -
Rashmi Singh