On 08/18/2016 10:06 PM, Rashmi Singh wrote:
> Hi,
> I have set up a Salesforce SAML SP in Keycloak. So, I basically created a
> new client from the Keycloak admin console for Salesforce. This is what my SP
> URL looks like: http://rashmi789-dev-ed.my.salesforce.com
> I edited the Salesforce configuration settings to point it to the
> Keycloak IdP. So, when I access the SP:
> http://rashmi789-dev-ed.my.salesforce.com
> I am successfully taken to the Keycloak IdP page (where I have
> configured my Authenticator). I enter my credentials there and am able
> to log in. But now, when I try to log out, I get the following error on
> the web page:
> We're sorry ...
> Invalid Request
Is logout supported on both ends (i.e. SP and IdP)? The definition of
support is in the metadata of each entity. Is there a
SingleLogoutService binding with a valid location URL in each metadata?
The vast majority of SAML problems are directly attributable to the
metadata because that is what drives the conversation between the SP and
IdP. You have access to both metadata because it was necessary to load
the metadata in each party.
If the problem is not the absence of SingleLogoutService then I would
try tracing the flow. That is easy with the Firefox browser and the
SAMLTracer add-on. That will let you see the exchange of messages and
identify who the offending party is.
> So, single sign-out does not seem to be working for me. What is the
> issue? Is it a problem with the IdP logout URL that I have configured?
> What I have is:
> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
> My IdP login URL is:
> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
> and that seems to be perfectly fine, as I am able to log in without any
> issue. What is the issue with the logout I am seeing above when using a
> Salesforce SP with Keycloak? Please let me know if you need me to
> provide more details.
This suggests the problem is not with the IdP. Keycloak uses the same
URL for all services (don't assume this is always the case, it's just
one implementation choice). If login to the same URL works, a valid
LogoutRequest to the same URL should also work, provided of course it is a
valid SAML Request. Are there any errors in the Keycloak log concerning
invalid requests?
Once again, using SAMLTracer will help nail down who is generating the
error and what the content of the message was that induced it.
> Also, once this issue is resolved and I am able to log out successfully,
> could you give some insights on how to customize the logout page?
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
John
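One way to script the metadata check John describes above (does each party advertise a SingleLogoutService with a valid Location?), as an added example that is not from this thread or from Keycloak; the two metadata documents are constructed samples, with the IdP URL taken from the thread and a hypothetical SP host:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SLO_BINDINGS = {  # the two bindings used for front-channel logout
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

def slo_endpoints(metadata_xml):
    """List every SingleLogoutService in the IdP and SP role descriptors."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in root.findall(f".//md:{role}", NS):
            for slo in desc.findall("md:SingleLogoutService", NS):
                found.append({"role": role, "binding": slo.get("Binding", ""),
                              "location": slo.get("Location", "")})
    return found

def slo_problems(metadata_xml):
    """Return reasons single logout would fail for this party (empty list = OK)."""
    endpoints = slo_endpoints(metadata_xml)
    if not endpoints:
        return ["no SingleLogoutService element: this party does not advertise SLO"]
    problems = []
    for ep in endpoints:
        url = urlparse(ep["location"])
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append(f"{ep['role']}: SLO Location is not a valid URL: {ep['location']!r}")
        if ep["binding"] not in SLO_BINDINGS:
            problems.append(f"{ep['role']}: unexpected SLO binding {ep['binding']!r}")
    return problems

# Constructed IdP metadata: Keycloak serves SSO and SLO at one URL (the URL from the thread).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata (hypothetical host) that advertises login but no logout endpoint.
SP_METADATA_NO_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `slo_problems()` over the metadata you actually exchanged with the other party; an empty result on one side and a "does not advertise SLO" result on the other points at the party that cannot take part in single logout.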