Hi Bill,
Can you please help me out with how I have to make a mapping so that I can
remove the prefix?
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
cordialement,
Henk Laracker
On 01/05/15 14:52, "Bill Burke" <bburke(a)redhat.com> wrote:
I'll add a username mapper.
On 5/1/2015 8:48 AM, Bill Burke wrote:
> You can map the SAML/OIDC assertion/token that is sent to your
> applications however you want.
>
> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>> Bill - That would be an issue for us as we cannot manipulate the values
>> (especially username) sent by an external IDP which is the authoritative
>> source of user information. We will have to figure out another way,
>> perhaps, an internal KC user attribute that can be made unique to
>> prevent name clashes.
>>
>> Thanks,
>> Raghu
>>
>>------------------------------------------------------------------------
>> *From:* Bill Burke <bburke(a)redhat.com>
>> *To:* Henk Laracker <Henk.Laracker(a)planonsoftware.com>;
>> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
>> *Sent:* Thursday, April 30, 2015 7:26 PM
>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>
>> Right now, the username is prefixed with the broker name. This is to
>> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
>> social providers).
>>
>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>> > Hi Bill,
>> >
>> > Thank you, this worked out! A user is created with my name
>> > saml.henk.laracker@p***n.nl; do you have any idea why the “saml” prefix
>> > is added?
>> >
>> >
>> > Henk
>> >
>> > On 30/04/15 18:44, "Bill Burke" <bburke(a)redhat.com> wrote:
>> >
>> >> Ok, I was able to get this to work. The problem was I had to set a
>> >> "profile" for the connected app on Salesforce. I added a "System
>> >> Administrator" profile to the Connected App and it worked.
>> >>
>> >> I'm not sure how to upload an app certificate yet. Not sure what format
>> >> Salesforce is looking for.
>> >>
>> >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>> >>> I set up a salesforce example and looked at the login response SAML
>> >>> document. Looks like no assertion data is being sent back at all by
>> >>> salesforce.
>> >>>
>> >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>> >>>> I have no idea. Basically this error is stating that the login
>> >>>> response saml document has no assertions within it. If there are no
>> >>>> assertions, then there has been no identity data sent.
>> >>>>
>> >>>> I'm looking now, but can you send me a link on how to set up Salesforce
>> >>>> as an IDP? Is one able to set up a free account and such?
>> >>>>
>> >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>> >>>>> Hi Bill,
>> >>>>>
>> >>>>> I don't know why I missed that, thanks! Salesforce responds now with
>> >>>>> the correct login page. After logging in to Salesforce, I'm redirected
>> >>>>> to keycloak again with an internal error:
>> >>>>>
>> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>> >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>> >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>> >>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>> >>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>> >>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>> >>>>>     ... 39 more
>> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>> >>>>>     ... 54 more
>> >>>>>
>> >>>>> Any idea?
>> >>>>>
>> >>>>> Henk
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On 30/04/15 14:31, "Bill Burke" <bburke(a)redhat.com> wrote:
>> >>>>>
>> >>>>>> You want to chain keycloak server to Salesforce?
>> >>>>>>
>> >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>> >>>>>> Salesforce, you'll see after you create it, an Export button. Click
>> >>>>>> that. That will create an entity descriptor with all the information
>> >>>>>> you need.
>> >>>>>>
>> >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>> I like to use Salesforce as Identity Provider, the metadata
>> >>>>>>> provided by salesforce can be imported.
>> >>>>>>> But I need to specify the Service Provider in salesforce, I have to
>> >>>>>>> fill in a couple of fields, but two of them I don't understand (and
>> >>>>>>> are mandatory). Does someone have any clue?
>> >>>>>>>
>> >>>>>>> 1. entity id, remark of salesforce: get this value from your
>> >>>>>>>    service provider
>> >>>>>>> 2. ACS URL, remark of salesforce: The assertion consumer service. Get
>> >>>>>>>    this value from your service provider.
>> >>>>>>>
>> >>>>>>> I have tried a lot of values but every time I click the saml button
>> >>>>>>> on my app, it redirects to salesforce but I get a page with the error:
>> >>>>>>> Error: Unable to resolve request into a Service Provider
>> >>>>>>>
>> >>>>>>> Henk
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> keycloak-user mailing list
>> >>>>>>> keycloak-user(a)lists.jboss.org
>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>>>
>> >>>>>>
>> >>>>>> --
>> >>>>>> Bill Burke
>> >>>>>> JBoss, a division of Red Hat
>> >>>>>> http://bill.burkecentral.com
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>>
>>
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
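
Added example, not part of the original thread and not Keycloak's own code: the "No assertion from response" error discussed above can be confirmed from a captured `SAMLResponse` form value by decoding it and counting the assertion elements. The helper names (`inspect_saml_response`, `build_sample`) are hypothetical, and the sample messages are constructed, not Salesforce output.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response: str) -> dict:
    """Summarise a POST-binding SAMLResponse value for troubleshooting."""
    xml_bytes = base64.b64decode(b64_response)
    # A SAML message never needs a DTD; refuse one before parsing untrusted XML.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "assertions": len(plain),
        "encrypted_assertions": len(encrypted),
        "name_id": name_id.text if name_id is not None else None,
        # No assertion of either kind means no identity data was sent.
        "has_identity_data": bool(plain or encrypted),
    }

def build_sample(status: str, body: str = "") -> str:
    """Build a constructed, base64-encoded Response (not real IdP output)."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" '
           'ID="_constructed1" Version="2.0"><samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:%s"/></samlp:Status>'
           '%s</samlp:Response>') % (NS["samlp"], NS["saml"], status, body)
    return base64.b64encode(xml.encode()).decode()

EMPTY = build_sample("Responder")
WITH_ASSERTION = build_sample(
    "Success",
    '<saml:Assertion ID="_constructed2" Version="2.0"><saml:Subject>'
    '<saml:NameID>user@example.com</saml:NameID></saml:Subject>'
    '</saml:Assertion>')

if __name__ == "__main__":
    for label, msg in (("no assertion", EMPTY), ("assertion", WITH_ASSERTION)):
        print(label, inspect_saml_response(msg))
```

The helper only reports structure and does not verify signatures, so its output is for troubleshooting, not for trusting the identity in the message.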