You can map the SAML/OIDC assertion/token that is sent to your
applications however you want.
On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
Bill - That would be an issue for us as we cannot manipulate the
values
(especially username) sent by an external IDP which is the authoritative
source of user information. We will have to figure out another way,
perhaps, an internal KC user attribute that can be made unique to
prevent name clashes.
Thanks,
Raghu
------------------------------------------------------------------------
*From:* Bill Burke <bburke(a)redhat.com>
*To:* Henk Laracker <Henk.Laracker(a)planonsoftware.com>;
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
*Sent:* Thursday, April 30, 2015 7:26 PM
*Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
Right now, the username is prefixed with the broker name. THis is to
avoid name clashes if you are brokering multiple IDPS (i.e. multiple
social providers).
On 4/30/2015 2:51 PM, Henk Laracker wrote:
> Hi Bill,
>
> Thank you this worked out! I user is created with my name
> saml.henk.laracker@p <mailto:saml.henk.laracker@p>***n.nl , do you
have any idee why the “saml” prefix
> is added?
>
>
> Henk
>
> On 30/04/15 18:44, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
>
>> Ok, I was able to get this to work. The problem was I had to set a
>> "profile" for the connected app on Salesforce. I added a
"System
>> Adminstrator" profile to the Connected App and it worked.
>>
>> I'm not sure how to upload a app certificate yet. Not sure what format
>> Salesforce is looking for.
>>
>> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>> I set up a salesforce example and looked at the login response SAML
>>> document. Looks like no assertion data is being sent back at all by
>>> salesforce.
>>>
>>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>> i have no idea. Basically this error is stating that the login
>>>> response
>>>> saml document has no assertions within it. If there are no
assertions,
>>>> then there has been no identity data sent.
>>>>
>>>> I'm looking now, but can you send me a link on how to set up
Salesforce
>>>> as an IDP? Is one able to set up a free account and such?
>>>>
>>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>> Hi Bill,
>>>>>
>>>>> I don¹t know why I missed that, thanks! Salesforce respons know
with
>>>>> the
>>>>> correct login page. After logging in in Salesforce, I¹m redirected
to
>>>>> keycloak again with a internal error:
>>>>>
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
>>>>> Could not
>>>>> process response from SAML identity provider.
>>>>> at
>>>>>
>>>>>
org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>>> ndpo
>>>>> int.java:299)
>>>>> at
>>>>>
>>>>>
org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEn
>>>>> dpoi
>>>>> nt.java:343)
>>>>> at
>>>>>
>>>>>
org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java
>>>>> :169
>>>>> )
>>>>> at
>>>>>
>>>>>
org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117
>>>>> )
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> [rt.jar:1.8.0_45]
>>>>> at
>>>>>
>>>>>
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja
>>>>> va:6
>>>>> 2) [rt.jar:1.8.0_45]
>>>>> at
>>>>>
>>>>>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso
>>>>> rImp
>>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>> at java.lang.reflect.Method.invoke(Method.java:497)
[rt.jar:1.8.0_45]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.ja
>>>>> va:1
>>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMe
>>>>> thod
>>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvo
>>>>> ker.
>>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>>> ourc
>>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>>> voke
>>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>>> ourc
>>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>>> voke
>>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at
>>>>>
>>>>>
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatc
>>>>> her.
>>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> ... 39 more
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
No
>>>>> assertion from response.
>>>>> at
>>>>>
>>>>>
org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint
>>>>> .jav
>>>>> a:309)
>>>>> at
>>>>>
>>>>>
org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>>> ndpo
>>>>> int.java:264)
>>>>> ... 54 more
>>>>>
>>>>> Any idea?
>>>>>
>>>>> Henk
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 30/04/15 14:31, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
>>>>>
>>>>>> You want to chain keycloak server to Salesforce?
>>>>>>
>>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points
to
>>>>>> Salesforce, you;ll see after you create it, an Export button.
Click
>>>>>> that. That will create an entity descriptor with all the
information
>>>>>> you need.
>>>>>>
>>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I like to use Salesforce as Identity Provider, the
metadata
>>>>>>> provided by
>>>>>>> salesforce can be imported.
>>>>>>> But I need to specify the Service Provider in salesforce, I
have to
>>>>>>> fill
>>>>>>> in a couple of fields, but two of them I don¹t understand
(and are
>>>>>>> mandatory). Does someone have any clue
>>>>>>>
>>>>>>> 1. entity id , remark of salesforce : get this value
from your
>>>>>>> serviceprovider
>>>>>>> 2. ACS URL, remark of slaesforce : The assertion
consumer
>>>>>>> service. Get
>>>>>>> this value from your service provider.
>>>>>>>
>>>>>>> I have tried a lot of values but every-time I click the
saml button
>>>>>>> on
>>>>>>> my app, it redirects to salesforce but I get a page with
the
error :
>>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>>
>>>>>>> Henk
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>>
http://bill.burkecentral.com
<
http://bill.burkecentral.com/>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
http://bill.burkecentral.com <
http://bill.burkecentral.com/>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com <
http://bill.burkecentral.com/>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user