A quick reminder to my query.
Regards,
Muein
On Tue, Jan 24, 2017 at 4:05 PM, Muein Muzamil <shmuein+keycloak-dev(a)gmail.com> wrote:
Hi all,
We are using KeyCloak as IDP to support SAML authentication for different
SPs. Some of the SPs don't support SAML logout (such as Salesforce). They
only support setting up a GET Logout URL provided by the Identity
Provider.
https://success.salesforce.com/ideaView?id=08730000000DjseAAC
I came across this bug reported in Jira, which suggests using the OpenID
Connect protocol to log out as a workaround.
https://issues.jboss.org/browse/KEYCLOAK-3476
I tried that approach but it didn't work for me.
I have added
https://muein2-dev-ed.my.salesforce.com
as a valid URI under the Salesforce SP and provided
https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
as the logout URL in Salesforce. But when I tried to log out from Salesforce, it failed for me
with the following exception.

2:32,165 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
    at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
    at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
    at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)

1. Am I missing something here?
2. Also, is there any plan to add a generic logout URL (as suggested in KEYCLOAK-3476) which can be used for such SPs?
Regards,
Muein