You can map the SAML/OIDC assertion/token that is sent to your
applications however you want.
On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
> Bill - That would be an issue for us as we cannot manipulate the values
> (especially username) sent by an external IDP which is the authoritative
> source of user information. We will have to figure out another way,
> perhaps, an internal KC user attribute that can be made unique to
> prevent name clashes.
>
> Thanks,
> Raghu
> ------------------------------------------------------------------------
> *From:* Bill Burke <bburke(a)redhat.com>
> *To:* Henk Laracker <Henk.Laracker(a)planonsoftware.com>;
> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> *Sent:* Thursday, April 30, 2015 7:26 PM
> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>
> Right now, the username is prefixed with the broker name. This is to
> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
> social providers).
>
> On 4/30/2015 2:51 PM, Henk Laracker wrote:
> > Hi Bill,
> >
> > Thank you, this worked out! A user is created with my name
> > saml.henk.laracker@p***n.nl, do you have any idea why the "saml" prefix
> > is added?
> >
> >
> > Henk
> >
> > On 30/04/15 18:44, "Bill Burke" <bburke(a)redhat.com> wrote:
> >
> >> Ok, I was able to get this to work. The problem was I had to set a
> >> "profile" for the connected app on Salesforce. I added a "System
> >> Administrator" profile to the Connected App and it worked.
> >>
> >> I'm not sure how to upload an app certificate yet. Not sure what format
> >> Salesforce is looking for.
> >>
> >> On 4/30/2015 11:39 AM, Bill Burke wrote:
> >>> I set up a salesforce example and looked at the login response SAML
> >>> document. Looks like no assertion data is being sent back at all by
> >>> salesforce.
> >>>
> >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
> >>>> I have no idea. Basically this error is stating that the login
> >>>> response SAML document has no assertions within it. If there are no
> >>>> assertions, then there has been no identity data sent.
> >>>>
> >>>> I'm looking now, but can you send me a link on how to set up
> >>>> Salesforce as an IDP? Is one able to set up a free account and such?
> >>>>
> >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
> >>>>> Hi Bill,
> >>>>>
> >>>>> I don't know why I missed that, thanks! Salesforce responds now with
> >>>>> the correct login page. After logging in in Salesforce, I'm
> >>>>> redirected to keycloak again with an internal error:
> >>>>>
> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
> >>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
> >>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
> >>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
> >>>>> at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
> >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
> >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
> >>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
> >>>>> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> >>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>> ... 39 more
> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
> >>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
> >>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
> >>>>> ... 54 more
> >>>>>
> >>>>> Any idea?
> >>>>>
> >>>>> Henk
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 30/04/15 14:31, "Bill Burke" <bburke(a)redhat.com> wrote:
> >>>>>
> >>>>>> You want to chain keycloak server to Salesforce?
> >>>>>>
> >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
> >>>>>> Salesforce, you'll see after you create it, an Export button. Click
> >>>>>> that. That will create an entity descriptor with all the
> >>>>>> information you need.
> >>>>>>
> >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I like to use Salesforce as Identity Provider, the metadata
> >>>>>>> provided by Salesforce can be imported.
> >>>>>>> But I need to specify the Service Provider in Salesforce, I have to
> >>>>>>> fill in a couple of fields, but two of them I don't understand (and
> >>>>>>> are mandatory). Does someone have any clue?
> >>>>>>>
> >>>>>>> 1. entity id, remark of Salesforce: get this value from your
> >>>>>>> service provider
> >>>>>>> 2. ACS URL, remark of Salesforce: The assertion consumer
> >>>>>>> service. Get this value from your service provider.
> >>>>>>>
> >>>>>>> I have tried a lot of values but every time I click the saml button
> >>>>>>> on my app, it redirects to Salesforce but I get a page with the
> >>>>>>> error:
> >>>>>>> Error: Unable to resolve request into a Service Provider
> >>>>>>>
> >>>>>>> Henk
> >>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> keycloak-user mailing list
> >>>>>>> keycloak-user(a)lists.jboss.org
> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
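An added example, not code from the thread or from Keycloak: a small Python checker that parses a SAML 2.0 Response the way a broker endpoint would and separates the "No assertion from response" case discussed above from an IdP-side error or a Response addressed to the wrong ACS URL. The sample responses, the ACS URL and the issuer are constructed values.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def inspect_response(xml_text, expected_acs=None):
    """Summarise a samlp:Response: status, assertion count, Destination check."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response: " + root.tag)
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    # Identity data may arrive as a plain or an encrypted assertion.
    count = len(root.findall(SAML + "Assertion")) + len(root.findall(SAML + "EncryptedAssertion"))
    return {
        "issuer": root.findtext(SAML + "Issuer"),
        "status_ok": code is not None and code.get("Value") == SUCCESS,
        "assertions": count,
        # An SP should check Destination against its own ACS URL (the value Salesforce asks for).
        "destination_ok": expected_acs is None or root.get("Destination") == expected_acs,
    }

def diagnose(xml_text, expected_acs=None):
    """Map the summary to the failure a broker would report."""
    info = inspect_response(xml_text, expected_acs)
    if not info["status_ok"]:
        return "idp-error"      # the IdP itself refused the login
    if not info["destination_ok"]:
        return "wrong-acs"      # response addressed to a different SP
    if info["assertions"] == 0:
        return "no-assertion"   # the case Keycloak reported in the thread
    return "ok"

# Constructed sample: Success status but an empty body, the shape seen from
# Salesforce before a profile was assigned to the Connected App.
ACS = "https://kc.example.test/auth/realms/demo/broker/saml/endpoint"
EMPTY_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2015-04-30T13:25:00Z" Destination="' + ACS + '">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="' + SUCCESS + '"/></samlp:Status>'
    "</samlp:Response>"
)
# The same response with a minimal assertion inserted (also constructed).
GOOD_RESPONSE = EMPTY_RESPONSE.replace(
    "</samlp:Response>",
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-04-30T13:25:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject>"
    "<saml:NameID>henk</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>",
)
```

Feeding a Response captured from the IdP (for example via the browser's network tab, base64-decoded) to diagnose() tells you whether the IdP withheld identity data or the SP side is misconfigured.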