Hi Bill,
I use the tomcat wrapper, with a SAML 2.0 Identity Provider configured in
keycloak. I added "principal-attribute": "preferred_username" to the
json file. I'm just a starter in SAML, mappers etc. Is there no other way
to get the original email address? Because I have no influence on the unique
identifier in the application, and this value is shown in the gui, which
doesn't look nice with the prefix.
If there is no possibility, can you tell me what to patch to 1.2, to make
my own build?
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
cordialement,
Henk Laracker
On 01/06/15 21:31, "Bill Burke" <bburke(a)redhat.com> wrote:
It's in master, will be in next release.
On 6/1/2015 3:06 PM, Henk Laracker wrote:
> Hi Bill,
>
> Can you please help me out how I have to make a mapping so that I can
> remove the prefix.
>
> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
> cordialement,
>
> Henk Laracker
>
>
>
>
> On 01/05/15 14:52, "Bill Burke" <bburke(a)redhat.com> wrote:
>
>> I'll add a username mapper.
>>
>> On 5/1/2015 8:48 AM, Bill Burke wrote:
>>> You can map the SAML/OIDC assertion/token that is sent to your
>>> applications however you want.
>>>
>>> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>>>> Bill - That would be an issue for us as we cannot manipulate the values
>>>> (especially username) sent by an external IDP which is the authoritative
>>>> source of user information. We will have to figure out another way,
>>>> perhaps, an internal KC user attribute that can be made unique to
>>>> prevent name clashes.
>>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Bill Burke <bburke(a)redhat.com>
>>>> *To:* Henk Laracker <Henk.Laracker(a)planonsoftware.com>;
>>>> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
>>>> *Sent:* Thursday, April 30, 2015 7:26 PM
>>>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>>>
>>>> Right now, the username is prefixed with the broker name. This is to
>>>> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
>>>> social providers).
>>>>
>>>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>>> > Hi Bill,
>>>> >
>>>> > Thank you, this worked out! A user is created with my name
>>>> > saml.henk.laracker@p***n.nl, do you have any idea why the "saml" prefix
>>>> > is added?
>>>> >
>>>> >
>>>> > Henk
>>>> >
>>>> > On 30/04/15 18:44, "Bill Burke" <bburke(a)redhat.com> wrote:
>>>> >
>>>> >> Ok, I was able to get this to work. The problem was I had to set
>>>> >> a "profile" for the connected app on Salesforce. I added a "System
>>>> >> Administrator" profile to the Connected App and it worked.
>>>> >>
>>>> >> I'm not sure how to upload an app certificate yet. Not sure what
>>>> >> format Salesforce is looking for.
>>>> >>
>>>> >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>> >>> I set up a salesforce example and looked at the login response
>>>> >>> SAML document. Looks like no assertion data is being sent back at
>>>> >>> all by salesforce.
>>>> >>>
>>>> >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>> >>>> I have no idea. Basically this error is stating that the login
>>>> >>>> response saml document has no assertions within it. If there are no
>>>> >>>> assertions, then there has been no identity data sent.
>>>> >>>>
>>>> >>>> I'm looking now, but can you send me a link on how to set up
>>>> >>>> Salesforce as an IDP? Is one able to set up a free account and such?
>>>> >>>>
>>>> >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>> >>>>> Hi Bill,
>>>> >>>>>
>>>> >>>>> I don't know why I missed that, thanks! Salesforce responds now with
>>>> >>>>> the correct login page. After logging in in Salesforce, I'm
>>>> >>>>> redirected to keycloak again with an internal error:
>>>> >>>>>
>>>> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
>>>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
>>>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
>>>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>>>> >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>>>> >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>>>> >>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>>>> >>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>>> >>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> >>>>>     ... 39 more
>>>> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
>>>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>>>> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>>>> >>>>>     ... 54 more
>>>> >>>>>
>>>> >>>>> Any idea?
>>>> >>>>>
>>>> >>>>> Henk
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> On 30/04/15 14:31, "Bill Burke" <bburke(a)redhat.com> wrote:
>>>> >>>>>
>>>> >>>>>> You want to chain keycloak server to Salesforce?
>>>> >>>>>>
>>>> >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>> >>>>>> Salesforce, you'll see after you create it, an Export button. Click
>>>> >>>>>> that. That will create an entity descriptor with all the information
>>>> >>>>>> you need.
>>>> >>>>>>
>>>> >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>> >>>>>>> Hi,
>>>> >>>>>>>
>>>> >>>>>>> I'd like to use Salesforce as Identity Provider, the metadata
>>>> >>>>>>> provided by salesforce can be imported.
>>>> >>>>>>> But I need to specify the Service Provider in salesforce, I have to
>>>> >>>>>>> fill in a couple of fields, but two of them I don't understand (and
>>>> >>>>>>> are mandatory). Does someone have any clue?
>>>> >>>>>>>
>>>> >>>>>>> 1. entity id, remark of salesforce: get this value from your
>>>> >>>>>>> service provider
>>>> >>>>>>> 2. ACS URL, remark of salesforce: The assertion consumer service.
>>>> >>>>>>> Get this value from your service provider.
>>>> >>>>>>>
>>>> >>>>>>> I have tried a lot of values but every time I click the saml button
>>>> >>>>>>> on my app, it redirects to salesforce but I get a page with the
>>>> >>>>>>> error:
>>>> >>>>>>> Error: Unable to resolve request into a Service Provider
>>>> >>>>>>>
>>>> >>>>>>> Henk
>>>> >>>>>>>
>>>> >>>>>>> _______________________________________________
>>>> >>>>>>> keycloak-user mailing list
>>>> >>>>>>> keycloak-user(a)lists.jboss.org
>>>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >>>>>>>
>>>> >>>>>>
>>>> >>>>>> --
>>>> >>>>>> Bill Burke
>>>> >>>>>> JBoss, a division of Red Hat
>>>> >>>>>> http://bill.burkecentral.com
>>>> >>>>>
>>>> >>>>
>>>> >>>
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
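A diagnostic for the "No assertion from response" error Bill explains in the thread, added here as an example that is not part of the thread or of Keycloak's own code: it parses a samlp:Response and reports its status code, how many assertions it carries, and which NameID and attributes are present, so an operator can tell a "success with no assertion" reply from a failed status or a missing attribute. The two sample responses, the issuer, and the e-mail values are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def inspect_saml_response(xml_text):
    """Describe what a samlp:Response carries. Diagnostic only: no signature or
    audience check is done, so this explains a rejection, it does not grant trust."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response: " + root.tag)
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    status = code.get("Value") if code is not None else None
    assertions = root.findall(SAML + "Assertion")
    # An EncryptedAssertion also counts: it must be decrypted before its NameID
    # and attributes can be read, which this plain-text inspector does not do.
    encrypted = root.findall(SAML + "EncryptedAssertion")
    name_id, attrs = None, {}
    for a in assertions:
        nid = a.find(SAML + "Subject/" + SAML + "NameID")
        name_id = nid.text if nid is not None else name_id
        for attr in a.iter(SAML + "Attribute"):
            attrs[attr.get("Name")] = [v.text for v in attr.findall(SAML + "AttributeValue")]
    return {"success": status == SUCCESS, "status_code": status,
            "assertions": len(assertions) + len(encrypted),
            "name_id": name_id, "attributes": attrs}

# Constructed sample: status Success but no Assertion at all, the shape that
# makes Keycloak's getAssertion() raise "No assertion from response".
EMPTY_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r1" Version="2.0" IssueInstant="2015-04-30T13:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed sample of a response that does carry identity data.
FULL_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r2" Version="2.0" IssueInstant="2015-04-30T13:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-04-30T13:00:00Z">
    <saml:Subject><saml:NameID>henk@example.invalid</saml:NameID></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>henk@example.invalid</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Run it against the decoded SAMLResponse form field of a failing login to see whether the IdP is sending a non-success status, an empty success, or an assertion without the attribute the broker is configured to map.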