Bill - That would be an issue for us as we cannot manipulate the values (especially username) sent by an external IDP which is the authoritative source of user information. We will have to figure out another way, perhaps, an internal KC user attribute that can be made unique to prevent name clashes.

Thanks,
Raghu
 

From: Bill Burke <bburke@redhat.com>
To: Henk Laracker <Henk.Laracker@planonsoftware.com>; "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Sent: Thursday, April 30, 2015 7:26 PM
Subject: Re: [keycloak-user] IDP SAMLV2.0 with Salesforce

Right now, the username is prefixed with the broker name.  THis is to
avoid name clashes if you are brokering multiple IDPS (i.e. multiple
social providers).

On 4/30/2015 2:51 PM, Henk Laracker wrote:
> Hi Bill,
>
> Thank you this worked out! I user is created with my name
> saml.henk.laracker@p***n.nl , do you have any idee why the “saml” prefix
> is added?
>
>
> Henk
>
> On 30/04/15 18:44, "Bill Burke" <bburke@redhat.com> wrote:
>
>> Ok, I was able to get this to work.  The problem was I had to set a
>> "profile" for the connected app on Salesforce.  I added a "System
>> Adminstrator" profile to the Connected App and it worked.
>>
>> I'm not sure how to upload a app certificate yet.  Not sure what format
>> Salesforce is looking for.
>>
>> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>> I set up a salesforce example and looked at the login response SAML
>>> document.  Looks like no assertion data is being sent back at all by
>>> salesforce.
>>>
>>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>> i have no idea.  Basically this error is stating that the login
>>>> response
>>>> saml document has no assertions within it.  If there are no assertions,
>>>> then there has been no identity data sent.
>>>>
>>>> I'm looking now, but can you send me a link on how to set up Salesforce
>>>> as an IDP?  Is one able to set up a free account and such?
>>>>
>>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>> Hi Bill,
>>>>>
>>>>> I don¹t know why I missed that, thanks! Salesforce respons know with
>>>>> the
>>>>> correct login page. After logging in in Salesforce, I¹m redirected to
>>>>> keycloak again with a internal error:
>>>>>
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
>>>>> Could not
>>>>> process response from SAML identity provider.
>>>>>     at
>>>>>
>>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>>> ndpo
>>>>> int.java:299)
>>>>>     at
>>>>>
>>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEn
>>>>> dpoi
>>>>> nt.java:343)
>>>>>     at
>>>>>
>>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java
>>>>> :169
>>>>> )
>>>>>     at
>>>>>
>>>>> org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117
>>>>> )
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> [rt.jar:1.8.0_45]
>>>>>     at
>>>>>
>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja
>>>>> va:6
>>>>> 2) [rt.jar:1.8.0_45]
>>>>>     at
>>>>>
>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso
>>>>> rImp
>>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.ja
>>>>> va:1
>>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMe
>>>>> thod
>>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvo
>>>>> ker.
>>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>>> ourc
>>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>>> voke
>>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>>> ourc
>>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>>> voke
>>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     at
>>>>>
>>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatc
>>>>> her.
>>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>     ... 39 more
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No
>>>>> assertion from response.
>>>>>     at
>>>>>
>>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint
>>>>> .jav
>>>>> a:309)
>>>>>     at
>>>>>
>>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>>> ndpo
>>>>> int.java:264)
>>>>>     ... 54 more
>>>>>
>>>>> Any idea?
>>>>>
>>>>> Henk
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 30/04/15 14:31, "Bill Burke" <bburke@redhat.com> wrote:
>>>>>
>>>>>> You want to chain keycloak server to Salesforce?
>>>>>>
>>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>>> Salesforce, you;ll see after you create it, an Export button.  Click
>>>>>> that.  That will create an entity descriptor with all the information
>>>>>> you need.
>>>>>>
>>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>>>>> provided by
>>>>>>> salesforce can be imported.
>>>>>>> But I need to specify the Service Provider in salesforce, I have to
>>>>>>> fill
>>>>>>> in a couple of fields, but two of them I don¹t understand (and are
>>>>>>> mandatory). Does someone have any clue
>>>>>>>
>>>>>>>      1. entity id , remark of salesforce : get this value from your
>>>>>>>        serviceprovider
>>>>>>>      2. ACS URL, remark of slaesforce : The assertion consumer
>>>>>>> service. Get
>>>>>>>        this value from your service provider.
>>>>>>>
>>>>>>> I have tried a lot of values but every-time I click the saml button
>>>>>>> on
>>>>>>> my app, it redirects to salesforce but I get a page with the error :
>>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>>
>>>>>>> Henk
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user@lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com



>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user@lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user