[keycloak-dev] Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page

Rashmi Singh singhrasster at gmail.com
Wed Aug 24 12:33:32 EDT 2016


Here is what my SP metadata looks like:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
    <SPSSODescriptor AuthnRequestsSigned="true"
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <SingleLogoutService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
        <AssertionConsumerService
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"
                index="1" isDefault="true" />
        <KeyDescriptor use="signing">
            <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:X509Data>
                    <dsig:X509Certificate>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87cZ4AIViuSVkUfQRG7BeMfKTMngyGdAOIsnSFwp1ONmRqaIarWTfr2w0SNF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EBxPdcPxeMK70EJqku7GMEPOxkexTr2O0yD/2lZM0il+AUuOboZDl0SyfjU0N7YIKNKZq5hcoUP/
sCpcReMNj0dAWeVYmADrV7LlOVvndgHKcLrUydS/9obQHen
                    </dsig:X509Certificate>
                </dsig:X509Data>
            </dsig:KeyInfo>
        </KeyDescriptor>
    </SPSSODescriptor>
</EntityDescriptor>

On Wed, Aug 24, 2016 at 11:30 AM, John Dennis <jdennis at redhat.com> wrote:

> On 08/23/2016 06:04 PM, Rashmi Singh wrote:
>
>> Looking more closely into this, it seems like Salesforce does not
>> support SAML logout.
>>
>> In Salesforce, where I did the configuration for "SAML Single Sign-On
>> Settings", there is the following field:
>>
>> Identity Provider Logout URL:
>> I had specified this as:
>>  http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>
>> But, since Salesforce does not seem to support SAML logout, is it
>> possible to specify some keycloak URL in this field that would logout
>> the user? It seems like the URL I specify in this field gets invoked but
>> then Salesforce is not really sending a SAML logout request and I just
>> get an error as indicated earlier. So, I was thinking if there is some
>> keycloak URL that we can specify in this field that would logout the user?
>>
>> If there is no such URL support, is there an alternative to solve this
>> issue since Salesforce does not seem to handle the single logout?
>>
>
> Why do you draw the conclusion Salesforce does not support logout? That
> does not seem to be indicated from this document:
>
> http://resources.docs.salesforce.com/202/18/en-us/sfdc/pdf/salesforce_single_sign_on.pdf
>
> What is the SP metadata you used?
>
>
> --
> John
>
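The SP metadata in this message advertises a SingleLogoutService with the HTTP-POST binding, and the question in the thread is whether a SAML LogoutRequest ever reaches the Keycloak endpoint. The script below is an added example, not code from Keycloak, Salesforce, or anyone on this thread. It parses an SP EntityDescriptor shaped like the one posted (the sample is constructed here with the certificate left out), reports what it says about SLO, builds the unsigned samlp:LogoutRequest that the realm's /protocol/saml endpoint would expect for the HTTP-POST binding, and shows the Destination check a receiving endpoint should perform before acting on one. The Keycloak endpoint URL is taken from the thread on the assumption that it also receives SLO messages; the NameID and SessionIndex values are invented for the illustration, and signing is left out.

```python
"""Inspect SAML SP metadata and build/check a samlp:LogoutRequest (added example,
not Keycloak or Salesforce code)."""
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Assumption: the realm's /protocol/saml URL from the thread also receives SLO messages.
KEYCLOAK_SAML_ENDPOINT = "http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml"

# Constructed sample shaped like the posted Salesforce SP metadata, certificate left out.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rashmi789-dev-ed.my.salesforce.com?so=00D410000005L14" index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the parts of an SP EntityDescriptor that matter for SSO/SLO wiring."""
    # ElementTree is fine for metadata you generated; for third-party metadata use defusedxml.
    root = ET.fromstring(xml_text)
    sp = root.find("{%s}SPSSODescriptor" % MD)
    if root.tag != "{%s}EntityDescriptor" % MD or sp is None:
        raise ValueError("not SP metadata: %s" % root.tag)

    def endpoints(name):
        return [(e.get("Binding"), e.get("Location")) for e in sp.findall("{%s}%s" % (MD, name))]

    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "name_id_formats": [n.text.strip() for n in sp.findall("{%s}NameIDFormat" % MD)],
        "slo": endpoints("SingleLogoutService"),
        "acs": endpoints("AssertionConsumerService"),
    }


def slo_findings(info):
    """Conditions that commonly break Single Logout, as human-readable findings."""
    out = []
    if not info["slo"]:
        out.append("SP advertises no SingleLogoutService: IdP-initiated logout cannot reach it")
    elif all(b == HTTP_POST for b, _ in info["slo"]):
        out.append("SLO is HTTP-POST only: LogoutRequest/LogoutResponse must be delivered "
                   "by an auto-submitted form, not a plain redirect")
    for binding, location in info["slo"] + info["acs"]:
        if not location.startswith("https://"):
            out.append("%s endpoint is not https: %s" % (binding, location))
    return out


def build_logout_request(issuer, destination, name_id, name_id_format, session_index=None):
    """Build an unsigned samlp:LogoutRequest; signing it is the caller's job."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}LogoutRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID is an NCName and must not start with a digit
        "Version": "2.0", "IssueInstant": now, "Destination": destination})
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    ET.SubElement(req, "{%s}NameID" % SAML, {"Format": name_id_format}).text = name_id
    if session_index:
        ET.SubElement(req, "{%s}SessionIndex" % SAMLP).text = session_index
    return ET.tostring(req, encoding="unicode")


def parse_logout_request(xml_text, expected_destination):
    """Receiver side: accept only a LogoutRequest addressed to this endpoint.
    Signature verification, which must also happen, is out of scope here."""
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("expected samlp:LogoutRequest, got %s" % req.tag)
    if req.get("Destination") != expected_destination:
        raise ValueError("Destination %r is not this endpoint" % req.get("Destination"))
    name_id = req.find("{%s}NameID" % SAML)
    session = req.find("{%s}SessionIndex" % SAMLP)
    return {"id": req.get("ID"), "issuer": req.findtext("{%s}Issuer" % SAML),
            "name_id": None if name_id is None else name_id.text,
            "session_index": None if session is None else session.text}


# HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML, no DEFLATE.
def encode_post_binding(xml_text):
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(field):
    return base64.b64decode(field).decode("utf-8")


if __name__ == "__main__":
    info = parse_sp_metadata(SP_METADATA)
    print(info["entity_id"], "SLO endpoints:", info["slo"], slo_findings(info))
    req = build_logout_request(info["entity_id"], KEYCLOAK_SAML_ENDPOINT,
                               "user@example.com", info["name_id_formats"][0], "sess-1")
    print(parse_logout_request(decode_post_binding(encode_post_binding(req)), KEYCLOAK_SAML_ENDPOINT))
```

Run against the posted metadata, the only finding is that SLO is declared with the HTTP-POST binding alone, which tells you how a LogoutRequest must be delivered but not whether the SP will ever initiate one; a bare browser redirect to the IdP's SAML endpoint carries no SAMLRequest at all, which is what the "error as indicated earlier" in the thread suggests. The Destination check in parse_logout_request is the minimum a receiving endpoint should do before processing a logout message, alongside verifying the signature.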