[keycloak-user] IDP SAMLV2.0 with Salesforce

Bill Burke bburke at redhat.com
Thu Apr 30 12:44:07 EDT 2015


Ok, I was able to get this to work.  The problem was I had to set a 
"profile" for the connected app on Salesforce.  I added a "System 
Adminstrator" profile to the Connected App and it worked.

I'm not sure how to upload a app certificate yet.  Not sure what format 
Salesforce is looking for.

On 4/30/2015 11:39 AM, Bill Burke wrote:
> I set up a salesforce example and looked at the login response SAML
> document.  Looks like no assertion data is being sent back at all by
> salesforce.
>
> On 4/30/2015 9:43 AM, Bill Burke wrote:
>> i have no idea.  Basically this error is stating that the login response
>> saml document has no assertions within it.  If there are no assertions,
>> then there has been no identity data sent.
>>
>> I'm looking now, but can you send me a link on how to set up Salesforce
>> as an IDP?  Is one able to set up a free account and such?
>>
>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>> Hi Bill,
>>>
>>> I don¹t know why I missed that, thanks! Salesforce respons know with the
>>> correct login page. After logging in in Salesforce, I¹m redirected to
>>> keycloak again with a internal error:
>>>
>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not
>>> process response from SAML identity provider.
>>> 	at
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpo
>>> int.java:299)
>>> 	at
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoi
>>> nt.java:343)
>>> 	at
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169
>>> )
>>> 	at
>>> org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> [rt.jar:1.8.0_45]
>>> 	at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:6
>>> 2) [rt.jar:1.8.0_45]
>>> 	at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImp
>>> l.java:43) [rt.jar:1.8.0_45]
>>> 	at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>> 	at
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:1
>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethod
>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.
>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resourc
>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoke
>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resourc
>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoke
>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.
>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> 	... 39 more
>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No
>>> assertion from response.
>>> 	at
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.jav
>>> a:309)
>>> 	at
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpo
>>> int.java:264)
>>> 	... 54 more
>>>
>>> Any idea?
>>>
>>> Henk
>>>
>>>
>>>
>>>
>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>>>
>>>> You want to chain keycloak server to Salesforce?
>>>>
>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>> Salesforce, you;ll see after you create it, an Export button.  Click
>>>> that.  That will create an entity descriptor with all the information
>>>> you need.
>>>>
>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>> Hi,
>>>>>
>>>>> I like to use Salesforce as Identity Provider, the metadata provided by
>>>>> salesforce can be imported.
>>>>> But I need to specify the Service Provider in salesforce, I have to fill
>>>>> in a couple of fields, but two of them I don¹t understand (and are
>>>>> mandatory). Does someone have any clue
>>>>>
>>>>>     1. entity id , remark of salesforce : get this value from your
>>>>>        serviceprovider
>>>>>     2. ACS URL, remark of slaesforce : The assertion consumer service. Get
>>>>>        this value from your service provider.
>>>>>
>>>>> I have tried a lot of values but every-time I click the saml button on
>>>>> my app, it redirects to salesforce but I get a page with the error :
>>>>> Error: Unable to resolve request into a Service Provider
>>>>>
>>>>> Henk
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-user mailing list