[keycloak-user] IDP SAMLV2.0 with Salesforce

Bill Burke bburke at redhat.com
Thu Apr 30 19:26:35 EDT 2015


Right now, the username is prefixed with the broker name.  This is to
avoid name clashes if you are brokering multiple IDPs (i.e. multiple
social providers).

On 4/30/2015 2:51 PM, Henk Laracker wrote:
> Hi Bill,
> 
> Thank you, this worked out! A user is created with my name
> saml.henk.laracker at p***n.nl , do you have any idea why the “saml” prefix
> is added?
> 
> 
> Henk
> 
> On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com> wrote:
> 
>> Ok, I was able to get this to work.  The problem was I had to set a
>> "profile" for the connected app on Salesforce.  I added a "System
>> Administrator" profile to the Connected App and it worked.
>>
>> I'm not sure how to upload an app certificate yet.  Not sure what format
>> Salesforce is looking for.
>>
>> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>> I set up a salesforce example and looked at the login response SAML
>>> document.  Looks like no assertion data is being sent back at all by
>>> salesforce.
>>>
>>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>> I have no idea.  Basically this error is stating that the login
>>>> response saml document has no assertions within it.  If there are no
>>>> assertions, then there has been no identity data sent.
>>>>
>>>> I'm looking now, but can you send me a link on how to set up Salesforce
>>>> as an IDP?  Is one able to set up a free account and such?
>>>>
>>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>> Hi Bill,
>>>>>
>>>>> I don't know why I missed that, thanks! Salesforce responds now with
>>>>> the correct login page. After logging in in Salesforce, I'm redirected
>>>>> to keycloak again with an internal error:
>>>>>
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>>>> 	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
>>>>> 	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
>>>>> 	at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
>>>>> 	at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>>>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>>>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>>>>> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>>>>> 	at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>>>> 	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> 	... 39 more
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
>>>>> 	at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>>>>> 	at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>>>>> 	... 54 more
>>>>>
>>>>> Any idea?
>>>>>
>>>>> Henk
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>
>>>>>> You want to chain keycloak server to Salesforce?
>>>>>>
>>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>>> Salesforce, you'll see after you create it, an Export button.  Click
>>>>>> that.  That will create an entity descriptor with all the information
>>>>>> you need.
>>>>>>
>>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'd like to use Salesforce as Identity Provider; the metadata
>>>>>>> provided by Salesforce can be imported.
>>>>>>> But I need to specify the Service Provider in Salesforce. I have to
>>>>>>> fill in a couple of fields, but two of them I don't understand (and
>>>>>>> they are mandatory). Does someone have any clue?
>>>>>>>
>>>>>>>      1. entity id, remark of Salesforce: get this value from your
>>>>>>>         service provider
>>>>>>>      2. ACS URL, remark of Salesforce: The assertion consumer
>>>>>>>         service. Get this value from your service provider.
>>>>>>>
>>>>>>> I have tried a lot of values but every time I click the saml button
>>>>>>> on my app, it redirects to Salesforce but I get a page with the error:
>>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>>
>>>>>>> Henk
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>
>>>>
>>>
>>
> 

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
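Two things in this thread lend themselves to a small diagnostic: the two values Salesforce asks for when registering the service provider (entity id and ACS URL, both of which live in the entity descriptor that the Export button produces) and the "No assertion from response" error, which, as Bill explains, means the login response carried no assertion. The script below is an added example, not code from Keycloak or from anyone in the thread. It reads an SP EntityDescriptor and pulls out the entityID and AssertionConsumerService locations, and it inspects a SAML Response for its status code and for the presence of Assertion or EncryptedAssertion elements. The sample metadata and responses are constructed; the realm name, host and broker alias in them are assumptions for illustration, not values from the thread.

```python
"""Diagnostics for registering a Keycloak SAML broker as an SP and for checking
why a login response is rejected.  Added example; the XML samples below are
constructed and the URLs in them are assumed, not taken from the thread."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SP entity descriptor of the shape an SP export produces.
# Host, realm ("demo") and broker alias ("saml") are assumptions.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8080/auth/realms/demo">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/auth/realms/demo/broker/saml/endpoint"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed login response with a Success status but no assertion at all:
# the situation that produced the "No assertion from response" error above.
RESPONSE_NO_ASSERTION = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2015-04-30T13:25:00Z"
    Destination="http://localhost:8080/auth/realms/demo/broker/saml/endpoint">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed login response that does carry one (unsigned, for brevity) assertion.
RESPONSE_WITH_ASSERTION = RESPONSE_NO_ASSERTION.replace(
    "</samlp:Response>",
    """  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-04-30T13:25:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject><saml:NameID>henk.laracker@example.invalid</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""")


def sp_registration_values(metadata_xml):
    """Return (entityID, [(binding, location), ...]) from an SP EntityDescriptor.

    These are exactly the two values the IdP-side registration form asks for:
    the entity id and the assertion consumer service (ACS) URL."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    acs = [(n.get("Binding"), n.get("Location"))
           for n in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    if entity_id is None or not acs:
        raise ValueError("descriptor lacks entityID or AssertionConsumerService")
    return entity_id, acs


def inspect_login_response(response_xml):
    """Summarise what an SP would see in a samlp:Response.

    'has_assertion' is False when neither a plain nor an encrypted assertion is
    present, which is the condition behind "No assertion from response"."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    plain = len(root.findall("saml:Assertion", NS))
    encrypted = len(root.findall("saml:EncryptedAssertion", NS))
    return {
        "status": status,
        "success": status == STATUS_SUCCESS,
        "assertions": plain,
        "encrypted_assertions": encrypted,
        "has_assertion": (plain + encrypted) > 0,
        "destination": root.get("Destination"),
    }


if __name__ == "__main__":
    entity_id, acs = sp_registration_values(SAMPLE_SP_METADATA)
    print("Entity ID:", entity_id)
    for binding, location in acs:
        print("ACS URL:", location, "(%s)" % binding.rsplit(":", 1)[-1])
    for label, xml in (("empty", RESPONSE_NO_ASSERTION), ("ok", RESPONSE_WITH_ASSERTION)):
        print(label, inspect_login_response(xml))
```

A response that reports Success but has no assertion (the "empty" case) is what the broker rejects in the stack trace above; the IdP side (here, the connected app profile) decides whether assertion data is released, so the fix is on that side, not in the SP. For XML received from a remote party use a hardened parser such as defusedxml rather than xml.etree directly, and note that this inspection deliberately stops short of signature validation, which the SP must still perform before trusting any assertion.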
