[keycloak-user] IDP SAMLV2.0 with Salesforce

Bill Burke bburke at redhat.com
Mon Jun 1 15:31:55 EDT 2015


It's in master, will be in next release.

On 6/1/2015 3:06 PM, Henk Laracker wrote:
> Hi Bill,
>
> Can you please help me out how I have to make a mapping so that I can
> remove the prefix.
>
> Yours sincerely,
>
> Henk Laracker
>
>
>
>
> On 01/05/15 14:52, "Bill Burke" <bburke at redhat.com> wrote:
>
>> I'll add a username mapper.
>>
>> On 5/1/2015 8:48 AM, Bill Burke wrote:
>>> You can map the SAML/OIDC assertion/token that is sent to your
>>> applications however you want.
>>>
>>> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>>>> Bill - That would be an issue for us as we cannot manipulate the values
>>>> (especially username) sent by an external IDP which is the
>>>> authoritative
>>>> source of user information. We will have to figure out another way,
>>>> perhaps, an internal KC user attribute that can be made unique to
>>>> prevent name clashes.
>>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Bill Burke <bburke at redhat.com>
>>>> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
>>>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>>> *Sent:* Thursday, April 30, 2015 7:26 PM
>>>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>>>
>>>> Right now, the username is prefixed with the broker name.  This is to
>>>> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
>>>> social providers).
>>>>
>>>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>>>    > Hi Bill,
>>>>    >
>>>>    > Thank you, this worked out! A user is created with my name
>>>>    > saml.henk.laracker at p***n.nl, do you have any idea why the "saml" prefix
>>>>    > is added?
>>>>    >
>>>>    >
>>>>    > Henk
>>>>    >
>>>>    > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com> wrote:
>>>>    >
>>>>    >> Ok, I was able to get this to work.  The problem was I had to set a
>>>>    >> "profile" for the connected app on Salesforce.  I added a "System
>>>>    >> Administrator" profile to the Connected App and it worked.
>>>>    >>
>>>>    >> I'm not sure how to upload an app certificate yet.  Not sure what
>>>>    >> format Salesforce is looking for.
>>>>    >>
>>>>    >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>>    >>> I set up a salesforce example and looked at the login response SAML
>>>>    >>> document.  Looks like no assertion data is being sent back at all by
>>>>    >>> salesforce.
>>>>    >>>
>>>>    >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>>    >>>> I have no idea.  Basically this error is stating that the login
>>>>    >>>> response saml document has no assertions within it.  If there are no
>>>>    >>>> assertions, then there has been no identity data sent.
>>>>    >>>>
>>>>    >>>> I'm looking now, but can you send me a link on how to set up
>>>>    >>>> Salesforce as an IDP?  Is one able to set up a free account and such?
>>>>    >>>>
>>>>    >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>    >>>>> Hi Bill,
>>>>    >>>>>
>>>>    >>>>> I don't know why I missed that, thanks! Salesforce responds now
>>>>    >>>>> with the correct login page. After logging in in Salesforce, I'm
>>>>    >>>>> redirected to keycloak again with an internal error:
>>>>    >>>>>
>>>>    >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>>>    >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
>>>>    >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
>>>>    >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
>>>>    >>>>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
>>>>    >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>>>>    >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>>>>    >>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>>>>    >>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>>>    >>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     ... 39 more
>>>>    >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
>>>>    >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>>>>    >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>>>>    >>>>>     ... 54 more
>>>>    >>>>>
>>>>    >>>>> Any idea?
>>>>    >>>>>
>>>>    >>>>> Henk
>>>>    >>>>>
>>>>    >>>>>
>>>>    >>>>>
>>>>    >>>>>
>>>>    >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com> wrote:
>>>>    >>>>>
>>>>    >>>>>> You want to chain keycloak server to Salesforce?
>>>>    >>>>>>
>>>>    >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>    >>>>>> Salesforce, you'll see after you create it, an Export button.  Click
>>>>    >>>>>> that.  That will create an entity descriptor with all the
>>>>    >>>>>> information you need.
>>>>    >>>>>>
>>>>    >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>    >>>>>>> Hi,
>>>>    >>>>>>>
>>>>    >>>>>>> I'd like to use Salesforce as Identity Provider; the metadata
>>>>    >>>>>>> provided by salesforce can be imported.
>>>>    >>>>>>> But I need to specify the Service Provider in salesforce, I have to
>>>>    >>>>>>> fill in a couple of fields, but two of them I don't understand
>>>>    >>>>>>> (and are mandatory). Does someone have any clue?
>>>>    >>>>>>>
>>>>    >>>>>>>      1. entity id, remark of salesforce: get this value from your
>>>>    >>>>>>>         service provider
>>>>    >>>>>>>      2. ACS URL, remark of salesforce: The assertion consumer
>>>>    >>>>>>>         service. Get this value from your service provider.
>>>>    >>>>>>>
>>>>    >>>>>>> I have tried a lot of values but every time I click the saml button
>>>>    >>>>>>> on my app, it redirects to salesforce but I get a page with the
>>>>    >>>>>>> error:
>>>>    >>>>>>> Error: Unable to resolve request into a Service Provider
>>>>    >>>>>>>
>>>>    >>>>>>> Henk
>>>>    >>>>>>>
>>>>    >>>>>>>
>>>>    >>>>>>> _______________________________________________
>>>>    >>>>>>> keycloak-user mailing list
>>>>    >>>>>>> keycloak-user at lists.jboss.org
>>>>    >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>    >>>>>>>
>>>>    >>>>>>
>>>>    >>>>>> --
>>>>    >>>>>> Bill Burke
>>>>    >>>>>> JBoss, a division of Red Hat
>>>>    >>>>>> http://bill.burkecentral.com
>>>>    >>>>>
>>>>    >>>>
>>>>    >>>
>>>>    >>
>>>>    >
>>>>
>>>>
>>>>
>>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
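The "No assertion from response" failure in the thread above means the IdP returned a samlp:Response with a Status but no saml:Assertion inside it. The following is an added example (not code from Keycloak or from anyone in this thread) that parses a SAML 2.0 Response and reports its status, whether it carries a plain or encrypted assertion, and the subject NameID; the two XML documents are constructed samples, and XML signatures are deliberately not verified here, so this is a diagnostic aid, not a validator.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def inspect_response(xml_text: str) -> dict:
    """Report status, assertion presence and NameID of a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)  # needs the SP key to read
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "status": code.get("Value").rsplit(":", 1)[-1] if code is not None else None,
        "has_assertion": assertion is not None or encrypted is not None,
        "encrypted": encrypted is not None,
        "name_id": name_id.text if name_id is not None else None,
    }

def inspect_form_value(saml_response_b64: str) -> dict:
    """Same check on the base64 SAMLResponse field of a POST binding."""
    return inspect_response(base64.b64decode(saml_response_b64).decode())

# Constructed sample: Success status but no Assertion, which is the
# shape Keycloak rejects with "No assertion from response".
EMPTY_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r1" Version="2.0" IssueInstant="2015-04-30T13:25:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed sample that carries identity data for the broker to map.
FULL_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r2" Version="2.0" IssueInstant="2015-04-30T13:25:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-04-30T13:25:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>henk@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

Run `inspect_form_value()` on the SAMLResponse value captured from the browser's POST to the broker endpoint to tell a genuinely empty response (an IdP-side profile or SP registration problem, as in the thread) from one whose assertion is merely encrypted.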

