[keycloak-user] IDP SAMLV2.0 with Salesforce

Henk Laracker Henk.Laracker at planonsoftware.com
Mon Jun 1 17:09:06 EDT 2015


Hi Bill,

I use the tomcat wrapper, with a saml 2.0 Identity provider configured in
keycloak. I added the "principal-attribute": “preferred_username” to the
json file. I’m just a starter in SAML, Mappers etc, is there no other way
to get the original email adres? Because I have no influence on the unique
identifier in the application, and this value is shown in the gui, which
doesn’t look nice with the prefix.

If there is no possibility, can you tell me what to patch to 1.2, to make
my own build.  

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
cordialement,

Henk Laracker


On 01/06/15 21:31, "Bill Burke" <bburke at redhat.com> wrote:

>Its in master, will be in next release.
>
>On 6/1/2015 3:06 PM, Henk Laracker wrote:
>> Hi Bill,
>>
>> Can you please help me out how I have to make a mapping so that I can
>> remove the prefix.
>>
>> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen /
>>Très
>> cordialement,
>>
>> Henk Laracker
>>
>>
>>
>>
>> On 01/05/15 14:52, "Bill Burke" <bburke at redhat.com> wrote:
>>
>>> I'll add a username mapper.
>>>
>>> On 5/1/2015 8:48 AM, Bill Burke wrote:
>>>> You can map the SAML/OIDC assertion/token that is sent to your
>>>> applications however you want.
>>>>
>>>> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>>>>> Bill - That would be an issue for us as we cannot manipulate the
>>>>>values
>>>>> (especially username) sent by an external IDP which is the
>>>>> authoritative
>>>>> source of user information. We will have to figure out another way,
>>>>> perhaps, an internal KC user attribute that can be made unique to
>>>>> prevent name clashes.
>>>>>
>>>>> Thanks,
>>>>> Raghu
>>>>>
>>>>> 
>>>>>----------------------------------------------------------------------
>>>>>--
>>>>> *From:* Bill Burke <bburke at redhat.com>
>>>>> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
>>>>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>>>> *Sent:* Thursday, April 30, 2015 7:26 PM
>>>>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>>>>
>>>>> Right now, the username is prefixed with the broker name.  THis is to
>>>>> avoid name clashes if you are brokering multiple IDPS (i.e. multiple
>>>>> social providers).
>>>>>
>>>>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>>>>    > Hi Bill,
>>>>>    >
>>>>>    > Thank you this worked out! I user is created with my name
>>>>>    > saml.henk.laracker at p <mailto:saml.henk.laracker at p>***n.nl , do
>>>>>you
>>>>> have any idee why the “saml” prefix
>>>>>    > is added?
>>>>>    >
>>>>>    >
>>>>>    > Henk
>>>>>    >
>>>>>    > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com
>>>>> <mailto:bburke at redhat.com>> wrote:
>>>>>    >
>>>>>    >> Ok, I was able to get this to work.  The problem was I had to
>>>>>set
>>>>> a
>>>>>    >> "profile" for the connected app on Salesforce.  I added a
>>>>>"System
>>>>>    >> Adminstrator" profile to the Connected App and it worked.
>>>>>    >>
>>>>>    >> I'm not sure how to upload a app certificate yet.  Not sure
>>>>>what
>>>>> format
>>>>>    >> Salesforce is looking for.
>>>>>    >>
>>>>>    >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>>>    >>> I set up a salesforce example and looked at the login response
>>>>> SAML
>>>>>    >>> document.  Looks like no assertion data is being sent back at
>>>>> all by
>>>>>    >>> salesforce.
>>>>>    >>>
>>>>>    >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>>>    >>>> i have no idea.  Basically this error is stating that the
>>>>>login
>>>>>    >>>> response
>>>>>    >>>> saml document has no assertions within it.  If there are no
>>>>> assertions,
>>>>>    >>>> then there has been no identity data sent.
>>>>>    >>>>
>>>>>    >>>> I'm looking now, but can you send me a link on how to set up
>>>>> Salesforce
>>>>>    >>>> as an IDP?  Is one able to set up a free account and such?
>>>>>    >>>>
>>>>>    >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>>    >>>>> Hi Bill,
>>>>>    >>>>>
>>>>>    >>>>> I don¹t know why I missed that, thanks! Salesforce respons
>>>>> know with
>>>>>    >>>>> the
>>>>>    >>>>> correct login page. After logging in in Salesforce, I¹m
>>>>> redirected to
>>>>>    >>>>> keycloak again with a internal error:
>>>>>    >>>>>
>>>>>    >>>>> Caused by:
>>>>> org.keycloak.broker.provider.IdentityBrokerException:
>>>>>    >>>>> Could not
>>>>>    >>>>> process response from SAML identity provider.
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAML
>>>>>E
>>>>>    >>>>> ndpo
>>>>>    >>>>> int.java:299)
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLE
>>>>>n
>>>>>    >>>>> dpoi
>>>>>    >>>>> nt.java:343)
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.jav
>>>>>a
>>>>>    >>>>> :169
>>>>>    >>>>> )
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:11
>>>>>7
>>>>>    >>>>> )
>>>>>    >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>>>> Method)
>>>>>    >>>>> [rt.jar:1.8.0_45]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
>>>>>a
>>>>>    >>>>> va:6
>>>>>    >>>>> 2) [rt.jar:1.8.0_45]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
>>>>>o
>>>>>    >>>>> rImp
>>>>>    >>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>>    >>>>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>>>> [rt.jar:1.8.0_45]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.j
>>>>>a
>>>>>    >>>>> va:1
>>>>>    >>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceM
>>>>>e
>>>>>    >>>>> thod
>>>>>    >>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInv
>>>>>o
>>>>>    >>>>> ker.
>>>>>    >>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Re
>>>>>s
>>>>>    >>>>> ourc
>>>>>    >>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorI
>>>>>n
>>>>>    >>>>> voke
>>>>>    >>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Re
>>>>>s
>>>>>    >>>>> ourc
>>>>>    >>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorI
>>>>>n
>>>>>    >>>>> voke
>>>>>    >>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispat
>>>>>c
>>>>>    >>>>> her.
>>>>>    >>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     ... 39 more
>>>>>    >>>>> Caused by:
>>>>> org.keycloak.broker.provider.IdentityBrokerException: No
>>>>>    >>>>> assertion from response.
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoin
>>>>>t
>>>>>    >>>>> .jav
>>>>>    >>>>> a:309)
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAML
>>>>>E
>>>>>    >>>>> ndpo
>>>>>    >>>>> int.java:264)
>>>>>    >>>>>     ... 54 more
>>>>>    >>>>>
>>>>>    >>>>> Any idea?
>>>>>    >>>>>
>>>>>    >>>>> Henk
>>>>>    >>>>>
>>>>>    >>>>>
>>>>>    >>>>>
>>>>>    >>>>>
>>>>>    >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com
>>>>> <mailto:bburke at redhat.com>> wrote:
>>>>>    >>>>>
>>>>>    >>>>>> You want to chain keycloak server to Salesforce?
>>>>>    >>>>>>
>>>>>    >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that
>>>>> points to
>>>>>    >>>>>> Salesforce, you;ll see after you create it, an Export
>>>>>button.
>>>>> Click
>>>>>    >>>>>> that.  That will create an entity descriptor with all the
>>>>> information
>>>>>    >>>>>> you need.
>>>>>    >>>>>>
>>>>>    >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>    >>>>>>> Hi,
>>>>>    >>>>>>>
>>>>>    >>>>>>> I like to use Salesforce as Identity Provider, the
>>>>>metadata
>>>>>    >>>>>>> provided by
>>>>>    >>>>>>> salesforce can be imported.
>>>>>    >>>>>>> But I need to specify the Service Provider in salesforce,
>>>>>I
>>>>> have to
>>>>>    >>>>>>> fill
>>>>>    >>>>>>> in a couple of fields, but two of them I don¹t understand
>>>>> (and are
>>>>>    >>>>>>> mandatory). Does someone have any clue
>>>>>    >>>>>>>
>>>>>    >>>>>>>      1. entity id , remark of salesforce : get this value
>>>> >from your
>>>>>    >>>>>>>        serviceprovider
>>>>>    >>>>>>>      2. ACS URL, remark of slaesforce : The assertion
>>>>> consumer
>>>>>    >>>>>>> service. Get
>>>>>    >>>>>>>        this value from your service provider.
>>>>>    >>>>>>>
>>>>>    >>>>>>> I have tried a lot of values but every-time I click the
>>>>>saml
>>>>> button
>>>>>    >>>>>>> on
>>>>>    >>>>>>> my app, it redirects to salesforce but I get a page with
>>>>>the
>>>>> error :
>>>>>    >>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>    >>>>>>>
>>>>>    >>>>>>> Henk
>>>>>    >>>>>>>
>>>>>    >>>>>>>
>>>>>    >>>>>>> _______________________________________________
>>>>>    >>>>>>> keycloak-user mailing list
>>>>>    >>>>>>> keycloak-user at lists.jboss.org
>>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>>    >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>    >>>>>>>
>>>>>    >>>>>>
>>>>>    >>>>>> --
>>>>>    >>>>>> Bill Burke
>>>>>    >>>>>> JBoss, a division of Red Hat
>>>>>    >>>>>> http://bill.burkecentral.com
>>>>><http://bill.burkecentral.com/>
>>>>>
>>>>>
>>>>>
>>>>>    >>>>>> _______________________________________________
>>>>>    >>>>>> keycloak-user mailing list
>>>>>    >>>>>> keycloak-user at lists.jboss.org
>>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>>    >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>    >>>>>
>>>>>    >>>>
>>>>>    >>>
>>>>>    >>
>>>>>    >> --
>>>>>    >> Bill Burke
>>>>>    >> JBoss, a division of Red Hat
>>>>>    >> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>>    >> _______________________________________________
>>>>>    >> keycloak-user mailing list
>>>>>    >> keycloak-user at lists.jboss.org
>>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>>    >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>    >
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>-- 
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com




More information about the keycloak-user mailing list