[keycloak-user] IDP Logout for SPs which don't support SAML Logout
Muein Muzamil
shmuein+keycloak-dev at gmail.com
Thu Jan 26 17:21:49 EST 2017
A quick reminder to my query.
Regards,
Muein
On Tue, Jan 24, 2017 at 4:05 PM, Muein Muzamil <
shmuein+keycloak-dev at gmail.com> wrote:
> Hi all,
>
> We are using Keycloak as an IdP to support SAML authentication for different
> SPs. Some of the SPs don't support SAML logout (such as Salesforce). They
> only support setting up a GET Logout URL provided by the Identity
> Provider.
>
> https://success.salesforce.com/ideaView?id=08730000000DjseAAC
>
> I came across this bug reported in Jira, which suggests using the OpenID
> Connect protocol to log out as a workaround:
> https://issues.jboss.org/browse/KEYCLOAK-3476
> I tried that approach but it didn't work for me.
>
> I have added https://muein2-dev-ed.my.salesforce.com as a valid URI under
> the Salesforce SP and provided
> https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
> as the logout URL in Salesforce. But when I tried to log out from
> Salesforce, it failed for me with the following exception.
>
> 2:32,165 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1)
> RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
> RESTEASY003210: Could not find resource for full path: ht
> //mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
> at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
> at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
> at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>
>
> 1. Am I missing something here?
> 2. Also, is there any plan to add a generic logout URL (as suggested in
> KEYCLOAK-3476) which can be used for such SPs?
>
> Regards,
> Muein
>
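
The following check is an added example, not part of the original message and not Keycloak project code. It assumes the Keycloak OpenID Connect logout endpoint of that era, `/realms/{realm}/protocol/openid-connect/logout` with a `redirect_uri` parameter; the function names are hypothetical and the wildcard matching is a simplified stand-in for Keycloak's valid redirect URI check. Run against the URL quoted above, it reports that the path stops at `openid-connect`, which is consistent with the RESTEASY003210 "Could not find resource" error.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

LOGOUT_SUFFIX = "/protocol/openid-connect/logout"

# Values taken from the message above.
CONFIGURED = ("https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/"
              "protocol/openid-connect"
              "?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com")
VALID_REDIRECT_URIS = ["https://muein2-dev-ed.my.salesforce.com"]


def uri_allowed(target, patterns):
    """Exact match, or prefix match when a pattern ends in '*' (simplified)."""
    for p in patterns:
        if p.endswith("*"):
            if target.startswith(p[:-1]):
                return True
        elif target == p:
            return True
    return False


def check_logout_url(url, patterns):
    """Return the problems found in a configured GET logout URL (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if not parts.path.endswith(LOGOUT_SUFFIX):
        problems.append("path does not end in " + LOGOUT_SUFFIX)
    targets = parse_qs(parts.query).get("redirect_uri", [])
    if len(targets) != 1:
        problems.append("expected exactly one redirect_uri")
    elif not uri_allowed(targets[0], patterns):
        problems.append("redirect_uri is not a valid redirect URI for the client")
    return problems


def build_logout_url(auth_base, realm, redirect_uri):
    """Build the logout URL with the redirect target percent-encoded."""
    query = urlencode({"redirect_uri": redirect_uri})
    return f"{auth_base}/realms/{realm}{LOGOUT_SUFFIX}?{query}"


if __name__ == "__main__":
    print(check_logout_url(CONFIGURED, VALID_REDIRECT_URIS))
    fixed = build_logout_url("https://mueinidp.gemalto.com:9443/auth",
                             "O4ZR9N2V6U", VALID_REDIRECT_URIS[0])
    print(fixed, check_logout_url(fixed, VALID_REDIRECT_URIS))
```

Later Keycloak releases replaced `redirect_uri` on this endpoint with `post_logout_redirect_uri` plus `id_token_hint`, so confirm the parameter names against the documentation for the deployed version.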