crimson_sails
Reputation: 203
KeyCloak as IDP to Salesforce SP - SP initiated SSO not working
I am new to KeyCloak, and am trying to configure it as a SAML IDP to a SalesForce client. IDP initiated SSO flow works fine. I am directed to the Salesforce home page correctly post-authentication. However, SP initiated SSO gives me a JSON output instead of the Keycloak login page.
This is the URL that SalesForce is redirecting to (masked IP): http://10.99.xxx.xxx:8080/auth/realms/test?SAMLRequest=... SAML tracer indicates a valid SAML authentication request.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://f-corpcont--dev.my.salesforce.com?so=00D3K000000lOS"
Destination="http://10.99.xxx.xxx:8080/auth/realms/test"
ID="_2CAAAAXJxZQlkME8wswMDAwMDAwMDA2AAAA3kJle3T1o4lEOE9QztKYIVXwLjlHOcfEaw-7mLWvYqmEiPv5SS32lT0WcQIbjXTP-qO779xPjACwqlhiGs9ZM8ZmltHZd6stzimY1Br3b1_5PqBgWxExV7R1FAAxZ914_3s8rViWWGxmKKGFN94OG2WBh3SMPF3WwGagDIZLRKtSpcGIDCGkuYERb_DR0LgOflx-C0kF7XqKdtU8OTTbk0HpoCKQ8oRh58Mai1eFlqgKf50rdGsFQmCQa-Sg0-JyZg"
IssueInstant="2020-05-04T19:39:22.807Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://f-corpcont--dev.my.salesforce.com</saml:Issuer>
</samlp:AuthnRequest>
The JSON output I see in my browser is:
{
"realm": "test",
"public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqHobhU5mQ2itvVfkDWm64sLgT9dfoCNm137ul+A7YRNSXk5g0JEGxoZLVdicRQUx0mr4z6BEM+LN/mztSsigG0aQIqUY8y1un33kBk5gE6W3jaFDX6Rsap/lcXIoO7Jl/pzjAxf3R8RyMMhFQ4Hi1rHl2wSXMWfeNLaoLrzy+LEG1KNZpfhbfG1HUa5fEYpI0sSWEEgcP3faEy2JWOJrfJrcS1tezDD+7x4u+fTUJt0M8vsIjMDAX9UUu+JXnG901a15drj9UjYJyiMJTFQt3Rdrxv96XZa93fKyB36an5GDZWPiwEehtjAJ4mQ0oo0v/TmevoJwZd7YTvClQIDAQAB",
"token-service": "http://10.99.xxx.xxx:8080/auth/realms/test/protocol/openid-connect",
"account-service": "http://10.99.xxx.xxx:8080/auth/realms/test/account",
"tokens-not-before": 0
}
Any pointers would be appreciated
Upvotes: 1
Views: 3384
Answers (1)
Jan Garaj
Reputation: 28646
You have used wrong URL for SAML request. Wrong:
http://10.99.xxx.xxx:8080/auth/realms/test?SAMLRequest=
Correct:
http://10.99.xxx.xxx:8080/auth/realms/test/protocol/saml?SAMLRequest=
Upvotes: 2
Related Questions
- Keycloak as a Service Provider - setting up a signing certificate
- Keycloak: Invalid SAML Response by External IdP
- Connecting keycloak with Active Directory with SAML IDP sends empty response
- Keycloak integration with an IDP and SSO
- Keycloak SAML IdP gives invalidFederatedIdentityActionMessage after login
- idp initiated sso using keycloak
- SAML 2.0 IDP with OIDC client, can I have IDP initiated SSO?
- Keycloak "Unexpected error when handling authentication request to identity provider"
- SSO with keycloak
- IDP Initiated SSO not working in spring security SAML sample app