Mr Saml

Anyone actually got SAML SSO working?

I haven't had much luck getting SSO to work with my SAML assertion. Has anyone got this to work? If so, what does your saml response look like?  I signed my assertion and I believe everything is correct, yet the login history gives me "Failed: Assertion Invalid"

Any ideas?

Thank you.
Best Answer chosen by Admin (Salesforce Developers) 
jonglee

You need to have an Issuer element under Response, just like the one you have under Assertion.

Jong

Salesforce.com

All Answers

jonglee
What does your SAML look like?  I can take a look...


Mr Saml
Thanks.  Any hints are appreciated.

<samlp:Response Recipient="https://login.salesforce.com" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" ResponseID="_a1c2e1b980d4d92b4847c2199bdd40ea" IssueInstant="2008-11-06T19:20:02.781+09:00">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_894ab4a0628ec3e0dc930eb632254b21" IssueInstant="2008-11-06T19:20:02.406+09:00" Issuer="https://mrsaml.com" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2008-11-05T19:20:02.406+09:00" NotOnOrAfter="2008-11-07T19:20:02.406+09:00"/>
<saml:AuthenticationStatement AuthenticationInstant="2008-11-06T19:20:02.406+09:00" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>mr@mrsaml.com</saml:NameIdentifier>
</saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>1gkUq3rO8z4+5vG6UpBHeG2Y0KQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Q7C/MysMrqzueix2FcnzC4QJYj0pqwPdSatJ8p1xkeIuY+Bi7WIqlCzMq4BM0vq9AHueNXvzAX4w
Cp1K7PDZZqs7akiI84A2uWne2saQlTruvS0FO2ogBndY7LagBAscLAyGEOkG2hQgSgswAmJjydX9
kuxJvpcDSlma2OMCo5Y=
</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
Mr Saml
Formatting:

Code:
<samlp:Response Recipient="https://login.salesforce.com"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    MajorVersion="1" MinorVersion="1"
    ResponseID="_a1c2e1b980d4d92b4847c2199bdd40ea"
    IssueInstant="2008-11-06T19:20:02.781+09:00">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      AssertionID="_894ab4a0628ec3e0dc930eb632254b21"
      IssueInstant="2008-11-06T19:20:02.406+09:00"
      Issuer="https://mrsaml.com"
      MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2008-11-05T19:20:02.406+09:00"
        NotOnOrAfter="2008-11-07T19:20:02.406+09:00"/>
    <saml:AuthenticationStatement
        AuthenticationInstant="2008-11-06T19:20:02.406+09:00"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier>mr@mrsaml.com</saml:NameIdentifier>
      </saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:AuthenticationStatement>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>1gkUq3rO8z4+5vG6UpBHeG2Y0KQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        Q7C/MysMrqzueix2FcnzC4QJYj0pqwPdSatJ8p1xkeIuY+Bi7WIqlCzMq4BM0vq9AHueNXvzAX4w
        Cp1K7PDZZqs7akiI84A2uWne2saQlTruvS0FO2ogBndY7LagBAscLAyGEOkG2hQgSgswAmJjydX9
        kuxJvpcDSlma2OMCo5Y=
      </ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>


jonglee
According to the Browser-Post profile spec, the SAMLResponse element must be signed; you are only signing the Assertion, which is optional, but not signing the entire SAMLResponse element. Look at the login history: are you getting a Signature Invalid error? If not, there might be other things that went wrong.

thanks
Jong
jonglee
Looking closer at your SAML, it looks like you are using .NET. I am seeing another problem.

core spec:

"
5.4.4 Transforms
Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature
transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the exclusive
canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or
http://www.w3.org/2001/10/xml-exc-c14n#WithComments).
"

The c14n method you are using is:

            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

jonglee
Oops, wrong post. Please ignore my last message. Yeah, please sign the SAMLResponse.

thanks
Jong
jonglee
For the record, the requirement for the Canonicalization Method is

5.4.3 Canonicalization Method
SAML implementations SHOULD use Exclusive Canonicalization [Excl-C14N], with or without comments,
both in the <ds:CanonicalizationMethod> element of <ds:SignedInfo>, and as a
<ds:Transform> algorithm. Use of Exclusive Canonicalization ensures that signatures created over
SAML messages embedded in an XML context can be verified independent of that context.

I haven't validated if it actually works to use

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

But it should be using

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>


Mr Saml
I appreciate your help.  I tried with and without signing the assertion, and I also updated the Canonicalization Method to xml-exc-c14n# with no luck.

The "Login History" for the user shows a failed login attempt, with an error of: "Failed: Assertion Invalid." According to the Salesforce documentation:

Assertion Invalid
An assertion is not valid. For example, the <Subject> element of an assertion might be missing.


Here is my SAML response without a signed Assertion.
Code:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2008-11-11T15:41:35.828+09:00" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com" ResponseID="_0bc35086b20ed4fba5289e98687e0c76">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_381723d188cef3de7920f18bc0dec8f6" IssueInstant="2008-11-11T15:41:36.062+09:00" Issuer="https://mrsaml.com" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2008-11-10T15:41:36.062+09:00" NotOnOrAfter="2008-11-12T15:41:36.062+09:00"/>
<saml:AuthenticationStatement AuthenticationInstant="2008-11-11T15:41:36.062+09:00" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>mr@mrsaml.com</saml:NameIdentifier>
</saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:AuthenticationStatement>
</saml:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>dbhUz6MGvJcePmF22fi26la0gOM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
dHtMpBiMq6Nw+WskJFXSx2i0F2uUjvDeo6vOiMX1tMNLeSrx2myGEeGjqZco/BtT+oIA7d5g9TBl
mneOI87ccetgp+HNd5AjeKLdhfqWLEtkKOgso+Ob9Jj5ToQ2R+N2Imx9X65ot3xMWYzoxavycHEE
ORQS/qt61HbPY7iOCt0=
</ds:SignatureValue>
</ds:Signature>
</samlp:Response>

jonglee
The signed SAMLResponse still does not look correct. The Signature element should appear before the Status and Assertion elements.
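The points raised so far (sign the Response itself, place ds:Signature before Status and Assertion, use exclusive canonicalization and only the permitted transforms, bearer confirmation) can be checked before anything is posted. The following is an added example, not code from this thread or from Salesforce: a structural pre-flight check for a SAML 1.1 Response using only the Python standard library, run over samples constructed from the responses posted above with placeholder digest and signature values. It also checks one thing the thread does not mention: the SAML 1.1 assertion schema nests SubjectConfirmation inside Subject, whereas the posted assertions put it beside Subject.

```python
import xml.etree.ElementTree as ET

# Namespaces and algorithm identifiers used by SAML 1.1 and XMLDSig.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
INCLUSIVE_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ALLOWED_C14N = (EXC_C14N, EXC_C14N + "WithComments")
ALLOWED_TRANSFORMS = ALLOWED_C14N + (DS + "enveloped-signature",)
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ACS_URL = "https://login.salesforce.com"


def q(ns, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def check_response(xml_text, expected_recipient=ACS_URL):
    """Return a list of findings; an empty list means every structural check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "Response"):
        return ["root element is %s, not samlp:Response" % root.tag]
    if root.get("Recipient") != expected_recipient:
        findings.append("Recipient %r does not match the ACS URL" % root.get("Recipient"))
    # Browser/POST profile: the Response itself must carry a ds:Signature, and the
    # SAML 1.1 schema places that Signature before Status and Assertion.
    tags = [child.tag for child in root]
    if q(DS, "Signature") not in tags:
        findings.append("Response element is not signed (signing only the Assertion is not enough)")
    else:
        sig_at = tags.index(q(DS, "Signature"))
        for later in (q(SAMLP, "Status"), q(SAML, "Assertion")):
            if later in tags and tags.index(later) < sig_at:
                findings.append("ds:Signature must appear before %s" % later.split("}")[1])
                break
    # Every signature in the message: exclusive c14n, and only the transforms SAML allows.
    for sig in root.iter(q(DS, "Signature")):
        c14n = sig.find("%s/%s" % (q(DS, "SignedInfo"), q(DS, "CanonicalizationMethod")))
        algorithm = c14n.get("Algorithm") if c14n is not None else None
        if algorithm not in ALLOWED_C14N:
            findings.append("CanonicalizationMethod %r is not exclusive c14n" % algorithm)
        for transform in sig.iter(q(DS, "Transform")):
            if transform.get("Algorithm") not in ALLOWED_TRANSFORMS:
                findings.append("transform %r is not allowed" % transform.get("Algorithm"))
    assertions = root.findall(q(SAML, "Assertion"))
    if not assertions:
        findings.append("Response carries no Assertion")
    for assertion in assertions:
        if not assertion.get("Issuer"):
            findings.append("Assertion has no Issuer")
        subject = assertion.find(".//" + q(SAML, "Subject"))
        if subject is None:
            findings.append("Assertion has no Subject")
            continue
        # SubjectConfirmation belongs inside Subject; as a sibling it is not the Subject's.
        methods = [m.text.strip() for m in subject.iter(q(SAML, "ConfirmationMethod")) if m.text]
        if BEARER not in methods:
            findings.append("Subject has no bearer SubjectConfirmation (found %r)" % (methods,))
    return findings


# Constructed samples modelled on the responses posted in this thread. Digest and
# signature values are placeholders: this checker covers structure, not the crypto.
def _signature(c14n):
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="%s"/><ds:Reference URI="">'
            '<ds:Transforms><ds:Transform Algorithm="%senveloped-signature"/>'
            '<ds:Transform Algorithm="%s"/></ds:Transforms></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature>'
            ) % (DS, c14n, DS, EXC_C14N)

def _assertion(nested_confirmation, inner_signature=""):
    confirmation = ('<saml:SubjectConfirmation><saml:ConfirmationMethod>%s'
                    '</saml:ConfirmationMethod></saml:SubjectConfirmation>' % BEARER)
    subject = '<saml:Subject><saml:NameIdentifier>mr@mrsaml.com</saml:NameIdentifier>%s</saml:Subject>'
    # The posted responses put SubjectConfirmation beside Subject instead of inside it.
    subject = subject % confirmation if nested_confirmation else subject % "" + confirmation
    return ('<saml:Assertion xmlns:saml="%s" AssertionID="_a1" Issuer="https://mrsaml.com" '
            'IssueInstant="2008-11-06T19:20:02.406+09:00" MajorVersion="1" MinorVersion="1">'
            '<saml:Conditions NotBefore="2008-11-05T19:20:02.406+09:00" NotOnOrAfter="2008-11-07T19:20:02.406+09:00"/>'
            '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
            '%s</saml:AuthenticationStatement>%s</saml:Assertion>') % (SAML, subject, inner_signature)

def _response(*parts):
    return ('<samlp:Response xmlns:samlp="%s" Recipient="%s" ResponseID="_r1" '
            'IssueInstant="2008-11-06T19:20:02.781+09:00" MajorVersion="1" MinorVersion="1">'
            '%s</samlp:Response>') % (SAMLP, ACS_URL, "".join(parts))

STATUS = '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
# First post: only the Assertion is signed, with inclusive c14n.
FIRST_POST = _response(STATUS, _assertion(False, _signature(INCLUSIVE_C14N)))
# Later post: the Response is signed with exclusive c14n, but after Status and Assertion.
SECOND_POST = _response(STATUS, _assertion(False), _signature(EXC_C14N))
# Corrected form: Signature first, exclusive c14n, bearer confirmation inside Subject.
CORRECTED = _response(_signature(EXC_C14N), STATUS, _assertion(True))
```

Running `check_response` over the three samples reports three findings for the first post, two for the second, and none for the corrected form; signature verification itself still has to be done by an XMLDSig implementation against the certificate uploaded in the SSO settings.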
shanuman
In our organization we were trying to implement SSO, but we were confused about the SAML assertion.

How do I pass the SAML assertion from the client application to Salesforce? Can I get client-side sample code?

-sunil
jonglee
Usually the SAML is generated by the identity provider (a 3rd party that validates your client credentials) and then posted to Salesforce.com (we act as a service provider in SAML terminology). If you want to do this programmatically, take a look at OpenSAML, an open source library.

thanks
Jong
shanuman
Thanks Jong for the response.

As per your suggestion, I went through the OpenSAML site and am trying to understand it.

Please share if you have any sample code related to salesforce using this open source library.

Thx
sunil

jonglee
The library has pretty good code samples and javadocs.

To generate a SAMLResponse, you can try something like this:

    import java.util.Collections;
    import java.util.Date;
    import org.opensaml.*;

    // ssoId, confirmationMethod, assertionId, issuer, notBefore, notOnOrAfter,
    // issueInstant and recipient are supplied by the caller; getNewAssertionId()
    // is the poster's own id helper (not shown). OpenSAML 1.x API.
    SAMLResponse r = new SAMLResponse();
    SAMLAssertion a = new SAMLAssertion();
    SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
    // Subject: the SSO identifier plus its confirmation method (bearer for Browser/POST)
    SAMLSubject subject = new SAMLSubject(
            new SAMLNameIdentifier(ssoId, null, null),
            Collections.singleton(confirmationMethod), null, null
    );
    s.setSubject(subject);
    s.setAuthInstant(new Date());
    s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
    a.addStatement(s);
    a.setId(assertionId);
    a.setIssuer(issuer);              // must match the issuer configured in Salesforce
    a.setNotBefore(notBefore);        // validity window of the assertion
    a.setNotOnOrAfter(notOnOrAfter);
    a.setIssueInstant(issueInstant);

    r.addAssertion(a);
    r.setId(getNewAssertionId());
    r.setRecipient(recipient);        // the recipient URL shown on the SSO settings page
    r.setIssueInstant(issueInstant);


s hanuman.ax416
Thanks jonglee, I used your sample code and created a SAML assertion using the OpenSAML library.

I tried to send this SAML assertion from my client application (through a JSP) to the salesforce.com site,

but I'm getting an error message saying "identity provider failed. please contact to salesforce administrator".

Now jonglee, please let me know how I can proceed further.

For passing this SAML to salesforce.com, please provide some guidelines on this issue.

thanks
--sunil
jonglee
I assume you configured SAML properly, i.e. Setup -> Single Sign On Settings, yes?
That is where you upload the certificate and set the issuer; once you hit save, you should be able to get the recipient from the UI page.

So in turn, you need to pass all those parameters to your code.
shanuman

Thanks jonglee,

I received the Recipient URL after configuring the SAML, and I passed all configured parameters to the code, and generated a SAML assertion using the openSAML library.

I tried to send this SAML assertion from client application to salesforce.com site. But it is throwing same error message.
Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information.


I'm thinking that the problem is with the certificate, but I'm not sure about this either.

I don't understand what the exact problem is.

Here I'm sending my client code. Please let me know if any changes are needed.


<%@page language="java"%>
<%
String strResponse =
"<Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"2008-12-18T11:43:32.054Z\" MajorVersion=\"1\" MinorVersion=\"1\" Recipient=\"Recipient URL\" ResponseID=\"_23ced5473142eef7cbfdae01c3dc8351\">" +
"<Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_d48bfa6b0e8eebec222d87941160c876\" IssueInstant=\"2008-12-18T11:43:32.335Z\" Issuer=\"http://www.opensaml.org\" MajorVersion=\"1\" MinorVersion=\"1\"><Conditions NotBefore=\"2008-12-18T11:43:32.304Z\" NotOnOrAfter=\"2008-12-18T11:44:32.304Z\"></Conditions><AuthenticationStatement AuthenticationInstant=\"2008-12-18T11:43:32.257Z\" AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\"><Subject><NameIdentifier>foo</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier>foo</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName=\"CGUSERNAME\" AttributeNamespace=\"CGUSERURI\"><AttributeValue>xyz@yahoo.com(SSO USER)</AttributeValue></Attribute></AttributeStatement></ds:Signature></Assertion></Response>";
%>
<html>
<body>
<form name="acsForm" action="Recipient URL" method="post">
<input type="hidden" name="TARGET" value="https://na6.salesforce.com/ideas/ideaList.apexp"/>
<input type="hidden" name="SAMLResponse" value="<%=strResponse%>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>


Thanks

Sunil

jonglee
The SAMLResponse post param needs to be base64 encoded.
shanuman
Hi Jonglee,

Here I'm sending the code that generates the SAML assertion; in the code itself I'm encoding the SAML Response.

SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
SAMLResponse r = new SAMLResponse();
SAMLAssertion a = new SAMLAssertion();
SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
SAMLSubject subject = new SAMLSubject(
        new SAMLNameIdentifier("foo", null, null),
        Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttributeStatement attributeStmt = new SAMLAttributeStatement();
SAMLSubject subject1 = new SAMLSubject(
        new SAMLNameIdentifier("foo", null, null),
        Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttribute attribute = new SAMLAttribute("CGUSERNAME", "CGUSERURI", null, 0, null);
attribute.addValue("xyza@yahoo.com");
attributeStmt.addAttribute(attribute);
attributeStmt.setSubject(subject1);

s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
a.addStatement(s);
a.addStatement(attributeStmt);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.opensaml.org");
a.setNotBefore(new Date());
a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));

//a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com")));
r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
//r.toStream(System.err);
//System.err.println();

// ks, alias and password are the keystore, key alias and key password set up elsewhere in the test.
a.sign(
        XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
        ks.getKey(alias, password),
        Arrays.asList(ks.getCertificateChain(alias))
);
r.sign(
        XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
        ks.getKey(alias, password),
        Arrays.asList(ks.getCertificateChain(alias))
);
assertTrue("SAMLResponse is not signed.", r.isSigned());
//System.err.println("================ Generated Response ===============");
//r.toStream(System.err);
//System.err.println();

Here I'm encoding the SAML assertion into Base64.

SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();

//request.SAMLResponse = new String(r.toBase64());
request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));

SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
        null,
        request,
        "https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
        ReplayCacheFactory.getInstance(),
        null,
        1);
assertTrue("SAMLResponse is not signed.", response.response.isSigned());
response.assertion.verify(ks.getCertificate(alias));
response.response.verify(ks.getCertificate(alias));
System.err.println("================ Verified Response ===============");
response.response.toStream(System.err);
System.err.println();


But I'm still facing the same error message.
Please let me know about any further changes needed in the code.

Thanks
Sunil

jonglee
Did you check the Login History to see if there are any entries there? If so, it should tell you more info about the error. If not, it means we can't extract the user from your SAML assertion. From your code and sample assertion, it seems you are trying to use the username as the subject in the attribute location.
Could you please provide the config from your SAML settings page, to see if it matches what you are trying to do here?

thanks
Jong
shanuman
Hi Jonglee,

The SSO problem has been resolved; it's working fine.

Thanks a lot for the helpful tips.

I need one more favor from you: how do I implement SSO for custom portals?

Please help me on this.

Once again Thanks Jonglee.

--sunil


jonglee
We don't currently support SAML for portal users. But I think we will in the near future.

thanks
Jong
mannsandeep

Hi Jonglee, I have the same issue with SAML. I have created one Java file to create the SAML assertion and another JSP to pass it to Salesforce. But nothing is working. The SAMLBrowserProfileFactory.getInstance() method throws a NullPointerException. I tried replacing the opensaml jar but it did not help.

Please check my code below and suggest if I am doing anything wrong.


SAMLAssertionCreator.java
----------------------------

package com;

//import COM.rsa.*;

import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

import org.opensaml.provider.*;
import org.opensaml.ReplayCacheFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLBrowserProfileFactory;
import org.opensaml.SAMLIdentifier;
import org.opensaml.SAMLIdentifierFactory;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;

import javax.xml.namespace.QName;

//import weblogic.xml.crypto.dsig.api.XMLSignature;
import com.rsa.certj.xml.dsig.XMLSignature;

public class SAMLAssertionCreator {
    public BrowserProfileResponse createSAML() throws IOException {
        try {
            System.out.println("I am i SAMLASSErtionCreator++++");
            SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
            System.out.println("I am i SAMLASSErtionCreator2222222222");
            SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
            System.out.println("I am i SAMLASSErtionCreator3333333333");
            SAMLResponse r = new SAMLResponse();
            SAMLAssertion a = new SAMLAssertion();
            SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
            SAMLSubject subject = new SAMLSubject(
                    new SAMLNameIdentifier("foo", null, null),
                    Collections.singleton(SAMLSubject.CONF_BEARER), null, null
            );
            System.out.println("I am i SAMLASSErtionCreator444444444444444");
            SAMLAttributeStatement attributeStmt = new SAMLAttributeStatement();
            SAMLSubject subject1 = new SAMLSubject(
                    new SAMLNameIdentifier("foo", null, null),
                    Collections.singleton(SAMLSubject.CONF_BEARER), null, null
            );
            SAMLAttribute attribute = new SAMLAttribute("CGUSERNAME", "CGUSERURI", null, 0, null);
            attribute.addValue("xyza@yahoo.com");
            attributeStmt.addAttribute(attribute);
            attributeStmt.setSubject(subject1);

            s.setSubject(subject);
            s.setAuthInstant(new Date());
            s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
            a.addStatement(s);
            a.addStatement(attributeStmt);
            a.setId(idgen.getIdentifier());
            a.setIssuer("http://www.opensaml.org");
            a.setNotBefore(new Date());
            a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));

            //a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com")));
            r.addAssertion(a);
            r.setId(idgen.getIdentifier());
            r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
            //r.toStream(System.err);
            //System.err.println();
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

            char[] pwd = {'t', 'e', 's', 't', 'k', 'e', 'y', 'p', 'a', 's', 's'};
            a.sign(
                    //XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
                    XMLSignature.RSA_SIGNATURE_ALGORITHM,
                    ks.getKey("testalias", pwd),
                    Arrays.asList(ks.getCertificateChain("testalias"))
            );
            r.sign(
                    XMLSignature.RSA_SIGNATURE_ALGORITHM,
                    ks.getKey("testalias", pwd),
                    Arrays.asList(ks.getCertificateChain("testalias"))
            );
            //assertTrue("SAMLResponse is not signed.",r.isSigned());
            //System.err.println("================ Generated Response ===============");
            //r.toStream(System.err);
            //System.err.println();

            SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();

            request.SAMLResponse = new String(r.toBase64());
            //request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));

            SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
                    null,
                    request,
                    "https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
                    ReplayCacheFactory.getInstance(),
                    null,
                    1);
            // assertTrue("SAMLResponse is not signed.",response.response.isSigned());
            response.assertion.verify(ks.getCertificate("testalias"));
            response.response.verify(ks.getCertificate("testalias"));
            System.err.println("================ Verified Response ===============");
            response.response.toStream(System.err);
            System.err.println();
            return response;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}

and the JSP file is

<%@ page import="org.opensaml.SAMLBrowserProfile"%>
<%@ page import="com.SAMLAssertionCreator"%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<%
System.out.println("11111111111111111");
SAMLAssertionCreator samlCr = new SAMLAssertionCreator();
System.out.println("222222222222222222222");
SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse) samlCr.createSAML();
System.out.println("3333333333333333333333");
if (objSAML != null) {
    System.out.println("444444444444444444");
    System.out.println("+++++++++++++++++" + objSAML.response.getAssertions() + "++++++++++" + objSAML.response.getId());
} else {
    System.out.println("555555555555555555555555555");
    System.out.println("+++++++++++++++++");
}
System.out.println("66666666666666666666");
session.setAttribute("SAMLOBJ", objSAML);
%>

<html>
<body>
<form name="acsForm" action="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=" method="post">
<input type="hidden" name="TARGET" value="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA="/>
<%
System.out.println("777777777777");
%>
<input type="hidden" name="SAMLResponse" value="<%=objSAML%>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

I'd really appreciate it if you could help me with this. Thanks

Sandeep

jonglee
Exactly what is the error, e.g. the stack trace of the NPE?
mannsandeep

Hi Jonglee, the first error is a NullPointerException at

SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance(); and I'm using opensaml.jar

thanks

Sandeep

jonglee

The NPE occurs on SAMLBrowserProfileFactory.getInstance()? That seems odd. How could that be? Do you mind posting the complete stack trace?

thanks

Jong

mannsandeep

Hi Jong, yeah it's odd. I generated another log, please see below. Line number 41 is 'SAMLBrowserProfileFactory.getInstance'. Can you send me opensaml.jar at sandeep.mann@gmail.com so that I can try with that too?


java.lang.NullPointerException
        at org.opensaml.SAMLBrowserProfileFactory.getInstance(Unknown Source)
        at org.opensaml.SAMLBrowserProfileFactory.getInstance(Unknown Source)
        at com.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:41)
        at jsp_servlet._admin.__auth._jspService(__auth.java:111)
        at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
        at weblogic.servlet.internal.ServletStubImpl.onAddToMapException(ServletStubImpl.java:394)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:309)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3395)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(Unknown Source)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)

jonglee

Are you using this one?

http://shibboleth.internet2.edu/downloads/opensaml/java/1.1b/

jonglee

Or you can build it from source, I just tried it:

1) svn co https://svn.middleware.georgetown.edu/java-opensaml1

2) cd java-opensaml1/tags/Rel_1_1_FINAL_B

3) ant

"
create-jar:
      [jar] Building jar: /home/jonglee/projects/saml/java-opensaml1/tags/Rel_1_1_FINAL_B/dist/opensaml-1.1.jar

dist:

BUILD SUCCESSFUL
Total time: 12 seconds
"

mannsandeep

Hi Jong,

I tried with the new 'opensaml-1.1.jar' file too but got the same null exception. Can you tell me all the steps we have to do to implement SSO? Do we need any configuration file too?

Right now I have coded one JSP and one Java file as I attached before and done nothing other than that. I am trying to pass the assertion from application appA to Salesforce.

Let me know if I am missing any step.

Thanks

Sandeep

jonglee
As far as I know, there should be no need for any additional configuration for OpenSAML 1.1 (please read their doc though). To work with SFDC, you just need to create the SAMLResponse and post it; there is no need to create the profile. Now, one step at a time: try to remove the offending getInstance() call, since you don't really need it to produce the SAML response. Also, try this in a standalone env without involving the app server.
mannsandeep

After removing the getInstance() method, I'm now facing an issue while setting the QName in SAMLAttribute.

Please see below for the error message:

java.lang.NoSuchMethodError: org.opensaml.SAMLAttribute.setType(Ljavax/xml/namespace/QName;)V
at com.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:63)
at jsp_servlet._admin.__auth._jspService(__auth.java:111)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
Truncated. see log file for complete stacktrace

First I used 'SAMLAttribute attribute = new SAMLAttribute("abc","abc",null,0, null);' but I got an error that there is no such method, meaning the constructor has 4 parameters though I passed 5. At that time the error message was

java.lang.NoSuchMethodError: org.opensaml.SAMLAttribute.<init>(Ljava/lang/String;Ljava/lang/String;Ljavax/xml/namespace/QName;JLjava/util/Collection;)V
at com.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:60)
at jsp_servlet._admin.__auth._jspService(__auth.java:111)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
Truncated. see log file for complete stacktrace

What do you suggest, should I remove this call too?

jonglee

It seems to be a class loading issue. I recall WebLogic was bundling an OpenSAML jar in the distribution. So you can try to place the opensaml jar in front of weblogic.jar/weblogicaux.jar to see if it works. Another workaround is to remove attributes from the SAML assertion for now, since you can just use the subject to pass in the SFDC identity without using attributes...


mannsandeep

I avoided that and got a SAML login error at SFDC.

Now I am passing the following things in the subject, and those are configured in SFDC too:
------------------------------------------------------------------
SAMLSubject subject = new SAMLSubject(
        new SAMLNameIdentifier("sandeep@yahoo.com", null, null),
        Collections.singleton(SAMLSubject.CONF_SENDER_VOUCHES), null, null
);
and tried this too

SAMLSubject subject = new SAMLSubject(
        new SAMLNameIdentifier("sandeep@yahoo.com", null, null),
        Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);

Also please tell me what should come here:

a.setIssuer("http://www.opensaml.org"); --> will it be the ISSUER URL from my WebLogic server?
-------------------------------------------------------------------

Another thing: right now I return a base64-encoded SAMLBrowserProfile.BrowserProfileRequest instance to the JSP.
But will I not need that 'SAMLBrowserProfile.BrowserProfileResponse' instance (remember I was not able to work with the getInstance() method)?

thanks
sandeep

jongleejonglee

1) According to the SAML 1.1 Browser POST Profile, the subject confirmation must be bearer.

2) The issuer must match the one you defined in the SFDC settings ---> Setup/Security Controls/Single-Sign-On-Settings, where you need to define the issuer after enabling SAML.

3) I think the getInstance() NPE is caused by the opensaml jar bundled in WLS, so you can probably verify it by prepending the opensaml jar in front of weblogic.jar.  I don't see why you need SAMLBrowserProfile.BrowserProfileRequest, since you can just post SAMLResponse.toBase64() to SFDC.

4) As I recall, WLS has out-of-the-box support for SAML 1.1 browser POST.  But I don't remember the details now.  Maybe something you can also explore as an alternative to writing your own JSP to post the SAMLResponse.
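Added example, not code from this thread: a JDK-only check of a SAML 1.1 Response against points 1 and 2 above (bearer confirmation, issuer equal to the one configured in SFDC) plus the recipient and the validity window, which is what the receiving side has to verify before it maps the NameIdentifier to a user. The class name, the constructed sample response and the expected values are this example's own; XML signature verification is left out here because that is the service provider's job.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Checks a SAML 1.1 browser POST Response against configured SSO settings (example code). */
public final class Saml11ResponseCheck {

    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";

    /** Returns the findings; an empty list means the response passed every check. */
    public static List<String> check(String xml, String expectedIssuer, String expectedRecipient,
                                     Instant now) throws Exception {
        List<String> findings = new ArrayList<>();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // the document arrives in an untrusted POST: refuse DTDs and external entities
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        Element response = doc.getDocumentElement();
        if (!SAMLP.equals(response.getNamespaceURI()) || !"Response".equals(response.getLocalName())) {
            findings.add("root element is not samlp:Response");
            return findings;
        }
        if (!expectedRecipient.equals(response.getAttribute("Recipient"))) {
            findings.add("Recipient '" + response.getAttribute("Recipient") + "' does not match SSO settings");
        }
        NodeList assertions = response.getElementsByTagNameNS(SAML, "Assertion");
        if (assertions.getLength() != 1) {
            findings.add("expected exactly one Assertion, found " + assertions.getLength());
            return findings;
        }
        Element assertion = (Element) assertions.item(0);
        // SAML 1.1 carries the issuer as an attribute of the Assertion element
        if (!expectedIssuer.equals(assertion.getAttribute("Issuer"))) {
            findings.add("Issuer '" + assertion.getAttribute("Issuer") + "' does not match SSO settings");
        }
        NodeList conditions = assertion.getElementsByTagNameNS(SAML, "Conditions");
        if (conditions.getLength() == 0) {
            findings.add("Assertion has no Conditions (no validity window)");
        } else {
            Element c = (Element) conditions.item(0);
            Instant notBefore = OffsetDateTime.parse(c.getAttribute("NotBefore")).toInstant();
            Instant notOnOrAfter = OffsetDateTime.parse(c.getAttribute("NotOnOrAfter")).toInstant();
            if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter)) {
                findings.add("assertion is outside its validity window");
            }
        }
        // browser POST profile: the subject confirmation must be bearer
        boolean bearer = false;
        NodeList methods = assertion.getElementsByTagNameNS(SAML, "ConfirmationMethod");
        for (int i = 0; i < methods.getLength(); i++) {
            bearer |= BEARER.equals(methods.item(i).getTextContent().trim());
        }
        if (!bearer) {
            findings.add("subject confirmation method is not bearer");
        }
        NodeList names = assertion.getElementsByTagNameNS(SAML, "NameIdentifier");
        if (names.getLength() == 0 || names.item(0).getTextContent().trim().isEmpty()) {
            findings.add("no NameIdentifier to map to a Salesforce user");
        }
        return findings;
    }

    // constructed sample: well-formed, but uses sender-vouches instead of bearer
    static final String SAMPLE =
        "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\""
      + " MajorVersion=\"1\" MinorVersion=\"1\" ResponseID=\"_r1\" IssueInstant=\"2009-04-30T16:19:29Z\""
      + " Recipient=\"https://cs3.salesforce.com\">"
      + "<samlp:Status><samlp:StatusCode Value=\"samlp:Success\"/></samlp:Status>"
      + "<saml:Assertion AssertionID=\"_a1\" Issuer=\"http://www.xyz.com\" MajorVersion=\"1\""
      + " MinorVersion=\"1\" IssueInstant=\"2009-04-30T16:19:30Z\">"
      + "<saml:Conditions NotBefore=\"2009-04-30T16:19:30Z\" NotOnOrAfter=\"2009-04-30T16:24:30Z\"/>"
      + "<saml:AuthenticationStatement AuthenticationInstant=\"2009-04-30T16:19:29Z\""
      + " AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\">"
      + "<saml:Subject><saml:NameIdentifier>abc@xyz.com</saml:NameIdentifier>"
      + "<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
      + "</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>"
      + "</saml:AuthenticationStatement></saml:Assertion></samlp:Response>";

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2009-04-30T16:20:00Z");   // inside the sample's window
        List<String> findings = check(SAMPLE, "http://www.xyz.com", "https://cs3.salesforce.com", now);
        System.out.println(findings.isEmpty() ? "OK" : "findings: " + findings);
    }
}
```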

 

 

mannsandeepmannsandeep
I have taken care of the steps you mentioned. I tried with a new certificate, but getCertificateChain gives an NPE now. I changed the certificate again, but it still gives the same error, though the entry is there in the jks file. Any suggestions?
jongleejonglee

I don't see you load the keystore file in the code you posted earlier:

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
   // nothing is loaded into ks before the key and certificate chain are read from it
   char[] pwd={'t','e','s','t','k','e','y','p','a','s','s'};
    a.sign(
        //XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
      XMLSignature.RSA_SIGNATURE_ALGORITHM,
            ks.getKey("testalias",pwd),
        Arrays.asList(ks.getCertificateChain("testalias"))
        );

 

I would expect something like:

 

// get user password and file input stream
char[] password = getPassword();
java.io.FileInputStream fis =
new java.io.FileInputStream("keyStoreName");
ks.load(fis, password);
fis.close();

 

see http://java.sun.com/j2se/1.5.0/docs/api/java/security/KeyStore.html

mannsandeepmannsandeep
Thanks Jong... I changed the keystore part. I saw the assertion failure log at SFDC. Probably I need to look at the certificate side now. I think it should work now. Thanks for your most valuable suggestions...
SalesforceSSOSalesforceSSO

Hey Jonglee,

 

From where do we get the

import com.rsa.certj.xml.dsig files? Is it a jar or something?

I am trying to implement SSO from our corporate site to Salesforce. The only thing concerning the certificate is: I have to upload the certificate to SFDC and then get the recipient URL, then add that URL to the assertion creator class. Correct me if I am wrong. We are planning to use our own certificate, no third party.

 

Thanks

SalesforceSSOSalesforceSSO

Hi All,

 

I really need your help. I am trying to send assertion from our intranet to Salesforce using SSO. I am using simple JSP and Java class with Tomcat. I took the code from the same forum. I think they are using it with weblogic. I need help with the RSA Certj package. Any help would be appreciated.

 

Thanks.

jongleejonglee

I really don't think you need the RSA certj library. You can simply use JDK classes to read/load an X.509 cert from a keystore or even just a file.

 

Jong

SalesforceSSOSalesforceSSO

Hi Jong,

 

It's not able to find

import com.rsa.certj.xml.dsig.XMLSignature;

and that's why it is giving an error at

          XMLSignature.RSA_SIGNATURE_ALGORITHM,
                ks.getKey("testalias",pwd),
            Arrays.asList(ks.getCertificateChain("testalias"))
            );
        r.sign(
          XMLSignature.RSA_SIGNATURE_ALGORITHM,
            ks.getKey("testalias",pwd),
            Arrays.asList(ks.getCertificateChain("testalias"))
            );
        assertTrue("SAMLResponse is not signed.",r.isSigned());

 

My other question is (although I might sound dumb): what information from the certificates do I need to pass into this class, and where do we use the .per file?

Thanks,

Your help is highly appreciated.

 

--------------------- my code -----------------

 

 

 

package com.SSOTest;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

import org.opensaml.provider.*;
import org.opensaml.ReplayCacheFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLBrowserProfileFactory;
import org.opensaml.SAMLIdentifier;
import org.opensaml.SAMLIdentifierFactory;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;

import javax.xml.namespace.QName;

import com.rsa.certj.xml.dsig.XMLSignature;

// assertTrue comes from JUnit, as in the OpenSAML test code this was taken from
import static org.junit.Assert.assertTrue;

public class SAMLAssertionCreator {
    public BrowserProfileResponse createSAML() throws IOException
    {
     try
     {
        SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
        SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
        SAMLResponse r = new SAMLResponse();
        SAMLAssertion a = new SAMLAssertion();
        SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
        // bearer subject confirmation, as the SAML 1.1 browser POST profile requires
        SAMLSubject subject = new SAMLSubject(
                new SAMLNameIdentifier("foo", null, null),
                Collections.singleton(SAMLSubject.CONF_BEARER), null, null
                );
        SAMLAttributeStatement attributeStmt = new SAMLAttributeStatement();
        SAMLSubject subject1 = new SAMLSubject(
                new SAMLNameIdentifier("foo", null, null),
                Collections.singleton(SAMLSubject.CONF_BEARER), null, null
                );
        SAMLAttribute attribute = new SAMLAttribute("CGUSERNAME","CGUSERURI",null,0, null);
        attribute.addValue("xyza@yahoo.com");
        attributeStmt.addAttribute(attribute);
        attributeStmt.setSubject(subject1);

        s.setSubject(subject);
        s.setAuthInstant(new Date());
        s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
        a.addStatement(s);
        a.addStatement(attributeStmt);
        a.setId(idgen.getIdentifier());
        a.setIssuer("http://www.xyz.com");   // must equal the Issuer configured in the SFDC SSO settings
        a.setNotBefore(new Date());
        a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));

        //a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com")));
        r.addAssertion(a);
        r.setId(idgen.getIdentifier());
        r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
        //r.toStream(System.err);
        //System.err.println();

        // the keystore has to be loaded from disk before any key or certificate can be read from it
        // (assumes the keystore and the key entry use the same password)
        char[] pwd={'t','e','s','t','k','e','y','p','a','s','s'};
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream fis = new FileInputStream("keyStoreName");
        ks.load(fis, pwd);
        fis.close();

        a.sign(
            //XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
          XMLSignature.RSA_SIGNATURE_ALGORITHM,
                ks.getKey("testalias",pwd),
            Arrays.asList(ks.getCertificateChain("testalias"))
            );
        r.sign(
          XMLSignature.RSA_SIGNATURE_ALGORITHM,
            ks.getKey("testalias",pwd),
            Arrays.asList(ks.getCertificateChain("testalias"))
            );
        assertTrue("SAMLResponse is not signed.",r.isSigned());
        //System.err.println("================ Generated Response ===============");
        //r.toStream(System.err);
        //System.err.println();

        SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
        // OpenSAML already base64-encodes the serialised response
        request.SAMLResponse = new String(r.toBase64());

        SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
                null,
                request,
                "https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
                ReplayCacheFactory.getInstance(),
                null,
                1);
        assertTrue("SAMLResponse is not signed.",response.response.isSigned());
        response.assertion.verify(ks.getCertificate("testalias"));
        response.response.verify(ks.getCertificate("testalias"));
        System.err.println("================ Verified Response ===============");
        response.response.toStream(System.err);
        System.err.println();
        return response;
     }catch(Exception e)
     {
      e.printStackTrace();
     }
     return null;
    }
}
 

jongleejonglee
You probably should not use

import com.rsa.certj.xml.dsig.XMLSignature;

but the Signature class from OpenSAML.  Your code seems to use a keystore to load the cert. If you prefer, you can directly load the cert from a pem/der file -- I think that's the .per you are referring to.

SalesforceSSOSalesforceSSO

Thanks. There is no Signature class in OpenSAML 1.1. I might be downloading the wrong opensaml1.1.jar then. In fact, the jar I am using doesn't have an org.opensaml.xml package. I have 3 files: .crt, .cer, .pem.  I tried hard to find documentation for SAML 1.1 so that I can code, but couldn't get anything. I am not sure how to use these files.

java.io.FileInputStream fis = new java.io.FileInputStream("sf.pem");
BufferedInputStream bis = new BufferedInputStream(fis);
fis.close();

a.sign(
    XMLSignature.RSA_SIGNATURE_ALGORITHM,
    bis.toString(),   // sign() expects a java.security.Key here, not the stream's toString()
    Arrays.asList(ks.getCertificateChain("testalias"))
);

r.sign(
    XMLSignature.RSA_SIGNATURE_ALGORITHM,
    bis.toString(),
    Arrays.asList(ks.getCertificateChain("testalias"))
);

assertTrue("SAMLResponse is not signed.",r.isSigned());

SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));

SAMLBrowserProfile.BrowserProfileResponse response = profile.receive( null, request,
    "https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
    ReplayCacheFactory.getInstance(), null, 1);

assertTrue("SAMLResponse is not signed.",response.response.isSigned());

response.assertion.verify(ks.getCertificate("testalias"));
response.response.verify(ks.getCertificate("testalias"));
 

jongleejonglee

You can try download 1.1 library from https://spaces.internet2.edu/display/OpenSAML/Home/

 

In fact, open saml 1.1 is deprecated, I think you can try out 2.0.  It seems they have some doc to get you started.  Another way is to look at their tests, it will give you ideas how to do it as well.

SalesforceSSOSalesforceSSO

Thanks Jonglee.

I used the XMLSignature class from Apache's xmlsec.jar.

I got 3 files:

.per - containing the private key - This will be read by our Java program.

.crt - containing the public key - I think this will be uploaded to Salesforce.com and not used in the Java program.

.cer - containing the certificate - I think this will be read by our Java program as well.

Can you please confirm whether I am right.

java.io.FileInputStream fis = new java.io.FileInputStream("sf.per");
java.io.BufferedInputStream bis = new java.io.BufferedInputStream(fis);
fis.close();

a.sign(
    //XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
    // XMLSignature.RSA_SIGNATURE_ALGORITHM,
    XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
    bis.toString(),
    Arrays.asList(ks.getCertificateChain("testalias"))   // *** what to do here if I am reading from certificate
);

r.sign(
    // XMLSignature.RSA_SIGNATURE_ALGORITHM,
    XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
    bis.toString(),
    Arrays.asList(ks.getCertificateChain("testalias"))   // *** what to do here if I am reading from certificate
);

response.assertion.verify(ks.getCertificate(bis.toString()));   // *** what to do here if I am reading from certificate

 

Thanks for all the help.

jongleejonglee
Salesforce does not require you to include the X.509 certificate in your signed SAML response/assertion.  So it's optional to include the cert in the sign method; for simplicity, you can pass null in the 3rd argument, but if you want to pass the cert anyway, you need to read the certificate file and convert that into a List<java.security.cert.Certificate>.  Reading the OpenSAML javadoc or taking a look at their test sample will help.
SalesforceSSOSalesforceSSO

Thanks.

 

In the sign method, the second argument requires the private key. In the verify method, it requires the public key as an argument. The private key can be retrieved from the .pem file; the public key can be retrieved from the .cer file.

The above information I got from reading a few places on the internet; I might be totally wrong. Please feel free to correct me.

BufferedReader in = new BufferedReader(new java.io.FileReader("SFSign.pem"));
String line, encodedPrivateKey;
encodedPrivateKey = "";
line = in.readLine();
while (line != null) {
    encodedPrivateKey += line + "\r\n";
    line = in.readLine();
}
in.close();
// Remove the markers from the data
encodedPrivateKey = encodedPrivateKey.replace("-----BEGIN RSA PRIVATE KEY-----", "");
encodedPrivateKey = encodedPrivateKey.replace("-----END RSA PRIVATE KEY-----", "");
encodedPrivateKey = encodedPrivateKey.trim();

This is a string, but the sign method requires a key.

How do I retrieve the public and private keys from .pem and .cer?

jongleejonglee

Google seems to be our friend.  I typed "read private key in java" in the search box and got plenty of info, including this one:

 

http://forums.sun.com/thread.jspa?threadID=5175986

SalesforceSSOSalesforceSSO
package com.SSOTest;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collections;
import java.util.Date;

import org.opensaml.ReplayCacheFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;
import org.opensaml.SAMLBrowserProfileFactory;
import org.opensaml.SAMLIdentifier;
import org.opensaml.SAMLIdentifierFactory;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;

import sun.misc.BASE64Decoder;

// assertTrue comes from JUnit
import static org.junit.Assert.assertTrue;

public class SAMLAssertionCreator {

    public BrowserProfileResponse createSAML() throws IOException {
        try {
            SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
            SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
            SAMLResponse r = new SAMLResponse();
            SAMLAssertion a = new SAMLAssertion();
            SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
            SAMLSubject subject = new SAMLSubject(
                    new SAMLNameIdentifier("user@mail.com", null, null),
                    Collections.singleton(SAMLSubject.CONF_BEARER), null, null);

            s.setSubject(subject);
            s.setAuthInstant(new Date());
            s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
            a.addStatement(s);
            a.setId(idgen.getIdentifier());
            a.setIssuer("http://www.mail.com");
            a.setNotBefore(new Date());
            a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));

            //a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com")));
            r.addAssertion(a);
            r.setId(idgen.getIdentifier());
            r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
            r.toDOM();

            String privKeyFile = "SFSign.pem";
            String alias = "testalias";
            char[] password = "pwd".toCharArray();

            // read the whole private key PEM file (sized by the file, not by the file-name string)
            byte[] privKeyBytes = new byte[(int) new File(privKeyFile).length()];
            java.io.DataInputStream dis = new java.io.DataInputStream(new FileInputStream(privKeyFile));
            dis.readFully(privKeyBytes);
            dis.close();

            // strip the PEM armour before base64-decoding. PKCS8EncodedKeySpec needs the DER
            // body of a PKCS#8 ("-----BEGIN PRIVATE KEY-----") file; a PKCS#1
            // "-----BEGIN RSA PRIVATE KEY-----" file has to be converted first
            // (openssl pkcs8 -topk8 -nocrypt), otherwise generatePrivate fails
            String pem = new String(privKeyBytes, "US-ASCII")
                    .replace("-----BEGIN PRIVATE KEY-----", "")
                    .replace("-----END PRIVATE KEY-----", "")
                    .replaceAll("\\s", "");

            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            BASE64Decoder b64 = new BASE64Decoder();

            // decode private key
            PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(b64.decodeBuffer(pem));
            RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);

            // read the X.509 certificate (the public half, the one uploaded to Salesforce)
            java.io.FileInputStream fis = new java.io.FileInputStream("SFSign.cer");
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
            fis.close();

            // an in-memory keystore must be initialised with load(null, ...) before entries are added
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, password);
            ks.setCertificateEntry(alias, cert);

            a.sign(
                    Signature.getInstance("MD5withRSA").toString(),
                    //ks.getKey(alias,password),
                    privKey,
                    //Arrays.asList(ks.getCertificateChain(alias))
                    null
            );
            r.sign(
                    Signature.getInstance("MD5withRSA").toString(),
                    privKey,
                    null
            );
            assertTrue("SAMLResponse is not signed.", r.isSigned());

            r.verify(ks.getCertificate(alias));

            SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
            request.SAMLResponse = new String(r.toBase64());

            SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
                    null,
                    request,
                    "https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
                    ReplayCacheFactory.getInstance(),
                    null,
                    1);
            assertTrue("SAMLResponse is not signed.", response.response.isSigned());
            response.assertion.verify(ks.getCertificate(alias));
            response.response.verify(ks.getCertificate(alias));
            System.err.println("================ Verified Response ===============");
            response.response.toStream(System.err);
            System.err.println();
            return response;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}

 

 

Message Edited by SalesforceSSO on 03-31-2009 01:21 PM
SalesforceSSOSalesforceSSO

jsp file ------

 

<%@ page import="org.opensaml.SAMLBrowserProfile"%>
<%@ page import="com.SSOTest.SAMLAssertionCreator"%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<%
System.out.println("Start");
SAMLAssertionCreator samlCr = new SAMLAssertionCreator();
System.out.println("After SAMLAssertionCreator");
SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse)samlCr.createSAML();
System.out.println("After SAMLBrowserProfile");

if(objSAML!=null){
    System.out.println("objSAML is not null : " + objSAML.response.getAssertions() +"....." + objSAML.response.getId());
}
else{
    System.out.println("objSAML is null");
}

System.out.println("After the loop");
session.setAttribute("SAMLOBJ",objSAML);
%>

<html>
<body>
<form name="acsForm" action="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=" method="post">
<input type="hidden" name="TARGET" value="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=" />
<%-- post the base64-encoded SAMLResponse, not the Java object's toString() --%>
<input type="hidden" name="SAMLResponse" value="<%= new String(objSAML.response.toBase64()) %>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

 

 

When I am trying to run this, I am getting

java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement. Not sure why?

 

 

I have 3 files

1. SFSign.pem - private key

2. SFSign.cer - certificate with public key uploaded on Salesforce.com

3. org.crt - trusted root certificate from the organization.

 

My question is

 

In the sign method we need the private key as the second argument; in the verify method we need the public key.

Is it possible that I just read file 1 into the keystore and get the public key for verify, or do I need to load both file 1 and file 2 as I have done in the code above? Do I need file 3 somewhere for the assertion, or is it not required at all?

 

Thanks for all help. agg_rajat@yahoo.com

Message Edited by SalesforceSSO on 03-31-2009 01:16 PM
jongleejonglee
You need to check your classpath to make sure you include the opensaml jar to fix the ClassNotFoundException.  Now, you actually don't need to do verify on your JSP -- that's the receiving end's (service provider's) job to verify the signature; as the sender (identity provider), you only need to sign.
SalesforceSSOSalesforceSSO

Thanks. We just need to sign; then will we still use the alias and password for the private key during signing? If yes, how?

 

// same imports as the class posted above
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
SAMLResponse r = new SAMLResponse();
SAMLAssertion a = new SAMLAssertion();
SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
SAMLSubject subject = new SAMLSubject(
        new SAMLNameIdentifier("user@mail.com", null, null),
        Collections.singleton(SAMLSubject.CONF_BEARER), null, null);

s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
a.addStatement(s);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.mail.com");
a.setNotBefore(new Date());
a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));

r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
r.toDOM();

String privKeyFile = "SFSign.pem";
String alias = "SFSign";
char[] password = "password".toCharArray();

// read the whole private key PEM file (sized by the file, not by the file-name string)
byte[] privKeyBytes = new byte[(int) new File(privKeyFile).length()];
java.io.DataInputStream dis = new java.io.DataInputStream(new FileInputStream(privKeyFile));
dis.readFully(privKeyBytes);
dis.close();

// strip the PEM armour; PKCS8EncodedKeySpec needs the DER body of a PKCS#8
// ("-----BEGIN PRIVATE KEY-----") file, so convert a PKCS#1 "BEGIN RSA PRIVATE KEY"
// file first (openssl pkcs8 -topk8 -nocrypt)
String pem = new String(privKeyBytes, "US-ASCII")
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replaceAll("\\s", "");

KeyFactory keyFactory = KeyFactory.getInstance("RSA");
BASE64Decoder b64 = new BASE64Decoder();

// decode private key
PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(b64.decodeBuffer(pem));
RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);

// sign with the private key only; the certificate list is optional for Salesforce
a.sign(Signature.getInstance("MD5withRSA").toString(), privKey, null);
r.sign(Signature.getInstance("MD5withRSA").toString(), privKey, null);
assertTrue("SAMLResponse is not signed.", r.isSigned());

SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
request.SAMLResponse = new String(r.toBase64());

SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
        null,
        request,
        "https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
        ReplayCacheFactory.getInstance(),
        null,
        1);
assertTrue("SAMLResponse is not signed.", response.response.isSigned());

System.err.println("================ Verified Response ===============");
response.response.toStream(System.err);
System.err.println();
return response;

SalesforceSSOSalesforceSSO

I am working on a SAML assertion. I have a private key abc.pem. I want to read this file and sign the assertion. The code I found on the internet is what I have written. I might be wrong, but somehow I think this code is for generating a private key from a public key, which is what I don't want. I already have a private key, alias and its password. I just want to read it from the file and sign the assertion. Your help would be greatly appreciated.

String privKeyFile = "abc.pem";
String alias = "test";
char[] password = "pwd".toCharArray();

// read the whole private key PEM file (sized by the file, not by the file-name string)
byte[] privKeyBytes = new byte[(int) new java.io.File(privKeyFile).length()];
java.io.DataInputStream dis = new java.io.DataInputStream(new FileInputStream(privKeyFile));
dis.readFully(privKeyBytes);
dis.close();

// strip the PEM armour before base64-decoding; PKCS8EncodedKeySpec needs a PKCS#8 body
String pem = new String(privKeyBytes, "US-ASCII")
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replaceAll("\\s", "");

KeyFactory keyFactory = KeyFactory.getInstance("RSA");
BASE64Decoder b64 = new BASE64Decoder();

// decode private key
PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(b64.decodeBuffer(pem));
RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);
samlassertion.sign(
        Signature.getInstance("MD5withRSA").toString(),
        privKey,
        null
);
alok1078alok1078

Hi Sandeep,

 

I am facing the same issue (java.lang.NullPointerException while calling the SAMLBrowserProfileFactory.getInstance() method). Could you please let me know if you got it resolved? Was it a jar file issue? If yes, from where did you download the correct version of the jar file to make it work? Please help!

 

Thanks,

Alok

jongleejonglee

try this to load the private key from file:

 

http://www.javadocexamples.com/java/security/spec/java.security.spec.PKCS8EncodedKeySpec.html
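Added example, not code from this thread or from the linked page: loading the signing key pair with JDK classes only, for the sign-only identity-provider side discussed above, and checking before any SAML is built that the .pem private key and the .cer certificate uploaded to Salesforce actually belong together. It assumes a PKCS#8 PEM private key and an X.509 certificate in PEM or DER form; the class, method and file names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

/** Loads an IdP signing credential from plain files (example code, names are assumptions). */
public final class SigningCredential {

    private static final String PKCS8_BEGIN = "-----BEGIN PRIVATE KEY-----";
    private static final String PKCS8_END = "-----END PRIVATE KEY-----";

    /** Reads a PKCS#8 PEM file into a PrivateKey. */
    public static PrivateKey loadPkcs8PrivateKey(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        int begin = pem.indexOf(PKCS8_BEGIN);
        int end = pem.indexOf(PKCS8_END);
        if (begin < 0 || end < 0) {
            // "-----BEGIN RSA PRIVATE KEY-----" is PKCS#1: PKCS8EncodedKeySpec cannot parse it
            // and generatePrivate throws InvalidKeySpecException. Convert it once with
            //   openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem
            throw new IllegalArgumentException(path + " is not a PKCS#8 PEM file");
        }
        String body = pem.substring(begin + PKCS8_BEGIN.length(), end).replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads an X.509 certificate; CertificateFactory accepts both PEM and DER input. */
    public static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Sign-then-verify round trip over a fixed probe message. Returns true only when the
     * private key and the certificate's public key are the same pair, which is exactly
     * the relationship the SFDC side relies on: the IdP signs, the SP verifies with the cert.
     */
    public static boolean keyPairMatches(PrivateKey key, X509Certificate cert) throws Exception {
        byte[] probe = "key-pair check".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());   // the verifying side needs only the cert
        verifier.update(probe);
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false;   // e.g. key sizes differ: definitely not the same pair
        }
    }

    public static void main(String[] args) throws Exception {
        // assumed file names; the .crt root certificate is not needed for signing at all
        PrivateKey key = loadPkcs8PrivateKey(args.length > 0 ? args[0] : "SFSign.pem");
        X509Certificate cert = loadCertificate(args.length > 1 ? args[1] : "SFSign.cer");
        cert.checkValidity();   // throws CertificateExpiredException once the cert has expired
        System.out.println("certificate subject: " + cert.getSubjectX500Principal());
        System.out.println("key pair matches:    " + keyPairMatches(key, cert));
    }
}
```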

 

 

mannsandeepmannsandeep

Alok,

 

I used the same jar, 'opensaml-1.1.jar', only. If you need it, I can send the jar files. Send me your email id.

jongleejonglee

I recall the problem is that you are using opensaml 1.1 with WebLogic server, which bundles its own version, so you need to modify startWeblogic.sh to prepend your version before weblogic.jar...

 

 

alok1078alok1078
Thanks Sandeep! I got the correct jar file and proceeded.
alok1078alok1078

Hi,

 

I am getting the following exception. I used the same code as posted above with the pem file. Do I need to modify the pem file? Please advise.

 

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : null
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
at java.security.KeyFactory.generatePrivate(Unknown Source)
at com.SSOTest.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:99)
at org.apache.jsp.NCRSalesCentral_jsp._jspService(org.apache.jsp.NCRSalesCentral_jsp:56)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:291)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: IOException : null
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(Unknown Source)
at sun.security.rsa.RSAKeyFactory.generatePrivate(Unknown Source)
... 24 more

alok1078alok1078
Hi Sandeep, I still have issues with the jar file. Please send me the correct file at alok1078@google.com.
alok1078alok1078

Hi SalesforceSSO,

 

I am trying with the same code you posted with a pem file and getting the exception (posted in previous post). Please let me know if it is working for you now. Do we have to put the key in keystore first?

 

Thanks,

Alok

mannsandeepmannsandeep
Alok, I got an undelivered message from the Google mailbox server. Is your email id correct?
alok1078alok1078
Sorry, it was incorrect. Please send it to alok1078@gmail.com
SAMLIssSAMLIss

Hello SHanuman , Jonglee,

 

I got stuck while working with SAML.

I am getting a login failed error while posting it to Salesforce. Can you please help? The login history has no entries. It looks like it's not able to get the username.

 

<%@ page import="org.opensaml.SAMLBrowserProfile"%>
<%@ page import="com.sso.SAMLAssertionCreator"%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<%
SAMLAssertionCreator samlCr = new SAMLAssertionCreator();
SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse) samlCr.createSAML();
session.setAttribute("SAMLOBJ", objSAML);
%>

<html>
<body>
<form name="acsForm" action="https://cs3.salesforce.com" method="post">
<input type="hidden" name="TARGET" value="https://cs3.salesforce.com" />
<%-- post the base64-encoded SAMLResponse, not the Java object's toString() --%>
<input type="hidden" name="SAMLResponse" value="<%= new String(objSAML.response.toBase64()) %>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

 

 

Federated single sign-on using SAML:

SAML Enabled: Checked
SAML Version: 1.1
SAML User ID Type: Username
Issuer: http://www.xyz.com
SAML User ID Location: Subject
Identity Provider Certificate: EMAILADDRESS=abc@xyz.com, CN=SFSignCert, O=xyz, ST=XX, C=US
Expiration: 29 Mar 2019
Recipient URL: https://cs3.salesforce.com

 

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2009-04-30T16:19:29.738Z" MajorVersion="1" MinorVersion="1" Recipient="https://cs3.salesforce.com" ResponseID="_c5226ab7546137e707d44a9c6bd935cf"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>

<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>

<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>

<ds:Reference URI="#_c5226ab7546137e707d44a9c6bd935cf">

<ds:Transforms>

<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>

<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>g5E85emP02skn6lHjlnVafBCCFs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
KL2ggRD5iTQVYA9Wdqc1iNt16Dw12fvqO+96CT8GUzObQ+fd/9ces/yT+lxS0PTZYPt9KelkO/jy
PrV9DUFZj37PxNI1vvhT6ZSA1XY1GsooN7nlUdu+tou7a3ZvdCz4CeN0mFCUL7RrH99fmHNgIT4o
s3ZCx4fbstXCFfqomcM=
</ds:SignatureValue>
</ds:Signature>
<Status><StatusCode Value="samlp:Success"></StatusCode></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_0383e17ba54b53140ad122a4bb68255c" IssueInstant="2009-04-30T16:19:30.049Z" Issuer="http://www.xyz.com" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2009-04-30T16:19:30.028Z" NotOnOrAfter="2009-04-30T16:24:30.028Z"></Conditions>
<AuthenticationStatement AuthenticationInstant="2009-04-30T16:19:29.928Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject><NameIdentifier>abc@xyz.com</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject>
</AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_0383e17ba54b53140ad122a4bb68255c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>dYcFbFuLH3CjTTvxxqzaXTKqMSc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MB665iHEbaPF23TNqUdtIUllx0BqepfrzB6pNBejWS+49S5dd1g+qcCTK7SqtF/IHQ9xm7jzyfAR
KVzV4/f1e8C5+6y9WBaeCiUCbSfymZ9PQn1/1goJCyd/+jlPvPi3SKj0J4gmnveQQLrUG4dYtkbm
peCFzICrMBisOuDKb1U=
</ds:SignatureValue>
</ds:Signature></Assertion></Response>

Message Edited by SAMLIss on 04-30-2009 09:37 AM
MJ_ARIAMJ_ARIA

Has anyone got the 'TARGET' field working with SAML 2.0 so that it accepts the startURL, logoutURL, and ssoStartPage?

We set the value according to the docs as a TARGET field on the POST response:

<input type="hidden" name="TARGET" value="https://saml.salesforce.com/?startURL=https://na1.salesforce.com/001/o&logoutURL=http://admintools.aria.net/index.php/SignOn/logout">

But the starting URL still goes to https://na1.salesforce.com/home/home.jsp, and the logout URL is the default Salesforce logout URL.

Is the documentation wrong in describing how to set these URLs for SSO? Or are we missing something obvious?

Thanks for your help

jongleejonglee

Per the SAML 2.0 spec, there is no TARGET post param available to set those SSO-related parameters, so in the upcoming release (already available in cs0, cs2, and cs3 now; the rest of the instances will be upgraded in June), we used a SAML 2.0 attribute statement to pass in those values.

<pre>
 <saml:AttributeStatement>
<saml:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">
http://jonglee-ws2:9000/qa/security/saml/saml20-gen.jsp
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
http://jonglee-ws2:9000/
</saml:AttributeValue>
</saml:Attribute> </saml:AttributeStatement>
</pre>

 

thanks
Jong Lee

Salesforce.com

MJ_ARIAMJ_ARIA
ahh, thank you for that explanation.  that clears up our issue!
ExpoExpo

Hi Jong Lee and Salesforce SSO gurus,

We need your help in resolving the below error message:

"Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information."

Below is the SAML assertion that is being posted:

<?xml version="1.0" ?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="b55010b709b8d8cf858e" IssueInstant="2009-06-11T10:01:10.892Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://www.abc.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a40aa6e29fef4791da2c" IssueInstant="2009-06-11T10:01:10.830Z" Version="2.0">
    <saml:Issuer>http://www.abc.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#a40aa6e29fef4791da2c">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>lSo9/fOxK9pCMf6tt0qu0YELXSw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SzN+Ui9mubjcS0ROWOKHx7dmcAEVMx4pz1=</ds:SignatureValue>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>ART_21</ds:KeyName>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sample@abc.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-06-11T10:06:10.830Z" Recipient="https://login.salesforce.com" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-06-11T10:01:10.846Z" NotOnOrAfter="2009-06-11T10:06:10.846Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
      <saml:Condition>restrict IP</saml:Condition>
      <saml:OneTimeUse>use it once</saml:OneTimeUse>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2009-06-11T10:01:10.846Z" SessionIndex="wMx9ZzhvB/wdd6UPZjFd1OjEAMQ=" SessionNotOnOrAfter="2009-06-11T10:01:13.846Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

 

We also validated our SAML assertion in the SAML settings page and results are listed below

 

1. Validating the Status
  Ok
2. Checking that the assertion contains a reference to a user
  Ok
3. Looking for an Authentication Statement
  Ok
4. Looking for a Conditions statement
  Ok
5. Checking that the timestamps in the assertion are valid
  Ok
6. Checking that the Attribute namespace matches, if provided
  Unknown
7. Miscellaneous format confirmations
  Unknown
8. Confirming Issuer matches
  Ok
9. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
10. Checking that the Audience matches, if provided
  Ok
11. Checking the Recipient
  Ok
12. Validating the Signature
  Ok

 

jongleejonglee

What does the Login History tell you?

If you did not get an entry, it means we can't resolve your username. I saw your Recipient URL is using "https://login.salesforce.com", which means you are putting the SFDC username into the SUBJECT. Most likely the problem is that "sample@abc.com" is not a valid SFDC username. Also, you did not output the "Username or Federation ID" of the debug result; do you see that matching "sample@abc.com", the one you define in your assertion?

ExpoExpo

Jonglee,

Thank you very much for getting back to us.

We do not have any entry in the login history.

We are using a valid user ID and we are able to log on to SFDC using the ID that has been specified in the assertion. However, the same fails when we use the SAML assertion.
jongleejonglee
What does the login history tell you when you use SAML to log in?
ExpoExpo
We do not see any entry in the login history
jongleejonglee
That's what I expected, since we failed to map the SAML subject to a valid user. Now, what does the debug page tell you the "Username or Federation id" is? Does it match the one you specify in the SAML assertion?
ExpoExpo

 

The assertion validation page displays the valid SFDC user ID in the subject. We are not using the Federation ID option.

Subject: sample@abc.com

AssertionId: c4e9c837b58814a9f87f

__________________________________________

As per the document available at the link below, the SAML Assertion Debugger is available in Setup -> Security Controls -> Single Sign-On Settings -> SAML Assertion Debugger.

https://tapp0.salesforce.com/help/doc/en/salesforce_single_sign_on.pdf

The Single Sign-On Settings page only has the SAML Assertion Validator button and not the SAML Assertion Debugger button.

By debug, are you referring to the SAML Assertion Validator results or the SAML Assertion Debugger function, which is not available?
jongleejonglee
What instance is "sample@abc.com" on?  I saw you are using "https://login.salesforce.com" as the recipient url, so it must not be a sandbox user.
ExpoExpo

The sample@abc.com is the Development Edition admin ID, and when we log in to SFDC we hit the below URL:

https://c.ap1.visual.force.com/apex/Start_Here?sfdc.tabName=01r900000008XGa

jongleejonglee

It seems you are on the "ap1" instance, and unfortunately, when I search for "sample@abc.com", I can't locate your organization. Could you please post your user ID? You can find the user ID in the URL when you visit the personal information page under Setup.

 

thanks

Jong

ExpoExpo

Jong,

 

The Actual ID that we are using is david@sky.com. Thanks again for your assistance.

 

 

jongleejonglee

OK, I actually can locate your record using david@sky.com. Now if you put that into the SAML assertion instead of "sample@abc.com", does it work? The SAML assertion needs to be mapped to a valid SFDC user, either by using the username like "david@sky.com", or you can set a federation ID "sample@abc.com" on your user's page and change the SAML settings to accept the federation ID.

 

thanks

Jong

ExpoExpo

Jong,

 

We have tried all the options and we continue to get the same error message. I find it strange, as our assertion validation is successful. I have sent you a PM.

 

Thanks

 

SAMLIssSAMLIss

Can you post or send PM with your code, so that I can have a look at it.

ExpoExpo
I have sent you a PM
ExpoExpo

Jonglee,

 

Kindly let us know if you need any futher information and we will be glad to provide the same.

 

Thanks

MJ_ARIAMJ_ARIA

Jong,

 

We have tested the attribute statement, and it works for logoutURL, but the attributes ssoStartPage and startURL do not seem to work.  Is this being rolled out later this month, or was this not implemented?

 

Thanks

 

 

ExpoExpo

Jong and other SSO experts

 

We were successfully able to establish a connection using myonelogin.com and OpenSSO. Myonelogin uses SAML 1.1 and OpenSSO uses 2.0.

 

Our assertion is similar to Opensso and we do not have any errors when validating through the assertion validator.

 

However, we continue to encounter "Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information".

 

We do not have any entries in the error logs. We are unable to make any progress as we do not have any sort of logs from Salesforce.com that would help us in resolving this issue.

 

 

jongleejonglee

Did you get a chance to look at the login history in your test org? Normally, when the SAML assertion can be mapped to a valid SFDC user, it should display the error code there. If there is no login history at all, please try to use the Validator page to see if it gives you any hint on the error. If none of those work, maybe you can post the base64-encoded assertion here; I am happy to take a closer look.

 

thanks

Jong

 

 

ExpoExpo

Jong,

 

Thanks for getting back to us, we do not have any entry in the login history. We used the validator page and did not encounter any errors. As requested below is the base64 encoded assertion. I have also posted the validation results.

 

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

 

 

 

Results

1. Validating the Status
  Ok
2. Checking that the assertion contains a reference to a user
  Ok
3. Looking for an Authentication Statement
  Ok
4. Looking for a Conditions statement
  Ok
5. Checking that the timestamps in the assertion are valid
  Ok
6. Checking that the Attribute namespace matches, if provided
  Ok
7. Miscellaneous format confirmations
  Unknown
8. Confirming Issuer matches
  Ok
9. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
10. Checking that the Audience matches, if provided
  Ok
11. Checking the Recipient
  Ok
12. Validating the Signature
  Ok

--------------------------------------------------------------------------------

Subject: test

AssertionId: cae99800c6342b73e1ae

My SSO settings are given below.

My username david@sky.com has been mapped to Federation ID 'test'.

SAML                  - Enabled
SAML Version          - 2.0
SAML User ID Type     - Federation ID
SAML User ID Location - Attribute
Attribute Name        - uid
Name ID Format        -
Salesforce Login URL  - https://login.salesforce.com/?saml=MgoTx78aEPh6qHKGMd04z91DhDum3v6AwyfDSQDlf2kUOSZHkhZI.FhNP7

jongleejonglee

Your sample SAML 2.0 assertion looks ok.  What instance is your user 'david@sky.com' on?  Is it ap1.salesforce.com?

 

thanks

Jong

ExpoExpo

Yes, we are hitting the ap1 instance. Is it possible to check the logs at your end and see the error message that has been triggered?

 

(or) you could tell me a time when we can post our assertion and we can do the same --

 

 

jongleejonglee

OK.  We will investigate. 

 

thanks

Jong

ExpoExpo

 

Thanks Jong -- Eagerly awaiting your results.

 

 

jongleejonglee

I suspect the problem is only ap1 related.  In the mean time, you can probably try another prod instance or sandbox to continue with your development.

 

thanks

Jong

ExpoExpo

I am not sure if it's ap1 related, as OpenSSO and myonelogin are working and we have tested with the same ID.

I believe it has something to do with the assertion / some mapping when we are posting from our tool.
ExpoExpo

Finally after a prolonged struggle we got our SSO working. It has been a nightmare to identify the problem and fix it. If not for OpenSSO and myonelogin.com we wouldn't have found a solution.

 

 

jongleejonglee

Do you mind sharing with us what you found out? Probably we can look into enhancing our debugging page to track this type of error in the future.

 

thanks

Jong

 

crm_expertcrm_expert

Currently, we are implementing federated single sign-on for one of our clients.

When we log in to the production URL, it goes into Salesforce.

If we bookmark or favorite the page, and then click on logout in Salesforce, it does everything well and goes to the intranet page.

But after this, if we try to click on the bookmarked (or favorited) URL, it does not redirect to Salesforce; instead it gives a 'Page cannot be displayed' error.

I am attaching the assertion below:

If anyone can give their valuable input as to why it is not working when we bookmark it, while it works if we log in directly, it would be a great help.

Thank you so much.

<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.salesforce.com/?saml=EK03Almz90RPX1sk0F3gL_UQYTUnDzlvpUFiii6CkZKlxbr67y7HYzOqcz" ID="_7eb309180a7ecca5e8aa585f28cbdfe39e6f" IssueInstant="2009-09-30T20:07:37Z" Version="2.0">
  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">abc.com</ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3a3d0167a97b60515d1e34a2d412ff271ac6" IssueInstant="2009-09-30T20:07:37Z" Version="2.0">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">abc.com</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:Reference URI="#_3a3d0167a97b60515d1e34a2d412ff271ac6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ex7zmBjvM0wMmImMJOIqFILJBlU=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
PX7j4coCVBymjz+tG/Xy+0IvgDYNU5/rfoOWFZecf3eKF5oXKUm1YBK/2uuHZ1nDb5AWb8zgLaF/
NpjLkJ5lfJmN+M2cyd0fgm4XGd2Eu+P/7mmG9+HYGrik/SCKWibQab8x3ZDCt5znDbQyakVTeE4o
AtzxcHW/blGJ0mtqmyU=
      </ds:SignatureValue>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">MIIERzCCAy+gAwIBAgILAQAAAAABIX6aGX4wDQYJKoZIhvcNAQEFBQAwUDEXMBUGA1UEChMOQ3li ZXJ0cnVzdCBJbmMxNTAzBgNVBAMTLEN5YmVydHJ1c3QgU3VyZVNlcnZlciBTdGFuZGFyZCBWYWxp ZGF0aW9uIENBMB4XDTA5MDUyNjE5MzAyM1oXDTEyMDUyNjE5MzAyM1owgfExFzAVBgNVBAMTDlNB UyBGZWRlcmF0aW9uMRwwGgYDVQQEExNJZGVudGl0eSBGZWRlcmF0aW9uMSAwHgYDVQQqExdTQVMg RmVkZXJhdGlvbiBQcm92aWRlcjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkFaMRAwDgYDVQQHEwdQ aG9lbml4MRkwFwYDVQQKExBBbWVyaWNhbiBFeHByZXNzMSAwHgYDVQQLExdJbnRlci9JbnRyYW5l dCBTZWN1cml0eTEtMCsGCSqGSIb3DQEJARYedGVjaG5pY2FsLnNzby5zdXBwb3J0QGFleHAuY29t MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDig+SHwHzMj5bXwX/Zm3KXs0v0dnIrJhtr2PJS pYh2/gvvDIVRh4wInE2RaTM5bDNc4wg1WxuCa4BKpqtfGvzZpPpLl3GXRA+8QjxWqBbsHXpE/zD6 rC5BJbY5rkkgS7+KL+Lw8M4gJFzVBlHemusBKW+zO5Fs+viZnuFsDQIJowIDAQABo4IBAjCB/zAf BgNVHSMEGDAWgBTNOpafrm4PQFwcSPhLLbhxAeuJ2jA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8v Y3JsLm9tbmlyb290LmNvbS9TdXJlU2VydmVyRzIuY3JsMB0GA1UdDgQWBBSsICr0lE734pSba+oE iK9xYYgvujAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcD AjBPBgNVHSAESDBGMEQGCSsGAQQBsT4BMjA3MDUGCCsGAQUFBwIBFilodHRwOi8vY3liZXJ0cnVz dC5vbW5pcm9vdC5jb20vcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUFAAOCAQEAbHHbrP1SM8TVosWi cOuihB1BzJexdfbFGJPoSWhpz3nRcVm+G/q3tUOuTZfRVDTUVlu2MT0PU8YDk4KSI29GMQwXuEhD p5KKA5f2sgBrYJHS1bx0n42SVRpN6bbascFkpe4I8bGkatRk6j+GBleFozFCNiZeex64meBNX68R vy+JtCTQVVxcZHj/I+aGw+ZknAeI0UL7J96xuE0IY6dcIK+36bWdE17Vsnxgwi39VijAbRBb41Zn Kvs5lSf94qWEE2ikIOKD4ZHTSFWpcnbYaoiDDSFZJZpTD0RsijQu4pcnVYsoQGDNIEO/6EFhFSQH RTW0sOo2ZbxeBpommEEDpg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <ns2:Subject>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">C1466791</ns2:NameID>
      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <ns2:SubjectConfirmationData NotOnOrAfter="2009-09-30T20:09:07Z" Recipient="https://login.salesforce.com/?saml=EK03Almz90RPX1sk0F3gL_UQYTUnDzlvpUFiii6CkZKlxbr67y7HYzOqcz"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2009-09-30T20:07:07Z" NotOnOrAfter="2009-09-30T20:09:07Z">
      <ns2:AudienceRestriction>
        <ns2:Audience>salesforcetravel</ns2:Audience>
      </ns2:AudienceRestriction>
      <ns2:AudienceRestriction>
        <ns2:Audience>https://saml.salesforce.com</ns2:Audience>
      </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2009-09-30T20:07:36Z" SessionIndex="Q+pzvs+8Rr7Z6tlt8IIpmRVDFdY=zIabKw==" SessionNotOnOrAfter="2009-09-30T20:09:07Z">
      <ns2:AuthnContext>
        <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
      </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
      <ns2:Attribute Name="employeeid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>C1466791</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>http://www.defweb.com/travelforcelogin</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>https://central101.intra.abc.com/portal/site/defweb/menuitem.daa2dd4f4649fd301aae0ff54c2bda49/&amp;level=1?epi-content=CMU&amp;cmu_page=10002295&amp;format=leftmidwithoutcolor&amp;leftnav=false</ns2:AttributeValue>
      </ns2:Attribute>
    </ns2:AttributeStatement>
  </ns2:Assertion>
</Response>

 

 

 

jongleejonglee

I saw you are setting the ssoStartPage attribute in the SAML 2.0 assertion. It's the URL where we will generate a SAMLRequest and initiate the login process to your identity provider when you click a bookmark. It's a scenario called SP-initiated Single Sign-On in SAML 2.0 terminology. It's not a simple redirect; we actually initiate a login request, so your IdP must be set up to accept a SAMLRequest to complete the sign-on process.

 

 

thanks

Jong Lee

Salesforce.com 

crm_expertcrm_expert

Thank you so much.

I also read somewhere that we have to include the startURL in a different HTTP parameter, 'RelayState'. Can you please advise on it?

Also, can you please guide me on how to set up the IdP correctly?

Thanks.

 

 

jongleejonglee

In the SP-initiated SSO case (when you click on a bookmark of an SFDC page), we automatically set the RelayState to that page in the SAMLRequest we post to your IdP. The IdP should just return that param unchanged when it returns the SAMLResponse to sign on, so that we know where to redirect you to after a successful login.

So here is what should happen if everything is set up correctly on your IdP to accept a SAMLRequest for SP-initiated SSO from Salesforce.

1. You don't have a session established with your IdP yet: click a link to an SFDC page and you should get the login page of your IdP; then, after you sign on, you should be redirected to your bookmarked page.

2. If you already have a session with your IdP, you should be able to access your bookmarked page without re-authenticating.

 

thanks

Jong Lee

Salesforce.com

jongleejonglee

Did you implement your own IdP, or did you use a commercial product or open-source project? Each one is set up differently, so you probably need to consult their documentation.

Here is a sample of an SFDC-generated SAMLRequest:

<pre>

  <samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost:9000" Destination="http://jonglee-ws2:9030/idp" ID="_1_RF3ESewdVBKeLyXjW6vwhrWxZ3sHfhXkSS.9vqgT5Br_Pjq4ATI6FRSvr8rmm7UGH5btYAlXc2WC5ejCileM_2ALMc" IssueInstant="2009-01-15T22:49:37.881Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:Reference URI="#_1_RF3ESewdVBKeLyXjW6vwhrWxZ3sHfhXkSS.9vqgT5Br_Pjq4ATI6FRSvr8rmm7UGH5btYAlXc2WC5ejCileM_2ALMc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
        <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">UPzylj19vhvnN41sIcafbZ728Pw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Js9fqZX+3IEm/IZRAvVnT39Yl/5Crp2jTCVcaS259j43Ypl3hHHFCQnCSBiOojgWRLymUbIPlUVA
ch2x5uF8b8nHdzU5YnQjxzlszf+hGpxH2KIXiRn8yTHLNWVe7ykUMnT2K0UitlxHK7QNeKEJ3U2R
WCC8p/lpLRLrRHhki9Q=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICoDCCAgkCCQCP3MN3sQ6/RDANBgkqhkiG9w0BAQUFADCBozELMAkGA1UEBhMCVVMxEzARBgNV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==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>

</pre>
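The SP-initiated exchange described in the two replies above, as an added example that is not part of the original thread or of Salesforce's code. The IdP side decodes the SAMLRequest form field (a constructed copy of the sample AuthnRequest above, with the signature, certificate and most of the ID dropped), answers it with a Response whose InResponseTo, Destination and Recipient come from the request, and hands RelayState back unchanged; a small SP-side check shows why that echo and InResponseTo matter. The IdP entity ID `https://idp.example.com`, the user `david@sky.com` and the RelayState value are assumptions; signing the Response is left to an XML-DSig library and is not shown.

```python
import base64
import html
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest modelled on the Salesforce-generated sample above
# (signature, certificate and most of the ID dropped; hostnames are the sample's own).
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://localhost:9000" Destination="http://jonglee-ws2:9030/idp"
    ID="_1_RF3ESewdVBKeLyXjW6vwhrWxZ3sHfhXkSS" IssueInstant="2009-01-15T22:49:37.881Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.salesforce.com</saml:Issuer>
</samlp:AuthnRequest>"""
SAMPLE_AUTHN_REQUEST_B64 = base64.b64encode(SAMPLE_AUTHN_REQUEST).decode()  # as it arrives in the SAMLRequest field


def saml_time(t):
    """xs:dateTime in UTC with a trailing Z. Writing local time here is the classic cause of
    the validator's 'outside of allowed time window' error."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_authn_request(saml_request_b64):
    """IdP side: decode the SAMLRequest form field and keep what the Response has to echo."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("SAMLRequest is not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {"id": root.attrib["ID"],
            "acs_url": root.attrib["AssertionConsumerServiceURL"],
            "sp_entity_id": (issuer.text or "").strip() if issuer is not None else "",
            "binding": root.attrib.get("ProtocolBinding")}


def build_response(req, name_id, idp_entity_id, now=None, lifetime_s=300):
    """Unsigned SAML 2.0 Response answering `req`. InResponseTo ties it to the AuthnRequest,
    Destination/Recipient are the SP's ACS URL, Audience is the SP entity ID, and Issuer is a
    direct child of Response as well as of Assertion. Signing is left to an XML-DSig library."""
    now = now or datetime.now(timezone.utc)
    not_before = saml_time(now - timedelta(seconds=30))
    not_after = saml_time(now + timedelta(seconds=lifetime_s))
    resp_id, assn_id = "_" + secrets.token_hex(20), "_" + secrets.token_hex(20)
    e = html.escape  # attribute and text values must be XML-escaped
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s" '
        'Destination="%s" InResponseTo="%s">' % (NS["samlp"], NS["saml"], resp_id, saml_time(now),
                                                   e(req["acs_url"]), e(req["id"]))
        + '<saml:Issuer>%s</saml:Issuer>' % e(idp_entity_id)
        + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        + '<saml:Assertion ID="%s" Version="2.0" IssueInstant="%s">' % (assn_id, saml_time(now))
        + '<saml:Issuer>%s</saml:Issuer>' % e(idp_entity_id)
        + '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">%s</saml:NameID>' % e(name_id)
        + '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        + '<saml:SubjectConfirmationData NotOnOrAfter="%s" Recipient="%s" InResponseTo="%s"/>' % (not_after, e(req["acs_url"]), e(req["id"]))
        + '</saml:SubjectConfirmation></saml:Subject>'
        + '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction>' % (not_before, not_after)
        + '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>' % e(req["sp_entity_id"])
        + '<saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext><saml:AuthnContextClassRef>' % saml_time(now)
        + 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>'
        + '</saml:AuthnStatement></saml:Assertion></samlp:Response>')


def idp_post_form(saml_request_b64, relay_state, name_id, idp_entity_id):
    """Fields of the auto-submitting HTTP-POST form the IdP hands back to the browser.
    RelayState is returned byte-for-byte: Salesforce uses it to land on the bookmarked page."""
    req = parse_authn_request(saml_request_b64)
    xml = build_response(req, name_id, idp_entity_id)
    return {"action": req["acs_url"],
            "SAMLResponse": base64.b64encode(xml.encode()).decode(),
            "RelayState": relay_state}


def sp_check_response(form, outstanding_request_id, sent_relay_state):
    """SP side: only restore the bookmark if RelayState came back unchanged and the Response
    answers a request we actually issued (InResponseTo); an unsolicited Response would not."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    return (form.get("RelayState") == sent_relay_state
            and root.attrib.get("InResponseTo") == outstanding_request_id
            and root.find("saml:Issuer", NS) is not None)


if __name__ == "__main__":
    form = idp_post_form(SAMPLE_AUTHN_REQUEST_B64, "https://na1.salesforce.com/001/o",
                         "david@sky.com", "https://idp.example.com")
    print(form["action"], form["RelayState"])
    print(sp_check_response(form, "_1_RF3ESewdVBKeLyXjW6vwhrWxZ3sHfhXkSS", "https://na1.salesforce.com/001/o"))
```

The `action` of the returned form is the AssertionConsumerServiceURL the SP put in its request, which is also what goes into `Destination` and `Recipient`; the ID of the AuthnRequest is echoed twice, on the Response and on the SubjectConfirmationData, as the SAML 2.0 profile requires for SP-initiated flows.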

crm_expertcrm_expert

Hi,

Thanks, sir.

We have implemented it using our own identity provider; we have written the assertions all by ourselves.

The thing is that in SAML 1.1, when we used to redirect the page, it redirected properly, but in SAML 2.0 it doesn't redirect in the usual way.

Either it's a matter of the RelayState parameter, which we haven't used yet, or something else so silly that we haven't added it yet.

If you refer to the wiki, the following page:

http://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Artifact.3B_IdP_Redirect_Artifact

tries to explain what is being done, but I cannot really get it.

Could you please throw some light on the RelayState parameter and how to use it, and also how to use an artifact and where to use it?

Thanks,

jongleejonglee

The use of ssoStartPage in the SAML 1.1 TARGET post param is a Salesforce-proprietary way to support SP-initiated SSO, as parity with the SAML 2.0 standard. The SAML 2.0 spec defines different bindings to support the SP-initiated scenario; we only support the browser POST binding. The wiki page you read is about the artifact redirect binding, which is a little more complicated.

You might find this doc a little bit easier to follow:

http://wiki.eclipse.org/SAML2_IdP_Overview_1.0

I understand your concern about why SAML 2.0 won't work the way the Salesforce.com SAML 1.1 implementation does. However, it's clearly defined how it is supposed to work in the SAML 2.0 specs, which we must follow in order to interoperate with other SAML 2.0 IdP vendors.

 

thanks

Jong Lee

Salesforce.com 

crm_expertcrm_expert

Hi Jong,

I read your reply in the post:

http://community.salesforce.com/sforce/board/message?board.id=general_development&message.id=20243

Could you please confirm that Salesforce does not support SP-initiated SSO, and that it supports only IdP-initiated SSO?

Plus, can the "RelayState" parameter be included in the assertion rather than in the form? (If you could tell me everything about how to use it.)

Just FYI, the link you gave in the previous reply states the use of SP-initiated SSO.

Eagerly waiting for your reply.

Thanks,

Sumit
MuraliMMuraliM

Hi,

 

   Could you please let me know how you could fix the problems with SSO? Any hints in this direction would be helpful.

 

Thanks,

Murali(murali_va@hotmail.com)

jongleejonglee

Salesforce started to support SP-initiated SSO in the Summer 2009 release. In the recent Winter 2009 release (just completed last weekend), we also added support for SAML login on portals (please see the docs: https://na1.salesforce.com/help/doc/en/sso_portals.htm).

In SP-initiated SSO, the RelayState is set by Salesforce; that's the protected page you are trying to access, i.e. the bookmarked link. In the IdP-initiated case you can also set that in the POST form. We currently don't support setting it in the assertion; if that turns out to be a very popular request, we will consider supporting it.

 

thanks

Jong

 

Salesforce.com

jongleejonglee

What do you mean by "problems with SSO"?  Could you please be a little more specific?

 

thanks

Jong

crm_expertcrm_expert

hi jong!!

 

sent u a pm..

 

~Sumit

Ashish_ChettiarAshish_Chettiar

Hi Jong,

I am trying to implement Salesforce SSO using Active Directory as the IdP. I generate the SAML response, but the SAML validator indicates:

8. Confirming Issuer matches
  No issuer found in response

Below is the SAML response generated:

<samlp:Response ID="kogdninhjplhgekjoodihlllbgccbfhhiibmhkpg" IssueInstant="2009-11-16T15:30:11Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="hapmklejfkebmofedgblacaocjmdoaloogpomelj" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>
      https://www.salesforce.com
    </Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz@gmail.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData Recipient="https://login.salesforce.com/?saml=MgoTx78aEPRKsgiCAdLvFt8gq0J7W_s3h4HLT1HzJcg" NotOnOrAfter="2009-11-16T20:40:11Z"  />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2009-11-16T20:25:11Z" NotOnOrAfter="2009-11-16T20:40:11Z">
      <AudienceRestriction>
        <Audience>https://saml.salesforce.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2009-11-16T15:30:11Z">
      <AuthnContext>
        <AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        </AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>/Ufrgm+ew3VxWWHGfpdi+DSzfMk=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>xxxxxxxxxxxx</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>xxxxxxxx</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:Response>

When I try posting this response to the Recipient URL I get:

Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.

Thanks,

Ashish

jongleejonglee

You need to have an Issuer element under Response, just like the one you have under Assertion.

 

 

 

Jong

Salesforce.com

This was selected as the best answer
Ashish_ChettiarAshish_Chettiar

I do have a issuer element under response,

 

https:\\www.salesforce.com

Ashish_ChettiarAshish_Chettiar
sorry my mistake, please overlook my previous message
Ashish_ChettiarAshish_Chettiar

Hi Jong,

 

Sorry for the confusion earlier.

I tried the Issuer element under Response, but I still get the same message in the SAML validator.

And posting the response to the Recipient URL gives me the same message too.

 

 

 

 

Thanks,

Ashish

Ashish_ChettiarAshish_Chettiar

Hi Jong,

 

SAML Response below for your reference:

<samlp:Response ID="eopmekcmamjdibjkbokehcbjnngobjdafdakdbbn" IssueInstant="2009-11-19T12:41:50Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <samlp:Status>
    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://www.salesforce.com </Issuer>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="epfdfbomgnoengfnpkijabooainmfnnaebkhcadh" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://www.salesforce.com </Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz@abc.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData Recipient="https://login.salesforce.com/?saml=MgoTx78aEPRKsgiCAdLvFt8gq0J7WBqC05v88FAHBy8r_s3h4HLT1HzJcg" NotOnOrAfter="2009-11-19T17:51:50Z" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2009-11-19T17:36:50Z" NotOnOrAfter="2009-11-19T17:51:50Z">
      <AudienceRestriction>
        <Audience>https://saml.salesforce.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2009-11-19T12:41:50Z">
      <AuthnContext>
        <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>AYVbIkBxDf5FNtdbcwKaVEmL8bs=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>xxxxxxxxxxxxxxx</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>xxxxxxxxxxx</X509Certificate>
      </X509Data>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>zzzzzzzzzzz</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
</samlp:Response>

 

 

I still get

 

8. Confirming Issuer matches

  No issuer found in response

 

in the SAML validator.

 

 

Thanks

 Ashish 

 

jonglee

It happened that page 7 of this thread has a sample SAML 2.0 assertion. I quickly compared that with yours. There are two differences:

1) You are using the default namespace for Issuer; that should work, but I don't know why our code would reject that.

Could you please try not using the default namespace to see if it works?

2) Also, you have the Format attribute in the Issuer; take that out and try.

 

 

The page 7 sample: http://community.salesforce.com/sforce/board/message?board.id=general_development&thread.id=22960&view=by_date_ascending&page=7

 

 

thanks

Jong

Ashish_Chettiar

Jong,

Thanks for the response.

I tried the two changes suggested by you; still no luck.

 

 

 

Thanks,

Ashish 

jonglee
Did you check the login history to see what error it gives?
jonglee

Your Issuer seems to be a child of Status, not Response.

 

Ashish_Chettiar

Thanks, that resolved the Issuer error.

I also have a

5. Checking that the timestamps in the assertion are valid
  Timestamp of the response is outside of allowed time window
  Current time is: 2009-11-19T18:50:45.721Z
  Timestamp is: 2009-11-19T13:50:17.000Z

  Allowed skew in milliseconds is 480000

error.

How do I resolve that?

 

 

jonglee
Your test assertion expires (NotBefore and NotOnOrAfter elements).
Ashish_Chettiar

Hi Jong,

 

 I finally got the SSO to work :smileyhappy:.

 

The current time was not universal time, while the others were; hence the problem.

 

 

Thanks,

Ashish 
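The two validator failures in this exchange, "No issuer found in response" (the Issuer sat under samlp:Status instead of directly under samlp:Response) and the timestamp window (a local clock was compared against the IdP's UTC timestamps), are cheap to catch before a response is ever posted. The following Python is an added example, not Salesforce's validator or any poster's code; the sample response, its IDs and the issuer https://idp.example.com are constructed, while the 480000 ms skew and the two clock values are the ones quoted in the validator output above.

```python
"""Pre-flight checks for a SAML 2.0 Response, mirroring two validator errors
from this thread: "No issuer found in response" and "Timestamp of the
response is outside of allowed time window".  Added example; the sample
response, issuer and IDs are constructed, not a real IdP's output."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_instant(value):
    """Parse an xsd:dateTime such as 2009-11-19T13:50:17.000Z as an aware UTC datetime.
    A zone-less value is rejected: comparing local wall-clock time against the IdP's
    UTC timestamps is exactly the mistake that produced the five-hour gap above."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("timestamp has no time zone: %r" % value)
    return dt.astimezone(timezone.utc)


def check_response(xml_text, now, skew_ms=480000, expected_issuer=None):
    """Return a list of validator-style findings; an empty list means the checks passed.
    `now` must be an aware datetime; skew_ms defaults to the 480000 ms quoted above."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["Root element is not samlp:Response"]

    # 8. Confirming Issuer matches.  find() only looks at direct children, so an
    # Issuer nested under samlp:Status is reported missing, as the validator did.
    # ElementTree matches on namespace URI, so a default-namespace Issuer also works.
    issuer = root.find("saml:Issuer", NS)
    issuer_text = (issuer.text or "").strip() if issuer is not None else ""
    if not issuer_text:
        findings.append("No issuer found in response")
    elif expected_issuer is not None and issuer_text != expected_issuer:
        findings.append("Issuer %r does not match configured %r" % (issuer_text, expected_issuer))

    # 5. Checking that the timestamps are valid, with the allowed skew applied on both sides.
    skew = timedelta(milliseconds=skew_ms)
    issue_attr = root.get("IssueInstant")
    if issue_attr is None:
        findings.append("Response has no IssueInstant")
    elif abs(now - parse_instant(issue_attr)) > skew:
        findings.append("Timestamp of the response is outside of allowed time window")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("No assertion found in response")
        return findings
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before) - skew:
            findings.append("Assertion is not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_instant(not_on_or_after) + skew:
            findings.append("Assertion has expired (NotOnOrAfter)")
    return findings


def sample_response(issuer_under_status=False):
    """Constructed sample (signature omitted).  With issuer_under_status=True the
    Response-level Issuer is placed inside samlp:Status, reproducing the mistake
    diagnosed in this thread."""
    issuer = "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"
    ID="_constructed-response" Version="2.0" IssueInstant="2009-11-19T13:50:17.000Z">
  %s
  <samlp:Status>
    %s
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2009-11-19T13:50:17.000Z">
    %s
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2009-11-19T13:45:17.000Z" NotOnOrAfter="2009-11-19T13:55:17.000Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"],
                        "" if issuer_under_status else issuer,
                        issuer if issuer_under_status else "",
                        issuer)


if __name__ == "__main__":
    # The two clock values are the ones quoted in the validator output above.
    idp_clock = parse_instant("2009-11-19T13:50:17.000Z")
    local_clock_taken_as_utc = parse_instant("2009-11-19T18:50:45.721Z")
    print(check_response(sample_response(), idp_clock))                             # []
    print(check_response(sample_response(), local_clock_taken_as_utc))              # window + expiry findings
    print(check_response(sample_response(issuer_under_status=True), idp_clock))     # ['No issuer found in response']
```

parse_instant refuses a timestamp without a zone, which is the cheapest guard against the local-time mistake above; feed it a `now` built from `datetime.now(timezone.utc)` in real use. The Issuer lookup is deliberately one level deep, so the misplaced Issuer is reported the same way the validator reported it, and because ElementTree matches on the namespace URI a default-namespace Issuer is found just like a prefixed one.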

pascale

Hi,

I implemented an IdP and got an assertion validated by the SF validator.
However, the SSO is failing and I do not see any entry in the SF history log.

The user ID is in the NameID subject, and the assertion contains the SF user ID.

I am stuck and have no idea what is wrong.
Could anyone help?

 

Here is my response sent to SF:

 

 

<samlp:Response ID="pnnghnibpedbndgfkagjfmiicfbdafpchddgigbb" IssueInstant="2009-11-29T09:02:55.434Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>http://localhost:8080/mysso</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="aedigjaallddnijhgkdjebfhhdajdgapkjfinkip" IssueInstant="2009-11-29T09:02:55.434Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>http://localhost:8080/mysso</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <Reference URI="#aedigjaallddnijhgkdjebfhhdajdgapkjfinkip">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>V72vwxasvpeYBnXvC9d7Bavyv4w=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>LAvgxiuaTufMkT3jxkHNyJaSPIceI+bA1bHorL8MGmYA7TS6tLhGhg==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>
MIID3DCCA5ygAwIBAgIJAKV7na9zMHlIMAkGByqGSM44BAMwgakxCzAJBgNVBAYTAkFUMRMwEQYD
VQQIEwpTb21lLVN0YXRlMQ8wDQYDVQQHEwZWaWVubmExHjAcBgNVBAoTFVBhcml0eSBDb21tdW5p
Y2F0aW9uczEQMA4GA1UECxMHSGlnZ2luczEZMBcGA1UEAxMQTWFya3VzIFNhYmFkZWxsbzEnMCUG
CSqGSIb3DQEJARYYbXNhYmFkZWxsb0BwYXJpdHlpbmMubmV0MB4XDTA3MTEwNDA2NTQwM1oXDTEw
MTEwMzA2NTQwM1owgakxCzAJBgNVBAYTAkFUMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ8wDQYDVQQH
EwZWaWVubmExHjAcBgNVBAoTFVBhcml0eSBDb21tdW5pY2F0aW9uczEQMA4GA1UECxMHSGlnZ2lu
czEZMBcGA1UEAxMQTWFya3VzIFNhYmFkZWxsbzEnMCUGCSqGSIb3DQEJARYYbXNhYmFkZWxsb0Bw
YXJpdHlpbmMubmV0MIHwMIGoBgcqhkjOOAQBMIGcAkEAnGbDS2akXDlfOO6XN3tgwHom37exdk2r
nWxvVIk2OOBCwQCZO/oODk5+jgRG83Wo2cxUSLZBrv9ANyGyk/UvJwIVAJ0Pm3KaN8wSsixfdzs6
4ak9t12bAkANy++f7+t+Fhf4Rz3J1WUkPmEaFTmd0WKo+zloX1pAANziva2E8cfsfx4czHf68lzS
t9yPj3Jr8bjoXVFzAM2pA0MAAkBQfm3P97adZHsZ/Fqj+o2oqkr++AmkxvkSXMYwGuS/HM60ufdc
IL+cX3TDsn9Jo+olz1R1sDj7CbalU7ocStk4o4IBEjCCAQ4wHQYDVR0OBBYEFGXnXfkuwsWmfjj2
6JUMVsFJjVnNMIHeBgNVHSMEgdYwgdOAFGXnXfkuwsWmfjj26JUMVsFJjVnNoYGvpIGsMIGpMQsw
CQYDVQQGEwJBVDETMBEGA1UECBMKU29tZS1TdGF0ZTEPMA0GA1UEBxMGVmllbm5hMR4wHAYDVQQK
ExVQYXJpdHkgQ29tbXVuaWNhdGlvbnMxEDAOBgNVBAsTB0hpZ2dpbnMxGTAXBgNVBAMTEE1hcmt1
cyBTYWJhZGVsbG8xJzAlBgkqhkiG9w0BCQEWGG1zYWJhZGVsbG9AcGFyaXR5aW5jLm5ldIIJAKV7
na9zMHlIMAwGA1UdEwQFMAMBAf8wCQYHKoZIzjgEAwMvADAsAhRoLHrRLGMgsloroOidzKGE25GA
qAIUOR5n5Wdm6ioo/9Vo2mDAm4nQBEE=
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testpb@test.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-11-30T09:02:55.434Z" Recipient="https://login.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-11-29T09:02:55.434Z" NotOnOrAfter="2009-11-30T09:02:55.434Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2009-11-29T09:02:55.434Z" SessionIndex="aedigjaallddnijhgkdjebfhhdajdgapkjfinkip">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
jonglee

Did you get it resolved? I saw you have the following login history entry:

11/30/2009 9:04:33 AM PST | MASK IP Address | SAML Idp Initiated SSO | Success | Firefox 3.5 | WinXP | Unknown | N/A | N/A | N/A

 

 

thanks 

Jong Lee

Salesforce.com 

pascale

Yes, I finally got it to work. Thanks a lot for asking.

My project only needs the IdP initiating the SSO...

I'm curious how SP-initiated SSO works.

How does SF know about the IdP to make the auth request? Does the user have to click on a specific SF URL in order to initiate the SSO from SF?

 

--Pascale

jonglee

That's correct. After the IdP-init SSO, you can go to the SFDC URL (a bookmark or something); in this case, we will post an AuthnRequest to the IdP to initiate the SAML login instead of the normal redirect to the login page.

 

 

thanks
Jong

pascale

Thank you John...

I've got SAML 2 checked on Salesforce. The IdP-initiated SSO is working fine.

However, I still don't understand when SF should and can initiate the SSO.

When I access an SF page directly (login page or bookmark), I am prompted with the SF login page. It is what I want!

But I'd like to make sure SF will not go back to my IdP for authentication.

I don't understand how SF knows about my IdP, and when and how it will initiate a POST SAMLRequest to my IdP, while I just post an SF direct-access URL and SF does not know my identity yet.

In my context, I'd like to avoid this behaviour where SF initiates the SSO.

 

Many thanks,

--pascale

jonglee

Once you have done IdP-init SSO, we set some cookies in your browser, so the next time you click an SFDC link, based on the cookie values, we generate a SAMLRequest and send it to your IdP. See our docs on the use of the ssostartpage and logouturl attributes of your SAML 2.0 assertion. That's done automatically without any configuration. Unfortunately that does not support what you want -- only do IdP-init SSO, but use username/password login if starting from the SP.

 

thanks

Jong 

pascale

Thank you.

So you are saying that as long as SAML 2.0 is enabled on Salesforce, it won't be possible anymore to log in through Salesforce from the username/password login page? And Salesforce will automatically call the IdP login page. The authentication process always has to be on the IdP side? Is that correct?

However, in my tests, although my user setting enables SAML 2.0, the user can still log in from the Salesforce login page and access it directly.

Do you know if SAML 1.0 does what I want: IdP-init SSO only, and let the user access the SF login page if he wishes?

 

Many thanks for your help

--pascale

 

 

 

jonglee

No, that's not what I meant. What I am saying is, once you use SAML 2.0, if you click a link from a bookmark, we automatically generate a SAMLRequest and send it to the IdP instead of redirecting to the login page. For SAML 1.1, if you don't specify ssostartpage (again, see the SAML doc), we should just redirect to the login page; if you set that, we then redirect to the ssostartpage value you specify. So yeah, it seems our SAML 1.1 impl supports your use case if you don't specify ssostartpage. Now we can probably evaluate the option of providing a user configuration to control whether we do SP-init SSO for SAML 2.

 

thanks

Jong

pascale

Thanks for the fast reply, Jong. It will be nice to have this feature.

I'll do more tests tomorrow.

erk14485

With SAML 2.0 enabled, you can still log in using the salesforce.com login page (username/password).

Also, SP-initiated SSO does not work by default. SFDC will set a cookie to enable SP-init SSO, but only if you send ssoStartPage as part of your Attribute Statement. It needs to point to your IdP login. In my case (using OpenSSO) it was https://sso.domain.com:443/opensso/SSORedirect/metaAlias/idp

 

 

brsanthu

I started to integrate SAML with my sandbox account and am getting the following error:

"Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information."

When I checked the Login History for my account, nothing is there. It just shows the ones I logged in from the Web. Moreover, if I take the assertion and test it using the "Validate SAML" screen, everything is fine. Here is the assertion sent to Salesforce.com.

 

Any help is appreciated.

 

 

<samlp:Response IssueInstant="2010-02-05T02:03:35.496Z" ID="C_VD26qnsLVTiOiuFJMdp3otzj9" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ssod2.autodesk.com/saml2</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion Version="2.0" IssueInstant="2010-02-05T02:03:35.497Z" ID="xiD8Huwg43fj_Gowg3fm1.XDfdY" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://ssod2.autodesk.com/saml2</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#xiD8Huwg43fj_Gowg3fm1.XDfdY">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>mhFJJotNlKPT7QKtuEkFmhE94AA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
bvHZCxz4prH9wSzcKQcNGJB9Ay6d9B4f1+SfAbo78CCGwqNoiqsgxGZO0phnnqpx0TwLzzlI0PeD
UQlkOstIsmziiSn3ROSzImPFCwEDsIujNFD3ADjjXeI14xqwRvHUNgdB53ixBdMD4y0I7KlJDdxe
i7PDehgsP+lndiYtAvs=
</ds:SignatureValue>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">112810189166834</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2010-02-05T02:07:35.498Z" Recipient="https://login.salesforce.com/?saml=EK03Almz90oQobVSWkhHqhYgmgLUqLsETAYULuFkcIcblzVUyt0fGISBp5"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2010-02-05T02:07:35.498Z" NotBefore="2010-02-05T02:02:35.498Z">
<saml:AudienceRestriction>
<saml:Audience>https://saml.salesforce.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2010-02-05T02:03:35.497Z" SessionIndex="xiD8Huwg43fj_Gowg3fm1.XDfdY">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="GUID">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">112810189166834</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="logoutURL">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://www.autodesk.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EMAIL">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">adsk1234santhosh@autodesk.comaa</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="ssoStartPage">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">https://ssod2.autodesk.com/idp/startSSO.ping?PartnerSpId=https://saml.salesforce.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

 


 

jonglee

If your SAML login does not show up in the login history, typically it's a problem mapping your SAML assertion to a valid SFDC user. You are setting "112810189166834" in the subject, and your recipient URL in the SAML assertion is "https://login.salesforce.com/?saml=EK03Almz90oQobVSWkhHqhYgmgLUqLsETAYULuFkcIcblzVUyt0fGISBp5", which means you are using Federation ID as the subject mapping. Please make sure your SFDC user's Federation ID field is set to "112810189166834".

For testing purposes, change your subject mapping to username and use your SFDC username in the subject to see if you can get that to work.

 

 

thanks

Jong Lee 

jonglee

You are right.  We need to know where to post the SAMLRequest before we can initiate the SP login.  That's why we need the "ssostartpage" attribute.  I think we document this already.

 

thanks

Jong Lee

Salesforce.com 

brsanthu

Thank you Mr Lee for the response.

I have specified that SF should look for Federation ID, and that ID is coming as an attribute GUID (as below), and I am specifying the GUID as part of the assertion.

 

Santhosh.

 

brsanthu

Never mind, it was indeed the problem. I had specified Federation ID as email but was sending GUID. I updated the user with GUID and it worked like a charm.

 

Truth be told, Salesforce SAML is one of the easiest I have ever configured :)

 

jonglee

awesome! 

 

thanks

Jong 

Expo

Jong, in one of your earlier postings (View Message 106) you had mentioned that Salesforce.com supports SP-initiated POST from Summer Release 2009. Can you let us know if there is any more detailed document or information on this?

Also, does Salesforce.com support RelayState in IdP POST?

 

Thanks in advance

Expo

Jong Lee,

We have another query as well; our scenario is given below.

Identity Provider 1 single signs on into SP (Salesforce.com)

Identity Provider 2 single signs on into SP (Salesforce.com)

IDP1 and IDP2 establish a relationship with each other and IDP2 users are created in IDP1.

So essentially the user could log in to either IDP1 or IDP2 and should access the same SP instance/data.

It is the case of the same user coming from multiple IdPs accessing one SP.

Does Salesforce support this scenario?

 

 

jonglee

General doc on Salesforce SAML setup:

 

https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=sso_saml.htm&loc=help&hash=topic-title

 

Yes, we support RelayState in IDP post and use that as the landing page after logged in.

 

 

thanks

Jong Lee

Salesforce.com 

jonglee

Salesforce.com (SP) does not care how users are created in IdPs, as long as the IdP user can be mapped to the SFDC user using username or federation ID and the SAML assertion is validated against the settings, i.e. issuer, ACS URL, signing cert, etc.

 

 

thanks

Jong 

Expo

Jonglee

 

As always thanks for the reply, we tried the Relaystate in IDP post, but for some reason it was not working. We were always landing on the home page.

 

Any idea as to what would be causing this issue, also if you could provide us an example of an assertion with relaystate post it would be useful.

 

Regards

 

jonglee
RelayState is a POST param that should be sent in with the SAMLResponse. Did you try a relative or absolute path? It shouldn't matter.
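As Jong says, RelayState is just a second form field posted alongside SAMLResponse in the HTTP-POST binding. The Python below is an added example, not Salesforce's or any poster's code: it builds those two fields on the IdP side, decodes them on the receiving side, and decides whether the RelayState may be used as the landing page. The host ap1.salesforce.com and the path /i09997877fn are taken from Expo's post further down, the 80-byte RelayState limit is the SAML 2.0 Bindings specification's, and the default landing page /home is constructed.

```python
"""HTTP-POST binding fields for an IdP-initiated response with RelayState, and the
checks a receiving side applies before using RelayState as the landing page.
Added example (not Salesforce code); URLs other than the one quoted in the
thread are constructed."""
import base64
from urllib.parse import urlsplit

RELAY_STATE_MAX_BYTES = 80   # SAML 2.0 Bindings: RelayState MUST NOT exceed 80 bytes


def build_post_fields(saml_response_xml, relay_state=None):
    """IdP side: the two fields the auto-submit form posts to the ACS URL."""
    fields = {"SAMLResponse": base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
            raise ValueError("RelayState exceeds %d bytes" % RELAY_STATE_MAX_BYTES)
        fields["RelayState"] = relay_state
    return fields


def decode_post_fields(fields):
    """Receiving side: strict base64 decode of SAMLResponse (junk characters are
    rejected rather than silently dropped); returns (xml_text, relay_state_or_None)."""
    raw = base64.b64decode(fields["SAMLResponse"], validate=True)
    return raw.decode("utf-8"), fields.get("RelayState")


def landing_page(relay_state, sp_host, default="/home"):
    """Pick the post-login page.  A relative path and an absolute https URL on the SP's
    own host resolve to the same place (so, as Jong says, it shouldn't matter which
    the IdP sends); anything else, or no RelayState, falls back to the default so the
    field cannot be used to send the browser off-site."""
    if not relay_state or len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
        return default
    parts = urlsplit(relay_state)
    query = "?" + parts.query if parts.query else ""
    # Relative path on this SP: a single leading "/".  "//host/..." is scheme-relative,
    # i.e. another host, and has a netloc, so it fails this branch.
    if not parts.scheme and not parts.netloc and relay_state.startswith("/") and not relay_state.startswith("//"):
        return parts.path + query
    # Absolute URL: only https on the SP's own host is accepted.
    if parts.scheme == "https" and parts.hostname == sp_host.lower():
        return (parts.path or "/") + query
    return default


if __name__ == "__main__":
    fields = build_post_fields("<samlp:Response/>", "https://ap1.salesforce.com/i09997877fn")
    xml_text, relay_state = decode_post_fields(fields)
    print(landing_page(relay_state, "ap1.salesforce.com"))        # /i09997877fn
    print(landing_page("/i09997877fn", "ap1.salesforce.com"))     # /i09997877fn
    print(landing_page("https://other.example/x", "ap1.salesforce.com"))  # /home
```

The receiving side never trusts RelayState on its own: it is unsigned and arrives in the same POST as the response, so it is treated purely as a same-site path hint, and the response itself still has to pass signature, issuer, audience and timestamp validation before any redirect happens.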
Expo

Jong

 

We did add the RelayState as a POST param and used the absolute path. For example https://ap1.salesforce.com/i09997877fn

Expo

Jonglee,

Thanks for your valuable inputs; we were able to access the page using the RelayState parameter.

Apparently some additional parameters were causing some issues. Once we removed them we were able to SSO to the relevant page.

The link that you provided for SP SSO does not provide detailed info for SP-initiated SSO, although it does have information for IdP.

Can you provide us the steps for performing an SP POST with Salesforce? For example:

From where we could download the public cert for Salesforce

The URL that will challenge the IdP for the AuthnRequest, etc.

 

Thanks in advance

 

 

 

 

jonglee

SP-init SSO happens automatically when you try to access a protected resource without a session, if you define ssostartpage in the Assertion attribute:

 

see https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=sso_saml_idp_values.htm&loc=help&hash=d644124e367

 

The following is an example of an <AttributeStatement> for SAML 2.0 that contains both ssoStartPage and logoutURL:

<saml:AttributeStatement>
<saml:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">
http://www.customer.org
</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
https://www.salesforce.com
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>

 

 

 

To download outbound SAMLRequest signing cert:

 

https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=dev_wsdl.htm&loc=help&hash=topic-title

 

Optionally, you can download a certificate to authenticate Salesforce.com clients. Click Setup | Develop | API, and on the WSDL Download page, right-click Download Client Certificate and save it to an appropriate location. You can then import the downloaded certificate into your application server, and configure your application server to request the client certificate.
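Two things this thread keeps coming back to are how the Subject is mapped to an SFDC user (Jong's reply further up on Federation ID versus username, and the GUID mismatch that followed) and how ssoStartPage and logoutURL travel in the AttributeStatement shown just above. The block below is an added Python example, not Salesforce's or any poster's code: it reads the NameID and the attributes out of a response and resolves the user against a constructed user table. The issuer, the user names and the URLs are constructed (the federation ID 112810189166834 is the value quoted in the thread), and rejecting a non-https ssoStartPage is this example's own defensive choice rather than a documented Salesforce rule.

```python
"""Map a SAML 2.0 response to an SFDC user and read the ssoStartPage / logoutURL
attributes.  Added example, not Salesforce's code; the user table, issuer and
sample response are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed user table: SFDC username -> Federation ID field.  The first
# federation id is the value quoted in the thread above.
USERS = {
    "santhosh@example.com": "112810189166834",
    "greg@example.com": "fed-0002",
}


def subject_name_id(xml_text):
    """Text of Assertion/Subject/NameID.  Matching is by namespace URI, so a
    prefixed (saml:) and a default-namespace assertion both work."""
    node = ET.fromstring(xml_text).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def attributes(xml_text):
    """AttributeStatement contents as {Name: [values]}, whitespace stripped because
    the doc sample above puts each value on its own line."""
    out = {}
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def resolve_user(xml_text, mapping, users=USERS):
    """mapping is the org's subject-mapping setting: 'username' or 'federation_id'.
    Returns the SFDC username, or None when nothing matches (the silent failure that
    left no login-history entry in the thread)."""
    name_id = subject_name_id(xml_text)
    if mapping == "username":
        return name_id if name_id in users else None
    if mapping == "federation_id":
        matches = [u for u, fid in users.items() if fid == name_id]
        return matches[0] if len(matches) == 1 else None   # a federation id must be unique
    raise ValueError("unknown subject mapping %r" % mapping)


def sso_start_page(xml_text):
    """Return ssoStartPage only when it is a single absolute https URL.  The SP will
    redirect browsers there for SP-initiated SSO, so this example (its own choice,
    not a Salesforce rule) rejects http and relative values."""
    values = attributes(xml_text).get("ssoStartPage", [])
    if len(values) != 1:
        return None
    parts = urlsplit(values[0])
    return values[0] if parts.scheme == "https" and parts.netloc else None


def sample_response(name_id, start_page="https://idp.example.com/idp/startSSO"):
    """Constructed sample carrying the attribute names from the doc snippet above."""
    return """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"
    ID="_constructed-response" Version="2.0" IssueInstant="2010-02-05T02:03:35Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2010-02-05T02:03:35Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">%s</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>
          %s
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://www.example.com/signed-out</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], name_id, start_page)


if __name__ == "__main__":
    print(resolve_user(sample_response("112810189166834"), "federation_id"))  # santhosh@example.com
    print(resolve_user(sample_response("112810189166834"), "username"))       # None: the mismatch in the thread
    print(sso_start_page(sample_response("x")))                              # https://idp.example.com/idp/startSSO
```

The `username` branch of resolve_user with a GUID in the NameID returns None, which is the silent "no login history entry" symptom brsanthu hit until the Federation ID field was set to the same value; the `federation_id` branch also refuses an ambiguous match, since two users sharing a federation ID would otherwise let one assertion log in as either.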

 

Expo

Jonglee,

Below is the sequence of steps for an SP-initiated SSO:

a) User logs into IdP (say Amazon.com)

b) User clicks on a protected resource in SP (Salesforce.com)

c) According to the SAML 2.0 web browser specification, the SP-initiated SSO message flow should start with the SP sending the AuthnRequest to the IdP (in this case Salesforce.com should challenge Amazon.com with an AuthnRequest)

We do not see any document detailing these steps in Salesforce, nor is it clear how Salesforce.com sends the AuthnRequest.

In one of the earlier posts a contributor quoted the below:

"For SalesForce, is it required to send an assertion with an attribute statement containing ssoStartpage and logoutURL first? As I understand, only then is SF sending the AuthnRequest using SAML POST binding and following the message flow depicted in the specification. Is this complete sequence of actions always required when a user logs into SalesForce?

I am concerned about how SP-initiated SSO works for SalesForce. It seems like they have a different approach than other service providers who support SSO (e.g. Google Apps)."

Is the above statement correct? If yes, then it does not seem to be the standard way of doing SP-initiated SSO and looks more like an IdP POST.

 

Message Edited by Expo on 02-10-2010 06:02 AM
chuckmortimore

Hi Expo...

SP-initiated SAML with Salesforce is a tad odd at the moment. Let me see if I can explain the background, best practice, and where we are going....

The main difficulty with SP-initiated SAML has to do with the way our multi-tenancy works. At the moment, all customers have the same URL (at least per instance). It is only after a user logs into the system that we are able to determine their Org, and hence any unique configuration for that Org.

While this approach works well for many use cases, it does make it difficult to tie Organization-specific behavior to unauthenticated requests. In other words, when a request comes into our system, if it doesn't yet have a session, we can't tell what customer it belongs to, and hence can't redirect the request to the appropriate SP.

The way we currently solve this is by setting a cookie in the user's browser. If you show up to the system and have this cookie set, we'll redirect you to the appropriate SP.

Unfortunately, given the way that cookies work, we have to set the cookie from a response in the salesforce.com domain... it's not possible for customers to set this cookie directly. We currently accept the values for the cookie in SAML assertions (for SAML 2.0), and then set the cookie on behalf of the customer.

What this means is that in order for SP-initiated SAML to work with our system, the user must have gone through IdP-initiated SSO at least once, in order to get this cookie. That actually works well for a lot of use cases - for instance, a user might initially access Salesforce via a link on their Intranet, which sends them via IdP-initiated SAML.... this sets the cookie. During that session they might bookmark something. Later, when they access that bookmark, SP-initiated SAML can work, as the cookie has been set.

So - current best practice is to always send the ssoStartPage in your assertions, and try to make sure users go through IdP-initiated SSO the first time they access Salesforce.

All that said, we recognize that this is not perfect, and are working to improve. In the Spring 10 release, there is a new capability being rolled out that allows customers to have unique URLs, for instance https://Company.my.salesforce.com. Once this is available, we'll be working on tying per-org SSO behaviors to these URLs, so SP-initiated auth can work in a more conventional manner.

Hope this is useful for you.

 

Hope this is useful for you.

 

 

Expo

Hi Chuck,

 

Thanks for the clarification, we look forward to the Spring 2010 release.

 

 

chuckmortimore

Hi Expo - thanks - we're excited about Spring 10.

Please keep in mind that Spring 10 only releases the basic capability we need to support this feature, "Custom Domains". Spring 10 will not yet introduce the SP-initiated feature you're looking for. However, with that dependency released, we'll be working hard on adding these in the future.

blomquisg

Hi Chuck,

 

This information was very useful!  Thanks for posting it.  I've been looking around for quite a while on what it takes to get SP initiated SSO working, and this provided me with the right details.

 

---

 Greg 

blomquisg

Hi Chuck,

What is the current strategy for dealing with users that have multiple accounts in SalesForce and allowing for SP-initiated SSO?

For instance, we are developing a Partner Relationship Management system for our business partners. This means that they'll have a user profile for our partner accounts. Some of those same partners might use SalesForce for their internal sales pipeline management. This means that an employee of that business partner will have two SalesForce logins (one to get to their sales management account, and one to get to their business partner account).

If the ssostartpage cookie is set in their browser to redirect to our authentication page, they will not be able to authenticate as their sales management account user.

How can we avoid this situation?

Is this something that simply has to wait for customized URLs (and eventually the underpinnings that allow for configuring SP-initiated SSO)?

 

Thanks Chuck!

 

----

 Greg 

chuckmortimore

Hi Greg...

Multi-org scenarios are definitely tricky. There is currently only one cookie that controls SP-initiated SSO per instance, so there will be difficulty with overlap. If your Salesforce orgs are on the same instance (NA1 for example), the last account they log in as would overwrite the cookie. If your orgs are on different instances (NA1 and NA6 for example) then it would work properly.

This should be sorted out once we get these domain-dependent features in place.

A short-term workaround might be to ask your users which account they want before sending the SAML message, but it would take some web development on your side for sure.

blomquisg

Chuck,

 

Once again, thanks very much for the information.  We'll have to determine how important SP-Initiated SSO is at this point before moving forward.

 

----

 Greg 

 

 

Expo

Chuck / Jong,

A user can log in to Salesforce.com through any of the options listed below:

a) By accessing the login page (login.salesforce.com)

b) Federated Authn (using SAML or SP)

c) Delegated Authn

Can a user log in through all the above options without any limitations, or does Salesforce.com place certain restrictions? For example: if SSO is enabled for a user profile, does Salesforce.com allow access through the login page and Federated Authn?

 

Thanks in advance

 

 

chuckmortimore

Hi Expo

 

SAML, if enabled, may always be used for an org.     

 

If Delegated Authentication is enabled, it will handle ALL logins to the system that are done with a userid / password.   That includes Login Page, Portal Logins, Site Logins, and API Logins

 

So, you can do:

 

1) Just Login

2) SAML and Login Pages

3) SAML and Delegated Auth

4) Just Delegated Auth

 

Just SAML is not currently an option.

 

 

Expo

Hi Chuck,

Thanks for your reply.

As per the documentation on your website, which is quoted below, it mentions tokens and passwords:

"You can configure the Salesforce.com delegated authentication authority to allow only tokens or to accept either tokens or passwords. If the authority only accepts tokens, a Salesforce.com user cannot log in to Salesforce.com directly, because they cannot create a valid token. However, many companies choose to allow both tokens and passwords. In this environment, a user could still log in to Salesforce.com through the login page."

How exactly does this work? How can we allow tokens and passwords?

With SSO enabled, I don't think I can enter my normal Salesforce.com password, which would mean that I provide my corporate password when logging in directly through login.salesforce.com. Is my understanding correct?

 

Thanks in advance

Message Edited by Expo on 03-01-2010 05:40 AM
chuckmortimore

Hey Expo..

I believe all this is saying is that when you implement a Delegated Authentication endpoint, you could choose to have this endpoint accept both tokens and passwords. The implementation of this is really up to you. Here's an example though:

1) On your intranet, you'd have a link to a piece of code which generates a cryptographically secured token of some kind. SAML, some encrypted string, some hash.... something that is secure and can verify the identity of the user.

2) You'd also implement a delegated authentication endpoint that knows how to verify both these tokens as well as a regular password. It would have to determine which this is based upon the structure of the token - for instance, all your tokens could be XML (which the passwords wouldn't be) or could look like TOKEN:<some string here>

When users click on the single sign-on link from #1, a token gets generated and passed over to our system, which passes it back to your delegated auth endpoint. You'd notice this is a token, and not a password, and verify accordingly. If a user came direct to the system, then you'd verify the credential as a password.

More detail here:

http://wiki.developerforce.com/index.php/How_to_Implement_Single_Sign-On_with_Force.com

Also, SAML is of course an option that can be used for web SSO as well:

http://wiki.developerforce.com/index.php/Single_Sign-On_with_SAML_on_Force.com
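The split endpoint Chuck sketches in steps 1 and 2 (a token minted on the intranet, an endpoint that verifies either that token or a plain password, telling the two apart by their shape) is shown below as an added Python example. It is not Salesforce's code nor any customer's delegated-authentication implementation; the TOKEN: prefix follows Chuck's suggestion, while the HMAC-signed token format, the shared key, the PBKDF2 password store and the user names are constructed for the example.

```python
"""A delegated-authentication endpoint that accepts either a signed SSO token or
a password, dispatching on the credential's shape.  Added example, not
Salesforce's or any customer's code: the TOKEN: prefix is Chuck's suggestion;
the token format, key and user table are constructed."""
import base64
import hashlib
import hmac
import json
import os
import time

TOKEN_PREFIX = "TOKEN:"
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def make_user(password, iterations=200_000):
    """User-store record: salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def issue_token(username, key, now=None, ttl_seconds=120):
    """Intranet side (Chuck's step 1): a short-lived token bound to the user.
    Payload is JSON claims; the MAC over them is appended before base64 encoding."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + ttl_seconds, "nonce": os.urandom(8).hex()}
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return TOKEN_PREFIX + base64.urlsafe_b64encode(payload + mac).decode("ascii")


def verify_token(username, token, key, now=None):
    """Endpoint side: check the MAC in constant time, then the subject and expiry."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token[len(TOKEN_PREFIX):])
    except ValueError:            # binascii.Error is a ValueError
        return False
    if len(raw) <= MAC_LEN:
        return False
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), mac):
        return False
    claims = json.loads(payload)
    return claims.get("sub") == username and now < claims.get("exp", 0)


def verify_password(username, password, users):
    """Endpoint side: regular password check against the PBKDF2 record."""
    rec = users.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


def authenticate(username, credential, key, users, now=None):
    """What the delegated-auth endpoint does with the posted username and password
    field (Chuck's step 2): tokens are recognised by their prefix, everything else
    is treated as a password."""
    if credential.startswith(TOKEN_PREFIX):
        return verify_token(username, credential, key, now)
    return verify_password(username, credential, users)


if __name__ == "__main__":
    key = b"constructed-shared-secret"            # would come from a secrets store
    users = {"alice": make_user("correct horse battery staple")}
    token = issue_token("alice", key)
    print(authenticate("alice", token, key, users))                          # True
    print(authenticate("alice", "correct horse battery staple", key, users))  # True
    print(authenticate("alice", "wrong", key, users))                         # False
```

The token carries the subject and an expiry and is checked with a constant-time MAC comparison, so a token minted for one user cannot be presented as another and an old one stops working after its TTL. A production endpoint would additionally remember seen nonces for the TTL so the same token cannot be submitted twice, and would rate-limit the password branch like any login form.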

 

imalinker

The Salesforce SAML Response validator exposes these deficiencies with our POST.

 

12. Validating the Signature
  Is the response signed? true
  Is the correct certificate supplied in the keyinfo? true
  Signature or certificate problems
  The signature in the response is not valid
  Is the assertion signed? fals

 

 Here is the decoded content:

 

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="bdlkoaidmhchonpniicnmiigmaajiaijinomdljn" IssueInstant="2010-03-12T16:12:35.393Z"
    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        https://xifin.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#bdlkoaidmhchonpniicnmiigmaajiaijinomdljn">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                            PrefixList="ds saml samlp" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>B3EcTl2HeuGzWPtpcEqwvSXoybc=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            f9cLtayEDr+o7oXIx/HyqCeSYZGI2LXvoS3sfESdf8TpLifRY+YoC8VlBSdZRHukXNhkYp9xGfMU
            v/jj7l9v6ThXGlYQ5eFYipjhXse43KPJYgJ3UxqNVLWbbDPn4IZlDbxyv2rJPwURC42B5EHT3r0f
            sfcX/LfwMzvlC3C8+3U=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIIC+TCCAmKgAwIBAgIJANSUf/OPERfdMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
                    VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEChMLWGlmaW4sIElu
                    Yy4xFDASBgNVBAsTC0VuZ2luZWVyaW5nMRYwFAYDVQQDEw13d3cueGlmaW4uY29t
                    MSMwIQYJKoZIhvcNAQkBFhRwb3N0bWFzdGVyQHhpZmluLmNvbTAeFw0wOTA3MjIy
                    MjI0MDFaFw0xMDA3MjIyMjI0MDFaMHQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
                    YWxpZm9ybmlhMRQwEgYDVQQKEwtYaWZpbiwgSW5jLjEUMBIGA1UECxMLRW5naW5l
                    ZXJpbmcxJDAiBgNVBAMTG3hpZmluLWFsaW5rZXIubWJhLnhpZmluLmNvbTCBnzAN
                    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgDbPkTucIVUBz8JOWWNyu4OvTNNXH6ws
                    KRgkASJ9EGLb80k8wXo14Fk7zCr0wPVEA+es3rjTKIo78DZnXuhVADY1g3opx61/
                    3/dhiBf3omO5H9nogTnrVGuNyEEWHbQBj3Wy1xFNxhBd7OKt+/ngOcXzY/lGtNYa
                    w0ojNGZzS50CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
                    blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFb3ETnOVxytGFfn
                    jgFbd+yTjAnUMB8GA1UdIwQYMBaAFJAn3xVxfpJdtTmM+wSjsDCyyCrOMA0GCSqG
                    SIb3DQEBBQUAA4GBAGGUiQQxPIt8/h5PCGLmAmH+VD9Hi2crtxs7bHDdRdKiKzjW
                    +AQHaVDuJbQr3QZy1Pqq7xbM4vCvUJzR2I5coAjEc1CaEVWmpYvlgTfuVSByXb1A
                    JCyG123J05xA/+kfVfvZ1NyNM2G1G1DOgPbnzVCztbJtpSQqymQTu9ndhbQO
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="gmijolpbffdjkebaciaigdampeojioocolbcfgna" IssueInstant="2010-03-12T16:12:35.596Z"
        Version="2.0">
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
            https://xifin.com</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                sed_alinker</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData
                    NotOnOrAfter="2010-03-12T16:12:35.596Z"
                    Recipient="https://cs3.salesforce.com/?saml=02HKiPoin4X5uFW25YtDLo.9NGZZ5YafDc9cY_W4m1uxofESECaN0T8J1t" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2010-03-12T16:12:35.596Z"
            NotOnOrAfter="2010-03-12T16:17:35.596Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://saml.salesforce.com
                </saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2010-03-12T16:12:35.596Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="portal_id">
                <saml:AttributeValue>06030000000Mvaa
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="organization_id">
                <saml:AttributeValue>00DQ0000000A9DP
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="ssoStartPage">
                <saml:AttributeValue>https://Xifin-alinker.mba.xifin.com/cas/login
                </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="logoutURL">
                <saml:AttributeValue>https://Xifin-alinker.mba.xifin.com/cas/logout
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

 

Is there a Subject Matter Expert available to troubleshoot the error?  I do not see the fault and thought another's insight might help.

 

- Thanks

chuckmortimorechuckmortimore

It's very difficult to tell what the issue might be from just looking at it.   Everything looks pretty good by eyeballing it.   Often times when we see this error, and you're using the correct private key ( it appears you are since the cert provided in keyinfo matches your configuration ) it comes down to canonicalization.   What are you using for your software?    If you're writing this yourself, are you using an existing c14n library?

 

jongleejonglee

Please make sure you are using the right key-pair, also if you pass the certificate in the assertion, the SAML validator will also compare that with the cert in your org settings.

 

Jong Lee

Salesforce.com 

imalinkerimalinker

Thanks for the reply.

 

Your assumption is correct.  The response is hand-coded using opensaml v. 2.3.2.  The c14n implementation package is com.sun.org.apache.xml.internal.security.c14n.

chuckmortimorechuckmortimore

As Jong points out, we often see the wrong keypair being used, but your cert does seem to match, so chances are that's not it.    Double check though

 

My only other suggestion would be to try and validate it yourself using opensaml - that may give you a better idea of what is wrong.

imalinkerimalinker

We resolved our signature issue and are now confronted with a problem similar to that detailed by member EXPO last year, for which no solution is posted, i.e., Assertion Validation succeeds but access is denied. 

 

The current error message is "Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information."  There is no record of the login attempts in the Login History view.

 

We are using a sandbox for testing and the copy is configured for: 

Salesforce User Id Type = Federation  ID

SAML User ID Location = Subject

 

Here is the posted Response:

 

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo" IssueInstant="2010-03-16T22:19:41.535Z"
    Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://xifin.com</saml2:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>k+3/NhelbXPHnfO0irTZWTnP354=
                </DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
            ZUvHPz3tSWr141TWMr4tcV8ieYDfEVrzGXLoj+iiIMG6HuNnj174jhThr+4pETR46cdh/4pg1FsE
            Fjcb5Otbc1JW/i6S/IOj2xGMAtjkwNNYdSz6d+mSGePlE0gcLES2zrtlz7PMm5FLY8kd+6bpx7Gy
            sho707GPr88mvUEUzvc=</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
                    MIIC+TCCAmKgAwIBAgIJANSUf/OPERfdMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYDVQQGEwJVUzET
                    MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEChMLWGlmaW4sIEluYy4xFDASBgNVBAsTC0VuZ2lu
                    ZWVyaW5nMRYwFAYDVQQDEw13d3cueGlmaW4uY29tMSMwIQYJKoZIhvcNAQkBFhRwb3N0bWFzdGVy
                    QHhpZmluLmNvbTAeFw0wOTA3MjIyMjI0MDFaFw0xMDA3MjIyMjI0MDFaMHQxCzAJBgNVBAYTAlVT
                    MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQKEwtYaWZpbiwgSW5jLjEUMBIGA1UECxMLRW5n
                    aW5lZXJpbmcxJDAiBgNVBAMTG3hpZmluLWFsaW5rZXIubWJhLnhpZmluLmNvbTCBnzANBgkqhkiG
                    9w0BAQEFAAOBjQAwgYkCgYEAgDbPkTucIVUBz8JOWWNyu4OvTNNXH6wsKRgkASJ9EGLb80k8wXo1
                    4Fk7zCr0wPVEA+es3rjTKIo78DZnXuhVADY1g3opx61/3/dhiBf3omO5H9nogTnrVGuNyEEWHbQB
                    j3Wy1xFNxhBd7OKt+/ngOcXzY/lGtNYaw0ojNGZzS50CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglg
                    hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFb3ETnO
                    VxytGFfnjgFbd+yTjAnUMB8GA1UdIwQYMBaAFJAn3xVxfpJdtTmM+wSjsDCyyCrOMA0GCSqGSIb3
                    DQEBBQUAA4GBAGGUiQQxPIt8/h5PCGLmAmH+VD9Hi2crtxs7bHDdRdKiKzjW+AQHaVDuJbQr3QZy
                    1Pqq7xbM4vCvUJzR2I5coAjEc1CaEVWmpYvlgTfuVSByXb1AJCyG123J05xA/+kfVfvZ1NyNM2G1
                    G1DOgPbnzVCztbJtpSQqymQTu9ndhbQO</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="aemgmabeokofllhfljfojlgmmndnjnjkfffggakp" IssueInstant="2010-03-16T22:19:41.535Z"
        Version="2.0">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://xifin.com
        </saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sed_alinker
            </saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData
                    NotOnOrAfter="2010-03-16T22:19:41.535Z"
                    Recipient="https://cs3.salesforce.com/?saml=02HKiPoin4X5uFW25YtDLo.9NGZZ5YafDc9cY_W4m1uxofESECaN0T8J1t" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2010-03-16T22:19:41.535Z"
            NotOnOrAfter="2010-03-16T22:24:41.535Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://saml.salesforce.com
                </saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2010-03-16T22:19:41.535Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
                </saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="portal_id">
                <saml2:AttributeValue>06030000000Mvaa
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="organization_id">
                <saml2:AttributeValue>00DQ0000000A9DP
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="ssoStartPage">
                <saml2:AttributeValue>https://Xifin-alinker.mba.xifin.com/cas/login
                </saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="logoutURL">
                <saml2:AttributeValue>
                    https://Xifin-alinker.mba.xifin.com/cas/logout
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

 

Here is the Validation:

 

Results

 
1. Validating the Status
  Ok
2. Checking that the assertion contains a reference to a user
  Ok
3. Looking for an Authentication Statement
  Ok
4. Looking for a Conditions statement
  Ok
5. Checking that the timestamps in the assertion are valid
  Ok
6. Checking that the Attribute namespace matches, if provided
  Not Provided
7. Miscellaneous format confirmations
  Ok
8. Confirming Issuer matches
  Ok
9. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
10. Checking that the Audience matches, if provided
  Ok
11. Checking the Recipient
  Ok
12. Validating the Signature
  Ok


Subject: sed_alinker

AssertionId: cihmhmjhlejnblhkjhdoflkfoggledfgmacbbpki

 

Do you have any insights on this issue?  Your suggestion to review canonicalization led to resolution of the original validation error.  Our implementation relied on manual signing procedures instead of using the OpenSAML framework factory methods.

 

Thanks 

chuckmortimorechuckmortimore
For this, you should probably file a support case, and get it assigned to the authentication team.   We can take a look in more detail then.
jongleejonglee

Please make sure the federation id is actually mapped to a valid SFDC user.  If not, there will be no login history, which fits what you described.

 

sed_alinker ---> is this mapped to a valid user?

 

thanks

Jong

imalinkerimalinker
OK.  Our site admin opened a ticket this afternoon so I will pursue that track.  Thanks, again.
imalinkerimalinker
Yes.  It is the Federation ID of a valid sandbox user.
imalinkerimalinker
OK, mark this issue solved!  The solution, in our case, was to remove the Attribute elements from the assertion.  The Salesforce user in the test was not a portal user and once we removed those elements the SSO executed successfully.  Application logic must be applied at runtime to determine the SF account type before posting the Response.  Salesforce users must be distinguished from portal users. 
chuckmortimorechuckmortimore

That's correct.  

 

Sorry we didn't call that out earlier. Given that the assertion contained the portal identifiers, I had assumed you were trying to authenticate a portal user...

blomquisgblomquisg

Hi Chuck,

 

We are using the partner portal module to give access to our business partners.  Our tests to date have only involved authenticating non-portal users, and all those tests succeeded.

 

Now that we try with portal users, all our SSO tests are failing.  The portal user has no login history, so I can tell that the SAML response is not matching to the user.  However, when we switch the same federation ID over to a non-portal user, the SSO attempt succeeds.

 

Is there something specific we need to include in the SAML Response that indicates that the SSO attempt is for a portal user?  It looks like the answer is "yes", based on imalinker's post.  However, can you point me to specific documentation on what needs to be included?

 

I really appreciate your help!

 

----

 Greg 

chuckmortimorechuckmortimore

If you look in the partner guide under Enabling Single Sign-On for Portals ( page 538 of the user's guide ) you'll find the following:

In addition to the SAML sign-on information that must be gathered and shared with your identity provider, you must supply your information provider with the Organization ID and the Portal ID. In the SAML assertion that is sent from your identity provider, the portal_id and organization_id must be added as attributes.

So - these need to end up in an Attribute statement in your SAML like this:

        <saml:AttributeStatement>
            <saml:Attribute Name="portal_id">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">060900000004cDk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="organization_id">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00D900000008bX0</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>

imalinkerimalinker

Could you link to the referenced guide?

 

Thanks!

chuckmortimorechuckmortimore

If you go into "help" in your org, there is a link to "printable user guide" in the upper left.

 

In addition, the whole guide is there in HTML.   The page you're looking for is

 

/help/doc/en/sso_portals.htm

 

-cmort

blomquisgblomquisg

Once again, you're a life saver!

 

Thanks Chuck!

 

---

 Greg 

mannsandeepmannsandeep

Hi Chuck or Jonglee,

we are passing assertion encoded in base64 from 3rd party to salesforce and it is failing due to assertion expired.  Can you please check saml xml tags posted below for any correction. I found one thing is that issuer is not matching with certificate setting of salesforce. But why is salesforce not showing an issuer mismatch in place of the assertion expired error status?

 

<samlp:Response ResponseID="_8e75243a-71e9-406b-9017-b36a00baaa12" MajorVersion="1" MinorVersion="1" IssueInstant="2010-04-29T09:54:38Z" Recipient="https://cs5.salesforce.com" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_8e75243a-71e9-406b-9017-b36a00baaa12">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>3uK4lXwzPE4ArKopm8kIFd5B03A=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>S8YrfFaL/ZlTzz9wQYEn3Y4Qh1hBlJUuXct8CtjPoWj7Xu9xgYrHHdxbDC5CSGWmbiDVBprsGZXJAUKk34UsyI99Ltbv2uZFtqj0PrLOk+oi5JP1y8Ske2sdlNCrouAwRki6tUIcMdGO0mzDYHDAUXCC6cU0CivYH1h79ufLlbY=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate><!-- certificate removed --></X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success" />
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_88bbd1df-ad00-44f5-bd77-6c052f8df94c" Issuer="124.124.71.99" IssueInstant="2010-04-29T09:54:37Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2010-04-29T00:54:37Z" NotOnOrAfter="2010-04-30T02:54:37Z" />
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2010-04-29T09:54:37Z">
      <saml:Subject>
        <saml:NameIdentifier>xyz@abc.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_88bbd1df-ad00-44f5-bd77-6c052f8df94c">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>vxTzxN7Y2sKmZlFTlfvp6KQZd+A=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>PXY5PHFcrPoVRnhwICAxkLjHv3MWS0/Oafwcz6uCV3uh5Hlsm4ZcAxyfFvb+wJ9TZvjJiRlvFSk7HsmYFNBQKmeN4jOKmPKHdlbYK3/Z6Eg3Rv6/LkbdSLnb9NSas1yLdirXucZPqpMmb8j7bYkWGkZqv6StFGGGAYw8r7gvgtI=</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate><!-- certificate removed --></X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
  </saml:Assertion>
</samlp:Response>

chuckmortimorechuckmortimore

Did you run this through the SAML validator found on the SSO Settings page?   That should help you determine what is wrong.    If so, perhaps attach a screenshot of the output.  We can't directly debug from just the assertion, as it's only part of the puzzle.  

 

Couple comments:

 

The issuer does not need to match the certificate - it needs to match the issuer that is configured in your SSO settings.

 

As far as expired assertion...are you sure it's not expired?   Perhaps check the clock on your IDP to make sure it is correct...?
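The validator step list posted above and the two points in this reply (issuer compared against the configured value, not the certificate; expiry against the IdP clock), as an added stand-alone example that is not Salesforce's or OpenSAML's code: a minimal SAML 2.0 Response checker on Python's standard library that runs the same steps, including the Reference URI and DigestValue check that canonicalization mistakes break. It assumes stdlib C14N 2.0 in place of the exclusive C14N 1.0 the thread's responses declare, leaves RSA verification of SignedInfo out, and uses a constructed response with made-up IDs, times and the issuer `https://idp.example.com`.

```python
import base64
import copy
import hashlib
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_ts(s):
    """xs:dateTime as SAML writes it ('Z', with or without milliseconds) -> aware datetime."""
    return datetime.fromisoformat(s.strip().replace("Z", "+00:00"))


def enveloped_digest(root):
    """Base64 SHA-1 of `root` canonicalized with its own ds:Signature removed (the
    enveloped-signature transform).  Stdlib C14N 2.0 stands in for exclusive C14N 1.0."""
    work = copy.deepcopy(root)
    sig = work.find("ds:Signature", NS)
    if sig is not None:
        work.remove(sig)
    canon = ET.canonicalize(ET.tostring(work, encoding="unicode"), rewrite_prefixes=True)
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")


def check_response(xml_text, issuer, audience, now, skew=timedelta(minutes=3)):
    """Checks in the order the Salesforce validator lists them; returns {step: bool}.
    `now` is a parameter so a wrong IdP clock shows up as a failed 'timestamps' step.
    RSA verification of SignedInfo is left out (no RSA in the stdlib)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    r = {}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    r["status"] = code is not None and code.get("Value", "").endswith(":Success")
    # strip(): the NameIDs posted in the thread carry a newline and indentation inside the tag
    r["subject"] = a.findtext("saml:Subject/saml:NameID", "", NS).strip() != ""
    r["authn_statement"] = a.find("saml:AuthnStatement", NS) is not None
    cond = a.find("saml:Conditions", NS)
    r["conditions"] = ok = cond is not None
    if ok and cond.get("NotBefore"):
        ok = parse_ts(cond.get("NotBefore")) - skew <= now
    if ok and cond.get("NotOnOrAfter"):
        ok = now < parse_ts(cond.get("NotOnOrAfter")) + skew
    r["timestamps"] = ok
    # The issuer is compared with the one configured in SSO settings, not with the certificate.
    found = {root.findtext("saml:Issuer", "", NS).strip(), a.findtext("saml:Issuer", "", NS).strip()}
    r["issuer"] = found == {issuer}
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    r["audience"] = aud.strip() == audience
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    r["reference_uri"] = ref is not None and ref.get("URI") == "#" + root.get("ID", "")
    claimed = ref.findtext("ds:DigestValue", "", NS).strip() if ref is not None else ""
    r["digest"] = r["reference_uri"] and claimed == enveloped_digest(root)
    return r


IDP_ISSUER = "https://idp.example.com"  # constructed stand-in for the thread's issuer
SF_AUDIENCE = "https://saml.salesforce.com"
NOW_VALID = datetime(2010, 3, 12, 16, 14, 0, tzinfo=timezone.utc)    # inside the Conditions window
NOW_EXPIRED = datetime(2010, 3, 12, 16, 30, 0, tzinfo=timezone.utc)  # past NotOnOrAfter + skew

# Constructed sample shaped like the thread's response: IDs and times are made up and the
# DigestValue is computed below; nothing here came from a real IdP.
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"
    ID="_resp-constructed-1" IssueInstant="2010-03-12T16:12:35.393Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp-constructed-1">
        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>@DIGEST@</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>@SIGNATURE@</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="_assertion-constructed-1" IssueInstant="2010-03-12T16:12:35.596Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        example_user</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-03-12T16:12:35.596Z" NotOnOrAfter="2010-03-12T16:17:35.596Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-03-12T16:12:35.596Z"><saml:AuthnContext><saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# The placeholders sit inside the Signature, which the digest excludes, so the template's digest equals the final one.
SAMPLE_RESPONSE = _TEMPLATE.replace("@DIGEST@", enveloped_digest(ET.fromstring(_TEMPLATE))).replace("@SIGNATURE@", "bm90LWNoZWNrZWQ=")
# The same document re-wrapped by a pretty-printer after signing: one whitespace change inside the signed region.
REWRAPPED_RESPONSE = SAMPLE_RESPONSE.replace("\n" + " " * 8 + "example_user", "example_user")
```

Running `check_response(REWRAPPED_RESPONSE, IDP_ISSUER, SF_AUDIENCE, NOW_VALID)` shows every step passing except `digest`, which is the shape of the "signature is not valid" result when the bytes signed and the bytes posted are canonicalized differently.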

 

mannsandeepmannsandeep

Hi Chuck, validator helped. thanks for you comments.

 

Joshua71Joshua71

Several months passed since last post so I thought to check out the current status...

 

Is "Custom Domains" already supported?

 

Any news regarding SP-initiated SSO combined with "Custom Domains" ?

 

Thanks a lot.

Josh

chuckmortimorechuckmortimore

Custom domains is now available and supported for customers.  

 

Current plan is to have the SP initiated behaviors, custom error URLs, and custom SAML entity IDs tied into these domains in the Winter release.

Joshua71Joshua71

I am looking forward to this release!

 

Thanks for your reply.

Mihir PatelMihir Patel

Hi, this explanation helped me clear most of my doubts on why Salesforce can't initiate SAMLRequest to start a user session. As you mentioned that there is a cookie on browser based on which you determine user's org and fetch SAML request information and initiated SAMLRequest from Salesforce.

 

I looked at the cookies and found that two cookies are important to make the call.

ssostartpage=https://mycompany/loginurl;

saml_request_id=_s.baBasdadsdasdasmsasdaa8asdaFaDsdav;

 

What do you suggest on using this cookie values and initiate a request to https://naX.salesforce.com/home/home.jsp to help salesforce initiated SAML request even at the beginning of the session? Basically, IdP already has ssostartpage value, but find out saml_request_id and use that value to create two cookies and send request to one of the protected page so that Salesforce initiates SAML request?

 

What are pros and cons of this approach? Main question would be what's the life time of saml_request_id?

 

Thanks,

Mihir

chuckmortimorechuckmortimore

Hi Mihir...

 

Actually we can perform SP initiated Single Sign-On and send out a SAMLRequest to your IDP.   At the moment you need to first do IDP initiated SAML at least once for a user, and include a ssoStartPage parameter in an Attribute statement in the assertion.    We will turn this into a cookie for the user.   On subsequent visits when we see this cookie, we will initiate SAML with a SAMLRequest as you are hoping.    The SAML docs cover this in specific detail.

 

In the winter release we'll be releasing the ability for orgs using the "My Domains" feature to have an org configured URL.   In that case, no need for the one time IDP initiated SSO....it will just work as you expect based upon the org config.

 

As far as your URL suggestion, yes - we do support a URL for initiating SP initiated SSO.   In most cases this isn't what customers want, as they really want requests for bookmarks, deeplinks, etc. to kick off the SAML exchange.    However the URL sometimes comes in handy, and can be used for specific use-cases.

 

Hope that helps

Mihir PatelMihir Patel

Thanks for the quick reply. 

 

So now we have two options...

1) Having a URL pointing to IdP with SAMLRequest with login url of our SAML sso setup (or what other way you think we could initiate request from IdP?).

e.g. https://mycompany.com/sso/login?SAMLRequest=<base64encodedxmlrequest>

2) Having a URL pointing to Salesforce (auth_request.jsp) and pass saml_request_id, ssostartpage, relaystate so that salesforce has enough information to initiate the SAML request to our sso.

 

Can you please tell how unique is the saml_request_id and how long is it valid? I prefer to send request to Salesforce as it gives you control of generating the request instead of hardcoding saml request itself within the URL. Both approaches are similar though.

chuckmortimorechuckmortimore

Hey Mihir...

 

I'm a bit confused by your reply.   It might help if you spelled out in a little more detail the use-case you were trying to support.   It sounds like you might simply be trying to do IDP initiated SAML.  To address your questions as best I can:

 

#1 ) ( where you have a URL pointing at your local SAML service):  

You shouldn't need a SAML Request.   Your IDP can just generate an un-solicited SAML Response.   This is completely valid, and we will accept them...there is no need to hit salesforce.com first ( unless your SAML infrastructure requires it for some odd reason ) 

 

#2) (where you hit us first ):

Typically you only see SAML Requests from Salesforce if the user actually requests a protected resource...like a specific account or contact, and they aren't authenticated.   Are you saying your SAML service MUST receive a SAML Request, and hence want to kick off a SAML request directly?

 

Technically, the SAML request ID is unique, and is not a value you can generate.  It must be generated by salesforce.com   However, you can hit our service with your orgid set as the request_id, and we'll handle sending you a SAML response. 

 

First, could you please spell out in a little more detail the exact flow you're trying to support so I don't send you down the wrong path?   Also, what software are you using for your SAML service?

 

thanks

CarlInAustinCarlInAustin

chuckmortimore wrote:

... you can hit our service with your orgid set as the request_id, and we'll handle sending you a SAML response. 

Hi Chuck-

 

First off thanks for all the coherent and thoughtful posts you've been making.  My understanding of Salesforce's SAML support has improved tremendously as a result.

 

The above response you made is intriguing.  I would like to have Salesforce play the role of identity provider to our Saas service provider but have not found any documentation indicating how to do it.  Can you shed some light on that for us?

 

Thanks,

Carl

chuckmortimorechuckmortimore

Thanks CarlinAustin

 

While that particular quote is really focused on Salesforce acting as a Service Provider, we do also have the ability to act as an Identity Provider.    This is currently in Pilot and can be enabled for you if you are interested.    Goal is to GA in Winter 11.

 

If you're interested, please log a support ticket, and have them direct it to me.    We can discuss directly off the board and see if your use-case is a good fit for the pilot.

CarlInAustinCarlInAustin

Thanks Chuck. 

 

That's great news and we may look to leverage it once you've released it. Next year is probably the earliest that we would need such a capability in any case.

 

For now, I am advocating the use of the platform's current Service Provider role implementation. With that said, I need to visit with our product management team and CTO to get a consensus.  If they feel the need to investigate it sooner, I will open that support ticket.

 

Cheers,

Carl 

vasvas

Hi Chuck,

This thread gave me a good understanding of the SP initiated SSO currently supported in SFDC, and I have some questions on the same topic in the context of Sites. "My Domain" would have addressed my need but I guess its not going to be available till winter release (do you have a date yet?).

Given that a site uses custom domain, shouldn't SP initiated SSO work seamlessly with Sites? I haven't tried but based on other posts here, looks like it doesn't. So, I'm trying to figure out how to make SP initiated SSO work because we can't do IdP initiated even the first time.

I came across this in the help-

 

If you wanted to use SAML for Sites for when a service provider initiates sign-on, you must first create a Visualforce page that provides a redirect to your server. The following is an example:
<apex:page showHeader="false" sidebar="false">
 <script>
     var PingSpURL = "https://my.pingserver.com:9031/idp/startSSO.ping?PartnerSpId=salesforce.com.sp";
     var siteLoginPage = "&TargetResource={!$Site.CurrentSiteUrl}siteLogin?startUrl={!$Site.OriginalUrl}";
     window.location = PingSpURL+siteLoginPage;
 </script>
</apex:page>

 

 

Where does this page go? as the error page on Sites?

 

A few other questions-

1. When SAML is enabled in Single Sign-On settings, does it apply to all users including Sites/Customer portal users? Is it possible to have SAML apply to only a set of users, and how?

2. Is it possible to have Delegated SSO for regular users and SAML SSO for Sites/portal users?

Thanks in advance.

chuckmortimorechuckmortimore

The SP initiated SSO features for My Domain are rolling out already.   Winter 11 shipped to a number of instances last Friday 10/1/10 - if you don't yet have it, you will by this 10/9/10

 

SP initiated for Sites is quite a different animal.   You should only be interested in this if you're actually using Sites - it won't work for CRM or force.com platform users.

 

If you're still interested, the workaround for sites below basically tries to simulate SP initiated SAML by kicking off IDP initiated SAML.   When an un-authenticated request comes to the site, it detects the URL you are trying to access, and then attempts to kick off IDP initiated SAML at your IDP.    

 

To answer your direct questions, 

 

1) Yes - SAML can be used for both CRM/force.com user and Sites/Portal users.  However, the contents of the assertion that you send needs to be slightly different for each.  You should read the manual on SAML with Portals / Sites to see extra attributes you need to pass.

2) Yes - Delegated SSO and SAML are distinct from each other and can be used together or separate.   SAML is on or off for an org, but always technically optional.   Delegated Auth is controlled by the user's profile.    Which gets used depends on how the user shows up and authenticates

ExpoExpo

Chuck,

 

I hope this is my final question related to Salesforce SSO

 

I have delegated and SAML turned on for my Org. I have a user Id : test@salesforce.com and SSO is enabled for the profile associated to this ID

 

For the above mentioned ID can I login through Delegated Authn wherein I provide the ID/password and regular SAML where I only provide the login ID.

vasvas

Hi Chuck,

Thanks for your response. I see that the release was done on the weekend. So, assuming My Domain is configured and SAML is enabled with appropriate settings, typing the url (my-domain-name.my.salesforce.com) in a browser should route the users to IdP where the authentication is done, right?

 

I'm also interested in SP initiated for Sites but I don't understand why I still need that workaround (vf page forwarding) for sites. Are sites domains not supported for SP initiated?

 

I understand that portal_id should be included in the SAML assertion for Sites but how I do know on IdP side whether the user is CRM user or Customer portal user so that I can create the SAML assertion with appropriate info?

 

Thanks

chuckmortimorechuckmortimore

Expo - yes you can.   If you show up to the salesforce with SAML, we'll process it as a SAML.   If you go to any login form ( web, portal, or any API client ) if the profile says to use delegated auth, we'll use delegated auth.   They work together great.

chuckmortimorechuckmortimore

vas 

 

1) yes - that is how it works, assuming you have it configured in that manner.  Type in that URL, or click on a bookmark / deeplink / email and we'll initiate a SAML Request to your IDP

 

2) Sites does not support a full SP initiated SAML - only IDP initiated SAML.   Using the workaround you can simulate the same behavior by kicking off IDP initiated.

 

3) If possible, I'd suggest two separate SP configurations in your IDP.

vasvas

Hi Chuck- Could you tell me, for #2 how to actually use the workaround (the redirecting vf page)? Where does that page go?

And, can you explain #3 in more detail? Let's say I have CRM users, Partners and Customer portal users, and all of them need to be SSO. How do I figure out, on IdP end, whether or not to include portal id in the assertion, and if I do include it then how do I find out which portal the request is coming from so that appropriate portal id is included in the assertion?

 

Thank you so much for your responses.

vasvas

Just wanted to provide some clarification-

I'm only interested in SP initiated here. When SFDC initiates SAML request, I believe all the requests go to same URL on IdP but I'm not sure if SFDC sends the portal id with the request. How does IdP know which portal the request is for and what portal id to include in the assertion?

kvinkvin

Hello Chuck,

 

Salesforce as IDP, the first glance to this post got me very excited. Appreciate your time and information you contributed here, great value.

 

I have this very requirement here in my ORG, I went through the winter 11 release notes but didn't see it mentioned there. Is it available?   I have skimmed through wiki and there seems no documentation out there. Can you guide me to an appropriate place for documentation. I would like to present this idea to my team here and talk about it before escalating it to salesforce support. I would greatly appreciate it if you can forward me any supporting docs.

 

email: vinay.k.sw@gmail.com

chuckmortimorechuckmortimore

Detail on the IDP in Winter 11 is available in the Help system.   Simply search for:

"Enabling Salesforce.com as an Identity Provider"

SimonCRMSimonCRM

Hi,

SP-Initiated SSO is working ok (using SAML 2.0) however it appears that the RelayState (Salesforce.com URL) is not passed in the Post to our IDP and therefore our IDP cannot return this following successful authentication.  For example:

 

1.  User clicks the link ---> https://cs4.salesforce.com/09999999999WKUu

 

2.  Salesforce performs an internal get (maintaining relay state) ---> https://cs4.salesforce.com/saml/authn-request.jsp?RelayState=%2F099999999999WKUu.............

 

3.  Salesforce performs the post to our IDP, but does not include the RelayState.

 

4.  IDP has no RelayState so sends the browser to ssoStartPage.

 

Any ideas?

chuckmortimorechuckmortimore

Hi Simon...

 

From your POST, it certainly looks like we have what we need to send RelayState ( the authnrequest.jsp seems to have the correct param )    There isn't really any good explanation for why it wouldn't be passed.    

 

Could you capture the HTTP traffic with something like the Live HTTP Headers plugin for Firefox?    It would be good to see what's actually happening on the wire, as all indications are RelayState should be there.

SimonCRMSimonCRM

Hi Chuck,

 

It appears that the issue is on our side.

 

I was given the results of the httpwatch from an internal group however closer investigation reveals that the RelayState is being included in the Post so hopefully we should be able to get this resolved.  At least this will mean that we have actually got SAML SSO working and this will be a great feature for our users.

 

Best,

Simon.

 

 

Praveen24Praveen24

Hi,

In my organization we are implementing Single sign on.

I am trying to access the salesforce site by sending a SAML assertion but I am getting the following error and I don't see any failure attempts in the login history of the salesforce site

 

Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.
 
Here I am sending my SAML output xml code:
 

<?xml version="1.0" encoding="utf-16"?><samlp:Response ResponseID="uuid-4CBFC734-041A-451D-8D0A-699469FB5F2B" IssueInstant="2011-04-07T19:27:19Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#uuid-4CBFC734-041A-451D-8D0A-699469FB5F2B"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>BIcnJSyC0OdFEPanstRgIwBfPQs=</DigestValue></Reference></SignedInfo><SignatureValue>SOOdXc8ulmLtegB+PgLEf+YcfvbViaImVr5DbxhHYJuAepzdOO21h1bjFi4BD9KFE9QcExjBxx7ptE9ed1NNcgYe9SAVXKKxyXeb5enWDQYfTMQCioyIhR8i8KIgi+KxijuXvYLeVIgEaoviWLFyQVe+zBVGPAeKtnvWXkZL6vU=</SignatureValue></Signature><samlp:Status><samlp:StatusCode Value="samlp:Success" /></samlp:Status><saml:Assertion AssertionID="uuid-30CCD071-2752-4DAC-9667-C6D6A08CF82F" Issuer="MyID" IssueInstant="2011-04-07T19:27:21Z" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2011-04-07T19:26:21Z" NotOnOrAfter="2011-04-07T19:32:21Z" /><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2011-04-07T19:27:21Z"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">XYZ@gmail.com</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion></samlp:Response>

 

Please help me out; I really appreciate your help.

chuckmortimorechuckmortimore

Pretty hard to tell from just your SAML assertion.

 

As a first step towards debugging you should send an assertion, and then go to your Single Sign-On Settings page and click on the SAML Assertion Validator.   This will automatically save the last failed SAML login attempt, and tell you what went wrong.    If nothing is there, then we weren't able to figure out your org so there is something wrong with your username or ACS url.

 

Let me know if you have trouble interpreting the validator.

Praveen24Praveen24

Thank you for your reply.

I am getting following errors with my SAML assertion code.

 

10. Checking that the Audience matches, if provided
  Audience problems
  We expected, but did not find, an audience in the assertion
12. Validating the Signature
  Signature or certificate problems
  Is the signature valid? false
  Is the correct certificate supplied in the keyinfo? false
 
  No valid certificate specified in this response

 

13)Subject: 
Unable to map the subject to a Salesforce.com user

AssertionId: uuid-D91F59CF-400E-4CD4-B2AF-6AA50BBB271C

 

I really appreciate your help.

chuckmortimorechuckmortimore

In your SAML Response we expect an AudienceRestriction ( as per SAML Spec ) that targets the entity id of your org.   It might look something like this:

 

 

<saml:Conditions NotBefore="2010-01-25T17:20:07Z" NotOnOrAfter="2010-01-25T17:40:07Z">
<saml:AudienceRestriction>
<saml:Audience>https://customer.my.salesforce.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
On the assertion mapping to user question, that means we couldn't find a user in your org.   If you're using federationid, then make sure that a user in your org has a federationid that matches what you sent in the assertion.   Same goes for username ( although make sure there is a matching salesforce username ) 

 

Praveen24Praveen24

Thank you for your reply.

In my SAML assertion code I am sending AudienceRestriction. Here I am sending my SAML assertion code.

 

<?xml version="1.0" encoding="utf-16"?><samlp:Response ResponseID="uuid-1C42869F-6F84-4E1D-AAA1-E6E0FE68F347" IssueInstant="2011-04-14T17:21:27Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com/?saml=02HKiPoin4xIs2Ih8JTricxp8fyeHHR1n373RZsgeyLR4tK2Pz4lD1GHGsPwkGzvBzz1oFCaqa0ZjSMRbSTgzWwAhr.O5Rgj3JYl4=" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#uuid-1C42869F-6F84-4E1D-AAA1-E6E0FE68F347"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>rkkhDUNSdQf1JCuk64u9ZTrDGRo=</DigestValue></Reference></SignedInfo><SignatureValue>YgVBuOZrJ1B62NMct0jf+ciuX/99VWtmypD1UU3BWs0a5xygxkp+k+Rse7GzPx8ljV8rOavhn6QiNsXqEODgpf1oWQvI/PNh6TKeXI9O+QkxCJ7Wd2oFrYCi4684Gn0L7XbjN7893hNPllH/PJj/JAhQmK4tWjoh4BOOmWZlzjI=</SignatureValue></Signature><samlp:Status><samlp:StatusCode Value="samlp:Success" /></samlp:Status><saml:Assertion AssertionID="uuid-2A4BF965-FFB5-4E9D-A607-6890EDF0B854" Issuer="xyz-developer-edition.my.salesforce.com" IssueInstant="2011-04-14T17:21:27Z" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2011-04-14T17:20:28Z" NotOnOrAfter="2011-04-14T17:26:28Z" /><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2011-04-14T17:21:28Z"><saml:Subject><saml:NameIdentifier 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz@gmail.com</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:AudienceRestriction><saml:Audience>https://xyz-developer-edition.my.salesforce.com </saml:Audience></saml:AudienceRestriction></saml:AuthenticationStatement></saml:Assertion></samlp:Response>

 

But still I am getting the following errors.

1)Audience problems
We expected, but did not find, an audience in the assertion
2) Signature or certificate problems
  Is the signature valid? false
  Is the correct certificate supplied in the keyinfo? false

3)Subject: 
Unable to map the subject to a Salesforce.com user

AssertionId: uuid-2A4BF965-FFB5-4E9D-A607-6890EDF0B854

 

I appreciate your help.
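As an added example (not code from this thread or from Salesforce), a Python pre-check that reports the same structural problems the SAML Assertion Validator lists above: an Issuer that is missing or empty, an Audience that is not under Conditions (the posted response places it inside the AuthenticationStatement), a Reference URI that names no ID in the document, a Signature without a certificate in KeyInfo, and an assertion outside its validity window. The entity id, timestamps and placeholder signature values are constructed; the signature itself is not verified cryptographically.

```python
"""Structural pre-checks for a SAML Response, mirroring the findings the
Salesforce SAML Assertion Validator reports in this thread.  Added example;
it does not verify the XML signature (that needs a real XML-DSig library)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAMPLE_AUDIENCE = "https://xyz.my.salesforce.com"  # constructed entity id
SAMPLE_NOW = datetime(2011, 4, 14, 17, 22, tzinfo=timezone.utc)  # inside the sample window


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def _parse_time(value):
    # SAML timestamps are ISO 8601; Python before 3.11 rejects a bare "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_audience, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    v2 = root.tag.startswith("{urn:oasis:names:tc:SAML:2.0")
    s = "saml2" if v2 else "saml1"  # prefix of the assertion namespace
    assertion = root.find(f"{s}:Assertion", NS)
    if assertion is None:
        return ["Response has no Assertion"]

    # 1. Issuer: an attribute on the Assertion in SAML 1.1; in SAML 2.0 a
    #    child element of both Response and Assertion (the accepted answer).
    if v2:
        for where, el in (("Response", root), ("Assertion", assertion)):
            if not _text(el.find("saml2:Issuer", NS)):
                problems.append(f"{where} has no or an empty Issuer")
    elif not assertion.get("Issuer"):
        problems.append("Assertion has no Issuer attribute")

    # 2. The Audience must sit under Conditions, not inside a statement.
    aud_paths = (f"{s}:AudienceRestriction/{s}:Audience",
                 f"{s}:AudienceRestrictionCondition/{s}:Audience")
    cond = assertion.find(f"{s}:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        aud = next((a for p in aud_paths if (a := cond.find(p, NS)) is not None), None)
        if aud is None:
            elsewhere = any(assertion.find(".//" + p, NS) is not None for p in aud_paths)
            problems.append("no Audience under Conditions"
                            + (" (one found outside Conditions)" if elsewhere else ""))
        elif _text(aud) != expected_audience:
            problems.append(f"Audience {_text(aud)!r} != {expected_audience!r}")
        # 3. Validity window, checked against the caller's clock.
        if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")

    # 4. Signature: the Reference must name an ID in this document and the
    #    KeyInfo must carry the signing certificate.
    sig = root.find("ds:Signature", NS)
    if sig is None:  # an Element with no children is falsy, so compare with None
        sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("no Signature on Response or Assertion")
    else:
        ids = {el.get(a) for el in (root, assertion)
               for a in ("ID", "ResponseID", "AssertionID") if el.get(a)}
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        if not (uri.startswith("#") and uri[1:] in ids):
            problems.append(f"Reference URI {uri!r} names no Response or Assertion ID")
        if not _text(sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)):
            problems.append("no X509Certificate in KeyInfo")
    return problems


def sample_response(audience_under_conditions, with_keyinfo):
    """Constructed SAML 1.1 response shaped like the one posted above; the
    signature and certificate values are placeholders, not real data."""
    aud = (f"<saml:AudienceRestriction><saml:Audience>{SAMPLE_AUDIENCE}"
           "</saml:Audience></saml:AudienceRestriction>")
    keyinfo = ("<KeyInfo><X509Data><X509Certificate>PLACEHOLDER-CERT"
               "</X509Certificate></X509Data></KeyInfo>" if with_keyinfo else "")
    in_cond, in_stmt = (aud, "") if audience_under_conditions else ("", aud)
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="uuid-RESP">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#uuid-RESP"/></SignedInfo>
  <SignatureValue>PLACEHOLDER-SIG</SignatureValue>{keyinfo}</Signature>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-ASSN" Issuer="idp.example.com">
  <saml:Conditions NotBefore="2011-04-14T17:20:28Z" NotOnOrAfter="2011-04-14T17:26:28Z">{in_cond}</saml:Conditions>
  <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>user@example.com</saml:NameIdentifier></saml:Subject>{in_stmt}</saml:AuthenticationStatement>
 </saml:Assertion></samlp:Response>"""
```

Calling `check_response(sample_response(False, False), SAMPLE_AUDIENCE, SAMPLE_NOW)` reproduces the two findings from the post above (audience outside Conditions, no certificate in KeyInfo), while `sample_response(True, True)` passes cleanly.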

 

chuckmortimorechuckmortimore

If you could message me directly with your orgid or userid that would help.   I need to take a quick look at your configuration.

Praveen24Praveen24

Thank you chuckmortimore.

my user id is   praveen0224@gmail.com.

 

seanpdoyleseanpdoyle

I have SAML 2.0 SSO working.. but not the SP initiated.. currently the ssoStartPage attribute is being sent but seemingly ignored by Salesforce.

 

            </saml:Attribute>

        <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

            <saml:Attribute FriendlyName="ssoStartPage" Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

                <saml:AttributeValue xsi:type="xs:string">http://sso.lorealusa.com/sso/SSO?SPEntityID=https://saml.salesforce.com</saml:AttributeValue>

 

Help!!

chuckmortimorechuckmortimore

Hey seanpdoyle - if you're trying to do SP-Initiated SAML you should really set up My Domain ( Setup -> Company -> My Domain ) - this feature allows you to have your own URL for your salesforce org, and makes SP initiated SAML work really well.   Once you have it set up you can simply configure your endpoint in your SAML config.   It's best practice for SSO and SP initiated SAML.   

seanpdoyleseanpdoyle

They do have their own domain name with salesforce.. does this mean the metadata needs to change for the assertion? Currently it's https://www.salesforce.com.

 

When I analyze the response from the SAML service I'm not seeing the ssostartpage cookie.. isn't this how SF does IDP discovery? Will the SAML service honor the ssostartpage attribute if it's of type basic? All of the examples I've found specify it as unspecified.

chuckmortimorechuckmortimore

You should ignore ssostartpage and the cookie.  It's an old way of doing things that doesn't work very well.

 

If they already have My Domain set up, then simply go into the SAML configuration in Setup, and add your Login URL.   We'll send SP-Initiated SAML to that endpoint when we see an un-authenticated request to the My Domain

seanpdoyleseanpdoyle

Ok!! I'll try that!!  I'll let you know what I see.

 

Sean

seanpdoyleseanpdoyle

Now we are getting somewhere!

 

Problem is now, the signature is being rejected.. where do I get the CA root cert for cert being used to sign the SP initiated SSO request?

chuckmortimorechuckmortimore

Setup > Develop > API > Client Cert

dhritidhriti

HI chuck 

 

My requirement is that when a user clicks on the SP link he should be redirected to the Salesforce site login page and then redirected to the SP-initiated POST endpoint. Here Salesforce is the identity provider but I need to access the relay state parameter in the controller. So how can I do that?

certi_vimalcerti_vimal

Hi SSO Experts,

 

Could anyone please help me with my issue?

 

We are looking for a SAML SSO solution for allowing User to login to Salesforce from web portal and from Salesforce to login to another web application.


Steps involved:


1. User logs into corporate web portal by providing his/her corporate credentials.

2. By clicking on a link provided on website, user must be able to login to Salesforce.com.

3. When user click on a custom link provided on Salesforce, user must be able to login to another web application.


Design proposal:


For step#2, Assume Federated Authentication (SAML) is implemented by providing federatedID and token(generated by one of the application within our environment) in the SAML assertion. While Salesforce uses federated ID for user authentication into salesforce, token is retrieved from SAML assertion and passed to the client’s authentication services for authenticating the user into 3rd application.


Questions:


1. Can we include a token (generated by one of the application within our environment) along with federatedID in the SAML assertion?  If yes, can we retrieve this token from the assertion and store in salesforce for using it for login to another application?

2. Can Salesforce act as service provider (SP) and also as an Identity Provider (Idp).


Please advise.

 


Thanks,


Vimal

dhritidhriti

HI

 

what  extra parameters are required in SAML request to implement Just In Time Provision when using Salesforce as IDP ?

chuckmortimorechuckmortimore

You have to enable provisioning in Setup on your SAML config, and then send us attributes in a SAML attribute statement. 

 

Details here:  http://www.salesforce.com/us/developer/docs/sso/Content/sso_jit_requirements.htm

CrocketCrocket

"Once you have it setup you can simply configure your endpoint in your SAML config" 

 

Can someone explain what this actually means? On the SSO settings page you do not have the ability to configure the endpoint. My problem is if I paste the "Salesforce Login URL" value on the SSO Settings page into an unauthenticated web browser, I end up at the Salesforce login page and not the identity provider login page.

jongleejonglee

Salesforce Login URL -- it should be the idp endpoint that accepts SAMLRequest generated by Salesforce when you are trying to access a protected page without a valid session.  SFDC will generate a SAMLRequest and auto-post to your Idp, if you already have an active session with your IDP, it should then autopost back a SAMLResponse to the Salesforce ACS URL.  If you don't have a session, then your IDP should ask you to login first.

 

thanks

Jong Lee

Salesforce.com

CrocketCrocket

Jong Lee:

 

Thanks for the info, it certainly helps and would explain my results. However, the Salesforce Login URL is not something I can modify, it is generated by Salesforce. We are at cs10, not sure if that makes a difference.

 

Regarding the SSO Settings page, for our Dev and Full environments:

 

The Salesforce Login URL begins with "https://test.salesforce.com/?saml=".

The "OAuth 2.0 Token Endpoint" begins with "https://test.salesforce.com/services/oauth2/token?saml="

 

However, at one point the Full environment had "...cs10.salesforce.com..." in the Salesforce Login URL field. I just changed the "SAML User ID Type" so it matched the DEV environment and that is when the ".../test.salesforce.com..." URL first appeared in the FULL environment. This must be a reflection of changes Salesforce recently made on their end as changing the "SAML User ID Type" back did not restore the initial 'cs10' URL.

 

Here is a list of the settings I have access to on the SSO Settings edit page in both environments:

 

SAML Enabled: checked
SAML Version: 2.0
User Provisioning Enabled: unchecked
Issuer: This is the URL for the IDP server that the IDP admin provided us.
Identity Provider Certificate: Here we uploaded the certificate the IDP admin provided us.

Current Certificate: This displays the IDP server info and future expiration date.

 

Identity Provider Login URL:

This contains our IDP server URL with SAML related path info. I believe you indicated this is the "endpoint that accepts SAMLRequests".

It was provided by our IDP admin.

 

Identity Provider Login URL: 

This contains our IDP server URL along with the path to a logout servlet.

 

Custom Error URL: This is blank for now.

 

SAML User ID Type: Set to - "Assertion contains the Federation ID from the User object"

 

SAML User ID Location: Set to - "User ID is in an Attribute element"

 

Attribute Name: Name of the user identifier that was provided by our IDP admin.

 

Name ID Format: This is blank.

 

 

jongleejonglee

Thanks for the correction.  My previous post mixed up Idp login URL and ACS URL which is the one Salesforce generated to accept the SAMLResponse autopost from Idp.  When you directly enter that url to a browser without actually doing a SAML login, we will display the login page as a result.  So that's really expected behavior. 

 

Now are you just confused about the terminology of what "Salesforce Login URL" means, or are you actually having an issue logging in with SAML?

 

thanks

Jong Lee

Salesforce.com

CrocketCrocket

Jong Lee:

 

Thanks for sticking with this as I had assumed some of the many users would have recognized my problem and responded.

 

Our IDP is not in Salesforce, it is in a local server. We have an SP configured in a DEV and Full environment. We have installed the IDP certificate into the DEV and Full environments. We have downloaded the SP metadata from our DEV and Full environments and sent it to our IDP admin.

 

We expect to be able to have a login attempt in the DEV and Full environment be redirected to "our" IDP login page. Then after the user is authenticated, be redirected back to the initially targeted environment. The redirect to our IDP does not occur.

 

This process is described on your "Single_Sign-On_with_SAML_on_Force.com" page, which states, "Service Provider Initiated Login, where a user starts by clicking a link to the service provider (e.g. a bookmark, mailed link, etc) and temporarily redirected to the identity provider for authentication, then returned to the link they initially requested."

 

 

 

jongleejonglee

As long as your Idp is configured properly, I assume either SP-init where you start from Salesforce or Idp-init where you start from your IDP should work.

 

thanks

Jong Lee

Salesforce.com

CrocketCrocket

This is now working, but to assist developers in the future it seems salesforce should come up with a cheatsheet that targets the important points of the implementation. The current documentation seems to be an attempt at teaching SSO basics, which is a good thing. However, even with this knowledge you will be hard pressed to come up with the list of (less than 10) bullet items that would (based on my experience) be helpful in guiding the developer to a successful implementation.

chuckmortimorechuckmortimore

Good suggestion.   I will forward to our doc writer, and also explore options on developer.force.com

chuckmortimorechuckmortimore

I'm reaching out to our SSO customers today to make sure you know about a Certificate Rotation that is happening this afternoon.   This could impact your processing of SAML Requests

 

http://wiki.developerforce.com/page/Client_Certificate

 

If you receive SAML Requests from us and validate the signature, your best bet would be to immediately download and trust the new cert, or temporarily disable signature validation.

 

Sorry if this catches you off-guard - let me know if you have questions.

 

mani.sundarammani.sundaram

Hi shanuman

 

You didn't mention how it was resolved, because I also have the same issue. Can anyone help me on this?

I am trying this with ADFS and SAML.

 

Thanks

Mani Sundaram

ShibaniShibani

Hi, I am new to salesforce. I am doing SAML SSO. I have created Java code for the SAML assertion. When I ran this assertion through the Salesforce SAML assertion validator I got this error message:

 

Signature or certificate problems
  The signature in the response is not valid
  Is the correct certificate supplied in the keyinfo? false

 

 

I have been stuck at this point for a very long time. Please give me any idea to solve this.

 

Thanks in Advance

Shibani

chuckmortimorechuckmortimore

Sounds like you're not constructing the XML digital signature properly, or you are signing with the wrong private key.   Fairly impossible to tell from the level of detail you've provided I'm afraid.   Perhaps post a sample SAML assertion 

ShibaniShibani

I have created jks file and got trial certificate. My saml assertion is

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo" IssueInstant="2013-01-31T07:08:12.750Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"></saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="............">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>W00fFhandPjn5xTKd8nAArwGmQY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
7k3cZSpMxSQxBlKYbG3FfkuinVr+MgRP+OrcvX2EG+hOmqu/ssPIhay9deW9EvPHotgsrD32D/L
o7tNmcwaRFicDQSBoLuQ+C9TmC4DTYOZG6GwDg==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>VxAMQQie9a
hS+htrZH4g==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo"
IssueInstant="2013-01-31T07:08:12.750Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="" SPNameQualifier=""></saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2013-01-31T07:10:12.750Z" Recipient=""/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2013-01-31T07:08:12.750Z" NotOnOrAfter="2013-04-30T07:08:12.750Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AudienceRestriction><saml:Audience></saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AuthnStatement AuthnInstant="2013-01-31T07:08:12.797Z"
SessionIndex="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute Name="federation-id"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

 

 

 

 

 

My IdP and SP is Salesforce. Let me know what I did wrong. Give an idea.

 

 

Thanks for your reply.

ndotlndotl

Figure this out by going to:

Administration Setup | Security Controls | Single Sign-On settings | SAML Assertion Validator. Recreate the problem to get a current SAML Response and paste it in the provided textarea. This facility will analyze the response for you.

ndotlndotl

OK, I see you have already done that. I just received your xml post in an email. There are a number of ways to display your certificate. For example: 

 

keytool -printcert -file test.pem
Owner: CN=xx, OU=yy, O=zz, L=aa, ST=bb, C=cc
Issuer: CN=xx, OU=yy, O=zz, L=aa, ST=bb, C=cc

 

In the above, "test.pem" is your certificate file. I am not an expert in the certificate area (or any other area), but I have never seen a CN value that was not a hostname/domain.  If the cert is bad you should review the information you used to guide you through cert creation to ensure you provided the correct information. I believe a certificate is associated with a specific domain, which (I believe) is not possible with the certificate you provided. If you have openssl installed, the following provides another way of displaying the certificate:

 

openssl x509 -text -in test.pem

chuckmortimorechuckmortimore

Your cert looks fine - no issue there.   CN doesn't really matter in this case.

 

Have you made sure you're using the correct private key that is associated with this cert?

 

Is the Reference URI really "................" or did you omit that from the post for some reason?

ShibaniShibani

Yes. I have already done that. I have posted only that error. I got a signature verification problem

 

Signature or certificate problems
  Is the signature valid? false
  Is the correct certificate supplied in the keyinfo? false

 

 

Thanks for your reply.

ShibaniShibani

I have omitted it only. I got the private key when I run the code. But how can I verify it is the correct private key? I think this may be the error I made. How can I overcome this? Please guide.

 

 

Thanks

ndotlndotl

1) You probably should have created a separate thread, which would make this easier to follow.

2) Have you looked at the "salesforce_single_sign_on.pdf" document? It has all of the info you need, but on your first pass at this it is hard to decipher. However, if you are not referencing it you will have problems. 

3) I do not believe you have provided detail on your setup. You say you are using Salesforce. Does this mean you are using a Salesforce org as the IdP and a Salesforce org as the SP? If so, I believe you should use the IdP to generate (i.e. download) the certificate. That certificate is then consumed by the SP (i.e. SSO Settings, Identity Provider Certificate, Chose File). If this has not been done you will have problems. 

4) I notice in your posted SAML Response that (among other things) the saml:Issuer is blank, which I do not think is correct. Are you deleting information for security reasons? If so, you should consider getting two developer orgs and setting up one as an IdP and one as an SP. I know that this works (as of 6 months ago). If you have problems getting the dev orgs working you should be able to post screenshots (e.g. SSO settings) and the full request/response values. Once you get the dev orgs working you should have a good enough understanding of the setup process to get SSO set up in the actual orgs. 

ndotlndotl

*** IMPORTANT ***

 

I will just add that if you will have multiple orgs (e.g. integration, uat, prod), you will need to specify a domain in each. Otherwise the SSO domain will default to "https://saml.salesforce.com", and your IdP will have no way to distinguish the orgs. This needs to be done before you enable SSO on the SSO settings page. A reference to this domain can be found by searching on "domain" in the "salesforce_single_sign_on.pdf" (Single Sign-on Implementation Guide) document. 

ShibaniShibani

I have deleted the issuer.  I already downloaded the self signed certificate from salesforce. Shall I take IdP and SP in the same developer org? Is it possible? I have already done that. But I got the same error before. That's why I went to a CA signed certificate.

All SAML assertion validator checks gave an OK message, but I got an error in "Signature or certificate problems".

 

 

 

Thanks for your reply.

ndotlndotl

"I have deleted issuer. " 

 

I do not believe you need to do this, and it is likely to be part of your problem. I also believe the cert the SP uses should be from the IdP.  How else can the SP be sure the response it received is from the IdP? 

 

Maybe you should consider the two developer environment approach I previously suggested. This would be independent of your real environment, so you could post the SSO settings screen and all of the SAML request/responses without having any security concerns. You would likely get more feedback on your problem as well. I would not use the same org for the IdP and SP. Once that setup is working you should have no problem getting your real environment set up.

 

 

I will just add that I ran into issues with the SP not being able to handle encrypted responses. So if you come across such a setting you might consider waiting until this is working before looking into encrypting your responses. 

 

ShibaniShibani
 
I have followed the single sign on settings at http://wiki.developerforce.com/, but I got an error like
 
Error: Unable to resolve request into a Service Provider. Which side is the SAML SSO setting on, IdP or SP?
 
 
ndotlndotl

When you enable SSO SAML, the SSO settings page is completed in the SP. The IdP must also be enabled, but that page is not similar to the SP page.

 

Regarding the error, part of the setup process involves downloading the SP metadata and making it available to the IdP. I have not googled the error, but you may want to ensure the metadata exchanged step was performed. 

 

I have not used the wiki, but maybe someone else can comment on the procedure. I will just add that until you can provide detail associated with your installation it is unlikely anyone will be able to help, the main reason being it is more time consuming. If I were in your position (and I was) I would try the '2 DE org' scenario that I suggested. If you are unable to get it working there it is unlikely you will get it working in a real world environment which is a little more complex. Again, the idea is in the 2-DE-org scenario you can post your settings to the forum.

 

shibanimcashibanimca

Thanks for your help. When I tried SSO SAML with two organisations it works fine. But when I access from Java code I got Error: Unable to resolve request into a Service Provider.

 

Shibani

 

chuckmortimorechuckmortimore

Not enough information to advise you here I'm afraid.  What java code, and what was providing this error?

Adam Schultz

I'm trying to set up SSO with Active Directory. I've done this a few times with no problem but this instance is giving me an error. When I plug the response xml below into the assertion validator in Salesforce I get nothing too useful. It says Unexpected Exceptions
  Unable to parse the response
  Premature end of file.
All of the numbered checks in the validator come back with 'Unknown'
 

Any help anyone can provide would be greatly appreciated!  

The error url I'm presented with is this:
https://na16.salesforce.com/_nc_external/identity/saml/SamlError

My response xml:

<samlp:Response ID="_b8dcaf93-af29-4ea7-a4aa-c521df14de23"
                Version="2.0"
                IssueInstant="2015-01-28T19:40:52.043Z"
                Destination="https://login.salesforce.com?so=00Dj0000000I3xf"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://fs.af-group.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            >
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>C=USA, S=CA, L=San Francisco, O=Salesforce.com, OU=00Dj0000000I3xf, CN=SSO_with_AD</ds:X509IssuerName>
                                <ds:X509SerialNumber>26236850872755761797980282336291</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>e6cemiHsh4n1XyXzf4rGeHZ/fVEhzK7p9V/Vo4+djVrHB1mtFvAJrGowl5f2wzGGSZ2sg9rUvWB5V+2uHNURGoMJARsxlFuuLrlVLIc5i/+JRP7AdYchJfZtE+Rz8Y5o8pcFGPA5GJLFRa/VEGYk6/K+wxQlyRZLa+p0VHS1em7hRguKI5uhdOlSSb+iDEAxKH3IQKQ00nVOcV8NQkmhg/lqiSoY3Bv0QVMaH9wxGr9wJIaNrIK/9UvI9nmUQ5vP611dTOJaTjAyXRGojKR7qyWgqURpCIlJ3MaMU0SwooIM3mEONfyqTpcy3OLIzBWjFt4N0HjRixJl4ds7VfdlBw==</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>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</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

 

rm18
Hi Jonglee,
I've established SSO from Salesforce to a CAS server. The connection is established well, but once the redirection happens I'm not able to log in to Salesforce. It's throwing an SSO error, and when I use the SAML validator I get Signature or certificate problems
  The signature in the response is not valid (Is the assertion signed? false) How do I make the assertion signed and execute a successful login?
I've checked the IdP certificate, it's all good, and also the timestamp in the assertion. Can you please help to resolve it. Thanks in advance!
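As an added example (not code from the thread, from Salesforce, or from any poster), the following Python pre-check answers the first structural questions behind Adam's "Unable to parse the response" and rm18's "Is the assertion signed? false": is the XML complete, is there an Issuer directly under Response, is the Status a Success, and is the Assertion plain, encrypted or missing, with or without a ds:Signature. It only reports whether a signature is present and does not verify one; the sample responses, IDs and IdP URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def inspect_saml_response(xml_text):
    # Structural pre-check only: reports whether a signature is *present*;
    # it does not verify one (that is the SP's job with the IdP certificate).
    report = {"well_formed": False}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # truncated XML: the validator's "Premature end of file"
        report["parse_error"] = str(exc)
        return report
    report["well_formed"] = True
    report["is_response"] = root.tag == f"{{{SAMLP}}}Response"
    # Issuer directly under Response (the element missing in the accepted answer's case)
    report["response_issuer"] = (root.findtext(f"{{{SAML}}}Issuer") or "").strip() or None
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    report["status_success"] = code is not None and code.get("Value") == SUCCESS
    report["response_signed"] = root.find(f"{{{DS}}}Signature") is not None
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is not None:
        report["assertion"] = "plain"
        report["assertion_signed"] = assertion.find(f"{{{DS}}}Signature") is not None
    elif root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        # Opaque without the SP's decryption key, so the signature state is unknown here
        report["assertion"] = "encrypted"
        report["assertion_signed"] = None
    else:
        report["assertion"] = "missing"
        report["assertion_signed"] = False
    return report

# Constructed samples (not the thread's real data), trimmed to the parts checked
ENCRYPTED = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_c1" Version="2.0">
  <Issuer xmlns="{SAML}">https://idp.example.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <EncryptedAssertion xmlns="{SAML}"><xenc:EncryptedData
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherData>
    <xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </EncryptedAssertion></samlp:Response>"""
UNSIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_c2" Version="2.0">
  <Issuer xmlns="{SAML}">https://cas.example.com</Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <Assertion xmlns="{SAML}" ID="_a2" Version="2.0"><Subject/></Assertion></samlp:Response>"""
TRUNCATED = ENCRYPTED[: len(ENCRYPTED) // 2]  # cut mid-document, like a botched POST
```

Run it against the response you paste into the validator before anything else: a parse error means the XML never reached the SP intact, while "encrypted" with the SP unable to decrypt points at the setting the earlier reply warned about.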
Test Test 6004
Validator Error. Can someone help me with this please?
I have checked all the settings; the test account works fine with SSO, redirects to O365, and validation succeeded. But other accounts are giving a SAML validation error. Please help