Apex Code Development You need to sign in to do that
Don't have an account?
Mr Saml Anyone actually got SAML SSO working?
I haven't had much luck getting SSO to work with my SAML assertion. Has anyone got this to work? If so, what does your saml response look like? I signed my assertion and I believe everything is correct, yet the login history gives me "Failed: Assertion Invalid"
Any ideas?
Thank you.
Any ideas?
Thank you.
You need to have an Issuer element under Response, just like the one you have under Assertion.
Jong
Salesforce.com
All Answers
<samlp:Response Recipient="https://login.salesforce.com" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" ResponseID="_a1c2e1b980d4d92b4847c2199bdd40ea" IssueInstant="2008-11-06T19:20:02.781+09:00">
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_894ab4a0628ec3e0dc930eb632254b21" IssueInstant="2008-11-06T19:20:02.406+09:00" Issuer="https://mrsaml.com" MajorVersion="1" MinorVersion="1">
<saml:Conditions NotBefore="2008-11-05T19:20:02.406+09:00" NotOnOrAfter="2008-11-07T19:20:02.406+09:00"/>
<saml:AuthenticationStatement AuthenticationInstant="2008-11-06T19:20:02.406+09:00" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>mr@mrsaml.com</saml:NameIdentifier>
</saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>1gkUq3rO8z4+5vG6UpBHeG2Y0KQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Q7C/MysMrqzueix2FcnzC4QJYj0pqwPdSatJ8p1xkeIuY+Bi7WIqlCzMq4BM0vq9AHueNXvzAX4w
Cp1K7PDZZqs7akiI84A2uWne2saQlTruvS0FO2ogBndY7LagBAscLAyGEOkG2hQgSgswAmJjydX9
kuxJvpcDSlma2OMCo5Y=
</ds:SignatureValue>
</ds:Signature>
</saml:Assertion>
</samlp:Response>
thanks
Jong
core spec:
"
5.4.4 Transforms
Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature
transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the exclusive
canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or
http://www.w3.org/2001/10/xml-exc-c14n#WithComments).
"
The c14n method you are using is:
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
thanks
Jong
5.4.3 Canonicalization Method
SAML implementations SHOULD use Exclusive Canonicalization [Excl-C14N], with or without comments,
both in the <ds:CanonicalizationMethod> element of <ds:SignedInfo>, and as a
<ds:Transform> algorithm. Use of Exclusive Canonicalization ensures that signatures created over
SAML messages embedded in an XML context can be verified independent of that context.
I haven't validated if it actually works to use
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
But it should be using
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
The "Login History" for the user shows a failed login attempt, with an error of: "Failed: Assertion Invalid." According to the SalesForce documentation:
Here is my SAML response without a signed Assertion.
how to pass the SAML assertion from client application to salesforce. can i get client side sample code.
-sunil
thanks
Jong
As per your suggestion, I gone through openSAML site and trying to understand.
Please share if you have any sample code related to salesforce using this open source library.
Thx
sunil
to generate a SAMLResponse, you can try to do something like this:
SAMLResponse r = new SAMLResponse();
SAMLAssertion a = new SAMLAssertion();
SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier(ssoId, null, null),
Collections.singleton(confirmationMethod), null, null
);
s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
a.addStatement(s);
a.setId(assertionId);
a.setIssuer(issuer);
a.setNotBefore(notBefore);
a.setNotOnOrAfter(notOnOrAfter);
a.setIssueInstant(issueInstant);
r.addAssertion(a);
r.setId(getNewAssertionId());
r.setRecipient(recipient);
r.setIssueInstant(issueInstant);
--sunil
where you upload the certificate and set the issuer, once you hit save, you should be able to get the recipient from the ui page.
So in turns, you need to pass all those parameters to your codes.
Thanks jonglee,
I received the Recipient URL after configuring the SAML, and I passed all configured parameters to the code, and generated a SAML assertion using the openSAML library.
I tried to send this SAML assertion from client application to salesforce.com site. But it is throwing same error message.
Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information.
I'm thinking that the problem is with certificate. but I’m not sure about this also.
I'm not understanding the exact problem.
Here I'm sending my client code. Please let me know for any changes.
<%@page language="java"%>
<%
String strResponse =
"<Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"2008-12-18T11:43:32.054Z\" MajorVersion=\"1\" MinorVersion=\"1\" Recipient=\"Recipient URL\" ResponseID=\"_23ced5473142eef7cbfdae01c3dc8351\">
<Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_d48bfa6b0e8eebec222d87941160c876\" IssueInstant=\"2008-12-18T11:43:32.335Z\" Issuer=\"http://www.opensaml.org\" MajorVersion=\"1\" MinorVersion=\"1\"><Conditions NotBefore=\"2008-12-18T11:43:32.304Z\" NotOnOrAfter=\"2008-12-18T11:44:32.304Z\"></Conditions><AuthenticationStatement AuthenticationInstant=\"2008-12-18T11:43:32.257Z\" AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\"><Subject><NameIdentifier>foo</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier>foo</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName=\"CGUSERNAME\" AttributeNamespace=\"CGUSERURI\"><AttributeValue>xyz@yahoo.com(SSO USER)</AttributeValue></Attribute></AttributeStatement></ds:Signature></Assertion></Response>";
%>
<html>
<body>
<form name = "acsForm" action ="Recipient URL" method="post">
<input type = "hidden" name = "TARGET" value ="https://na6.salesforce.com/ideas/ideaList.apexp"/>
<input type="hidden" name="SAMLResponse" value="<%=strResponse%>" />
<input type = "submit" value = "Submit" />
</form>
</body>
</html>
Thanks
Sunil
Here I'm sending the generation of SAML assertion code, and In the code itself i'm encoding the SAML Response.
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
SAMLResponse r = new SAMLResponse();
SAMLAssertion a = new SAMLAssertion();
SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier("foo", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttributeStatement attributeStmt = new SAMLAttributeStatement();
SAMLSubject subject1 = new SAMLSubject(
new SAMLNameIdentifier("foo", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttribute attribute = new SAMLAttribute("CGUSERNAME","CGUSERURI",null,0, null);
attribute.addValue("xyza@yahoo.com");
attributeStmt.addAttribute(attribute);
attributeStmt.setSubject(subject1);
s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
a.addStatement(s);
a.addStatement(attributeStmt);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.opensaml.org");
a.setNotBefore(new Date());
a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));
//a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com")));
r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
//r.toStream(System.err);
//System.err.println();
a.sign(
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
ks.getKey(alias,password),
Arrays.asList(ks.getCertificateChain(alias))
);
r.sign(
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
ks.getKey(alias,password),
Arrays.asList(ks.getCertificateChain(alias))
);
assertTrue("SAMLResponse is not signed.",r.isSigned());
//System.err.println("================ Generated Response ===============");
//r.toStream(System.err);
//System.err.println();
Here I'm encoding the SAML assetion into Base64.
SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
//request.SAMLResponse = new String(r.toBase64());
request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));
SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
null,
request,
"https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
ReplayCacheFactory.getInstance(),
null,
1);
assertTrue("SAMLResponse is not signed.",response.response.isSigned());
response.assertion.verify(ks.getCertificate(alias));
response.response.verify(ks.getCertificate(alias));
System.err.println("================ Verified Response ===============");
response.response.toStream(System.err);
System.err.println();
but still i'm facing the same error message.
Please let me know for further changes in the code.
Thanks
Sunil
Could you please provide the config from your saml settings page to see if it matches what you are trying to do here?
thanks
Jong
The SSO problem has been resolved, its working fine.
Thanks a lot, for the helpful tips.
I need one more favor from you, How do I implement SSO for custom portals?
Please help me on this.
Once again Thanks Jonglee.
--sunil
thanks
Jong
Hi Jonglee, I do have same issue with SAML. I have created one java file to create saml assertion and other jsp to pass it to salesforce. But nothing is working. The SAMLBrowserProfileFactory.getinstance() method throw null pointer exception. I tried to replace opensaml jar but it did not help.
Please check my code below and suggest if I am doing any thing wrong.
SAMLAssertionCreator.java
----------------------------
package com;
//import COM.rsa.*;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import org.opensaml.provider.*;
import org.opensaml.ReplayCacheFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLBrowserProfileFactory;
import org.opensaml.SAMLIdentifier;
import org.opensaml.SAMLIdentifierFactory;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;
import javax.xml.namespace.QName;
//import weblogic.xml.crypto.dsig.api.XMLSignature;
import com.rsa.certj.xml.dsig.XMLSignature;
public class SAMLAssertionCreator {
public BrowserProfileResponse createSAML() throws IOException
{
try
{
System.out.println("I am i SAMLASSErtionCreator++++");
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
System.out.println("I am i SAMLASSErtionCreator2222222222");
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
System.out.println("I am i SAMLASSErtionCreator3333333333");
SAMLResponse r = new SAMLResponse();
SAMLAssertion a = new SAMLAssertion();
SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier("foo", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
System.out.println("I am i SAMLASSErtionCreator444444444444444");
SAMLAttributeStatement attributeStmt = new SAMLAttributeStatement();
SAMLSubject subject1 = new SAMLSubject(
new SAMLNameIdentifier("foo", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttribute attribute = new SAMLAttribute("CGUSERNAME","CGUSERURI",null,0, null);
attribute.addValue("xyza@yahoo.com");
attributeStmt.addAttribute(attribute);
attributeStmt.setSubject(subject1);
s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
a.addStatement(s);
a.addStatement(attributeStmt);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.opensaml.org");
a.setNotBefore(new Date());
a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));
//a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com")));
r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
//r.toStream(System.err);
//System.err.println();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
char[] pwd={'t','e','s','t','k','e','y','p','a','s','s'};
a.sign(
//XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias"))
);
r.sign(
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias"))
);
//assertTrue("SAMLResponse is not signed.",r.isSigned());
//System.err.println("================ Generated Response ===============");
//r.toStream(System.err);
//System.err.println();
SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
request.SAMLResponse = new String(r.toBase64());
//request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));
SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
null,
request,
"https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
ReplayCacheFactory.getInstance(),
null,
1);
// assertTrue("SAMLResponse is not signed.",response.response.isSigned());
response.assertion.verify(ks.getCertificate("testalias"));
response.response.verify(ks.getCertificate("testalias"));
System.err.println("================ Verified Response ===============");
response.response.toStream(System.err);
System.err.println();
return response;
}catch(Exception e)
{
e.printStackTrace();
}
return null;
}
}
and JSP file is
<%@ page import="org.opensaml.SAMLBrowserProfile"%><%@ page import="com.SAMLAssertionCreator"%><%@
page language="java" contentType="text/html; charset=ISO-8859-1"pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
System.out.println("11111111111111111");SAMLAssertionCreator samlCr = new SAMLAssertionCreator();System.out.println(
"222222222222222222222");SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse)samlCr.createSAML();
System.out.println("3333333333333333333333");
if(objSAML!=null){
System.out.println("444444444444444444");System.out.println("+++++++++++++++++"+objSAML.response.getAssertions()+"++++++++++"+objSAML.response.getId());
}
else
{
System.out.println("555555555555555555555555555"); System.out.println("+++++++++++++++++");}
System.out.println("66666666666666666666");
session.setAttribute("SAMLOBJ",objSAML);
%>
<html>
<head>
<html><body><
form name = "acsForm" action ="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=" method="post"><input type = "hidden" name = "TARGET" value ="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA="/>
<%
System.out.println("777777777777");
%>
<input type="hidden" name="SAMLResponse" value="<%=objSAML%>" /><input type = "submit" value = "Submit" /></
form></body></
html>I really appreciate if you can help me in this ..thanks
Sandeep
Hi Jonglee, first error is Null Pointer exception at
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance(); and i m using opensaml.jar
thanks
Sandeep
NPE occurs on SAMLBrowserProfileFactory.getInstance()? That seems odd. How could that be? Do you mind post the complete statcktrace?
thanks
Jong
hi jong, yeah it's odd. i generate another log .please see below . the line number 41 is 'SAMLBrowserProfileFactory.getInstance' ..can you send me opensaml.jar at sandeep.mann@gmail.com so that i try with that too..
at org.opensaml.SAMLBrowserProfileFactory.getInstance(Unknown Source)
at org.opensaml.SAMLBrowserProfileFactory.getInstance(Unknown Source)
at com.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:41)
at jsp_servlet._admin.__auth._jspService(__auth.java:111)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
at weblogic.servlet.internal.ServletStubImpl.onAddToMapException(ServletStubImpl.java:394)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:309)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3395)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
Are you using this one?
http://shibboleth.internet2.edu/downloads/opensaml/java/1.1b/
Or you can build it from source, I just tried it:
1) svn co https://svn.middleware.georgetown.edu/java-opensaml1
2) cd java-opensaml1/tags/Rel_1_1_FINAL_B
3) ant
"
create-jar:
[jar] Building jar: /home/jonglee/projects/saml/java-opensaml1/tags/Rel_1_1_FINAL_B/dist/opensaml-1.1.jar
dist:
BUILD SUCCESSFUL
Total time: 12 seconds
"
Hi Jong,
I tried with new 'opensaml-1.1.jar' file too but got same null exception. Can you tell me all steps which we have to do to implement SSO. Do we need any configuration file too?
right now i have coded one jsp and one java file as i attached before and done nothing other than that. I am trying to pass assertion from application appA to salesforce.
Let me know if I am missing any step.
Thanks
Sandeep
after removing the getinstance() method, now i m facing issue while setting the QName in SAMLAttribute
Plz see below for error message
java.lang.NoSuchMethodError: org.opensaml.SAMLAttribute.setType(Ljavax/xml/namespace/QName;)Vat com.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:63)
at jsp_servlet._admin.__auth._jspService(__auth.java:111)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
Truncated. see log file for complete stacktrace
first i used 'SAMLAttribute attribute = new SAMLAttribute("abc","abc",null,0, null);' but that i got error that there is not such method means constructor having 4 entry paramter though i passed 5 parameter. and that time error message was
java.lang.NoSuchMethodError: org.opensaml.SAMLAttribute.<init>(Ljava/lang/String;Ljava/lang/String;Ljavax/xml/namespace/QName;JLjava/util/Coll
ection;)V
at com.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:60)
at jsp_servlet._admin.__auth._jspService(__auth.java:111)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
Truncated. see log file for complete stacktrace
what do u suggest should i remove this call too....
It seems to be a class loading issue. I recalled weblogic was bundling open saml jar in the distribution. So you can try to place opensaml jar in front of weblogic.jar/weblogicaux.jar to see if it works. Another workaround is to remove attributes from the saml assertion for now since you can just use subject to pass in SFDC identity without using attributes...
I avoid that and got saml login error at SFDC
now I am passing following things in subject and those are configured in sfdc too:
------------------------------------------------------------------
SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier("sandeep@yahoo.com", null, null),
Collections.singleton(SAMLSubject.CONF_SENDER_VOUCHES), null, null
);
and tried this too
SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier("sandeep@yahoo.com", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
also please tell what should come here
a.setIssuer("http://www.opensaml.org"); --> will it be ISSUER URL from my weblogic server.
-------------------------------------------------------------------
Another thing right now i return SAMLBrowserProfile.BrowserProfileRequest base64 encoded instace at jsp.
but will i not need that 'SAMLBrowserProfile.BrowserProfileResponse' instance(remember i was not
able to work with getinstance()method)
thanks
sandeep
1) According to SAML 1.1 Browser Post Profile, the subject confirmation must be bearer.
2) The issuer must match the one you defined in SFDC settings ---> Setup/Security Controls/Single-Sign-On-Settings, where you need to define issuer after enabling the SAML.
3) I think the getInstance() NPE is caused by the opensaml jar bundled in WLS, so you can probably verify it by prepending the opensaml jar in front of weblogic.jar. I don't see why you need to SAMLBrowserProfile.BrowserProfileRequest since you can just post the SAMLResponse.toBase64() to SFDC.
4) As I recalled, WLS has out-of-the-box support for SAML 1.1 brower post. But I don't remember the details now. Maybe something you can also explore as an alternative to writing your own jsp to the post the SAMLResponse.
I don't see you load the keystore file, from your codes post ealier:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
char[] pwd={'t','e','s','t','k','e','y','p','a','s','s'};
a.sign(
//XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias")
);
I would expect something like:
see http://java.sun.com/j2se/1.5.0/docs/api/java/security/KeyStore.html
Hey Jonglee,
from where do we get
import com.rsa.certj.xml.dsig files.is it a jar or something.
I am trying to implement SSO from corporate site to Salesforce. The only thing which is concerning certificate is, I have to upload certificate to SFDC and then get the recipient url. then add that url to assertion creator class. Correct me if I am wrong. we are planning to use our own certificate, no third party.
Thanks
Hi All,
I really need your help. I am trying to send assertion from our intranet to Salesforce using SSO. I am using simple JSP and Java class with Tomcat. I took the code from the same forum. I think they are using it with weblogic. I need help with the RSA Certj package. Any help would be appreciated.
Thanks.
I really don't think you need the RSA certj library. You can simply use jdk classes to read/load a x509 cert from a keystore or even just a file.
Jong
Hi Jong,
its not able to find
import com.rsa.certj.xml.dsig.XMLSignature;
that's why it is giving error
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias")
);
r.sign(
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias")
);
assertTrue("SAMLResponse is not signed.",r.isSigned());
my other question is (although I might sound dumb)
what all info from certificates I need to pass into this class. where do we use .per file.
Thanks,
Your help is highly appreciated
--------------------- my code -----------------
package com.SSOTest;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import org.opensaml.provider.*;
import org.opensaml.ReplayCacheFactory;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLBrowserProfileFactory;
import org.opensaml.SAMLIdentifier;
import org.opensaml.SAMLIdentifierFactory;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;
import javax.xml.namespace.QName;
import com.rsa.certj.xml.dsig.XMLSignature;
public class SAMLAssertionCreator {
public BrowserProfileResponse createSAML() throws IOException
{
try
{
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
SAMLResponse r = new SAMLResponse();
SAMLAssertion a = new SAMLAssertion();
SAMLAuthenticationStatement s = new SAMLAuthenticationStatement();
SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier("foo", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttributeStatement attributeStmt = new SAMLAttributeStatement();
SAMLSubject subject1 = new SAMLSubject(
new SAMLNameIdentifier("foo", null, null),
Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
SAMLAttribute attribute = new SAMLAttribute("CGUSERNAME","CGUSERURI",null,0, null);
attribute.addValue("xyza@yahoo.com");
attributeStmt.addAttribute(attribute);
attributeStmt.setSubject(subject1);
s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);
a.addStatement(s);
a.addStatement(attributeStmt);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.xyz.com");
a.setNotBefore(new Date());
a.setNotOnOrAfter(new Date(System.currentTimeMillis() + 300000));
//a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com"));
r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");
//r.toStream(System.err);
//System.err.println();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// char[] pwd={'t','e','s','t','k','e','y','p','a','s','s'};
a.sign(
//XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias")
);
r.sign(
XMLSignature.RSA_SIGNATURE_ALGORITHM,
ks.getKey("testalias",pwd),
Arrays.asList(ks.getCertificateChain("testalias")
);
assertTrue("SAMLResponse is not signed.",r.isSigned());
//System.err.println("================ Generated Response ===============");
//r.toStream(System.err);
//System.err.println();
// get user password and file input stream
// char[] password = getPassword();
// java.io.FileInputStream fis = new java.io.FileInputStream("keyStoreName");
// ks.load(fis, password);
// fis.close();
SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
// request.SAMLResponse = new String(r.toBase64());
request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));
SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
null,
request,
"https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
ReplayCacheFactory.getInstance(),
null,
1);
assertTrue("SAMLResponse is not signed.",response.response.isSigned());
response.assertion.verify(ks.getCertificate("testalias"));
response.response.verify(ks.getCertificate("testalias"));
System.err.println("================ Verified Response ===============");
response.response.toStream(System.err);
System.err.println();
return response;
}catch(Exception e)
{
e.printStackTrace();
}
return null;
}
}
import com.rsa.certj.xml.dsig.XMLSignature;
but the Signatureclass from open-saml. Your code seems to use keystore to load the cert. If you prefer, you can directly load the cert from perm/der file -- I think that's the .per you are referring to.
Thanks. There is no signature class in opensaml 1.1. I might be downloading wrong opensaml1.1.jar then. Infact the jar I am using doesn't have org.opensaml.xml package. I have 3 files, .crt,.cer,.pem. I tried hard finding documentation for SAML 1.1, so that I can code but couldn't get anything.I am not sure how to use these files.
java.io.FileInputStream fis = new java.io.FileInputStream("sf.pem");
BufferedInputStream bis = new BufferedInputStream(fis);
fis.close();
a.sign(
XMLSignature.RSA_SIGNATURE_ALGORITHM,
bis.toString(),
Arrays.asList(ks.getCertificateChain("testalias")
);
r.sign(
XMLSignature.RSA_SIGNATURE_ALGORITHM,
bis.toString(),
Arrays.asList(ks.getCertificateChain("testalias")
);
assertTrue("SAMLResponse is not signed.",r.isSigned());
SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
request.SAMLResponse = new String(Base64Coder.encodeString(r.toString()));
SAMLBrowserProfile.BrowserProfileResponse response = profile.receive( null, request,
"https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",
ReplayCacheFactory.getInstance(), null, 1);
assertTrue("SAMLResponse is not signed.",response.response.isSigned());
response.assertion.verify(ks.getCertificate("testalias"));
response.response.verify(ks.getCertificate("testalias"));
You can try download 1.1 library from https://spaces.internet2.edu/display/OpenSAML/Home/
In fact, open saml 1.1 is deprecated, I think you can try out 2.0. It seems they have some doc to get you started. Another way is to look at their tests, it will give you ideas how to do it as well.
Thanks Jonglee.
I used XMLSignature class xmlsec.jar from apache
I got 3 files
.per - containing private key - This will be read by our java program
.crt - containing public key - I think this will be uploaded in Salesforce.com and not used in Java program.
.cer - containing certificate - I think this will be read by our java program as well.
Can you please help if I am right.
java.io.FileInputStream fis = new java.io.FileInputStream("sf.per"); java.io.BufferedInputStream bis = new java.io.BufferedInputStream(fis);fis.close();
a.sign(
//XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,// XMLSignature.RSA_SIGNATURE_ALGORITHM,
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,bis.toString(),
Arrays.asList(ks.getCertificateChain("testalias")) *** what to do here if I am reading from certificate);
r.sign(
// XMLSignature.RSA_SIGNATURE_ALGORITHM,
XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,bis.toString(),
Arrays.asList(ks.getCertificateChain("testalias")) *** what to do here if I am reading from certificate);
response.assertion.verify(ks.getCertificate(bis.toString())); *** what to do here if I am reading from certificate
Thanks for all the help.
Thanks.
In the sign method, the second argument requires private key. In verify method, it requires public key as argument. The private key can be retrieved from .pem file. the public key can be retrieved from .cer file.
the above information I got is from reading few places on internet, I might be totally wrong. Please feel free to correct me.
BufferedReader in = new BufferedReader(new java.io.FileReader("SFSign.pem"));String line, encodedPrivateKey;
encodedPrivateKey = "";line = in.readLine();
while (line != null) {encodedPrivateKey += line + "\r\n";line = in.readLine();
}
in.close();
// Remove the markers from the data
encodedPrivateKey = encodedPrivateKey.replace("-----BEGIN RSA PRIVATE KEY-----", "");encodedPrivateKey = encodedPrivateKey.replace("-----END RSA PRIVATE KEY-----", "");encodedPrivateKey = encodedPrivateKey.trim();
this is string but the sign method requires key.
how to retrieve public private keys from .pem, .cer
Google seems to be our friend. I am typing "read private key in java" on the search box, and I got plenty info, including this one:
http://forums.sun.com/thread.jspa?threadID=5175986
public class SAMLAssertionCreator {
public BrowserProfileResponse createSAML() throws IOException{
try
{
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
SAMLResponse r = new SAMLResponse();SAMLAssertion a = new SAMLAssertion();SAMLAuthenticationStatement s =
new SAMLAuthenticationStatement();SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier("user@mail.com", null, null),Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
s.setSubject(subject);
s.setAuthInstant(new Date());
s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);a.addStatement(s);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.mail.com");a.setNotBefore(new Date());a.setNotOnOrAfter(
new Date(System.currentTimeMillis() + 300000));//a.addCondition(new SAMLAudienceRestrictionCondition(Collections.singleton("https://saml.salesforce.com"));
r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");r.toDOM();
String privKeyFile = "SFSign.pem";String alias = "testalias";
char[] password = "pwd".toCharArray();
java.io.FileInputStream fis = new java.io.FileInputStream("SFSign.cer");//java.io.BufferedInputStream bis = new java.io.BufferedInputStream(fis);
// read private key PEM file
java.io.DataInputStream dis = new java.io.DataInputStream(new FileInputStream(privKeyFile));
byte[] privKeyBytes = new byte[(int)privKeyFile.length()];dis.read(privKeyBytes);
dis.close();
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
BASE64Decoder b64 = new BASE64Decoder();// decode private key
PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(b64.decodeBuffer(privKeyBytes.toString()));RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);
CertificateFactory cf = CertificateFactory.getInstance("X.509");X509Certificate cert = (X509Certificate)cf.generateCertificate(fis);
fis.close();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.setCertificateEntry(alias, cert);
a.sign(
Signature.getInstance("MD5withRSA").toString(),//ks.getKey(alias,password),
privKey,
//Arrays.asList(ks.getCertificateChain(alias))
null
);
r.sign(
Signature.getInstance("MD5withRSA").toString(),privKey,
null
);
assertTrue("SAMLResponse is not signed.",r.isSigned());r.verify(ks.getCertificate(alias));
SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();
request.SAMLResponse = new String(r.toBase64());SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
null,request,
"https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",ReplayCacheFactory.getInstance(),
null,1);
assertTrue("SAMLResponse is not signed.",response.response.isSigned());response.assertion.verify(ks.getCertificate(alias));response.
response.verify(ks.getCertificate(alias));System.err.println("================ Verified Response ===============");
response.response.toStream(System.err);System.err.println();
return response;}catch(Exception e){
e.printStackTrace();
}
return null;}
}
jsp file ------
<%@ page import="org.opensaml.SAMLBrowserProfile"%><%@ page import="com.SSOTest.SAMLAssertionCreator"%>
<%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
System.out.println("Start");SAMLAssertionCreator samlCr = new SAMLAssertionCreator();
System.out.println("After SAMLAssertionCreator");SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse)samlCr.createSAML();
System.out.println("After SAMLBrowserProfile");if(objSAML!=null){
System.out.println("objSAML is null : " + objSAML.response.getAssertions() +"....." + objSAML.response.getId());}
else{ System.out.println("objSAML is not null");}
System.out.println("After the loop");session.setAttribute("SAMLOBJ",objSAML);
%>
<html><body><
form name="acsForm" action="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=" method="post"> <input type="hidden" name="TARGET" value="https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=" /><input type="hidden" name="SAMLResponse" value="<%=objSAML%>" />
<input type="submit" value="Submit" /></form></
body></html>
when I am trying to run this, I am getting
java.lang.NoClassDefFoundError: org/opensaml/SAMLStatement. not sure why?
I have 3 files
1. SFSign.pem - private key
2. SFSign.cer - certificate with public key uploaded on Salesforce.com
3. org.crt - trusted root certificate from the organization.
My question is
in sign method we need private key as second argument, in verify method we need public key.
is it possible that I just read file 1 in keystore and get the public key for verify or do I need to load both file 1 and file 2 as I have done in the code above. Do I need file 3 somewhere for the assertion or it is not at all required.
Thanks for all help. agg_rajat@yahoo.com
Thanks. we just need to sign, then will we still use alias and password for the private key during signing. if yes, how?
SAMLBrowserProfile profile = SAMLBrowserProfileFactory.getInstance();
SAMLIdentifier idgen = SAMLIdentifierFactory.getInstance();
SAMLResponse r = new SAMLResponse();SAMLAssertion a = new SAMLAssertion();SAMLAuthenticationStatement s =
new SAMLAuthenticationStatement();SAMLSubject subject = new SAMLSubject(
new SAMLNameIdentifier(user@mail.com, null, null),Collections.singleton(SAMLSubject.CONF_BEARER), null, null
);
s.setSubject(subject);
s.setAuthInstant(new Date());s.setAuthMethod(SAMLAuthenticationStatement.AuthenticationMethod_Password);a.addStatement(s);
a.setId(idgen.getIdentifier());
a.setIssuer("http://www.mail.com");a.setNotBefore(new Date());a.setNotOnOrAfter(
new Date(System.currentTimeMillis() + 300000));r.addAssertion(a);
r.setId(idgen.getIdentifier());
r.setRecipient("https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=");r.toDOM();
String privKeyFile = "SFSign.pem";String alias = "SFSign";
char[] password = "password".toCharArray();// read private key PEM file
java.io.DataInputStream dis = new java.io.DataInputStream(new FileInputStream(privKeyFile)); byte[] privKeyBytes = new byte[(int)privKeyFile.length()];dis.read(privKeyBytes);
dis.close();
KeyFactory keyFactory = KeyFactory.getInstance("RSA");BASE64Decoder b64 = new BASE64Decoder();// decode private key
PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(b64.decodeBuffer(privKeyBytes.toString()));RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);
a.sign(
Signature.getInstance("MD5withRSA").toString(),privKey,
null
);
r.sign(
Signature.getInstance("MD5withRSA").toString(),privKey,
null
);
assertTrue("SAMLResponse is not signed.",r.isSigned());
SAMLBrowserProfile.BrowserProfileRequest request = new SAMLBrowserProfile.BrowserProfileRequest();request.SAMLResponse = new String(r.toBase64());SAMLBrowserProfile.BrowserProfileResponse response = profile.receive(
null,request,
"https://login.salesforce.com/?saml=02HKiPoin4y6cz6d9xCPG23bQXBKA=",ReplayCacheFactory.getInstance(),
null,1);
assertTrue("SAMLResponse is not signed.",response.response.isSigned());System.err.println("================ Verified Response ===============");response.
response.toStream(System.err);System.err.println();
return response;
I am working on SAML assertion. I have a private key abc.pem. I want to read this file and sign the assertion. The code I found on the internet is what I have written. I might be wrong, but somehow I think this code is for generation private key from a public key, which is what I don't want. I already have a private key, alias and its password. I just want to read it from file and sign the assertion. You help would be greatly appreciated.
String privKeyFile = "abc.pem"; String alias = "test"; char[] password = "pwd".toCharArray(); // read private key PEM file java.io.DataInputStream dis = new java.io.DataInputStream(new FileInputStream(privKeyFile)); byte[] privKeyBytes = new byte[(int)privKeyFile.length()]; dis.readFully(privKeyBytes); dis.close(); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); BASE64Decoder b64 = new BASE64Decoder(); // decode private key PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(b64.decodeBuffer(privKeyBytes.toString())); RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec); samlassertion.sign( Signature.getInstance("MD5withRSA").toString(), privKey, null );Hi Sandeep,
I am facing the same issue (java.lang.NullPointerException while calling the SAMLBrowserProfileFactory.getInstance() method). Could you please let me know if you got it resolved? Was it a jar file issue? If yes, from where did you download the currect version of jar file to make it working? Please help!
Thanks,
Alok
try this to load the private key from file:
http://www.javadocexamples.com/java/security/spec/java.security.spec.PKCS8EncodedKeySpec.html
Alok,
I used same jar 'opensaml-1.1.jar' only. If you need then i can send the jar files. Send me ur email id.
I recalled the problem is you using opensaml 1.1 with weblogic server which bundled its own version. so you need to modify the startWeblogic.sh to prepend your version before weblogic.jar...
Hi,
I am getting the following exception. I used the same code as posted above with the pem file. Do I need to modify the pem file? Please advise.
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : nullat sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
at java.security.KeyFactory.generatePrivate(Unknown Source)
at com.SSOTest.SAMLAssertionCreator.createSAML(SAMLAssertionCreator.java:99)at org.apache.jsp.NCRSalesCentral_jsp._jspService(org.apache.jsp.NCRSalesCentral_jsp:56)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)at org.apache.jasper.servlet.JspServletWrapper.service(
JspServletWrapper.java:322)at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:291)at org.apache.jasper.servlet.JspServlet.service(
JspServlet.java:241)at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:252)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)at org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:213)at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)at org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:126)at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)at org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:107)at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)at org.apache.coyote.http11.Http11Processor.process(
Http11Processor.java:856)at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(
PoolTcpEndpoint.java:527)at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
ThreadPool.java:684)at java.lang.Thread.run(Unknown Source)
Caused by: java.security.InvalidKeyException: IOException : nullat sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(Unknown Source)
at sun.security.rsa.RSAKeyFactory.generatePrivate(Unknown Source)
... 24 more
Hi SalesforceSSO,
I am trying with the same code you posted with a pem file and getting the exception (posted in previous post). Please let me know if it is working for you now. Do we have to put the key in keystore first?
Thanks,
Alok
Hello SHanuman , Jonglee,
got struck while working with SAML.
I am getting login failed error while posting it to Salesforce. Can you please help. login history has no enteries. looks like its not able to get username.
<%@ page import="org.opensaml.SAMLBrowserProfile"%><%@ page import="com.sso.SAMLAssertionCreator"%>
<%@page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
SAMLAssertionCreator samlCr = new SAMLAssertionCreator();SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse) samlCr.createSAML();
session.setAttribute("SAMLOBJ", objSAML);
%>
<html><body><
form name="acsForm" action="https://cs3.salesforce.com" method="post"> <input type="hidden" name="TARGET" value="https://cs3.salesforce.com" /><input type="hidden" name="SAMLResponse" value="<%=objSAML%>" />
<input type="submit" value="Submit" /></form> </body></html>
Federated single sign-on using SAML:
Expiration: 29 Mar 2019
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2009-04-30T16:19:29.738Z" MajorVersion="1" MinorVersion="1" Recipient="https://cs3.salesforce.com" ResponseID="_c5226ab7546137e707d44a9c6bd935cf"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_c5226ab7546137e707d44a9c6bd935cf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>g5E85emP02skn6lHjlnVafBCCFs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
KL2ggRD5iTQVYA9Wdqc1iNt16Dw12fvqO+96CT8GUzObQ+fd/9ces/yT+lxS0PTZYPt9KelkO/jy
PrV9DUFZj37PxNI1vvhT6ZSA1XY1GsooN7nlUdu+tou7a3ZvdCz4CeN0mFCUL7RrH99fmHNgIT4o
s3ZCx4fbstXCFfqomcM=
</ds:SignatureValue>
</ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_0383e17ba54b53140ad122a4bb68255c" IssueInstant="2009-04-30T16:19:30.049Z" Issuer="http://www.xyz.com" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2009-04-30T16:19:30.028Z" NotOnOrAfter="2009-04-30T16:24:30.028Z"></Conditions><AuthenticationStatement AuthenticationInstant="2009-04-30T16:19:29.928Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier>abc@xyz.com</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_0383e17ba54b53140ad122a4bb68255c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>dYcFbFuLH3CjTTvxxqzaXTKqMSc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MB665iHEbaPF23TNqUdtIUllx0BqepfrzB6pNBejWS+49S5dd1g+qcCTK7SqtF/IHQ9xm7jzyfAR
KVzV4/f1e8C5+6y9WBaeCiUCbSfymZ9PQn1/1goJCyd/+jlPvPi3SKj0J4gmnveQQLrUG4dYtkbm
peCFzICrMBisOuDKb1U=
</ds:SignatureValue>
</ds:Signature></Assertion></Response>
Has anyone got the 'TARGET' field working with SAML 2.0 so that it accepts the startURL, logoutURL, and ssoStartPage?
We set the value according to the docs for the as a TARGET field on the POST response:
<input type="hidden" name="TARGET" value="https://saml.salesforce.com/?startURL=https://na1.salesforce.com/001/o&logoutU
RL=http://admintools.aria.net/index.php/SignOn/logout">
But the starting URL still goes to https://na1.salesforce.com/home/home.jsp, and the logout URL is the default Salesforce logout URL.
Is the documentation wrong in describing how to set these URLs for SSO? Or are we missing something obvious?
Thanks for your help
Per SAML 2.0 spec, there is no TARGET post param avaiable to set those sso related paramaters, so in upcoming release(already available in cs0, cs2, and cs3 now and rest of the instances will be upgraded in June), we used SAML 2.0 attribute statement to pass in those values.
<pre>
</pre>
thanks
Jong Lee
Salesforce.com
Hi Jong Lee and Salesforce SSO Guru's
We need your help in resolving the below error message
"Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information. "
Below is the SAML assertion that is being posted
<?xml version="1.0" ?>
- <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="b55010b709b8d8cf858e" IssueInstant="2009-06-11T10:01:10.892Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>http://www.abc.com</saml:Issuer>
- <samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
- <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="a40aa6e29fef4791da2c" IssueInstant="2009-06-11T10:01:10.830Z" Version="2.0">
<saml:Issuer>http://www.abc.com</saml:Issuer>
- <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
- <ds:Reference URI="#a40aa6e29fef4791da2c">
- <ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lSo9/fOxK9pCMf6tt0qu0YELXSw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SzN+Ui9mubjcS0ROWOKHx7dmcAEVMx4pz1=</ds:SignatureValue>
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>ART_21</ds:KeyName>
</ds:KeyInfo>
</ds:Signature>
- <saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sample@abc.com</saml:NameID>
- <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2009-06-11T10:06:10.830Z" Recipient="https://login.salesforce.com" />
</saml:SubjectConfirmation>
</saml:Subject>
- <saml:Conditions NotBefore="2009-06-11T10:01:10.846Z" NotOnOrAfter="2009-06-11T10:06:10.846Z">
- <saml:AudienceRestriction>
<saml:Audience>https://saml.salesforce.com</saml:Audience>
</saml:AudienceRestriction>
<saml:Condition>restrict IP</saml:Condition>
<saml:OneTimeUse>use it once</saml:OneTimeUse>
</saml:Conditions>
- <saml:AuthnStatement AuthnInstant="2009-06-11T10:01:10.846Z" SessionIndex="wMx9ZzhvB/wdd6UPZjFd1OjEAMQ=" SessionNotOnOrAfter="2009-06-11T10:01:13.846Z">
- <saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
We also validated our SAML assertion in the SAML settings page and results are listed below
1. Validating the Status
Ok
2. Checking that the assertion contains a reference to a user
Ok
3. Looking for an Authentication Statement
Ok
4. Looking for a Conditions statement
Ok
5. Checking that the timestamps in the assertion are valid
Ok
6. Checking that the Attribute namespace matches, if provided
Unknown
7. Miscellaneous format confirmations
Unknown
8. Confirming Issuer matches
Ok
9. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
10. Checking that the Audience matches, if provided
Ok
11. Checking the Recipient
Ok
12. Validating the Signature
Ok
What does the Login History tell you?
If you did not get an entry, it means we can't resolve your username. I saw your Recipeint URL is using "https://login.salesforce.com", it means you are putting SFDC username into the SUBJECT. Mostly like the problem is
"sample@abc.com" is not a valid SFDC username. Also you did not output the "Username or Federation ID" of the debug result, do you see that matches "sample@abc.com" -- the one you define in your assertion?
Jonglee
Thank you very much for getting back to us.
We do not have any entry in the login history.
We are using a valid user ID and we are able to logon to SFDC using the ID that has been specified in the assertion. However the same fails when we use the SAML assertion
The assertion validation page displays the valid SFDC User ID in the subject. We are not using the Federated ID option.
Subject: sample@abc.com
AssertionId: c4e9c837b58814a9f87f
__________________________________________
As per the document available in the below link the SAML Assertion Debugger is available in Setup -> Security Controls - >Single Sign-On Settings-> SAML Assertion Debugger.
https://tapp0.salesforce.com/help/doc/en/salesforce_single_sign_on.pdf
The Single Sign-On settings page only has the SAML Assertion Validator button and not the SAML Assertion Debugger button.
By debug are you referring to the SAML Assertion Validator results or SAML Assertion Debugger function which is not available
The sample@abc.com is the Development Edition Admin Id and when we login into SFDC we hit the below URL
https://c.ap1.visual.force.com/apex/Start_Here?sfdc.tabName=01r900000008XGa
It seems you are on "ap1" instance, and unfortunately, when I search "sample@abc.com", I can't locate your organization. Could you please post your user id? You can find the user id on the url when you visit the personal information page under setup.
thanks
Jong
Jong,
The Actual ID that we are using is david@sky.com. Thanks again for your assistance.
OK, I actaully can locate your record using david@sky.com. Now if you put that into the SAML assertion insteadof "sample@abc.com", does it work? The SAML assertion needs to be mapped to a valid SFDC user, either by using username like "david@sky.com" or you can set a federation id "sample@abc.com" in your user's page and change the SAML settings to accept federation id.
thanks
Jong
Jong,
We have tried all the options and we continue to get the same error message. I find it strange as our assertion validation is successfull. have sent you a PM.
Thanks
Can you post or send PM with your code, so that I can have a look at it.
Jonglee,
Kindly let us know if you need any futher information and we will be glad to provide the same.
Thanks
Jong,
We have tested the attribute statement, and it works for logoutURL, but the attributes ssoStartPage and startURL do not seem to work. Is this being rolled out later this month, or was this not implemented?
Thanks
Jong and other SSO experts
We were successfuly able to establish a connection using myonelogin.com and OpenSSO. Myonelogin uses SAML1.1 and OpenSSO uses 2.0.
Our assertion is similar to Opensso and we do not have any errors when validating through the assertion validator.
However we continue to encounter " Your login attemp using single sign on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information"
We do not have any entries in the error logs. We are unable to make any progress as we do not have any sort of logs from Salesforce.com that would help us in resolving this issue.
Did you get a chance to look at the login history in your test org? Normally when the SAML assertion can be mapped to a valid SFDC user, it should display the error code there. If no login history at all, please try to use the Validator page to see if it gives you any hit on the error. If none of those working, maybe you can post the base64encoded assertion here, I am happy to take a closer look.
thanks
Jong
Jong,
Thanks for getting back to us, we do not have any entry in the login history. We used the validator page and did not encounter any errors. As requested below is the base64 encoded assertion. I have also posted the validation results.
PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vP3NhbWw9TWdvVHg3OGFFUGg2cUhLR01kMDR6OTFEaER1bTN2NkF3eWZEU1FEbGYya1VPU1pIa2haSS5GaE5QNyIgSUQ9ImNhZTk5ODAwYzYzNDJiNzNlMWFlIiBJc3N1ZUluc3RhbnQ9IjIwMDktMDctMTdUMDc6NTg6MDYuNTI2WiIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDpJc3N1ZXIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+Q049cHRnLnNzby5hcHBzLnRlc3RiZWQ8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iYzdmZjJjYzkzZjViNGUxNWY2MTEiIElzc3VlSW5zdGFudD0iMjAwOS0wNy0xN1QwNzo1ODowNi41MTBaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5DTj1wdGcuc3NvLmFwcHMudGVzdGJlZDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjYzdmZjJjYzkzZjViNGUxNWY2MTEiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPnVsanFRS3U0cW1SUmVCbHBqWVVqNmw5ZkxGaz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+TEMvWXE3UlFKbGlLemJoNUNJKzNIRVpJT1FKNjhFZEpWeHMxQzg4QTlmK3AzTEUzMnFSZ21EZEVpeVlxbEVob2lSbm8zeTRlOFExKw0KV3B1cGdXUmhDS3IxUFk5TlBHT2lvTjZKWVBwSG8ySnFaZERjbzZiazJFWnd6akRzb09McTZHa0JnSkJSUlUwQWdwV1VXV2RVSU1zcg0KbGROaTNtdjBxUFhzUE5rSzZscz08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDWERDQ0FjVUNCRVZUVUZNd0RRWUpLb1pJaHZjTkFRRUZCUUF3ZFRFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBazVLDQpNUlF3RWdZRFZRUUhFd3RLWlhKelpYa2dRMmwwZVRFUk1BOEdBMVVFQ2hNSVVHVnljMmhwYm1jeEVUQVBCZ05WQkFzVENGQmxjbk5vDQphVzVuTVIwd0d3WURWUVFERXhSd2RHY3VjM052TG1Gd2NITXVkR1Z6ZEdKbFpEQWVGdzB3TmpFeE1Ea3hOVFU1TVRWYUZ3MHhOakV4DQpNRFl4TlRVNU1UVmFNSFV4Q3pBSkJnTlZCQVlUQWxWVE1Rc3dDUVlEVlFRSUV3Sk9TakVVTUJJR0ExVUVCeE1MU21WeWMyVjVJRU5wDQpkSGt4RVRBUEJnTlZCQW9UQ0ZCbGNuTm9hVzVuTVJFd0R3WURWUVFMRXdoUVpYSnphR2x1WnpFZE1Cc0dBMVVFQXhNVWNIUm5Mbk56DQpieTVoY0hCekxuUmxjM1JpWldRd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFJRlBFdlYwS1pqQ0tmSFFMR3A0DQpYeFJvbzRzVCtuNmw1Yi85MWFUekVFbVREWE9Tc045NE9iWVE3MmduNnB5em9xODNQZEVmd0ExQmp2SWt5c1pUSGhLRWt6YkpFLzgyDQpGWmhBN0tZbDJCUTJ1NG9oVVVzaGQ1U0pnY0kwV05LbmtaZTIwcWloenpxcFBOdzc5RG9yeTdkNW9XNVJoYXNrZWp1aXIySWxsbGhyDQpBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUZCUUFEZ1lFQWNvWmtFM0pyaEZVY2pGM2I2citjeldyOSs1MkV6TklCcXpHRmFzNTdFVU5LDQpjaHJUZUhUNmtTeTNUWTJQNG44V3ROa2U3T2NNdFNkR0lZbkRsYVc5SmZJOWJjWWtzN2RiL1A4MXlIaUh4QkhBYmhNUSt0bHJDd0dPDQpVekNaNFBsVm1hYTM5UEc1ZG9QU0xmUzFqOGpDTFNuTVdnczl0Z0JiVTNrWnlua2YrTVU9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiIE5hbWVRdWFsaWZpZXI9IkNOPXB0Zy5zc28uYXBwcy50ZXN0YmVkIiBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vc2FtbC5zYWxlc2ZvcmNlLmNvbSI+dGVzdDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAwOS0wNy0xN1QwODowMzowNi41MTBaIiBSZWNpcGllbnQ9Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vP3NhbWw9TWdvVHg3OGFFUGg2cUhLR01kMDR6OTFEaER1bTN2NkF3eWZEU1FEbGYya1VPU1pIa2haSS5GaE5QNyIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDA5LTA3LTE3VDA3OjU4OjA2LjUxMFoiIE5vdE9uT3JBZnRlcj0iMjAwOS0wNy0xN1QwODowMzowNi41MTBaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vc2FtbC5zYWxlc2ZvcmNlLmNvbTwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMDktMDctMTdUMDc6NTg6MDYuNTEwWiIgU2Vzc2lvbkluZGV4PSJxVXFQNWN5eG02WWNUQWh6MDVIcGg1Z3Z1OU09IiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDA5LTA3LTE3VDA3OjU4OjA5LjUxMFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6dHlwZT0ieHM6c3RyaW5nIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
Results
1. Validating the Status
Ok
2. Checking that the assertion contains a reference to a user
Ok
3. Looking for an Authentication Statement
Ok
4. Looking for a Conditions statement
Ok
5. Checking that the timestamps in the assertion are valid
Ok
6. Checking that the Attribute namespace matches, if provided
Ok
7. Miscellaneous format confirmations
Unknown
8. Confirming Issuer matches
Ok
9. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
10. Checking that the Audience matches, if provided
Ok
11. Checking the Recipient
Ok
12. Validating the Signature
Ok
--------------------------------------------------------------------------------
Subject: test
AssertionId: cae99800c6342b73e1ae
My SSO setting are given below
My Username david@sky.com has been mapped to Federation id 'test'
SAML - Enabled
SAML Version - 2.0
SAML User ID Type - Federation ID
SAML User ID Location - Attribute
Attribute Name - uid
Name ID Format -
Salesforce Login URL - https://login.salesforce.com/?saml=MgoTx78aEPh6qHKGMd04z91DhDum3v6AwyfDSQDlf2kUOSZHkhZI.FhNP7
Your sample SAML 2.0 assertion looks ok. What instance is your user 'david@sky.com' on? Is it ap1.salesforce.com?
thanks
Jong
Yes - We are hitting the ap1 instance. Is it possible to check the logs at your end and see the error message that has been trigerred.
(or) you could tell me a time when we can post our assertion and we can do the same --
OK. We will investigate.
thanks
Jong
Thanks Jong -- Eagerly awaiting your results.
I suspect the problem is only ap1 related. In the mean time, you can probably try another prod instance or sandbox to continue with your development.
thanks
Jong
I am not sure if it's ap1 related, as opensso and myonelogin are working and we have tested with the same id.
I believe it has something to do with the assertion / some mapping when we are posting from our tool.
Finally after a prolonged struggle we got our SSO working. It has been a nightmare to identify the problem and fix it. If not for OpenSSO and myonelogin.com we wouldn't have found a solution.
Do you mind sharing with us what you find out? Probably we can look into enhance our debugging page to track this type of error in the future.
thanks
Jong
Currently, we are implementing federation single sign on for one of our clients.
when we log in to the production URL, it goes into the salesforce.
If we bookmark or favorite the page, and then click on logout in salesforce, it does everything well and goes to the intranet page.
but after this, if we try to click on the bookmarked(or favorited) URL, it does not redirect to salesforce, instead gives a 'Page cannot be displayed' error.
I am attaching the assertion below:
If anyone can give their valuable inputs as to why it is not working when we bookmark it and it works if we login directly, it would be a great help.
Thank you so much.
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.salesforce.com/?saml=EK03Almz90RPX1sk0F3gL_UQYTUnDzlvpUFiii6CkZKlxbr67y7HYzOqcz" ID="_7eb309180a7ecca5e8aa585f28cbdfe39e6f" IssueInstant="2009-09-30T20:07:37Z" Version="2.0"> <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">abc.com</ns1:Issuer> <Status> <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </Status> <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3a3d0167a97b60515d1e34a2d412ff271ac6" IssueInstant="2009-09-30T20:07:37Z" Version="2.0"> <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">abc.com</ns2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Reference URI="#_3a3d0167a97b60515d1e34a2d412ff271ac6" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ex7zmBjvM0wMmImMJOIqFILJBlU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> PX7j4coCVBymjz+tG/Xy+0IvgDYNU5/rfoOWFZecf3eKF5oXKUm1YBK/2uuHZ1nDb5AWb8zgLaF/ NpjLkJ5lfJmN+M2cyd0fgm4XGd2Eu+P/7mmG9+HYGrik/SCKWibQab8x3ZDCt5znDbQyakVTeE4o AtzxcHW/blGJ0mtqmyU= </ds:SignatureValue> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> MIIERzCCAy+gAwIBAgILAQAAAAABIX6aGX4wDQYJKoZIhvcNAQEFBQAwUDEXMBUGA1UEChMOQ3li ZXJ0cnVzdCBJbmMxNTAzBgNVBAMTLEN5YmVydHJ1c3QgU3VyZVNlcnZlciBTdGFuZGFyZCBWYWxp ZGF0aW9uIENBMB4XDTA5MDUyNjE5MzAyM1oXDTEyMDUyNjE5MzAyM1owgfExFzAVBgNVBAMTDlNB UyBGZWRlcmF0aW9uMRwwGgYDVQQEExNJZGVudGl0eSBGZWRlcmF0aW9uMSAwHgYDVQQqExdTQVMg RmVkZXJhdGlvbiBQcm92aWRlcjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkFaMRAwDgYDVQQHEwdQ aG9lbml4MRkwFwYDVQQKExBBbWVyaWNhbiBFeHByZXNzMSAwHgYDVQQLExdJbnRlci9JbnRyYW5l dCBTZWN1cml0eTEtMCsGCSqGSIb3DQEJARYedGVjaG5pY2FsLnNzby5zdXBwb3J0QGFleHAuY29t MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDig+SHwHzMj5bXwX/Zm3KXs0v0dnIrJhtr2PJS pYh2/gvvDIVRh4wInE2RaTM5bDNc4wg1WxuCa4BKpqtfGvzZpPpLl3GXRA+8QjxWqBbsHXpE/zD6 rC5BJbY5rkkgS7+KL+Lw8M4gJFzVBlHemusBKW+zO5Fs+viZnuFsDQIJowIDAQABo4IBAjCB/zAf BgNVHSMEGDAWgBTNOpafrm4PQFwcSPhLLbhxAeuJ2jA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8v Y3JsLm9tbmlyb290LmNvbS9TdXJlU2VydmVyRzIuY3JsMB0GA1UdDgQWBBSsICr0lE734pSba+oE iK9xYYgvujAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcD AjBPBgNVHSAESDBGMEQGCSsGAQQBsT4BMjA3MDUGCCsGAQUFBwIBFilodHRwOi8vY3liZXJ0cnVz dC5vbW5pcm9vdC5jb20vcmVwb3NpdG9yeTANBgkqhkiG9w0BAQUFAAOCAQEAbHHbrP1SM8TVosWi cOuihB1BzJexdfbFGJPoSWhpz3nRcVm+G/q3tUOuTZfRVDTUVlu2MT0PU8YDk4KSI29GMQwXuEhD p5KKA5f2sgBrYJHS1bx0n42SVRpN6bbascFkpe4I8bGkatRk6j+GBleFozFCNiZeex64meBNX68R vy+JtCTQVVxcZHj/I+aGw+ZknAeI0UL7J96xuE0IY6dcIK+36bWdE17Vsnxgwi39VijAbRBb41Zn Kvs5lSf94qWEE2ikIOKD4ZHTSFWpcnbYaoiDDSFZJZpTD0RsijQu4pcnVYsoQGDNIEO/6EFhFSQH RTW0sOo2ZbxeBpommEEDpg== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <ns2:Subject> <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">C1466791</ns2:NameID> <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <ns2:SubjectConfirmationData NotOnOrAfter="2009-09-30T20:09:07Z" Recipient="https://login.salesforce.com/?saml=EK03Almz90RPX1sk0F3gL_UQYTUnDzlvpUFiii6CkZKlxbr67y7HYzOqcz"/> </ns2:SubjectConfirmation> </ns2:Subject> <ns2:Conditions NotBefore="2009-09-30T20:07:07Z" NotOnOrAfter="2009-09-30T20:09:07Z"> <ns2:AudienceRestriction> <ns2:Audience>salesforcetravel</ns2:Audience> </ns2:AudienceRestriction> <ns2:AudienceRestriction> <ns2:Audience>https://saml.salesforce.com</ns2:Audience> </ns2:AudienceRestriction> </ns2:Conditions> <ns2:AuthnStatement AuthnInstant="2009-09-30T20:07:36Z" SessionIndex="Q+pzvs+8Rr7Z6tlt8IIpmRVDFdY=zIabKw==" SessionNotOnOrAfter="2009-09-30T20:09:07Z"> <ns2:AuthnContext> <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef> </ns2:AuthnContext> </ns2:AuthnStatement> <ns2:AttributeStatement> <ns2:Attribute Name="employeeid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <ns2:AttributeValue>C1466791</ns2:AttributeValue> </ns2:Attribute> <ns2:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <ns2:AttributeValue>http://www.defweb.com/travelforcelogin</ns2:AttributeValue> </ns2:Attribute> <ns2:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <ns2:AttributeValue>https://central101.intra.abc.com/portal/site/defweb/menuitem.daa2dd4f4649fd301aae0ff54c2bda49/&level=1?epi-content=CMU&cmu_page=10002295&format=leftmidwithoutcolor&leftnav=false</ns2:AttributeValue> </ns2:Attribute> </ns2:AttributeStatement> </ns2:Assertion> </Response>
I saw you are setting ssoStartPage attribute in SAML 2.0 assertion. It's the url where we will generate a SAMLRequest and initiate the login process to your identity provider when you click a bookmark. It's a scenario called Sp-initiated Single Sign On in SAML 2.0 terminology. It's not a simple redirect. We actually will initiate a login request. So your idp must be setup to accept SAMLRequest to complete the sign on process.
thanks
Jong Lee
Salesforce.com
Thank you so much,
I also read somewhere that, we have to include the startURL in a different HTTP parameter 'relayState'..
can you please advise on it..
also can you please guide me how to setup the idp correctly..
thanks..
In Sp-initiated SSO case(when you clicked on bookmark of a SFDC page), we automatically set the RelayState to that you in the SAMLRequest post to your Idp. Idp should just return that param unchanged when it returns the SAMLReponse to sign on, so that we know where to redirect you to after successful login.
So here is what should happen if everything is setup correctly on your Idp to accept SAMLRequest for Sp-initiated SSO from Salesforce.
1. You don't have a session established with your Idp yet, click a link of SFDC page, you should get the login page of your Idp, then after you sign on, you should be redirected to your bookmarked page.
2. If you already have a session with your Idp, you should be able to access to your bookmarked page without re-authenticating.
thanks
Jong Lee
Salesforce.com
Did you implement your own Idp or you used a commercial product or open-source project because each one is setup differently so you probably need to consult their documentation.
Here is a sample of SFDC generated SAMLRequest
<pre>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost:9000" Destination="http://jonglee-ws2:9030/idp" ID="_1_RF3ESewdVBKeLyXjW6vwhrWxZ3sHfhXkSS.9vqgT5Br_Pjq4ATI6FRSvr8rmm7UGH5btYAlXc2WC5ejCileM_2ALMc" IssueInstant="2009-01-15T22:49:37.881Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.salesforce.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_1_RF3ESewdVBKeLyXjW6vwhrWxZ3sHfhXkSS.9vqgT5Br_Pjq4ATI6FRSvr8rmm7UGH5btYAlXc2WC5ejCileM_2ALMc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ec:InclusiveNamespaces PrefixList="ds saml samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">UPzylj19vhvnN41sIcafbZ728Pw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Js9fqZX+3IEm/IZRAvVnT39Yl/5Crp2jTCVcaS259j43Ypl3hHHFCQnCSBiOojgWRLymUbIPlUVA
ch2x5uF8b8nHdzU5YnQjxzlszf+hGpxH2KIXiRn8yTHLNWVe7ykUMnT2K0UitlxHK7QNeKEJ3U2R
WCC8p/lpLRLrRHhki9Q=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICoDCCAgkCCQCP3MN3sQ6/RDANBgkqhkiG9w0BAQUFADCBozELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xFzAVBgNVBAoTDlNhbGVzZm9y
Y2UuY29tMRwwGgYDVQQLExNRdWFsaXR5IEVuZ2luZWVyaW5nMTAwLgYDVQQDEydGVGVzdCBIb21l
Z3Jvd24gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzE0MTg1ODM1WhcNMTMwMjE2MTg1
ODM1WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRcwFQYDVQQKEw5TYWxlc2ZvcmNlLmNvbTEcMBoGA1UECxMTUXVhbGl0eSBFbmdpbmVlcmluZzEZ
MBcGA1UEAwwQKi5zYWxlc2ZvcmNlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwOu7
uG2FRiIiykW7loKRXqM+tV1MSgws5fIyzXvh8GmLuh+NDfLy8+C9fY4l+Y8W/jyU3CNf2rxizozv
Ftf4uatXvelr4fMNkLuZUfoQHFTKOnwLFoxUYGCMRoWfIurnsUnMlTwBZaKmMv00lGUTIJTcPGMS
dX1l7TQvX404j+cCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAST0eWSefnlMXJxIuIS8gFrTC5CXmN
Ckm6MMBvJt2Sdvp36kSYx0B4w/OnPVih36rwYWWw6y3rSRbZhWuXqhnpBf93JFYLByuotgn2noEE
bcjGPr6IPAMbOQdNrMzNbLsCtLDTyoBJSFLR57xhfQTbprGskoDbzTXsQbTYhCIqtQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</samlp:AuthnRequest>
</pre>
Hi..
thanks sir..
we have implemented using our own identity provider..
we have wrote assertions all be ourselves..
the thing is that..
in saml 1.1, when we used to redirect the page, it redirected properly, but in saml 2.0, it doesn't redirect in th usual way..
either its a concept of a relaystate parameter which we haven't used yet..or something else that is so silly that we haven't added it yet..
if you refer wiki..the following page:
http://en.wikipedia.org/wiki/SAML_2.0#SP_Redirect_Artifact.3B_IdP_Redirect_Artifact
it tries to explain what is being done..but i cannot really get it..
could you please throw some light on the relaystate parameter and how to use it..
also how to use artifact and where to use it..
thanks,
The use of ssoStartPage in SAML 1.1 TARGET post param is Salesforce proprietary way to support Sp-initiated SSO as a parity of SAML 2.0 standard. In SAML 2.0 spec, it defines different binding to support sp-init scenario, we only support browser-post binding. The wiki you read is about artifact redirect binding which is a little more complicated.
You might find this doc a little bit easy to follow:
http://wiki.eclipse.org/SAML2_IdP_Overview_1.0
I understand your concern why SAML 2.0 won't work the way in Salesforce.com SAML 1.1 implementation. However, it's clearly defined how it supposed to work in SAML 2.0 specs that we must follow in order to interop other SAML 2.0 Idp vendors.
thanks
Jong Lee
Salesforce.com
Hi Jong,
I read your reply in the post:
http://community.salesforce.com/sforce/board/message?board.id=general_development&message.id=20243
Could you please confirm that Salesforce does not support SP initiated SSO, and that it supports only IdP initiated SSO..
Plus, can the "relaystate" parameter be included in the assertion rather than including it in the form? (if you could tell me evrything about how to use it)..
Just fyi, The link you gave in the previous reply states the use of SP initiated SSO
Eagerly waiting for your reply..
Thanks,
Sumit
Hi,
Could you please let me know how you could fix the problems with SSO? Any hints in this direction would be helpful.
Thanks,
Murali(murali_va@hotmail.com)
Salesforce started to support SP initiated SSO in Summer Release 2009. In the recent Winter 2009 release(just completed last weekend), we also added support for SAML login on portal(please see the docs, https://na1.salesforce.com/help/doc/en/sso_portals.htm)
in Sp-inited sso, the relaystate is set by Salesforce, that's the protected page you are trying to access, i.e: the bookmarked link. In the Idp init you can also set that in the post form. We currently don't support setting it in the assertion, if that's something it turns out a very popular request, we will consider to support it.
thanks
Jong
Salesforce.com
What do you mean by "problems with SSO"? Could you please be a little more specific?
thanks
Jong
hi jong!!
sent u a pm..
~Sumit
Hi Jong,
I am trying to implement the salesforce SSO using active directory as the IDP. I generate the saml response, but the SAML validator indicates
No issuer found in response
Below is the Saml response generated:
<samlp:Response ID="kogdninhjplhgekjoodihlllbgccbfhhiibmhkpg" IssueInstant="2009-11-16T15:30:11Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="hapmklejfkebmofedgblacaocjmdoaloogpomelj" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>
https://www.salesforce.com
</Issuer>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz@gmail.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData Recipient="https://login.salesforce.com/?saml=MgoTx78aEPRKsgiCAdLvFt8gq0J7W_s3h4HLT1HzJcg" NotOnOrAfter="2009-11-16T20:40:11Z" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2009-11-16T20:25:11Z" NotOnOrAfter="2009-11-16T20:40:11Z">
<AudienceRestriction>
<Audience>https://saml.salesforce.com</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2009-11-16T15:30:11Z">
<AuthnContext>
<AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>/Ufrgm+ew3VxWWHGfpdi+DSzfMk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xxxxxxxxxxxx</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>xxxxxxxx</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</samlp:Response>
When I try posting this response to the Recepient URL i get:
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.
Thanks,
Ashish
You need to have an Issuer element under Response, just like the one you have under Assertion.
Jong
Salesforce.com
I do have a issuer element under response,
https:\\www.salesforce.com
Hi Jong,
Sorry for the confusion earlier.
I tried the Issuer element under response, but i still get same message in the SAML validator.
And posting the response to the Recepient URL gives me the same message too.
Thanks,
Ashish
Hi Jong,
SAML Response below for your refrence
<samlp:Response ID="eopmekcmamjdibjkbokehcbjnngobjdafdakdbbn" IssueInstant="2009-11-19T12:41:50Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <samlp:Status> <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://www.salesforce.com </Issuer> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <Assertion ID="epfdfbomgnoengfnpkijabooainmfnnaebkhcadh" IssueInstant="2003-04-17T00:46:02Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://www.salesforce.com </Issuer> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz@abc.com</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData Recipient="https://login.salesforce.com/?saml=MgoTx78aEPRKsgiCAdLvFt8gq0J7WBqC05v88FAHBy8r_s3h4HLT1HzJcg" NotOnOrAfter="2009-11-19T17:51:50Z" /> </SubjectConfirmation> </Subject> <Conditions NotBefore="2009-11-19T17:36:50Z" NotOnOrAfter="2009-11-19T17:51:50Z"> <AudienceRestriction> <Audience>https://saml.salesforce.com</Audience> </AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2009-11-19T12:41:50Z"> <AuthnContext> <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>AYVbIkBxDf5FNtdbcwKaVEmL8bs=</DigestValue> </Reference> </SignedInfo> <SignatureValue>xxxxxxxxxxxxxxx</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>xxxxxxxxxxx</X509Certificate> </X509Data> <KeyValue> <RSAKeyValue> <Modulus>zzzzzzzzzzz</Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue> </KeyValue> </KeyInfo> </Signature></samlp:Response>
i still get
No issuer found in response
in the SAML validator.
Thanks
Ashish
It happened that page 7 of this thread has a sample SAML 2.0 assertion. I quickly compare that with yours. There are two differences,
1) you are using default namespace of Issuer, that should work, but I don't know why would our codes reject that.
Could you please try not to use default namespace to see if it works
2) also you have the Format attribute in the issuer, take that out and try.
the page 7 sample: http://community.salesforce.com/sforce/board/message?board.id=general_development&thread.id=22960&view=by_date_ascending&page=7
thanks
Jong
Jong,
Thanks for the response,
I tried the two changes suggested by you, still no luck.
Thanks,
Ashish
Your issuer seems to be child of Status not Response.
Thanks, that resolved the Issuer error,
I also have a
Allowed skew in milliseconds is 480000
error
How do i resolve that
Hi Jong,
I finally got the SSO to work
.
The current time was not universal time, while the others were hence the problem.
Thanks,
Ashish
Hi,
I implemented an idp and get an assertion validated from the SF validator.
However, the sso is failing and I do not see any entry in the SF history log.
The user id is in the NameId subject and the assertion contains the id sf user.
I am stuck and have no idea what is wrong.
Anyone could help ?
Here is my response sent to SF:
Did you get it resolved? I saw you have the following login history entry.
thanks
Jong Lee
Salesforce.com
Yes, I finally got it to work. Thanks a lot for asking.
My project only needs the idp initiating the sso...
I curious on how the sp initiated SSO works.
How SF knows about the idp to make the auth request, does the user should click on a specific SF url in order to initiate the sso from SF ?
--Pascale
That's correct. After the IDP-init SSO, you can go to the SFDC URL(bookmark or something), in this case, we will post a AuthnRequest to Idp to initiate the SAML login insteadof normal redirect to the login page.
thanks
Jong
Thank you John...
I ve got saml 2 checked on salesforce. The idp initiated the sso is working fine.
However, I still don't understand when the SF should and can initiate the sso.
When I access SF page directly (loging page or bookmark), I am prompted to the SF login page. It is what I want!
But I d like to make sure the SF will not go back to my idp for authentication.
Idon't understand how SF knows about my idp and when and how it will initiate a post SAMLrequest to my idp while I just post a SF direct access url and SF does not know my identity yet.
In my context, I d like to avoid this behaviour where SF initiates the sso.
Many thanks,
--pascale
Once you did Idp-init SSO, we set some cookies on your browser, so next time when you click a SFDC link, based on the cookie values, we generate SAMLRequest and send to your Idp. See our docs on the use of ssostartpage and logouturl attributes of your SAML 2.0 assertion. That's done automatically without any configuration. Unfortunately that does not support what you want -- only do Idp-init SSO, but use username/password login if start from SP.
thanks
Jong
Thank you.
So you are saying that as long as the saml 2.0 is enabled on salesforce, it won't be possible anymore to login
through salesforce from the username/password login page ? And Salesforce will automatically call the idp login page.
The authentication process has to be always in the IDP side? Is that correct ?
However, in my tests, although my user setting enable saml2.0, the user still can login from the login salesforce page and access directly to it.
Do you know if SAML1.0 does what I want : Idp init SSO only and let the user access the sf login page if he wish .
Many thanks for your help
--pascale
No, that's not what I meant. What I am saying is once you use saml 2.0, if you click a link from bookmark, we automatically generate SAMLRequest and send to Idp insteadof redirect to login page. For SAML 1.1, if you don't specify ssostartpage(again, see SAML doc), we should just redirect to login page, if you set that, we then redirect to the ssostartpage value you specify. So yeah, it seems our SAML 1.1 impl supports your usecase if you don't specify ssostartpage. Now we can probably evaluate the option of providing a user configuration to control whether we do Sp-init SSO for SAML 2.
thanks
Jong
Thanks for the fast reply, Jong. That will be nice to have this feature.
I 'll do more tests tomorrow.
With SAML2.0 enabled, you can still login using the salesforce.com login page (username/password).
Also, SP initiated SSO does not work by default. SFDC will set a cookie to enable SP init SSO, but only if you send ssoStartPage as part of your Attribute Statement. It needs to point to your IDP login. In my case (using opensso) it was https://sso.domain.com:443/opensso/SSORedirect/metaAlias/idp
I started to integrate the SAML with my sandbox account and getting the following error.
"Login Error
Your
login attempt using single sign-on with an identity provider
certificate has failed. Please contact your salesforce.com
administrator for more information."
When I checked the Login History for my account, nothing is there. It just shows the ones I logged in from Web. Moreover if I take the assertion and test it using "Validate SAML" screen, everything is fine. Here is the assertion sent to Salesforce.com
Any help is appreciated.
<samlp:Response IssueInstant="2010-02-05T02:03:35.496Z" ID="C_VD26qnsLVTiOiuFJMdp3otzj9" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ssod2.autodesk.com/saml2</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion Version="2.0" IssueInstant="2010-02-05T02:03:35.497Z" ID="xiD8Huwg43fj_Gowg3fm1.XDfdY" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://ssod2.autodesk.com/saml2</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#xiD8Huwg43fj_Gowg3fm1.XDfdY">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>mhFJJotNlKPT7QKtuEkFmhE94AA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
bvHZCxz4prH9wSzcKQcNGJB9Ay6d9B4f1+SfAbo78CCGwqNoiqsgxGZO0phnnqpx0TwLzzlI0PeD
UQlkOstIsmziiSn3ROSzImPFCwEDsIujNFD3ADjjXeI14xqwRvHUNgdB53ixBdMD4y0I7KlJDdxe
i7PDehgsP+lndiYtAvs=
</ds:SignatureValue>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">112810189166834</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2010-02-05T02:07:35.498Z" Recipient="https://login.salesforce.com/?saml=EK03Almz90oQobVSWkhHqhYgmgLUqLsETAYULuFkcIcblzVUyt0fGISBp5"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2010-02-05T02:07:35.498Z" NotBefore="2010-02-05T02:02:35.498Z">
<saml:AudienceRestriction>
<saml:Audience>https://saml.salesforce.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2010-02-05T02:03:35.497Z" SessionIndex="xiD8Huwg43fj_Gowg3fm1.XDfdY">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="GUID">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">112810189166834</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="logoutURL">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">http://www.autodesk.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="EMAIL">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">adsk1234santhosh@autodesk.comaa</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="ssoStartPage">
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">https://ssod2.autodesk.com/idp/startSSO.ping?PartnerSpId=https://saml.salesforce.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
If your saml login does not show up in the login history, typically, it's a problem mapping your SAML assertion to a valid SFDC user. You are setting "112810189166834" in the subject and your recipient url in the SAML assertion is "https://login.salesforce.com/?saml=EK03Almz90oQobVSWkhHqhYgmgLUqLsETAYULuFkcIcblzVUyt0fGISBp5", it means you are using Federation id as the subject mapping. Please make sure your SFDC user's federation id field is set to "112810189166834".
For testing purpose, change your subject mapping to be username and use your SFDC username in the subject to see if you can get that to work.
thanks
Jong Lee
You are right. We need to know where to post the SAMLRequest before we can initiate the SP login. That's why we need the "ssostartpage" attribute. I think we document this already.
thanks
Jong Lee
Salesforce.com
Thank you Mr Lee for the response.
I have specified that SF should look for Federation Id and that id is coming as an attribute GUID (as below) and specifying the GUID as part of the assertion.
Santhosh.
Nevermind, it was indeed the problem. I had specified Federation Id as email but was sending GUID. I updated the user with GUID and it worked like a charm.
Truth be told, Salesforce SAML is one of the easiest I have ever configured :)
awesome!
thanks
Jong
Jong in one of your earlier postings(View Message 106) you had mentioned that Salesforce.com supports SP initiated post from Summer Release 2009. Can you let us know if there is any more detaliled document or information on this.
Also does Salesforce.com support Relaystate in IDP post.
Thanks in advance
Jong Lee,
We have another query as well, our scenario is given below
Identity Provider 1 Single Signs On into SP ( Salesforce.com )
Identity Provider 2 Single Signs On into SP ( Salesforce.com )
IDP1 and IDP2 establish a relationship with each other and IDP2 users are created in IDP1.
So essentially the user could login in either IDP1 or IDP2 and should access the same SP instance/data.
It is the case of same user coming from multiple IDP's accessing one SP.
Does salesforce support this scenario ?.
General doc on Salesforce SAML setup:
https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=sso_saml.htm&loc=help&hash=topic-title
Yes, we support RelayState in IDP post and use that as the landing page after logged in.
thanks
Jong Lee
Salesforce.com
Salesforce.com(SP) does not care how users are created in IDPs. As long as the Idp user can be mapped to the SFDC user using username or federation id and the SAML assertion is validated against the settings, i.e:
issuer, acs url, signing cert etc.
thanks
Jong
Jonglee
As always thanks for the reply, we tried the Relaystate in IDP post, but for some reason it was not working. We were always landing on the home page.
Any idea as to what would be causing this issue, also if you could provide us an example of an assertion with relaystate post it would be useful.
Regards
Jong
We did add the Relaystate in POST param and used the absolute path. For eample https://ap1.salesforce.com/i09997877fn
Jonglee,
Thanks for your valuable inputs, we were able to access the page using the Relaystate parameter, thanks for your valuable inputs.
Apparently some additional parameters was causing some issues. Once we removed the same we were able to SSO to the relevant page.
The link that you provided for SP SSO does not provide detailed info for SP intiated SSO, although it does have information for IDP.
Can you provide us the steps for performing a SP POST with Salesforce
For example: From where we could download the Public Cert for Salesforce
The URL that will challenge the IDP for Authn Request etc
Thanks in advance
Sp-init SSO happens automatically
when you tried to access a protected resource without a session
if you define ssostartpage in the Assertion attribute:
see https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=sso_saml_idp_values.htm&loc=help&hash=d644124e367
The following is an example of an <AttributeStatement> for SAML 2.0 that contains both ssoStartPage and logoutURL:
To download outbound SAMLRequest signing cert:
https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=dev_wsdl.htm&loc=help&hash=topic-title
Optionally, you can download a certificate to authenticate Salesforce.com clients. Click Setup | Develop | API, and on the WSDL Download page, right-click Download Client Certificate and save it to an appropriate location. You can then import the downloaded certificate into your application server, and configure your application server to request the client certificate.
Jonglee
Below is the sequence of steps for an SP initiated SSO
a) User logs into IDP(say Amazon.com)
b) User clicks on a protected resource in SP(Salesforce.com)
c) According to the SAML 2.0 web browser specification, the SP initiated SSO message flow should start with SP sending the Authn Request to IdP ( in this case Salesforce.com should challenge Amazon.com with a Authn Request)
We do not see any document detailing these steps in Salesforce nor it is clear as to how Salesforce.com sends the Authn Request.
In one of the earlier posts a contributor quoted the below
" For SalesForce, is it required to send an assertion with an attribute statement containing ssoStartpage and logoutURL first ? As I understand, then only SF is sending the Authn Request using SAML POST binding and follow the message flow depicted in the specification. Is this complete sequence of actions required always when a user logs into SalesForce?
I am concerned on how SP initiated SSO works for SalesForce. Seems like they have a different approach than other service providers who support SSO( eg: Google Apps) "
Is the above statement correct? If yes, then it does not seem to be the standard way of doing SP initiated SSO and the looks more like an IDP post
Hi Expo...
SP initiated SAML with Salesforce is a tad odd at the moment. Let me see if I can explain the background, best practice, and where we are going....
The main difficulty with SP initiated SAML has to do with the way our multi-tenancy works. At the moment, all customers have the same URL ( at least per-instance ) It is only after a user logs into the system that we are able to determine their Org, and hence any unique configuration for that Org.
While this approach works well for many use cases, it does make it difficult to tie Organization specific behavior to un-authenticated requests. In other words, when a request comes into our system, if it doesn't yet have a session, we can't tell what customer it belongs too, and hence can't redirect the request to the appropriate SP.
The way we currently solve this is by setting a cookie in the user's browser. If you you show up to the system, and have this cookie set, we'll redirect you to the appropriate SP.
Unfortunately, given the way that cookies work, we have to set the cookie from a response in the salesforce.com domain...it's not possible for customers to set this cookie directly. We currently accept the values for the cookie in SAML assertions ( for SAML 2.0 ), and then set the cookie on behalf of the customer.
What this means is that in order for SP initiated SAML to work with our system, the user must have gone through IDP initiated SSO at least once, in order to get this cookie. That actually works well for a lot of use cases - for instance, a user might initially access Salesforce via a link to their Intranet, which sends them via IDP initiated SAML....this sets the cookie. During that session they might bookmark something. Later, when they access that bookmark, SP initiated SAML can work, as the cookie has been set.
So - current best practice is to always send the ssoStartPage in your assertions, and try and make sure user's go through IDP initiated SSO the first time they access Salesforce.
All that said, we recognize that this is not perfect, and are working to improve. In the Spring 10 release, there is a new capability being rolled out, that allows customers to have unique URLs. For instance https://Company.my.salesforce.com Once this is available, we'll be working on tying per-org SSO behaviors to these URLs, so SP intiiated Auth can work in a more conventional manner.
Hope this is useful for you.
Hi Chuck,
Thanks for the clarification, we look forward to the Spring 2010 release.
Hi Expo - thanks - we're excited about Spring 10.
Please keep in mind that Spring 10 only releases the basic capability we need to support this feature "Custom Domains". Spring 10 will not yet introduce the SP initated feature you're looking for. However, with that dependency released, we'll be working hard on adding these in the future.
Hi Chuck,
This information was very useful! Thanks for posting it. I've been looking around for quite a while on what it takes to get SP initiated SSO working, and this provided me with the right details.
---
Greg
Hi Chuck,
What is the current strategy for dealing with users that have multiple accounts in SalesForce and allowing for SP-Initiated SSO?
For instance, we are developing a Partner Relationship Management system for our business partners. This means that they'll have a user profile for our partner accounts. Some of those same partners might use SalesForce for their internal sales pipeline management. This means that an employee of that business partner will have two SalesForce logins (one to get to their sales management account, and one to get to their business partner account).
If the ssostartpage cookie is set in their browser to redirect to our authentication page, they will not be able to authenticate as their sales management account user.
How can we avoid this situation?
Is this something that simple has to wait for customized urls (and eventually the underpinnings that allow for configuring SP-initiated SSO)?
Thanks Chuck!
----
Greg
Hi Greg...
Multi-org scenarios are defintely tricky. There is currently only 1 cookie that control's SP initated sso per instance, so there will be difficulty with overlap. If your salesforce orgs are on the same instance ( NA1 for example ), the last account they login as would overwrite the cookie. If your orgs are on different instances ( NA1 and NA6 for example ) then it would work properly.
This should be sorted out once we get these domain dependant features in place.
A short term work around might be to ask your users which account they want before sending the SAML message, but it would take some web development on your side for sure.
Chuck,
Once again, thanks very much for the information. We'll have to determine how important SP-Initiated SSO is at this point before moving forward.
----
Greg
Chuck/ Jong
A user can login to Salesforce.com through any of the options listed below
a) By accessing the login page (login.salesforce.com)
b) Federated Authn(using SAML or SP)
c) Delegated Authn
Can a user login through all the above options without any limitations or does Salesforce.com places certain restrictions For example : If SSO is enabled for a user profile, does Salesforce.com allow accessing through login page and Federated Authn
Thanks in advance
Hi Expo
SAML, if enabled, may always be used for an org.
If Delegated Authentication is enabled, it will handle ALL logins to the system that are done with a userid / password. That includes Login Page, Portal Logins, Site Logins, and API Logins
So, you can do:
1) Just Login
2) SAML and Login Pages
3) SAML and Delegated Auth
4) Just Delegated Auth
Just SAML is not currently an option.
Hi Chuck,
Thanks for your reply.
As per the documentation in your website, which is quoted below it mentions about tokens and passwords
"You can configure the Salesforce.com delegated authentication authority to allow only tokens or to accept either tokensor passwords. If the authority only accepts tokens, a Salesforce.com user cannot log in to Salesforce.com directly, because
they cannot create a valid token. However, many companies choose to allow both tokens and passwords. In this
environment, a user could still log in to Salesforce.com through the login page"
How exactly does this work? How can we allow token and passwords?
With SSO enabled, I dont think I can enter my normal Salesforce.com password, which would mean that I provide my corporate password when logging directly through login.salesforce.com. Is my understanding correct?
Thanks in advance
Hey Expo..
I beleive all this is saying, is that when you implement a Delegated Authentication endpoint, you could choose to have this endpoint accept both tokens and passwords. The implementation of this is really up to you. Here's an example though
1) On your intranet, you'd have a link to a piece of code which generated a cyrptographically secured token of some kind. SAML, some encrypted string, some hash....something that is secure and can verify the identity of the user.
2) You'd also implement a delegated authentication endpoint, that knows how to verify both these tokens, as well as a regular password. It would have to determine which this based upon structure of the token - for instance all your tokens could be XML ( which the passwords wouldn't be ) or could look like TOKEN:<some string here>
When users click on the single sign-on link from #1, a token gets generated and passed over to our system, which passes it back to your delegated auth endpoint. You'd notice this is a token, and not a password, and verify accordingly. If a user came direct to the system, then you'd verify the credential as a password.
More detail here:
http://wiki.developerforce.com/index.php/How_to_Implement_Single_Sign-On_with_Force.com
Als, SAML is of course an option that can be used for web sso as well:
http://wiki.developerforce.com/index.php/Single_Sign-On_with_SAML_on_Force.com
The Salesforce SAML Response validator exposes these dificiencies with our post.
Here is the decoded content:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="bdlkoaidmhchonpniicnmiigmaajiaijinomdljn" IssueInstant="2010-03-12T16:12:35.393Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://xifin.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#bdlkoaidmhchonpniicnmiigmaajiaijinomdljn">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="ds saml samlp" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>B3EcTl2HeuGzWPtpcEqwvSXoybc=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
f9cLtayEDr+o7oXIx/HyqCeSYZGI2LXvoS3sfESdf8TpLifRY+YoC8VlBSdZRHukXNhkYp9xGfMU
v/jj7l9v6ThXGlYQ5eFYipjhXse43KPJYgJ3UxqNVLWbbDPn4IZlDbxyv2rJPwURC42B5EHT3r0f
sfcX/LfwMzvlC3C8+3U=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIC+TCCAmKgAwIBAgIJANSUf/OPERfdMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEChMLWGlmaW4sIElu
Yy4xFDASBgNVBAsTC0VuZ2luZWVyaW5nMRYwFAYDVQQDEw13d3cueGlmaW4uY29t
MSMwIQYJKoZIhvcNAQkBFhRwb3N0bWFzdGVyQHhpZmluLmNvbTAeFw0wOTA3MjIy
MjI0MDFaFw0xMDA3MjIyMjI0MDFaMHQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRQwEgYDVQQKEwtYaWZpbiwgSW5jLjEUMBIGA1UECxMLRW5naW5l
ZXJpbmcxJDAiBgNVBAMTG3hpZmluLWFsaW5rZXIubWJhLnhpZmluLmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgDbPkTucIVUBz8JOWWNyu4OvTNNXH6ws
KRgkASJ9EGLb80k8wXo14Fk7zCr0wPVEA+es3rjTKIo78DZnXuhVADY1g3opx61/
3/dhiBf3omO5H9nogTnrVGuNyEEWHbQBj3Wy1xFNxhBd7OKt+/ngOcXzY/lGtNYa
w0ojNGZzS50CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFb3ETnOVxytGFfn
jgFbd+yTjAnUMB8GA1UdIwQYMBaAFJAn3xVxfpJdtTmM+wSjsDCyyCrOMA0GCSqG
SIb3DQEBBQUAA4GBAGGUiQQxPIt8/h5PCGLmAmH+VD9Hi2crtxs7bHDdRdKiKzjW
+AQHaVDuJbQr3QZy1Pqq7xbM4vCvUJzR2I5coAjEc1CaEVWmpYvlgTfuVSByXb1A
JCyG123J05xA/+kfVfvZ1NyNM2G1G1DOgPbnzVCztbJtpSQqymQTu9ndhbQO
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="gmijolpbffdjkebaciaigdampeojioocolbcfgna" IssueInstant="2010-03-12T16:12:35.596Z"
Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
https://xifin.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
sed_alinker</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
NotOnOrAfter="2010-03-12T16:12:35.596Z"
Recipient="https://cs3.salesforce.com/?saml=02HKiPoin4X5uFW25YtDLo.9NGZZ5YafDc9cY_W4m1uxofESECaN0T8J1t" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2010-03-12T16:12:35.596Z"
NotOnOrAfter="2010-03-12T16:17:35.596Z">
<saml:AudienceRestriction>
<saml:Audience>https://saml.salesforce.com
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2010-03-12T16:12:35.596Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="portal_id">
<saml:AttributeValue>06030000000Mvaa
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="organization_id">
<saml:AttributeValue>00DQ0000000A9DP
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="ssoStartPage">
<saml:AttributeValue>https://Xifin-alinker.mba.xifin.com/cas/login
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="logoutURL">
<saml:AttributeValue>https://Xifin-alinker.mba.xifin.com/cas/logout
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Is there a Subject Matter Expert available to troubleshoot the error? I do not see the fault and thought another's insight might help.
- Thanks
It's very difficult to tell what the issue might be from just looking at it. Everything looks pretty good by eyeballing it. Often times when we see this error, and you're using the correct private key ( it appears you are since the cert provided in keyinfo matches your configuration ) it comes down to cannonicalization. What are you using for your software? If you're writing this yourself, are you using an existing c14n library?
Please make sure your are using the right key-pair, also if you pass the certificate in the assertion, the SAML validator will also compare that with the cert in your org settings.
Jong Lee
Salesforce.com
Thanks for the reply.
Your assumption is correct. The response is hand-coded using opensaml v. 2.3.2. The c14 implementation package is com.sun.org.apache.xml.internal.security.c14n.
As Jong points out, we off see the wrong keypair being used, but your cert does seem to match, so chances are that's not it. Double check though
My only other suggestion would be to try and validate it yourself using opensaml - that may give you a better idea of what is wrong.
We resolved our signature issue and are now confronted with a problem similar to that detailed by member EXPO last year, for which no solution is posted, i.e., Assertion Validation succeeds but access is denied.
The current error message is "Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information." There is no record of the login attempts in the Login History view.
We are using a sandbox for testing and the copy is configured for:
Salesforce User Id Type = Federation ID
SAML User ID Location = Subject
Here is the posted Response:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
ID="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo" IssueInstant="2010-03-16T22:19:41.535Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://xifin.com</saml2:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>k+3/NhelbXPHnfO0irTZWTnP354=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ZUvHPz3tSWr141TWMr4tcV8ieYDfEVrzGXLoj+iiIMG6HuNnj174jhThr+4pETR46cdh/4pg1FsE
Fjcb5Otbc1JW/i6S/IOj2xGMAtjkwNNYdSz6d+mSGePlE0gcLES2zrtlz7PMm5FLY8kd+6bpx7Gy
sho707GPr88mvUEUzvc=</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIC+TCCAmKgAwIBAgIJANSUf/OPERfdMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEChMLWGlmaW4sIEluYy4xFDASBgNVBAsTC0VuZ2lu
ZWVyaW5nMRYwFAYDVQQDEw13d3cueGlmaW4uY29tMSMwIQYJKoZIhvcNAQkBFhRwb3N0bWFzdGVy
QHhpZmluLmNvbTAeFw0wOTA3MjIyMjI0MDFaFw0xMDA3MjIyMjI0MDFaMHQxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQKEwtYaWZpbiwgSW5jLjEUMBIGA1UECxMLRW5n
aW5lZXJpbmcxJDAiBgNVBAMTG3hpZmluLWFsaW5rZXIubWJhLnhpZmluLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAgDbPkTucIVUBz8JOWWNyu4OvTNNXH6wsKRgkASJ9EGLb80k8wXo1
4Fk7zCr0wPVEA+es3rjTKIo78DZnXuhVADY1g3opx61/3/dhiBf3omO5H9nogTnrVGuNyEEWHbQB
j3Wy1xFNxhBd7OKt+/ngOcXzY/lGtNYaw0ojNGZzS50CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFb3ETnO
VxytGFfnjgFbd+yTjAnUMB8GA1UdIwQYMBaAFJAn3xVxfpJdtTmM+wSjsDCyyCrOMA0GCSqGSIb3
DQEBBQUAA4GBAGGUiQQxPIt8/h5PCGLmAmH+VD9Hi2crtxs7bHDdRdKiKzjW+AQHaVDuJbQr3QZy
1Pqq7xbM4vCvUJzR2I5coAjEc1CaEVWmpYvlgTfuVSByXb1AJCyG123J05xA/+kfVfvZ1NyNM2G1
G1DOgPbnzVCztbJtpSQqymQTu9ndhbQO</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="aemgmabeokofllhfljfojlgmmndnjnjkfffggakp" IssueInstant="2010-03-16T22:19:41.535Z"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://xifin.com
</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sed_alinker
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
NotOnOrAfter="2010-03-16T22:19:41.535Z"
Recipient="https://cs3.salesforce.com/?saml=02HKiPoin4X5uFW25YtDLo.9NGZZ5YafDc9cY_W4m1uxofESECaN0T8J1t" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2010-03-16T22:19:41.535Z"
NotOnOrAfter="2010-03-16T22:24:41.535Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://saml.salesforce.com
</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2010-03-16T22:19:41.535Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="portal_id">
<saml2:AttributeValue>06030000000Mvaa
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="organization_id">
<saml2:AttributeValue>00DQ0000000A9DP
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="ssoStartPage">
<saml2:AttributeValue>https://Xifin-alinker.mba.xifin.com/cas/login
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="logoutURL">
<saml2:AttributeValue>
https://Xifin-alinker.mba.xifin.com/cas/logout
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Here is the Validation:
Results
Subject: sed_alinker
AssertionId: cihmhmjhlejnblhkjhdoflkfoggledfgmacbbpki
Do you have any insights on this issue? Your suggestion to review canonicalization lead to resolution of the original validation error. Our implementation relied on manual signing procedures instead of using the OpenSAML framework factory methods.
Thanks
Please make sure the federatoin id actually mapped to a valid SFDC user. If not, there will be no login history, which fits what your described.
sed_alinker ---> is this mapped to a valid user?
thanks
Jong
That's correct.
Sorry we didn't call that out earlier. Given that the assertion contained the portal identifiers, I had assumed you were trying to authenticate a portal user...
Hi Chuck,
We are using the partner portal module to give access to our business partners. Our tests to date have only involved authenticating non-portal users, and all those tests succeeded.
Now that we try with portal users, all our SSO tests are failing. The portal user has no login history, so I can tell that the SAML response is not matching to the user. However, when we switch the same federation ID over to a non-portal user, the SSO attempt succeeds.
Is there something specific we need to include in the SAML Response that indicates that the SSO attempt is for a portal user? It looks like the answer is "yes", based on imalinker's post. However, can you point me to specific documentation on what needs to be included?
I really appreciate your help!
----
Greg
If you look in the partner guide under Enabling Single Sign-On for Portals ( page 538 of the user's guide ) you'll find the following:
In addition to the SAML sign-on information that must be gathered and shared with your identity provider, you must supply your information provider with the Organization ID and the Portal ID. In the SAML assertion that is sent from your identity provider, the portal_id and organization_id must be added as attributes.
So - these need to end up in an Attribute statement in your SAML like this:
<saml:AttributeStatement>
<saml:Attribute Name="portal_id">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">060900000004cDk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="organization_id">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00D900000008bX0</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Could you link to the referenced guide?
Thanks!
If you go into "help" in your org, there is a link to "printable user guide" in the upper left.
In addition, the whole guide is there in HTML. The page you're looking for is
/help/doc/en/sso_portals.htm
-cmort
Once again, you're a life saver!
Thanks Chuck!
---
Greg
Hi Chuck or Jonglee,
we are passing assertion encoded in base64 from 3rd party to salesforce and it is failing due to assertion expired. Can you please check saml xml tags posted below for any correction. I found one thing is that issuer is not matching with certificate setting of salesforce. But why salesforce is not showing issuer mismatch in place os assertion expired error status.
<samlp:Response ResponseID="_8e75243a-71e9-406b-9017-b36a00baaa12" MajorVersion="1" MinorVersion="1" IssueInstant="2010-04-29T09:54:38Z" Recipient="https://cs5.salesforce.com" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#_8e75243a-71e9-406b-9017-b36a00baaa12"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>3uK4lXwzPE4ArKopm8kIFd5B03A=</DigestValue></Reference></SignedInfo><SignatureValue>S8YrfFaL/ZlTzz9wQYEn3Y4Qh1hBlJUuXct8CtjPoWj7Xu9xgYrHHdxbDC5CSGWmbiDVBprsGZXJAUKk34UsyI99Ltbv2uZFtqj0PrLOk+oi5JP1y8Ske2sdlNCrouAwRki6tUIcMdGO0mzDYHDAUXCC6cU0CivYH1h79ufLlbY=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIICOjCCAaMCBEnnVw0wDQYJKoZIhvcNAQEEBQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5KMQswCQYDVQQHEwJFSDERMA8GA1UEChMITm92YXJ0aXMxETAPBgNVBAsTCE9uY29sb2d5MRUwEwYDVQQDEwxHb3BhbCBHb3J0aGkwHhcNMDkwNDE2MTYwNDI5WhcNMzYwODMxMTYwNDI5WjBkMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkoxCzAJBgNVBAcTAkVIMREwDwYDVQQKEwhOb3ZhcnRpczERMA8GA1UECxMIT25jb2xvZ3kxFTATBgNVBAMTDEdvcGFsIEdvcnRoaTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnXNtqzLNe/41JkD9/q5E8QmaA048rnkOPfr1bgcyKn8tb12Nx1n/uLjnHzYfzNoELxPNV5qzl/cRfFprcFJGLMGbLhIlv+PJdKxc8KKcX7RqY+VYyEkBTkP4mMyBXAZeOllaQ4UIZkicm1tpXSocSM1CTKfMwfR+/5WXCDFyYrcCAwEAATANBgkqhkiG9w0BAQQFAAOBgQARCt3lb4lh7/3NnwTj5tadK2ZBEDDEo9sgiOl2wPB2ZT3huMTIqUVEc4QaHndM+VOpuj1eOTvFAm19/vKcFnJzpdNtVFN7hHM2kQ1qjNEBKM0TuC41i7VimyC6smd6aOoMkGaPOlos35jCEGQzxUKg+A9vdhBsFmOMq2rCrUyj1g==</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="samlp:Success" /></samlp:Status><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_88bbd1df-ad00-44f5-bd77-6c052f8df94c" Issuer="124.124.71.99" IssueInstant="2010-04-29T09:54:37Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2010-04-29T00:54:37Z" NotOnOrAfter="2010-04-30T02:54:37Z" /><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2010-04-29T09:54:37Z"><saml:Subject><saml:NameIdentifier>xyz@abc.com</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#_88bbd1df-ad00-44f5-bd77-6c052f8df94c"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>vxTzxN7Y2sKmZlFTlfvp6KQZd+A=</DigestValue></Reference></SignedInfo><SignatureValue>PXY5PHFcrPoVRnhwICAxkLjHv3MWS0/Oafwcz6uCV3uh5Hlsm4ZcAxyfFvb+wJ9TZvjJiRlvFSk7HsmYFNBQKmeN4jOKmPKHdlbYK3/Z6Eg3Rv6/LkbdSLnb9NSas1yLdirXucZPqpMmb8j7bYkWGkZqv6StFGGGAYw8r7gvgtI=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIICOjCCAaMCBEnnVw0wDQYJKoZIhvcNAQEEBQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5KMQswCQYDVQQHEwJFSDERMA8GA1UEChMITm92YXJ0aXMxETAPBgNVBAsTCE9uY29sb2d5MRUwEwYDVQQDEwxHb3BhbCBHb3J0aGkwHhcNMDkwNDE2MTYwNDI5WhcNMzYwODMxMTYwNDI5WjBkMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkoxCzAJBgNVBAcTAkVIMREwDwYDVQQKEwhOb3ZhcnRpczERMA8GA1UECxMIT25jb2xvZ3kxFTATBgNVBAMTDEdvcGFsIEdvcnRoaTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAnXNtqzLNe/41JkD9/q5E8QmaA048rnkOPfr1bgcyKn8tb12Nx1n/uLjnHzYfzNoELxPNV5qzl/cRfFprcFJGLMGbLhIlv+PJdKxc8KKcX7RqY+VYyEkBTkP4mMyBXAZeOllaQ4UIZkicm1tpXSocSM1CTKfMwfR+/5WXCDFyYrcCAwEAATANBgkqhkiG9w0BAQQFAAOBgQARCt3lb4lh7/3NnwTj5tadK2ZBEDDEo9sgiOl2wPB2ZT3huMTIqUVEc4QaHndM+VOpuj1eOTvFAm19/vKcFnJzpdNtVFN7hHM2kQ1qjNEBKM0TuC41i7VimyC6smd6aOoMkGaPOlos35jCEGQzxUKg+A9vdhBsFmOMq2rCrUyj1g==</X509Certificate></X509Data></KeyInfo></Signature></saml:Assertion></samlp:Response>
Did you run this through the SAML validator found on the SSO Settings page? That should help you determine what is wrong. If so, perhaps attach a screenshot of the output. We can't directly debug from just the assertion, as it's only part of the puzzle.
Couple comments:
The issuer does not need to match the certificate - it needs to match the issuer that is configured in your SSO settings.
As far as expired assertion...are you sure it's not expired? Perhaps check the clock on your IDP to make sure it is correct...?
Hi Chuck, validator helped. thanks for you comments.
Several months passed since last post so I thought to check out the current status...
Is "Custom Domains" already supported?
Any news regarding SP-initiated SSO combined with "Custom Domains" ?
Thanks a lot.
Josh
Custom domains is now available and supported for customers.
Current plan is to have the SP initiated behaviors, custom error URLs, and custom SAML entity IDs tied into these domains in the Winter release.
I am looking forward for this release!
Thanks for your reply.
Hi, this explanation helped me clear most of my doubts on why Salesforce can't initiate SAMLRequest to start a user session. As you mentioned that there is a cookie on browser based on which you determine user's org and fetch SAML request information and initiated SAMLRequest from Salesforce.
I looked at the cookies and found that two cookies are important to make the call.
ssostartpage=https://mycompany/loginurl;
saml_request_id=_s.baBasdadsdasdasmsasdaa8asdaFaDsdav;
What do you suggest on using this cookie values and initiate a request to https://naX.salesforce.com/home/home.jsp to help salesforce initiated SAML request even at the beginning of the session? Basically, IdP already has ssostartpage value, but find out saml_request_id and use that value to create two cookies and send request to one of the protected page so that Salesforce initiates SAML request?
What are pros and cons of this approach? Main question would be what's the life time of saml_request_id?
Thanks,
Mihir
Instead of setting cookies...what about using URL below?
https://login.salesforce.com/saml/authn-request.jsp?RelayState=%2Fhome%2Fhome.jsp&saml_request_id=samlrequestidfromoneofthecookie&saml_acs=valuefromthessoconfigpage&saml_binding_type=HttpPost&ssostartpage=https%3A%2F%2Fmycompany.domain%3A8443%2Flogin
Hi Mihar...
Actually we can perform SP initiated Single Sign-On and send our a SAMLRequest to your IDP. At the moment you need to first do IDP initiated SAML at least once for a user, and include a ssoStartPage parameter in an Attribute statement in the assertion. We will turn this into a cookie for the user. On subsequent visits when we see this cookie, we will initiate SAML with a SAMLRequest as you are hoping. The SAML docs cover this in specific detail.
In the winter release we'll be releasing the ability for orgs using the "My Domains" feature to have a org configured URL. In that case, no need for the one time IDP initiated SSO....it will just as you expect based upon the org config.
As far as your URL suggestion, yes - we do support a URL for initiating SP initiated SSO. In most cases this isn't what customers want, as they really want request for bookmarks, deeplinks, etc to kick of the SAML exchange. However the URL sometimes comes in handy, and can be used for specific use-cases.
Hope that helps
Thanks for the quick reply.
So now we have two options...
1) Having a URL pointing to IdP with SAMLRequest with login url of our SAML sso setup (or what other way you think we could initiate request from IdP?).
e.g. https://mycompany.com/sso/login?SAMLRequest=<base64encodedxmlrequest>
2) Having a URL pointing to Salesforce (auth_request.jsp) and pass saml_request_id, ssostartpage, relaystate so that salesforce has enough information to initiate the SAML request to our sso.
Can you please tell how unique is the saml_request_id and how long is it valid? I prefer to send request to Salesforce as it gives you control of generating the request instead of hardcoding saml request itself within the URL. Both approach are similar though.
Hey Mihar...
I'm a bit confused by your reply. It might help if you spelled out in a little more detail the use-case you were trying to support. It sounds like you might simply be trying to do IDP initiated SAML. To address your questions as best I can:
#1 ) ( where you have a URL pointing at your local SAML service):
You shouldn't need a SAML Request Your IDP should can just generate an un-solicited SAML Response. This is completely valid, and we will accept them...there is no need to hit salesforce.com first ( unless your SAML infrastructure requires it for some odd reason )
#2) (where you hit us first ):
Typically you only see SAML Requests from Salesforce if the user actually requests a protected resource...like a speciific or account or contact, and they aren't authenticated. Are you saying your SAML service MUST receive a SAML Request, and hence want to kick off a SAML request directly?
Technically, the SAML request ID is unique, and is not a value you can generate. It must be generated by salesforce.com However, you can hit our service with your orgid set as the request_id, and we'll handle sending you a SAML response.
First, could you please spell out in a little more detail the exact flow you're trying to support so I don't send you down the wrong path? Also, what software are you using for your SAML service?
thanks
Hi Chuck-
First off thanks for all the coherent and thoughtful posts you've been making. My understanding of Salesforce's SAML support has improved tremendously as a result.
The above response you made is intriguing. I would like to have Salesforce play the role of identity provider to our Saas service provider but have not found any documentation indicating how to do it. Can you shed some light on that for us?
Thanks,
Carl
Thanks CarlinAustin
While that particular quote is really focused on Salesforce acting as a Service Provider, we do also have the ability to act as an Identity Provider. This is currently in Pilot and can be enabled for you if you are interested. Goal is to GA in Winter 11.
If you're interested, please log a support ticket, and have them direct it to me. We can discuss directly off the board and see if your use-case is a good fit for the pilot.
Thanks Chuck.
That's great news and we may look to leverage it once you've released it. Next year is probably the earliest that we would need such a capability in any case.
For now, I am advocating the use of the platform's current Service Provider role implementation. With that said, I need to visit with our product management team and CTO to get a consensus. If they feel the need to investigate it sooner, I will open that support ticket.
Cheers,
Carl
Hi Chuck,
This thread gave me a good understanding of the SP initiated SSO currently supported in SFDC, and I have some questions on the same topic in the context of Sites. "My Domain" would have addressed my need but I guess its not going to be available till winter release (do you have a date yet?).
Given that a site uses custom domain, shouldn't SP initiated SSO work seamlessly with Sites? I haven't tried but based on other posts here, looks like it doesn't. So, I'm trying to figure out how to make SP initiated SSO work because we can't do IdP initiated even the first time.
I came across this in the help-
<apex:page showHeader="false" sidebar="false"> <script> var PingSpURL = "https://my.pingserver.com:9031/idp/startSSO.ping?PartnerSpId=salesforce.com.sp"; var siteLoginPage = "&TargetResource={!$Site.CurrentSiteUrl}siteLogin?startUrl={!$Site.OriginalUrl}"; window.location = PingSpURL+siteLoginPage; </script> </apex:page>Where does this page go? as the error page on Sites?
A few other questions-
1. When SAML is enabled in Single Sign-On settings, does it apply to all users including Sites/Customer portal users? Is it possible to have SAML apply to only a set of users, and how?
2. Is it possible to have Delegated SSO for regular users and SAML SSO for Sites/portal users?
Thanks in advance.
<apex:page showHeader="false" sidebar="false"> <script> var PingSpURL = "https://my.pingserver.com:9031/idp/startSSO.ping?PartnerSpId=salesforce.com.sp"; var siteLoginPage = "&TargetResource={!$Site.CurrentSiteUrl}siteLogin?startUrl={!$Site.OriginalUrl}"; window.location = PingSpURL+siteLoginPage; </script> </apex:page>The SP initiated SSO features for My Domain are rolling out already. Winter 11 shipped to a number of instances last friday 10/1/10 - it you don't yet have it, you will by this 10/9/10
SP initiated for Sites is quite a different animal. You should only be interested in this if you're actually using Sites - it won't work for CRM or force.com platform users.
If you're still interested, the workaround for sites below basically tries to simulate SP initiated SAML by kicking off IDP initiated SAML. When an un-authenticated request comes to the site, it detects the URL you are trying to access, and then attempts to kick off IDP initiated SAML at your IDP.
To answer your direct questions,
1) Yes - SAML can be used for both CRM/force.com user and Sites/Portal users. However, the contents of the assertion that you send needs to be slightly different for each. You should read the manual on SAML with Portals / Sites to see extra attributes you need to pass.
2) Yes - Delegated SSO and SAML are distinct from eachother and can be used together or separate. SAML is on or off for an org, but always technically optional. Delegated Auth is controlled by the user's profile. Which gets used depends on how the user shows up and authenticates
Chuck,
I hope this is my final question related to Salesforce SSO
I have delegated and SAML turned on for my Org. I have a user Id : test@salesforce.com and SSO is enabled for the profile associated to this ID
For the above mentioned ID can I login through Delegated Authn wherein I provide the ID/password and regular SAML where I only provide the login ID.
Hi Chuck,
Thanks for your response. I see that the release was done on the weekend. So, assuming My Domain is configured and SAML is enabled with appropriate settings, typing the url (my-domain-name.my.salesforce.com) in a browser should route the users to IdP where the authentication is done, right?
I'm also interested in SP initiated for Sites but I don't understand why I still need that workaround (vf page forwarding) for sites. Are sites domains not supported for SP initiated?
I understand that portal_id should be included in the SAML assertion for Sites but how I do know on IdP side whether the user is CRM user or Customer portal user so that I can create the SAML assertion with appropriate info?
Thanks
Expo - yes you can. If you show up to the salesforce with SAML, we'll process it as a SAML. If you go to any login form ( web, portal, or any API client ) if the profile says to use delegated auth, we'll use delegated auth. They work together great.
vas
1) yes - that is how it works, assuming you have it configured in that manner. Type in that URL, or click on a bookmark / deeplink / email and we'll initiated a SAML Request to your IDP
2) Sites does not support a full SP initiated SAML - only IDP initiated SAML. Using the workaround you can simulate the same behavior by kicking of IDP initiated.
3) If possible, I'd suggest two separate SP configurations in your IDP.
Hi Chuck- Could you tell me, for #2 how to actually use the workaround (the redirecting vf page)? Where does that page go?
And, can you explain #3 in more detail? Let's say I have CRM users, Partners and Customer portal users, and all of them need to be SSO. How do I figure out, on IdP end, whether or not to include portal id in the assertion, and if I do include it then how do I find out which portal the request is coming from so that appropriate portal id is included in the assertion?
Thank you so much for your responses.
Just wanted to provide some clarification-
I'm only interested in SP initiated here. When SFDC initiates SAML request, I believe all the requests go to same URL on IdP but I'm not sure if SFDC sends the portal id with the request. How does IdP know which portal the request is for and what portal id to include in the assertion?
Hello Chuck,
Salesforce as IDP, the first glance to this post got me very excited. Appreciate your time and information you contributed here, great value.
I have this very requirement here in my ORG, I went through the winter 11 release notes but didn't see it mentioned there. Is it available? I have skimmed through wiki and there seems no documentation out there. Can you guide me to an appropriate place for documention. I would like to present this idea to my team here and talk about it before escalating it to salesforce support. I would grealtly appreciate if you can forward me any supporting docs.
email: vinay.k.sw@gmail.com
Detail on the IDP in Winter 11 is available in the Help system. Simply search for:
"Enabling Salesforce.com as an Identity Provider"
Hi,
SP-Initiated SSO is working ok (using SAML 2.0) however it appears that the RelayState (Salesforce.com URL) is not passed in the Post to our IDP and therefore our IDP cannot return this following successful authentication. For example:
1. User clicks the link ---> https://cs4.salesforce.com/09999999999WKUu
2. Salesforce performs an internal get (maintaining relay state) ---> https://cs4.salesforce.com/saml/authn-request.jsp?RelayState=%2F099999999999WKUu.............
3. Salesforce performs the post to our IDP, but does not include the RelayState.
4. IDP has no RelayState so sends the browser to ssoStartPage.
Any ideas?
Hi Simon...
From your POST, it certainly looks like we have what we need to send RelayState ( the authnrequest.jsp seem to have the correct param ) There isn't really any good explanation for why it wouldn't be passed.
Could you capture the HTTP traffic with something like the Live HTTP Headers plugin for Firefox? It would be good to see what's actually happening on the wire, as all indications are RelayState should be there.
Hi Chuck,
It appears that the issue is on our side.
I was given the results of the httpwatch from an internal group however closer investigation reveals that the RelayState is being included in the Post so hopefully we should be able to get this resolved. At least this will mean that we have actually got SAML SSO working and this will be a great feature for our users.
Best,
Simon.
Hi,
In my organization we are implementing Single sign on.
I am trying to access salesforce site by sending SAML assertion but i am getting following error and i dont see any failure attempts in login history of salesforce site
Pretty hard to tell from just your SAML assertion.
As a first step towards debugging you should send an assertion, and then go to your Single Sign-On Settings page and click on the SAML Assertion Validator. This will automatically save the last failed SAML login attempt, and tell you what went wrong. If nothing is there, then we weren't able to figure out your org so there is something wrong with your username or ACS url.
Let me know if you have trouble interpretting the validator.
Thank you for your reply.
I am getting following errors with my SAML assertion code.
13)Subject:
Unable to map the subject to a Salesforce.com user
AssertionId: uuid-D91F59CF-400E-4CD4-B2AF-6AA50BBB271C
I really appreciate for your help .
In your SAML Response we expect an AudienceRestriction ( as per SAML Spec ) that targets the entity id of your org. It might look something like this:
Thank you for your reply.
In my SAMl assertion code i am sending AudienceRestriction.Here i am sending my SAML assertion code.
<?xml version="1.0" encoding="utf-16"?><samlp:Response ResponseID="uuid-1C42869F-6F84-4E1D-AAA1-E6E0FE68F347" IssueInstant="2011-04-14T17:21:27Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com/?saml=02HKiPoin4xIs2Ih8JTricxp8fyeHHR1n373RZsgeyLR4tK2Pz4lD1GHGsPwkGzvBzz1oFCaqa0ZjSMRbSTgzWwAhr.O5Rgj3JYl4=" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#uuid-1C42869F-6F84-4E1D-AAA1-E6E0FE68F347"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>rkkhDUNSdQf1JCuk64u9ZTrDGRo=</DigestValue></Reference></SignedInfo><SignatureValue>YgVBuOZrJ1B62NMct0jf+ciuX/99VWtmypD1UU3BWs0a5xygxkp+k+Rse7GzPx8ljV8rOavhn6QiNsXqEODgpf1oWQvI/PNh6TKeXI9O+QkxCJ7Wd2oFrYCi4684Gn0L7XbjN7893hNPllH/PJj/JAhQmK4tWjoh4BOOmWZlzjI=</SignatureValue></Signature><samlp:Status><samlp:StatusCode Value="samlp:Success" /></samlp:Status><saml:Assertion AssertionID="uuid-2A4BF965-FFB5-4E9D-A607-6890EDF0B854" Issuer="xyz-developer-edition.my.salesforce.com" IssueInstant="2011-04-14T17:21:27Z" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2011-04-14T17:20:28Z" NotOnOrAfter="2011-04-14T17:26:28Z" /><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2011-04-14T17:21:28Z"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz@gmail.com</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:AudienceRestriction><saml:Audience>https://xyz-developer-edition.my.salesforce.com </saml:Audience></saml:AudienceRestriction></saml:AuthenticationStatement></saml:Assertion></samlp:Response>
but still i am getting the following errors.
3)Subject:
Unable to map the subject to a Salesforce.com user
AssertionId: uuid-2A4BF965-FFB5-4E9D-A607-6890EDF0B854
I appreciate your help.
If you could message me directly with your orgid or userid that would help. I need to take a quick look at your configuration
Thank you chuckmortimore.
my user id is praveen0224@gmail.com.
I have SAML 2.0 SSO working.. but not the SP initiated.. currently the ssoStartPage attribute is being sent but seemingly ignored by Salesforce.
</saml:Attribute>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute FriendlyName="ssoStartPage" Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">http://sso.lorealusa.com/sso/SSO?SPEntityID=https://saml.salesforce.com</saml:AttributeValue>
Help!!
Hey seanpdoyle - if you're trying to do SP-Initiated SAML you should really setup My Domain ( Setup -> Company -> My Domain ) - this feature allows you to have your own URL for your salesforce org, and makes SP initated SAML work really well. Once you have it setup you can simply configure your endpoint in your SAML config. It's best practice for SSO and SP initated SAML.
The do have their own domain name with salelsforce.. does this mean the metadata needs to change for the assertion? currently it's https://www.salesforce.com.
When I analyze the the response from the SAML service I'm not seeing the ssostartpage cookie.. isn't this how SF does IDP discovery? Will the SAML service honor the ssostartpage attribute if it's of type basic? All of the examples I've found specifiy it as unspecified.
You should ignore ssostartpage ahd the cookie. It's an old way of doing things that doens't work very well.
If they already have My Domain setup, then simply go into the SAML configuration in Setup, and add your Login URL. We'll send SP-Initiated SAML to that endpoint when we see an ua-authenticated request to the My Domain
Ok!! I'll try that!! I'll let you know what I see.
Sean
Now we are getting somewhere!
Problem is now, the signature is being rejected.. where do I get the CA root cert for cert being used to sign the SP initiated SSO request?
Setup > Develop > API > Client Cert
HI chuck
My requirement is rhat when a user clicks on SP Link he should be redirected to Salesforce site Login Page and then redirected to SP-initiated POST endpoint . Here Salesforce is the identity provider but i need to access the relay state parameter in controller. So How can i do that ?
Hi SSO Experts,
Could anyone please help me with my issue?
We are looking for a SAML SSO solution for allowing User to login to Salesforce from web portal and from Salesforce to login to another web application.
Steps involved:
1. User logs into corporate web portal by providing his/her corporate credentials.
2. By clicking on a link provided on website, user must be able to login to Salesforce.com.
3. When user click on a custom link provided on Salesforce, user must be able to login to another web application.
Design proposal:
For step#2, Assume Federated Authentication (SAML) is implemented by providing federatedID and token(generated by one of the application within our environment) in the SAML assertion. While Salesforce uses federated ID for user authentication into salesforce, token is retrieved from SAML assertion and passed to the client’s authentication services for authenticating the user into 3rd application.
Questions:
1. Can we include a token (generated by one of the application within our environment) along with federatedID in the SAML assertion? If yes, can we retrieve this token from the assertion and store in salesforce for using it for login to another application?
2. Can Salesforce act as service provider (SP) and also as an Identity Provider (Idp).
Please advise.
Thanks,
Vimal
HI
what extra parameters are required in SAML request to implement Just In Time Provision when using Salesforce as IDP ?
You have to enable provisioning in Setup on your SAML config, and then send us attributes in a SAML attribute statement.
Details here: http://www.salesforce.com/us/developer/docs/sso/Content/sso_jit_requirements.htm
"Once you have it setup you can simply configure your endpoint in your SAML config"
Can someone explain what this actually means? On the SSO settings page you do not have the ability to configure the endpoint. My problem is if I paste the "Salesforce Login URL" value on the SSO Settings page into an unauthenticated web browser, I end up at the Salesforce login page and not the identity provider login page.
Salesforce Login URL -- it should be the idp endpoint that accepts SAMLRequest generated by Salesforce when you are trying to access a protected page without a valid session. SFDC will generate a SAMLRequest and auto-post to your Idp, if you already have an active session with your IDP, it should then autopost back a SAMLResponse to the Salesforce ACS URL. If you don't have a session, then your IDP should ask you to login first.
thanks
Jong Lee
Salesforce.com
Jong Lee:
Thanks for the info, it certaintly helps and would explain my results. However, the Salesforce Login URL is not something I can modify, it is generated by Salesforce. We are at cs10, not sure if that makes a difference.
Regaring the SSO Settings page, for our Dev and Full environments:
The Salesforce Login URL begins with "https://test.salesforce.com/?saml=".
The "OAuth 2.0 Token Endpoint" begins with "https://test.salesforce.com/services/oauth2/token?saml="
However, at one point the Full environment had "...cs10.salesforce.com..." in the Salesforce Login URL field. I just changed the "SAML User ID Type" so it matched the DEV environment and that is when the ".../test.salesforce.com..." URL first appeared in the FULL environment. This must be a reflection of changes Salesforce recently made on their end as changing the "SAML User ID Type" back did not restore the initial 'cs10' URL.
Here is a list of the settings I have access to on the SSO Settings edit page in both environments:
SAML Enabled: checked
SAML Version: 2.0
User Provisioning Enabled: unchecked
Issuer: This is the URL for the IDP server that the IDP admin provided us.
Identity Provider Certificate: Here we uploaded the certificate the IDP admin provided us.
Current Certificate: This displays the IDP server info and future expiration date.
Identity Provider Login URL:
This conains our IDP server URL with SAML related path info. I believe you indicated is the "endpoint that accepts SAMLRequests".
It was provided by our IDP admin.
Identity Provider Login URL:
This conains our IDP server URL along with the parh to a logout servlet.
Custom Error URL: This is blank for now.
SAML User ID Type: Set to - "Assertion contains the Federation ID from the User object"
SAML User ID Location: Set to - "User ID is in an Attribute element"
Attribute Name: Name of the user identifier that was provided by our IDP admin.
Name ID Format: This is blank.
Thanks for the correction. My previous post mixed up Idp login URL and ACS URL which is the one Salesforce generated to accept the SAMLResponse autopost from Idp. when you directly enter that url to a browser without actaully doing a SAML login, we will display the login page as a result. So that's really expected behavior.
Now are you just confused with the terminology of what "Salesforce Login URL" means or you actually having an issue to login with SAML?
thanks
Jong Lee
Salesforce.com
Jong Lee:
Thanks for sticking with this as I had assumed some of the many users would have recognized my problem and responded.
Our IDP is not in Salesforce, it is in a local server. We have an SP configured in a DEV and Full envirronment. We have installed the IDP certificate into the DEV and Full environments. We have downloaded the SP metadata from our DEV and Full environments and sent it to our IDP admin.
We expect to be able to have a login attempt in the DEV and Full environment be redirected to "our" IDP login page. Then after the user is authenticated, be redirected back to the initially targeted environment. The redirect to our IDP does not occur.
This process is described on your "Single_Sign-On_with_SAML_on_Force.com" page, which states, "Service Provider Initiated Login, where a user starts by clicking a link to the the service provider (e.g. a bookmark, mailed link, etc) and temporarily redirected to the identity provider for authentication, then returned to the link they initially requested."
As long as your Idp is configured properly, I assume either SP-init where you start from Salesforce or Idp-init where you start from your IDP should work.
thanks
Jong Lee
Salesforce.com
This is now working, but to assist developers in the future it seems salesforce should come up with a cheatsheet that targets the important point of the implementation. The current documentation seems to be an attempt at teaching SSO basics, which is a good thing. However, even with this knowledge you will be hard pressed to come up with the list of (less that 10) bullet items that would (based on my experience) be helpful in guiding the developer to a successful implementation.
Good suggestion. I will forward to our doc writer, and also explore options on developer.force.com
I'm reaching out to our SSO customers today to make sure you know about a Certificate Rotation that is happening this afternoon. This could impact your processing of SAML Requests
http://wiki.developerforce.com/page/Client_Certificate
If you receive SAML Requests from us and validate the signature, your best bet would be to immediately download and trust the new cert, or temporarily disable signature validation.
Sorry if this catches you off-guard - let me know if you have questions.
Hi shanuman
You didn't mention how it was resolved. because I also have the same issue. Can anyone help me on this.
I am trying this with ADFS and SAML.
Thanks
Mani Sundaram
Hi i am new to salesforce. I am doing Saml sso. I have created java code for saml assertion. When i ran this assertion to SAML salesforce assertion validation i got error message
I am stuck at this point very long time. please give any idea to solve this.
Thanks in Advance
Shibani
Sounds like you're not constructing the XML digital signature properly, or you are signing with the wrong private key. Fairly impossible to tell from the level of detail you've provided I'm afraid. Perhaps post a sample SAML assertion
I have created jks file and got trial certificate. My saml assertion is
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo" IssueInstant="2013-01-31T07:08:12.750Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"></saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="............">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>W00fFhandPjn5xTKd8nAArwGmQY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
7k3cZSpMxSQxBlKYbG3FfkuinVr+MgRP+OrcvX2EG+hOmqu/ssPIhay9deW9EvPHotgsrD32D/L
o7tNmcwaRFicDQSBoLuQ+C9TmC4DTYOZG6GwDg==
</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>VxAMQQie9a
hS+htrZH4g==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo"
IssueInstant="2013-01-31T07:08:12.750Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="" SPNameQualifier=""></saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2013-01-31T07:10:12.750Z" Recipient=""/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2013-01-31T07:08:12.750Z" NotOnOrAfter="2013-04-30T07:08:12.750Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AudienceRestriction><saml:Audience></saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AuthnStatement AuthnInstant="2013-01-31T07:08:12.797Z"
SessionIndex="kkkcbdgnohpjlnpeioibfbjecbmejfaocadkcigo" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute Name="federation-id"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
My Idp and SP is Salesforce. Let me know What did i wrong. Give idea
Thanks for your reply.
Figure this out by going to:
Administration Setup | Security Controls | Single Sign-On settings | SAML Assertion Validator. Recreate the problem to get a current SAML Response and paste it in the provided textarea. This facility will analyze the response for you.
OK, I see you have already done that. I just recevied your xml post in an email. There are a number of ways to display your certificate. For example:
keytool -printcert -file test.pem
Owner: CN=xx, OU=yy, O=zz, L=aa, ST=bb, C=cc
Issuer: CN=xx, OU=yy, O=zz, L=aa, ST=bb, C=cc
In the above, "test.pem" is your certificate file. I am not an expert in the certificate area (or any other area), but I have never seen a CN value that was not a hostname/domain. If the cert is bad you should review the information you used to guide you through cert creation to ensure you provided the correct information. I believe a certificate is associated with a specific domain, which (I believe) is not possible with the certificate you provided. If you have openssl installed, the following provides another way of displaying the certificate:
openssl x509 -text -in test.pem
Your cert looks fine - no issue there. CN doesn't really matter in this case.
Have you made sure you're using the correct private key that is associated with this cert?
Is the Reference URI really "................" or did you ommit that from the post for some reason?
Yes. I alreay done. I have posted that error only. I got Signature verification problem
Thanks for your reply.
I have omitted only. I got private key When run the code. But how can i verify it is correct private key. I think this may be the error i did. How can i overcome this. Please guide.
Thanks
1) You probably should have created a separate thread, which would make this easier to follow.
2) Have you looked at the "salesforce_single_sign_on.pdf" document? It has all of the info you need, but on your first pass at this it is hard to decipher. However, if you are not referencing it you will have problems.
3) I do not believe you have provided detail on your setup. You say you are using Salesforce. Does this mean you are using a Salesforce org as the IdP and a Salesforce org as the SP? If so, I believe you should use the IdP to generate (i.e. download) the certificate. That certificate is then consumed by the SP (i.e. SSO Settings, Identity Provider Certificate, Chose File). If this has not been done you will have problems.
4) I notice in your posted SAML Response that (among other things) the saml:Issuer is blank, which I do not think is correct. Are you deleting information for security reasons? If so, you should consider getting two developer orgs and setting up one as an IdP and one as an SP. I know that this works (as of 6 months ago). If you have problems getting the dev orgs working you should be able to post screenshots (e.g. SSO settings) and the full request/respose values. Once you get the dev orgs working you should have a good enough understanding of the setup process to get SSO set up in the actual orgs.
*** IMPORTANT ***
I will just add that if you will have multiple orgs (e.g. integration, uat, prod), you will need to specify a domain in each. Otherwise the SSO domain will default to "https://saml.salesforce.com", and your IdP will have no way to distinguish the orgs. This needs to be done before you enable SSO on the SSO settings page. A reference to this domain can be found by searching on "domain" in the "salesforce_single_sign_on.pdf" (Single Sign-on Implementation Guide) document.
I have deleted issuer. I already downloaded self signed certificate from salesforce. Shall i take idp and sp in same developer org. Is it possible. I have already done. But i got same error before. Thats why i went to CA signed certificate.
All saml assertion validator gave ok message. But i got error in signature or certificate problem.
Thanks for your reply.
"I have deleted issuer. "
I do not believe you need to do this, and it is likely to be part of your problem. I also believe the cert the SP uses should be from the IdP. How else can the SP be sure the response it received is from the IdP?
Maybe you should consider the two developer environment approach I previously suggested. This would be indepentent of your real environment, so you could post the SSO settings screen and all of the SAML request/responses without having any security concerns. You would likely get more feedback on your problem as well. I would not use the same org for the IdP and SP. Once that setup is working you should have no problem getting your real environment set up.
I will just add that I ran into issues with the SP not being able to handle encrypted responses. So if you come accross such a setting you might consider waiting until this is working before looking into encrypting your responses.
When you enable SSO SAML, the SSO settings page is completed in the SP. The IdP must also be enabled, but that page is not similar to the SP page.
Regarding the error, part of the setup process involves downloading the SP metadata and making it available to the IdP. I have not googled the error, but you may want to ensure the metadata exchanged step was performed.
I have not used the wiki, but maybe someone else can comment on the procedure. I will just add that until you can provided detail associated with your installation it is unlikely anyone will be able to help, the main reason being it is more time consuming. If I were in your position (and I was) I would try the '2 DE org' scenario that I suggested. If you are unable to get it working there it is unlikely you will get it workng in a real world environment which is a little more complex. Again, the idea is in the 2-DE-org scenario you can post your settings to the forum
Thanks For your help. When i tried sso SAML with two organisation it works fine. But When i access from java code i got Error: Unable to resolve request into a Service Provider.
Shibani
Not enough information to advise you here I'm afraid. What java code, and what was providing this error?
I'm trying to setup SSO with Active Directory. I've done this a few times with no problem but this instance is giving me an error. When I plug the response xml below into the assertion validator in Salesforce I get nothing too useful. It says Unexpected Exceptions
Unable to parse the response
Premature end of file.
All of the numbered checks in the validator come back with 'Unknown'
Any help anyone can provide would be greatly appreciated!
The error url I'm presented with is this:
https://na16.salesforce.com/_nc_external/identity/saml/SamlError
My response xml:
<samlp:Response ID="_b8dcaf93-af29-4ea7-a4aa-c521df14de23"
Version="2.0"
IssueInstant="2015-01-28T19:40:52.043Z"
Destination="https://login.salesforce.com?so=00Dj0000000I3xf"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://fs.af-group.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>C=USA, S=CA, L=San Francisco, O=Salesforce.com, OU=00Dj0000000I3xf, CN=SSO_with_AD</ds:X509IssuerName>
<ds:X509SerialNumber>26236850872755761797980282336291</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>e6cemiHsh4n1XyXzf4rGeHZ/fVEhzK7p9V/Vo4+djVrHB1mtFvAJrGowl5f2wzGGSZ2sg9rUvWB5V+2uHNURGoMJARsxlFuuLrlVLIc5i/+JRP7AdYchJfZtE+Rz8Y5o8pcFGPA5GJLFRa/VEGYk6/K+wxQlyRZLa+p0VHS1em7hRguKI5uhdOlSSb+iDEAxKH3IQKQ00nVOcV8NQkmhg/lqiSoY3Bv0QVMaH9wxGr9wJIaNrIK/9UvI9nmUQ5vP611dTOJaTjAyXRGojKR7qyWgqURpCIlJ3MaMU0SwooIM3mEONfyqTpcy3OLIzBWjFt4N0HjRixJl4ds7VfdlBw==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>EcQwh4HVZIef2quybxdzssbxcdo2K9jQemSpuo8P7JeNRnIHtcZ6ID+R1xLr4gjmOrXPMUwpiWO14n5oJXvIVrrRnTJ6v9jQV6DKf+9s6X1B7Cjmu8uhmj1T/3azxKEM73NNBgawzaBY9tPYGChy9/ECUoFf0mKysz/CD4ONNNQjfXGQ70/6FvNRm8jgJx+vjCa1oFDRX8jTsJkxm+/yFx9tlCMyGeYXcVcITdDvHBnNOqCHBdHpxUKRVSGUoWztDR691l+vS3KbM7TN0mFQdoRm9ZrqeDgOxPEuGDachzeJjwKmyJ2rqZgiFuRbSATa9RyDY3wTyVKub2tiFDu3ZCXGKwuJFBLNBfbuIw9Qc5h7wTP18hrWJYX1oofi/j8/gNZ7jH3diLH2g7aTdbGDN4vQ6JVYyaSg2FYIGfy1Lw5CrDZq4+AdpamQ+BM+HlQK8sAbDbMYr4BPbFwlJD++yk5yFQ0LQ7KwULFBb2VPuPBbrBgcZMZSxpl+ATj/m1kp+jiSbqwWp/FCinyQbQYoyECmqnYVOtMKR0ca5U48JJ8zWzcwsa0a7pxOqX9oWuNMHADhlH8+Sz57VrZpvYFCaGp53xlHoJF3LgII/DhfI21d9EzQLCnkBLrhdVbNDRfK0vTTUv+zd7c3X9DSnGXv7fHXc14sZso2+OeiNxqJNWcG9n9DMnV4rNIEKf7YIfLEl0+PTyTa76zUIgbhVxd7vttJfLK+TpV3aaEcPuY66IlOimDXew5kFrBYvmKiZg0DB3a3ukIpilPDvE2jRbqiXEWQTf8ha9exi0lON6fs9oI2+QpBAcHLSkzOVzYcWBxmFzuJ8BG+JbE8Ve5B40C43ImRNg6gPAzE58l22T9xKLu7l2GEe2gLXsdmq3YBPlwK9/kesNaK1FnTeq8M8C5Bp2XrsuJIgREisCAcADO+qpqK9td00Rqibk5MLKLzv5LGM4VxAbqaSg1+m+VYx629ITKjIJzO0n66W+H+IanevxwEweVc/rYKRjgbkT9ipnnt0OHtE6NmCfWZaJraY6O2uFe7AMhIx89bE1iLOhh1q4+a2w4ezMOL70P1ZneKJ2rEjNvoKUNkMmmyi3aDEcJty70rkBbX7rmZmQJJcJHWVDBVyX7HdcNshRAd9s7T5AWOWxitdRApyw9N4LhWrc3hXiVkjxSs7PRRrzQwG9AJe4CRHSlE81FtmpAr1owaCToXyH6kZH0IYJlufHLx2xtXOPaT6KrmP66me17vhUizyNMFDnRISVaHVAU0G5qTiPcFfGhcdaJQMFOv7EYYfQpwzhfBYCjp2o1KZrXzdK/Fbm5kRwY+9xGLwl50KGXhJGLgfT0sqq5zw/AK/gBBndp+JeIt7Tm815+RAmFzhc49suvlw6/G6cAZhAZvrsEmCaVkmiOuTxiMXPwmGmh7DM2gq/bJXwBqyvNxQCTMl+rrxyPuVIxdTup3q1jBajEBRJAzswMbhsHMfC1qTRYvHovhoXdoP9d6iJrtnMPkAXUpU7/3FbiE95N0UFWPZUS/joJw8Jf2o99+YPjQ2zCF5w/2SNq0KcKox5g2rxJS+4ABIvJG74ly7RdlVOohgAdWQNeZX12j9w+zsIQW6ppp0Nf3Oa9qjTPE1QWI/msEOI83U8tvedBEk551kYdOxG/OrPBLs2gaaGAthD6BZluQ4yXsx+fLGEvdcwzmZLxOopZlAiPyCxaVkpXG2R9QCnScL1LyZLn/5v62PPGpuRPrI7+zK36olIxScXFRTkLZRQeD7inG0PUj9lyKUBACnKDsFHG+ccnDmGLGxelZyWiIXRzwKhOD1gCJUauM7cVWJXF8WG4jglPQqfv+GXRReobY7/xnw/UQI4pkyEJMhYA+I2m5a6wqxdrAnKDP3sOuk44eOA7+hVVNPtF7702DmPKdhM7Azrm2OiiFMuuqITDoi2QbTL/JhQ35SvP9bVnLHA3Pf7meeoG2c1xtmyHfNckVWOIHvcL+8nIftycxt6Js7ntraOptjcYxifziJGTSV6kvic4T+NEzRquL/LjTSY5ePqzcyNDuza4u0+73YcO3/Wmu5DVQ6jy7PgjTLI9OG2mzatt6Ypf6zV95ck/6mMncg3Qg6fUiRFXNSlOAY6LzCM/PG5w+pS1MZ560ffrw8zPfTnnXSU2Sh4PC1STk+bmk4o13xz1W0wEFu6bB4ZmqZ2jF5rbkotw/UbJtwqF5TkLGfgSdO44rVklQ9wg4qY3FBda8rm6KtwtmsBDzOJdTnG/jK7eldqVpBbOIlSoLench1wdpFvaqA3W9QmsM4Lulcncn88JDnZulf7NW/Vk2M/eObJ9Vx1F5pdCef1xWeaRc+Mk2FAtSwbfALfkjxpuT27US2isABT5ICB64z9r3RFPA8OUf29sxWA1X+luWZ4IhLL2ah2mhjOSrUqkmkjLeBlF41XV6Qa5BOnnxfhf7J9dIgIWlzHFumXeOT26Bot9HUW26AaHERavScKxyjPd1cxkFZy9xrSUGhePatAlO/wV3gxS1lJ+ClUkK3HtIkb5ZfwBoYL8P+p6DZ1/VV+SBsmxLUjysY9XNS6I3pQk2llKO+jJcnsmMXxN9KunyxHeLBsSxaxbuFbJ2VKeJPtkXGnwWNhcSj7mC41lVU3sP6//KzytCDsL2cm7j+gt8hsujLSrMDjGrW7Ia/5T1A3p28kqtYvlj0nebUnGpeFBVU5yi6eqcjvZqaiJMnNvemPWq1Pum0IQbk9aJnbzSsnK4J/IXV7P6PiurtcKg1HkX6oFZUTD+TlSggL39xGopUX35AOsUli76ytAGXWfmxn4fRMo7NwGA1vmLXGVatSSZ9M/5WfPigdWGjIGaPxiogU0Lt5L+bNaWW7KOQJ1bYBYMBkJhc6F2VP1zywgWwuV1r4NI1PuxBUzlbGVe8K25oOx4vs36GW9A7DPkDC6rNlFTfhsqLyUqcMmQagKwRnEC+zNaSoisz0NTjZoV7YTpbktgzY8LfzQXNVIHSWkbXzW2slacOHWYnvPGjCFIiIEB5rATuUc4un2Fw+9XDvoVXCe0HeTxI30/SK40NI9ZfbL2HdaT1bt1QG65WSh7zA4LKQ8L6S1AKzF3GRuG/jCW0HfFTFyFheVxUNhe78VVfj+2IWscn2wfBeIZhgw02LJUrM2MDGkH9foGoIGzI/uJepLliLOOhEKRsBpXQidMh4PbrKz4f26gnuF2y7jT4MtKOrDn7iz0Srmsb0hBNYE+UiJUGeNvAY7rRKOS0JTCQpYUbq0XrKp91TWAa4TnJKqHw6YG2JGCsp1Rcp0Bbryzpmzf06I8A4+oyODuifaS3i1A3IItfvtdWGZbWVOBIL5OYnH0cYFyY4aC2qD3e8slfQ8+IipUWPRVRlFYKeTjR1rnVhplgpq29zfWIwgavkUKJXKfWi+ftMzskpxEXBlbLRWv3UFDybq2IkfgUsQRLK26cm6un7id5UgkCDOufkWNbap2ZCvhxLUzCJAXkoupBdYo5dyCsIwcQIbAAoddmtLPL/ShLcXD8UG/fsOzyt0dLL4PRnUYn2R+HSUSafsvWxPNzFdqSKYEB3A+9Q/WZaFxlP7z1CUaZEgxttBSXMvOUQd1hObtXuvDVQyCO4LNI+d8r24QFq5tG6J0xkNMCZ5e+DmbNJG9W1t9c44ryHTU6KWnfRgkhtK3U3I+ENlAIST7vK3gKy/VIHhZgrqk1w0uEWVCjJjLzKINgjGt4WDiPpN0JR+820t59fkVYbaOIqCYEZMSL8G0U9pa9881+JC6Hy7rR9aWm+Tlos3mI84uv1RLYpuBNNug3y5KOUJEAIaXAzKwgDcvgqtDRx3C5rAZ0LdkI/taBec7IBAbxwjvBhdbH3LZ0Iy7nu4sG4GSKx+g2wZFcMYeG0zYyrOkoiHoL6SYv6eoqZezdmlcj7cqEndW21TsIDvEcsIH97lnRIvnvUcrQAFv7M0rXq5oAQuNFO955US6Blpcuxv0ou8YsIT9L28jOYl+vrj8oJMml+ts/NGwjn30spGQaGBpiFBj6cvzeMR4g4Hw7xKNGer5Y6PejAVeFtcOcpE55v0I4iuEyyZCvkW7zU4Hjx/SdPVhQpniuEOJ3Aahh6h5uvSvx9UQkPTbkQJA9zn6ErgsMqDgQMfrzFy9OBbq8e3ZMEmQWpfNmKhkUTqmRjFtOFZsa2QV8M1RW4R23BbBqnPhvtliZic6D2s/31upa2YOIRdwhgMByr4eyZ+MuDf58b/m67xZEqjjdl+NJYcURO69d0Zl6QwXgs9/YloUfrrOnvs9WKlfdaegxDxFYWGE7x9PXDwX+71gZB+Ee9vlKUC7rcDi7nwDJOEibs/ScFXg0kjN//hBeheD3KVo/Lj5zQi8/oJlobnDUHUMzhQR6+Wzv6VtmYpuIB/KN7xQEfv/C6GhjiYFPo0qmlAmnO5rr4U7Fl8qMKiWRlK9uHeB1AmKnWvrgWW3ngXT+nADACmSgvfqC2ja4qgn65x/4B4/+VUSP6yKTW37hxDkrGgPv/i4xHrdKV9V5MC+zeuljjZMYqr65ViIEcIAbido/gZoGrdN4WYW1tfaWkODMuu1fcxGNiQ6VtWIn+aHFFjJNqA2zMlIGwpNj8N/qF6Wipix5eBWpw7NU8Yg4WYCmKB5QG54yHBDVN/nJa93xiO/dWnwygh+aMEmcHDW3jDJVeqOJH3EEGE52T3v7kG6URhDfUIkNH1t2GuFB8Ic1jpKEnNwpEnfzZWmbrSRtGj3mSatz7OFLbB6uDRhi7JDEBYjOKWO5dXevC9kjy4SrNN4wLoxNgEZa8tYD04S1mtbtnTla4X5PVpBHmlmLqUfvymTrnaKWYblTjQotM/hTi7FCpXxytJde3HEwi6l0k9ZbTVsUfFpA9bbc2SvYrBet2xlYM99mqNQ8txh76ZpfPy/BHvZyHsJBLnMp7Fj/soHSFiYMFHGgSMFtEwG96mmiLA6WmrPnafm+7iEWHQHqTU1ZRzVqmWaHhni60g4BSSnZ3StrqUEl7GBoM+I80HGfjmX/4Hpo3UDoI5edefGKIPMeDSKOgCQaegwQdB68SuxwsG+QOSKaC1Yp8YNc7VcMYH+R2hnmB/44eOxDe0tX+6FJlNGqO7ceWKdjVJtqahYNDa68DRaTaeQXseFevswngSVe8ryHUFMq6xDL7P7X+QK+mVK8VE4Mq46HFJRzHbxXVvGqW4WpcsCyK0RGRk3Mc33FOLC1J5hicda/QpZ1R1J/9Z3jTveTVlKMC+DhxmGdYvJsZwmLRNyvEhTPza+UlPU6jxfJmOlljI=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>
I've established SSO with Salesforce to CAS server. The connection is established well but once the redirection happened im not able to login to salesforce. Its throwing SSO error and when used SAML validator i get Signature or certificate problems
The signature in the response is not valid (Is the assertion signed? false) How do i make the assertion true and execute succesful login?
I've checked the idp certificate its all good and also the timestamp assertion. Can you please help to resolve it. Thanks in advance!
I have checked all the settings, the test account works fine with SSO and redirects to O365 and validation succeeded. But for other accounts giving SAML validation error. Please help