vshyam121

POST to recipient url

Hi,
 
How do you post the SAML assertion and the RelayState URL to the recipient URL? I've tried a bunch of methods but none of them seem to work, because I don't even see error messages in the login history. So this means it's not even getting my assertion properly, never mind checking its validity. Right now I'm just trying this:
 
<form name="acsForm" action="(recipient url that salesforce gives)" method="post">
<input type="hidden" name="TARGET" value="https://na2.salesforce.com/home/home.jsp" />
<input type="hidden" name="SAMLResponse" value="(assertion that I came up with)" />
<input type="submit" value="Submit" />
</form>
 
I also tried replacing TARGET with RelayState and replacing SAMLResponse with SAMLart. None of them seem to work. When I use SAMLResponse, I actually get a general error message initially on the screen. When I use SAMLart, I just go to the page where it prompts me for my Salesforce username and password. Neither, however, shows any error messages in the login history. PLEASE HELP ME.
 
 
Thanks in advance.
jonglee
The post params should be SAMLResponse and TARGET for SAML 1.1.  If you are getting the SAML general error and no login history, it means we are unable to parse or determine the subject from the posted assertion.  Are you using SFDC username or Federation ID?  For Federation ID, please make sure you define it in the User's page.

thanks

Jong Lee
Salesforce.com
vshyam121
I tried both Federation ID and username; neither worked. With Federation ID, yes, I set it in the configuration page and put the same Federation ID in my assertion. Are the assertion and TARGET elements supposed to be encoded somehow? Maybe that's what I'm missing. Another question I had: is the assertion supposed to be a Response or just a bare Assertion, meaning is it supposed to start like this...?
 
<samlp:Response>
....with the assertion inside it
 
or just like this
 
<saml:Assertion>
 
If we are supposed to use the Response tag, then will the Response have its own ResponseID and IssueInstant, and the Assertion its own AssertionID and IssueInstant?
 
Thanks.
 
 
vshyam121
If it helps, here is my response template (by the way, "Shyam" is the issuer that I set in the configuration):

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    MajorVersion="1" MinorVersion="1"
    ResponseID="<RESPONSE_ID>"
    IssueInstant="<ISSUE_INSTANT>">
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1"
        AssertionID="<ASSERTION_ID>"
        Issuer="Shyam"
        IssueInstant="<ISSUE_INSTANT>">
        <saml:Conditions
            NotBefore="<NOT_BEFORE>"
            NotOnOrAfter="<NOT_ON_OR_AFTER>"/>
        <saml:AuthenticationStatement
            AuhenticationMethod="urn:oasis:names:tc:SAML:1.0:am:Password"
            AuthenticationInstant="<AUTHN_INSTANT>">
            <saml:AttributeStatement>
                <saml:Subject>
                    <saml:NameIdentifier>
                        <USERNAME_STRING>
                    </saml:NameIdentifier>
                    <saml:SubjectConfirmation>
                        <saml:ConfirmationMethod>
                            urn:oasis:names:tc:SAML:1.0:cm:bearer
                        </saml:ConfirmationMethod>
                        <saml:SubjectConfirmationData
                            Recipient="<ACS_URL>"
                            NotOnOrAfter="<NOT_ON_OR_AFTER>"/>
                    </saml:SubjectConfirmation>
                </saml:Subject>
            </saml:AttributeStatement>
        </saml:AuthenticationStatement>
    </saml:Assertion>
</samlp:Response>
jonglee
The SAMLResponse must be base64 encoded <samlp:Response>.

vshyam121
OK, I'm finally getting an error message in the login history with the base64 encoding. It says Assertion Invalid... probably has something to do with the signature, because I'm sure about everything else there.
 
Thanks a lot.
jonglee
Your template does not seem to be valid; at least, I don't see Recipient set on the Response element:


<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-07-10T18:18:23.108Z" MajorVersion="1"
          MinorVersion="1" Recipient="http://localhost:9000"
          ResponseID="_5f8235795b782d060b68b2b13e7750a61215713903161">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
            <ds:Reference URI="#_5f8235795b782d060b68b2b13e7750a61215713903161">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                <ds:DigestValue>bp0aZGMoSvQ4rGHLkUzmBcat7fo=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
eIB3i+dEPbUcLab02kPM3PkRL85qAOKzQFcL5xofhLopCDA+uLpGCN+lnEGp3th3YX443GG+ib+H
QwWpb3ynLsyDQBfVpCygHCSguvcZ1KqTri/PAevMNG+XuKOFn72/IbohGVH762A4d8Le7v1topwz
KCY9BdiFdEoWVAtPstM=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <Status>
        <StatusCode Value="samlp:Success"></StatusCode>
    </Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_43274672d5a9320b3282f27f968f4eba1215713903117"
               IssueInstant="2008-07-10T18:18:23.108Z" Issuer="https://www.salesforce.com" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="2008-07-10T18:18:23.108Z" NotOnOrAfter="2008-07-10T18:23:23.108Z">
            <AudienceRestrictionCondition>
                <Audience>https://saml.salesforce.com</Audience>
            </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="2008-07-10T18:18:23.161Z"
                                 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <Subject>
                <NameIdentifier>foobar@salesforce.com</NameIdentifier>
                <SubjectConfirmation>
                    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
                </SubjectConfirmation>
            </Subject>
        </AuthenticationStatement>
    </Assertion>
</Response>


Jong

jonglee
Your assertion is invalid because you have AttributeStatement as a child of AuthenticationStatement.  AttributeStatement should be a child of Assertion.

See my example: if you use username in the subject mapping, AttributeStatement is optional.

thanks
Jong
jonglee
A sample message using Attribute as the subject, notice I did not include the dsig:Signature.

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2008-07-10T18:42:44.284Z" MajorVersion="1"
          MinorVersion="1" Recipient="http://localhost:9000"
          ResponseID="_6ccb8357de3c905349ca14e42d9bf97d1215715364285">
    <Status>
        <StatusCode Value="samlp:Success"></StatusCode>
    </Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
               AssertionID="_818891251f47ba13b15f600c301749df1215715364284" IssueInstant="2008-07-10T18:42:44.284Z"
               Issuer="https://www.salesforce.com" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="2008-07-10T18:42:44.284Z" NotOnOrAfter="2008-07-10T18:47:44.284Z">
            <AudienceRestrictionCondition>
                <Audience>https://saml.salesforce.com</Audience>
            </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="2008-07-10T18:42:44.284Z"
                                 AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <Subject>
                <NameIdentifier>who cares</NameIdentifier>
                <SubjectConfirmation>
                    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
                </SubjectConfirmation>
            </Subject>
        </AuthenticationStatement>
        <AttributeStatement>
            <Subject>
                <NameIdentifier>who cares</NameIdentifier>
                <SubjectConfirmation>
                    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
                </SubjectConfirmation>
            </Subject>
            <Attribute AttributeName="SFDC_SUBJECT_ATTR" AttributeNamespace="SFDC_SUBJECT_ATTR_URI">
                <AttributeValue>foobar</AttributeValue>
            </Attribute>
        </AttributeStatement>
    </Assertion>
</Response>


vshyam121
Ugh, I tried everything... it's still not working. Here's what I have right now; it looks similar to yours, but I still get the Assertion Invalid error:
 
<samlp:Response
        xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        MajorVersion="1" MinorVersion="1"
        ResponseID="<RESPONSE_ID>"
        Recipient="<ACS_URL>"
        IssueInstant="<ISSUE_INSTANT>">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference
                URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces
                            PrefixList="#default saml ds xs xsi"
                            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>
                    Kclet6XcaOgOWXM4gty6/UNdviI=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            hq4zk+ZknjggCQgZm7ea8fI7...Hr7wHxvCCRwubfZ6RqVL+wNmeWI4=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxNVBAYTAlVT
                    MRIwEAYDVQQIEwlXaXNjb .....  dnP6Hr7wHxvCCRwubnZAv2FU78pLX
                    8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdioG8cCx3w/w==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <saml:Assertion
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
            MajorVersion="1" MinorVersion="1"
            AssertionID="<ASSERTION_ID>"
            Issuer="Shyam"
            IssueInstant="<ISSUE_INSTANT>">
        <saml:Conditions
                NotBefore="<NOT_BEFORE>"
                NotOnOrAfter="<NOT_ON_OR_AFTER>">
            <AudienceRestrictionCondition>
                <Audience>
                    https://saml.salesforce.com
                </Audience>
            </AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AuthenticationStatement
                AuhenticationMethod="urn:oasis:names:tc:SAML:1.0:am:Password"
                AuthenticationInstant="<AUTHN_INSTANT>">
            <saml:Subject>
                <saml:NameIdentifier>
                    <USERNAME_STRING>
                </saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>
                        urn:oasis:names:tc:SAML:1.0:cm:bearer
                    </saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
        </saml:AuthenticationStatement>
    </saml:Assertion>
</samlp:Response>

Thanks for your responses.
jonglee
I can't find an obvious problem by just quickly scanning through your sample assertion.  It seems you might need to log a support case and send us the whole base64-encoded Response for us to take a closer look at why we are rejecting it.  Sorry for the inconvenience.

thanks
Jong Lee
Salesforce.com
vshyam121
I'm sorry but I'm having some trouble finding the place where you can submit cases. Could you give me the link?
 
Thanks.
vshyam121
Never mind... got it.
vshyam121

I was able to make a case in my Salesforce account but I'm not too sure if I did it correctly... anyway, here is the base64-encoded SAML response. The signature is actually invalid, but still, it should say signature invalid and not assertion invalid in the login history.

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


Thanks.

vshyam121
I just noticed that the base64-encoded message that I put up got cut off, because I think it was too long. Here's the rest of it:
 
 
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

 
Thanks.
jonglee
Got both parts, but when I base64-decoded it, I noticed there is garbage data after the SAMLResponse, e.g.:
</saml:Assertion></samlp:Response> � H�\�

So please make sure you encode the base64 properly. 
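Putting Jong's two points together, as an added example that is not code from the thread or from Salesforce: the SAMLResponse field is the base64 of the whole <samlp:Response> (no line breaks, nothing appended), TARGET carries the post-login URL for SAML 1.1, and the form that delivers them should quote and HTML-escape every attribute value (the form in the first post left the TARGET value unquoted). The last function reproduces the relying party's first steps and reports exactly the symptom Jong saw, bytes trailing the closing tag, along with invalid base64 or a root element that is not samlp:Response. The Response document and the ACS URL https://acs.example.invalid/saml are constructed stand-ins; the real Response is the signed document discussed above.

```python
import base64
import binascii
import html
import urllib.parse
import xml.etree.ElementTree as ET
from typing import List

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"

# Constructed stand-in for the signed <samlp:Response> an IdP would emit; the real one
# carries the saml:Assertion and ds:Signature shown elsewhere in the thread.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="%s" MajorVersion="1" MinorVersion="1" '
    'ResponseID="_r1" Recipient="https://acs.example.invalid/saml" '
    'IssueInstant="2008-07-10T18:18:23Z">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    "</samlp:Response>\n"
) % SAMLP_NS


def encode_saml_response(response_xml: str) -> str:
    """The SAMLResponse form value: plain base64 of the UTF-8 bytes of the whole
    Response document, with no line breaks and nothing appended after it."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def build_post_body(saml_response_b64: str, target_url: str) -> str:
    """application/x-www-form-urlencoded body for the SAML 1.1 browser/POST profile.
    SAML 1.1 names the return URL TARGET; RelayState is the SAML 2.0 name."""
    return urllib.parse.urlencode({"SAMLResponse": saml_response_b64, "TARGET": target_url})


def build_post_form(acs_url: str, saml_response_b64: str, target_url: str) -> str:
    """Self-posting HTML form. Every attribute value is quoted and escaped, so a URL
    containing '?', '&' or '"' cannot break out of its value attribute."""
    return (
        '<form name="acsForm" action="{acs}" method="post">\n'
        '  <input type="hidden" name="SAMLResponse" value="{resp}"/>\n'
        '  <input type="hidden" name="TARGET" value="{target}"/>\n'
        '  <input type="submit" value="Submit"/>\n'
        "</form>"
    ).format(acs=html.escape(acs_url), resp=html.escape(saml_response_b64),
             target=html.escape(target_url))


def check_encoded_response(saml_response_b64: str) -> List[str]:
    """What the relying party does first: strict base64 decode, then require the bytes
    to be one well-formed XML document rooted at samlp:Response with nothing trailing.
    Returns a list of findings; an empty list means the field is clean."""
    findings = []
    try:
        raw = base64.b64decode(saml_response_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return ["SAMLResponse is not valid base64: %s" % exc]
    end = raw.rfind(b">") + 1          # end of the last tag; anything after it is suspect
    tail = raw[end:]
    if tail.strip():                   # whitespace after the root element is harmless
        findings.append("garbage after the closing tag: %r" % tail[:16])
        raw = raw[:end]                # keep checking what precedes the garbage
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        findings.append("decoded bytes are not well-formed XML: %s" % exc)
        return findings
    if root.tag != "{%s}Response" % SAMLP_NS:
        findings.append("root element is %s, expected samlp:Response" % root.tag)
    return findings


if __name__ == "__main__":
    b64 = encode_saml_response(SAMPLE_RESPONSE_XML)
    print(build_post_form("https://acs.example.invalid/saml", b64,
                          "https://na2.salesforce.com/home/home.jsp"))
    print("clean:", check_encoded_response(b64))
    # Constructed reproduction of the symptom Jong reported: bytes after </samlp:Response>.
    tainted = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8") + b"\x00 H\xff").decode("ascii")
    print("tainted:", check_encoded_response(tainted))
```

Running the check on your own encoder's output before posting it is cheaper than a support case: a "garbage after the closing tag" finding points at the encoder or the copy/paste path, a base64 error at chunking or padding, and a wrong root element at posting a bare Assertion instead of the Response.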
vshyam121
Hmm, that's weird, because when I decode it I don't see any garbage at the end.
All I'm doing to encode it is the following:
 
// org.apache.commons.codec.binary.Base64 (Apache Commons Codec); the no-arg constructor encodes without line breaks
Base64 base64Encoder = new Base64();
// Encode the UTF-8 bytes of the XML rather than platform-default bytes; the output is pure ASCII
byte[] base64EncodedByteArray = base64Encoder.encode(responseXmlString.getBytes(java.nio.charset.StandardCharsets.UTF_8));
String base64EncodedMessage = new String(base64EncodedByteArray, java.nio.charset.StandardCharsets.US_ASCII);
 
 
where responseXmlString is the actual saml response in string format. I don't see anything wrong with the code maybe you can...
jonglee
Two possibilities:
a) the xmlResponse contains bad characters which are then translated into garbage data by the base64 encoding;
not likely, but possible
b) some cut/paste issue here; most likely

Anyway, I went ahead and hand-modified your sample, removed the garbage data, and fixed up the SignatureValue
and X509Certificate data (since you removed some data and put "..." and our parser complains they are not valid
base64Binary).

Then the real problem is in the AuthenticationStatement, where you have an "AuhenticationMethod" attribute: notice the typo there.

vshyam121
Wow, yes, it works!! There were some things that bugged me though. One was that when I put in the audience as https://saml.salesforce.com it kept saying audience invalid. I had it exactly like you had it. But when I took it out, since it wasn't required, it worked. Good thing you found that typo in the authentication method, or else I would have gone crazy. I figured my XML signer would have caught any syntax errors when it went through the response, but I guess not.
 
Anyway, thanks for your time and patience. I really appreciate it, jong lee!
 
 
vshyam121
I do have one more question though... if the company decides to use a Federation ID, then it would be ridiculous for the administrator to go through each of the users (say this company has over 1000 employees) and put a Federation ID in their Salesforce accounts. Is this the only way it can be done now? Is there any way to automate this part?
 
If not, what I was thinking was that we could have the Federation ID associated with the Salesforce username in a database that is accessible by the client application. So when a user wants to SSO, we look up the associated Salesforce username and send that in the assertion... seems like that might work. I did have a problem with sending the username in the assertion. It kept saying subject confirmation error. My username is v.shyam121@gmail.com, so does this username need to be like xxxx@salesforce.com?
 
 
Thanks again.
jonglee
Audience is optional, but if it's present, it must be "https://saml.salesforce.com".  Your sample worked for me after I corrected the "AuthenticationMethod".  I did not see an invalid Audience error.  Please double-check that your runtime is actually passing in the right value.  But as I said, it's optional.
jonglee
You can use Data Loader or your own API client to set the FederationId:

code snippet:

// Enterprise WSDL client. SSOID_FIELD is the field list to retrieve; assumed here to be "FederationIdentifier" (not shown in the original snippet)
String SSOID_FIELD = "FederationIdentifier";
SObject[] objs = connection.retrieve(SSOID_FIELD, "User", new String[]{userid});
((User) objs[0]).setFederationIdentifier(samlSubject);   // samlSubject: the value the IdP will send as the assertion subject
SaveResult[] result = connection.update(new SObject[]{objs[0]});

If you are using username as the subject, it must be your SFDC username, which does not have to be xxx@salesforce.com; it should work if v.shyam121@gmail.com is the actual SFDC username. 

Subject confirmation error indicates the SubjectConfirmation is not "urn:oasis:names:tc:SAML:1.0:cm:bearer".

thanks
Jong Lee
Salesforce.com
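As an added example (not code from the thread or from Salesforce), a Python preflight check that applies the structural rules Jong states across his replies: Recipient set on the Response (his second reply), AttributeStatement a child of Assertion rather than of AuthenticationStatement, the AuthenticationMethod attribute spelled correctly (the typo he found), ConfirmationMethod equal to the bearer URI, and Audience exactly https://saml.salesforce.com when present (his last replies). The two inputs are constructed: one modeled on the defects of the original template, one corrected along the lines of Jong's sample. This is not Salesforce's validation logic; it only checks the points raised in the thread, which all apply before signature verification.

```python
import xml.etree.ElementTree as ET
from typing import List

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
SFDC_AUDIENCE = "https://saml.salesforce.com"
AUTHN_ATTRS = {"AuthenticationMethod", "AuthenticationInstant"}


def q(ns: str, local: str) -> str:
    """Clark-notation tag name, the form ElementTree uses for namespaced elements."""
    return "{%s}%s" % (ns, local)


def lint_saml11_response(xml_text: str) -> List[str]:
    """Apply the structural rules from the thread; returns a list of findings (empty = pass)."""
    found = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != q(SAMLP, "Response"):
        return ["root is %s, expected samlp:Response" % root.tag]
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        found.append("Response must carry MajorVersion=1 MinorVersion=1")
    if not root.get("Recipient"):
        found.append("Response lacks the Recipient attribute (the ACS URL)")
    code = root.find("./%s/%s" % (q(SAMLP, "Status"), q(SAMLP, "StatusCode")))
    if code is None or code.get("Value") != "samlp:Success":
        found.append("Status/StatusCode Value must be samlp:Success")
    assertions = root.findall(q(SAML, "Assertion"))
    if len(assertions) != 1:
        return found + ["expected exactly one saml:Assertion, found %d" % len(assertions)]
    assertion = assertions[0]
    if not assertion.get("Issuer"):
        found.append("Assertion lacks Issuer")
    authn = assertion.find(q(SAML, "AuthenticationStatement"))
    if authn is None:
        found.append("Assertion lacks AuthenticationStatement")
    else:
        # A misspelled attribute (AuhenticationMethod) surfaces as one unknown plus one missing.
        for name in sorted(set(authn.keys()) - AUTHN_ATTRS):
            found.append("AuthenticationStatement has unknown attribute %r" % name)
        for name in sorted(AUTHN_ATTRS - set(authn.keys())):
            found.append("AuthenticationStatement lacks %s" % name)
        if authn.find(q(SAML, "AttributeStatement")) is not None:
            found.append("AttributeStatement is nested inside AuthenticationStatement; "
                         "it must be a direct child of Assertion")
    for subj in assertion.iter(q(SAML, "Subject")):
        nid = subj.find(q(SAML, "NameIdentifier"))
        if nid is None or not (nid.text or "").strip():
            found.append("Subject lacks a NameIdentifier value")
        cm = subj.find("./%s/%s" % (q(SAML, "SubjectConfirmation"), q(SAML, "ConfirmationMethod")))
        if cm is None or (cm.text or "").strip() != BEARER:
            found.append("SubjectConfirmation/ConfirmationMethod must be %s" % BEARER)
    # Audience is optional; when present it must be exactly this string. This checker
    # compares without trimming, so newlines padding the value are reported as well.
    for aud in assertion.iter(q(SAML, "Audience")):
        if aud.text != SFDC_AUDIENCE:
            found.append("Audience must be exactly %r, got %r" % (SFDC_AUDIENCE, aud.text))
    return found


# Constructed input modeled on the defects the thread turned up: no Recipient, the
# AuhenticationMethod typo, and AttributeStatement nested in AuthenticationStatement.
BROKEN = """<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" MajorVersion="1" MinorVersion="1"
    ResponseID="_r1" IssueInstant="2008-07-10T18:18:23Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="Shyam"
      IssueInstant="2008-07-10T18:18:23Z">
    <saml:Conditions NotBefore="2008-07-10T18:18:23Z" NotOnOrAfter="2008-07-10T18:23:23Z"/>
    <saml:AuthenticationStatement AuhenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2008-07-10T18:18:23Z">
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier>user@example.com</saml:NameIdentifier>
          <saml:SubjectConfirmation><saml:ConfirmationMethod>{b}</saml:ConfirmationMethod></saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AttributeStatement>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>""".format(p=SAMLP, a=SAML, b=BEARER)

# The same Response with each point corrected, following the shape of Jong's sample.
FIXED = """<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" MajorVersion="1" MinorVersion="1"
    ResponseID="_r2" Recipient="https://acs.example.invalid/saml" IssueInstant="2008-07-10T18:18:23Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a2" Issuer="Shyam"
      IssueInstant="2008-07-10T18:18:23Z">
    <saml:Conditions NotBefore="2008-07-10T18:18:23Z" NotOnOrAfter="2008-07-10T18:23:23Z">
      <saml:AudienceRestrictionCondition><saml:Audience>{aud}</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2008-07-10T18:18:23Z">
      <saml:Subject>
        <saml:NameIdentifier>user@example.com</saml:NameIdentifier>
        <saml:SubjectConfirmation><saml:ConfirmationMethod>{b}</saml:ConfirmationMethod></saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>""".format(p=SAMLP, a=SAML, b=BEARER, aud=SFDC_AUDIENCE)

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_saml11_response(doc) or "OK")
```

Run it over the decoded Response before signing: the broken input yields four findings (missing Recipient, the unknown AuhenticationMethod attribute and the consequently missing AuthenticationMethod, and the misplaced AttributeStatement), the corrected one yields none, and an Audience padded with newlines is reported because the comparison is exact.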