Sachin_K

Salesforce SSO SAML Validation

Hi All,

I am creating a SAML assertion for Salesforce SSO. I used OpenSAML to create the assertion, and keytool to create the certificates.

I am getting the following error when I validate my SAML response against the SAML validator in Salesforce:

11. Validating the Signature
  Is the response signed? false
  Is the assertion signed? true
  Is the correct certificate supplied in the keyinfo? true
  An exception was thrown on signature validation: java.security.SignatureException: Signature encoding error
  Certificate specified in settings: CN=dev.comityworks.com Expiration: 21 Oct 2012 07:15:05 GMT
  Certificate specified in this assertion: CN=dev.comityworks.com Expiration: 21 Oct 2012 07:15:05 GMT

 

The SAML response is below:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Version="2.0" IssueInstant="2012-07-20T06:05:17.364Z"
                Destination="https://login.salesforce.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">dev.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="1234" IssueInstant="2012-07-20T06:05:17.364Z" Version="2.0">
    <saml:Issuer>dev.com</saml:Issuer>
    <!-- Enveloped signature over the Assertion: Reference URI="#1234" points at the Assertion ID -->
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#1234">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>Xz8bJqroWKcnrUzBypQy87Z3fNU=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
        RjZ6JDl3HpFw+Jy8t19tKG9E0ED0cN7Xr7Ax56sPjSQaEFT9nSsM7NonzK6C/DHzJe63Jnv4+rXg
        ZFjcTrfzlXSwGkcUREyTgLM4vOjBEz459bBcWVEMuMPUUXDOpCrdP3lSSuhrBzzEb3SXOlma8+lg
        qf7WUrxv1z6VswxQEgzIwsObZNWshQ5LWuysw5txdN/8vmOgvlG+9X2PTP+K+dBEolPiRvscnj/K
        vDWHueO7NU2AmVEKR0Lv3F7CJC/cY21xRAoyIILoAcUj+8sXkUI4jwib/Ik2T9+jYKN6+ZmTFo9k
        cdcSXKlXNEt1jROC+YeZXaalkxY7yo8Dey/GvA==
      </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>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</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">sachin@cloudsquads.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- NotOnOrAfter is a full year after IssueInstant; bearer confirmation data is normally valid for minutes -->
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-20T05:23:17.364Z"
                                      Recipient="https://login.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-07-20T05:23:17.364Z" NotOnOrAfter="2013-07-20T05:23:17.364Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-07-20T06:05:17.364Z" SessionIndex="1234">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

 

kranjan

Hey Sachin,

I am also trying to implement the SAML assertion, and while validating it I am getting the same signing errors that you got. I would really appreciate it if you could tell me how you resolved your issue. We have uploaded the certificate and are supplying the same one in the X509Certificate element, but it is still throwing the following errors:

Is the response signed? false
Is the assertion signed? false
Is the correct certificate supplied in the keyinfo? false
Certificate specified in settings: OU=IT Department, O=Make Positive, EMAILADDRESS=mandeep.singh@makepositive.com, C=UK, ST=NH, CN=MakePositive Root Certificate Authority Expiration: 11 Nov 2017 09:52:55 GMT

 

Thanks in advance.

Regards

kranjan

Hi,

I could resolve the first three of these errors. They were because the SAML XML used for the signature was missing the ds prefix, which is required, with its namespace assigned appropriately. An example is shown below:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_0f551f9288c8b76f21c3d4d15c9cd1df1290476801091">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>4NVTbQ2WavD+ZBiyQ7ufc8EhtZw=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>---</ds:SignatureValue>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>---</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</ds:Signature>

 

 

However, I am still not able to get past the following errors for the signature:

Signature or certificate problems
The signature in the response is not valid

 

I have supplied the private key as the Signature and also tried its MD5 hash, but it did not work. :(

Regards
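
The following is an added example, not code from either poster and not OpenSAML or Salesforce code. It shows the RSA PKCS#1 v1.5 layer that sits underneath an rsa-sha1 SignatureValue, which is where both threads' symptoms live. In the JDK's RSA signature implementation, verification returns false when the RSA-decrypted block fails PKCS#1 unpadding (the wrong key, or corrupted signature bytes), and throws SignatureException("Signature encoding error"), the exception in the first post, when the unpadded block does not parse as a DigestInfo for the digest that SignatureMethod declares (for example, a value signed over a SHA-256 DigestInfo but labelled rsa-sha1). It also makes concrete what goes where for the later post: the private key is only an input to sign(); what is transmitted is the signature bytes (SignatureValue) and the certificate (KeyInfo), never the key. Assumptions: the key is a toy built from two public Mersenne primes and is insecure by construction; SIGNED_INFO is a constructed stand-in for the exclusive-c14n output of a real SignedInfo element, since canonicalization itself is out of scope here.

```python
"""Added example: PKCS#1 v1.5 signing/verification behind an XML-DSig rsa-sha1
SignatureValue, mirroring the three outcomes the JDK verifier reports."""
import base64
import hashlib

# Toy RSA key from two public Mersenne primes (assumption, INSECURE, demo only).
P = (1 << 521) - 1          # M521
Q = (1 << 607) - 1          # M607
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (141 here)

# DER DigestInfo prefixes from RFC 8017 section 9.2; the prefix is what binds
# a PKCS#1 v1.5 signature to one specific digest algorithm.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# Constructed stand-in for the canonicalised <ds:SignedInfo> bytes.
SIGNED_INFO = (b'<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
               b'<ds:Reference URI="#1234"></ds:Reference></ds:SignedInfo>')


def emsa_pkcs1_v15_encode(hash_name, message, em_len):
    """EMSA-PKCS1-v1_5 block: 0x00 0x01 || PS (0xff...) || 0x00 || DigestInfo || H(m)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(hash_name, message, d=D, n=N):
    """Private-key operation. Its output (base64) is the <SignatureValue>;
    the private key itself never appears in the XML."""
    em = emsa_pkcs1_v15_encode(hash_name, message, K)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(K, "big")


def verify(hash_name, message, signature, e=E, n=N):
    """Public-key check in the shape of the JDK's RSASignature.engineVerify:
    bad padding -> False; DigestInfo not matching the declared digest ->
    ValueError('Signature encoding error'); otherwise compare digests."""
    if len(signature) != K:
        raise ValueError("Signature length not correct")
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False                       # wrong key / corrupted bytes
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):   # PS must be >= 8 x 0xff
        return False
    t = em[sep + 1:]
    prefix = DIGEST_INFO[hash_name]
    if not t.startswith(prefix) or len(t) != len(prefix) + hashlib.new(hash_name).digest_size:
        raise ValueError("Signature encoding error")
    return t[len(prefix):] == hashlib.new(hash_name, message).digest()


def signature_value(signature):
    """Base64 text for <SignatureValue>. The line wrapping seen in the thread
    is legal in XML-DSig; b64decode drops the newlines again."""
    return base64.encodebytes(signature).decode("ascii")


def demo_outcomes(message=SIGNED_INFO):
    """Sign the SignedInfo as rsa-sha1 and report what a verifier sees."""
    sig = sign("sha1", message)
    assert base64.b64decode(signature_value(sig)) == sig
    tampered_sig = sig[:-1] + bytes([sig[-1] ^ 0x01])
    outcomes = {
        "valid": verify("sha1", message, sig),
        "tampered_message": verify("sha1", message + b" ", sig),
        "tampered_signature": verify("sha1", message, tampered_sig),
    }
    # Signed over a SHA-256 DigestInfo but declared rsa-sha1: the padding is
    # fine, the DigestInfo is not, which is the "encoding error" case.
    try:
        verify("sha1", message, sign("sha256", message))
        outcomes["wrong_digest_declared"] = "verified"
    except ValueError as err:
        outcomes["wrong_digest_declared"] = str(err)
    return outcomes


if __name__ == "__main__":
    for name, result in demo_outcomes().items():
        print(f"{name}: {result}")
```

Running it prints one line per case: a valid signature verifies, a changed message or changed signature byte yields False, and a SHA-256 DigestInfo checked as rsa-sha1 raises "Signature encoding error" rather than returning False. When a real verifier reports that exception, the place to look is whether the signer's digest and key match what SignatureMethod and KeyInfo claim, not the XML prefixes.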

fgwarb_dev
Did you ever find a solution?