eburtsev
SSO, SAML2 invalid_grant error on valid Assertion
Hello all,
I am trying to log a user in using SAML, but Salesforce always returns this error:
{"error_uri":"https://na4.salesforce.comnull/setup/secur/SAMLValidationPage.apexp","error":"invalid_grant","error_description":"invalid assertion"}
I've validated my assertion with the validator and it doesn't return any errors:
Unexpected Exceptions: Ok
1. Validating the Status: Ok
2. Looking for an Authentication Statement: Ok
3. Looking for a Conditions statement: Ok
4. Checking that the timestamps in the assertion are valid: Ok
5. Checking that the Attribute namespace matches, if provided: Not Provided
6. Miscellaneous format confirmations: Ok
7. Confirming Issuer matches: Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps: Ok
9. Checking that the Audience matches, if provided: Ok
10. Checking the Recipient: Ok
11. Validating the Signature:
    Is the response signed? true
    Is the assertion signed? true
    Is the correct certificate supplied in the keyinfo? true
    Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided: Not Provided
13. Looking for portal and organization id, if provided: Ok
My assertion:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2012-09-05T10:51:05.308Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">klkjiwhRLVPCGDVBUJET</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>DtaxFPhNdZICs/lMWkc4HGoX1bU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Up/a92xmHWZnXc59NTAB163UBSWhkGilOVuEJqrkkgJhxAaBWgx2USi4+DzByCHrFWhadqsASrY4xZGZEXQUHJ/76vP1Nnqpf4CxBVxs7vm0CqDoP62gZQOpeu0fo50N6Sw7VQlkCkwI+yl8CQ/neDY97UrrS5QWfWA9PFiRh80=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="016580df-ea43-47e4-8137-474b7537f3bc" IssueInstant="2012-09-05T10:51:06.538Z" Version="2.0">
    <saml2:Issuer>klkjiwhRLVPCGDVBUJET</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#016580df-ea43-47e4-8137-474b7537f3bc">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>wmX1fXgQGgatpYRBgTwK+YmMgLg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>IL2Ob4d2oIr2tzuM1cmsTi99zeOga698rRk6FJSo5ZHIcRnwtnLIpUOIyP+3h5eC27EB78T3DFlmZp7fdVP92pv+CDxVTETuBlNBeSTOG4FRlojdDEd+C24yeUP9h3TXMTmr//D/fX9DaHPgB/fwnG8a1OJhYYcgiaDo7IFeimQ=</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" NameQualifier="Greytower" SPNameQualifier="https://saml.salesforce.com">eugene@burtsev.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2012-09-05T11:01:06.538Z" Recipient="https://login.salesforce.com/services/oauth2/token"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2012-09-05T10:51:06.538Z" NotOnOrAfter="2012-09-05T11:01:06.538Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://saml.salesforce.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2012-09-05T10:51:06.540Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
I've used the following request to https://login.salesforce.com/services/oauth2/token:
grant_type=assertion&assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprofiles%3ASSO%3Abrowser&assertion=<Base64EncodedAssertion>
I also tried sending the data as an HTTP form.
I tried encoding the assertion in base64 and base64url, but I always get this error.
Can someone help me?
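The request above is the Salesforce SAML assertion flow: the entire signed Response, base64-encoded, posted as a form field with grant_type=assertion. As an added example (not the poster's code and not anything published by Salesforce), the script below does a local pre-flight on a Response before it is sent: it checks the same conditions the validator reports on that a relying party enforces for a bearer assertion, namely Status, matching Issuers, a signature Reference URI that points at the assertion's own ID with the enveloped-signature transform, Recipient equal to the token endpoint, the NotBefore/NotOnOrAfter window, and the Audience, and then builds the form-encoded body. The sample Response, the issuer idp.example.test, the placeholder SignatureValue and the 3-minute clock-skew tolerance are constructed for the example. It does not verify the XML signature or the certificate, so a Response that passes here can still be rejected on a key mismatch.

```python
# Added example: pre-flight checks for a SAML 2.0 Response before posting it
# with grant_type=assertion, plus the form-encoded body.  Not from the post.
# The XML signature itself is NOT verified here.
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted input use defusedxml instead

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token"
AUDIENCE = "https://saml.salesforce.com"
ASSERTION_TYPE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SKEW = dt.timedelta(minutes=3)  # assumed tolerance; the assertion itself lives 10 min


def parse_ts(s):
    """xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(s, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad xsd:dateTime {s!r}")


def check_response(xml_bytes, now=None, recipient=TOKEN_ENDPOINT, audience=AUDIENCE):
    """Return the list of problems found; an empty list means every check passed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion found"]
    if root.findtext("saml:Issuer", namespaces=NS) != assertion.findtext("saml:Issuer", namespaces=NS):
        problems.append("Response Issuer and Assertion Issuer differ")
    # The assertion signature must cover the assertion: Reference URI == "#" + ID,
    # with the enveloped-signature transform so the signature excludes itself.
    aid = assertion.get("ID")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        problems.append("assertion is not signed")
    elif ref.get("URI") != f"#{aid}":
        problems.append(f"signature Reference URI {ref.get('URI')!r} does not point at assertion ID {aid!r}")
    elif ENVELOPED not in [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]:
        problems.append("assertion signature lacks the enveloped-signature transform")
    # Bearer confirmation: Recipient must be exactly the URL the POST goes to.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            problems.append(f"Recipient {scd.get('Recipient')!r} != token endpoint {recipient!r}")
        if now - SKEW >= parse_ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if now + SKEW < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore in the future)")
        if now - SKEW >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (Conditions NotOnOrAfter passed)")
        if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            problems.append(f"Audience does not include {audience!r}")
    return problems


def build_token_request(xml_bytes):
    """Body for grant_type=assertion: the whole Response in standard Base64, then
    form-encoded so the '+', '/' and '=' of Base64 survive transport intact."""
    return urllib.parse.urlencode({
        "grant_type": "assertion",
        "assertion_type": ASSERTION_TYPE,
        "assertion": base64.b64encode(xml_bytes).decode("ascii"),
    })


def constructed_response(recipient=TOKEN_ENDPOINT, audience=AUDIENCE, assertion_id="_a1",
                         ref_uri=None, not_before="2012-09-05T10:51:06.538Z",
                         not_on_or_after="2012-09-05T11:01:06.538Z"):
    """Constructed input with the post's layout; SignatureValue is a placeholder."""
    ref_uri = f"#{assertion_id}" if ref_uri is None else ref_uri
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}"><ds:Transforms>
      <ds:Transform Algorithm="{ENVELOPED}"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms></ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}" Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()
```

Run check_response on the exact bytes you are about to encode, with the clock the IdP used; the 10-minute window in the post means a skewed client clock is enough to fail step 4 at the server side even when the validator, run later by hand, reports the timestamps as fine. The assertion field is standard Base64 of the whole Response, and urlencode takes care of escaping its '+' and '=' characters, which a hand-built query string like the one in the post would have to do itself.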
Hello!
I am having the same issue. Have you resolved it? If so, please share the solution.
Thank you :)