satyap

SSO to sites using ping federate

Hi,

We are using Ping Identity (SAML 2.0) for SSO into Sites. The Site is associated with a partner portal. If I don't give siteURL, I'm able to successfully log in to the partner portal. However, if I use siteURL, I'm getting a "Replay Detected" error. It logs in and I guess somehow a new request is coming in. Below are the error and the SAML assertion.

8/19/2010 10:12:55 PM PDT | 58.32.239.82 | SAML Site SSO | Failed: Replay Detected | cs3.salesforce.com
8/19/2010 10:12:52 PM PDT | 58.32.239.82 | SAML Site SSO | Success | cs3.salesforce.com


 <Response IssueInstant="2010-08-20T04:42:45.371Z" ID="jxF4EUmkBlHYokyA91_c5F7RssS" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Issuer>https://ssod1.xxxxxxxx.com/saml2</saml:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <saml:Assertion Version="2.0" IssueInstant="2010-08-20T04:42:45.373Z" ID="t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
    <saml:Issuer>https://ssod1.xxxxxxxx.com/saml2</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>6hmEvvGmeN/Ukz1u/yeeivegMz4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WMLxDMqHXteSmt5Z4AL81jPYjOF5hk9oT6pA4l4a24bhhC9XYH6JbHw9Ln4CXwAwpDebUwtCWa1N
NZkwGa6U4PhlXn6Xlnazc/JuEz51hWemkINiBQOWFlqLyEUhv7yiKAKGQJE8nIR+pkOC+NU+1f/p
jUt29UdCMirSJZ/gO+0=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">200709120228664</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-08-20T04:46:45.374Z" Recipient="https://cs3.salesforce.com/?saml=MgoTx78aEPC5RZR2VydTkscLHwiqT5gc8SMOClzEN0Sj4oKjpfyR.xxxxxxxxxxxxxxxxxx=="/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2010-08-20T04:46:45.374Z" NotBefore="2010-08-20T04:41:45.374Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-08-20T04:42:45.373Z" SessionIndex="t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="siteUrl">
        <saml:AttributeValue xsi:type="xs:string">https://xxxxxxxxsupport.xxxxsfdev.cs3.force.com/ppSiteLogin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="GUID">
        <saml:AttributeValue xsi:type="xs:string">200709120228664</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="portal_id">
        <saml:AttributeValue xsi:type="xs:string">060300000005W44</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="organization_id">
        <saml:AttributeValue xsi:type="xs:string">00DQ0000000AnvB</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="startUrl">
        <saml:AttributeValue xsi:type="xs:string">pphomepagelinks</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userId">
        <saml:AttributeValue xsi:type="xs:string">rluke</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="SFDC_USER_ID">
        <saml:AttributeValue xsi:type="xs:string">200709120228664@xxxxxxxx.com.xxxxsfdev</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userType">
        <saml:AttributeValue xsi:type="xs:string">external</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</Response>

entityId: https://saml.salesforce.com (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: https://xxxxxxxxsupport.xxxxsfdev.cs3.force.com
Endpoint: https://cs3.salesforce.com/?saml=MgoTx78aEPC5RZR2VydTkscLHwiqT5gc8SMOClzEN0Sj4oKjpfyR.cZYMP5e5V0thmAA14D6E2YV1XZYwty==
SignaturePolicy: DO_NOT_SIGN

GHping

Hello,

I understand that you use Ping for SAML SSO. I happen to work for Ping and would like to get you in contact with the right people who can support you. Feel free to email me at ghilgers@pingidentity.com so I can get you help from our technical staff. Your organization and contact info would be appreciated so we can get to the bottom of this.

Best Regards,

Graham

TooTallSid

I am a little unclear on the configuration. I assume that you are using Ping Federate as part of your identity provider (IDP) and attempting to SSO to Salesforce (SFDC) as the relying party (RP). I am not sure what the "siteURL" means.

Anyhow, I see a success response from SFDC followed by a replay response 3 seconds later. It would seem that somehow the same request got submitted twice, before the expiration time in NotOnOrAfter. To quote the SAML spec:

  • 4.1.4.5 POST-Specific Processing Rules
    If the HTTP POST binding is used to deliver the <Response>, the enclosed assertion(s) MUST be
    signed.
    The service provider MUST ensure that bearer assertions are not replayed, by maintaining the set of used
    ID values for the length of time for which the assertion would be considered valid based on the
    NotOnOrAfter attribute in the <SubjectConfirmationData>.

To echo Graham, we'd love to help you so open a support case, either through the customer portal or by sending an email to support@pingidentity.com. In the unlikely event that you are not already a paying support customer, that's okay - we'll still try to help you so that we can convince you of the quality of our world-class support. When you buy Ping Identity products, you're not just a customer, you're a partner.

    Sid
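The replay rule Sid quotes, worked through as an added example (this is not code from the thread, from Ping Identity, or from Salesforce). It is a minimal SP-side consumer in Python: it checks the assertion's validity window, Audience and Recipient, then records the assertion ID in a cache that keeps each ID only until that assertion's NotOnOrAfter, which is exactly the retention the profile text requires. Presenting the same POST a second time a few seconds later yields the same kind of "Replay Detected" outcome the login history shows. Assumptions: the sample response is constructed from the one posted above with the ds:Signature and the attribute statement removed and the masked Recipient token replaced by the placeholder RECIPIENT_TOKEN; the status strings and the names SP_ENTITY_ID, SP_RECIPIENT, ReplayCache and consume_response are illustrative, not Salesforce's; XML signature verification is out of scope here and in a real SP must succeed before any of these checks are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What this (hypothetical) SP expects. The audience matches the thread; the
# Recipient token is a placeholder standing in for the masked value in the post.
SP_ENTITY_ID = "https://saml.salesforce.com"
SP_RECIPIENT = "https://cs3.salesforce.com/?saml=RECIPIENT_TOKEN"

# Constructed sample: the posted response with ds:Signature and the
# AttributeStatement removed. A real SP verifies the signature and the
# Issuer BEFORE running any of the checks below.
SAMPLE_RESPONSE = """<Response IssueInstant="2010-08-20T04:42:45.371Z" ID="jxF4EUmkBlHYokyA91_c5F7RssS" Version="2.0"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://ssod1.xxxxxxxx.com/saml2</saml:Issuer>
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
  <saml:Assertion Version="2.0" IssueInstant="2010-08-20T04:42:45.373Z" ID="t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
    <saml:Issuer>https://ssod1.xxxxxxxx.com/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">200709120228664</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-08-20T04:46:45.374Z"
          Recipient="https://cs3.salesforce.com/?saml=RECIPIENT_TOKEN"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2010-08-20T04:46:45.374Z" NotBefore="2010-08-20T04:41:45.374Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</Response>"""


def parse_saml_time(value):
    """xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


class ReplayCache:
    """Used bearer-assertion IDs, each kept until its own NotOnOrAfter has passed.

    An ID whose validity window is over can be forgotten: a re-presentation
    would already be rejected by the time check, so the set stays bounded.
    """

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter (aware datetime)

    def live_ids(self, now):
        """Drop expired entries and return the IDs still being tracked."""
        self._seen = {i: exp for i, exp in self._seen.items() if now < exp}
        return set(self._seen)

    def record(self, assertion_id, not_on_or_after, now):
        """True if the ID is fresh and is now recorded; False if already used."""
        if assertion_id in self.live_ids(now):
            return False
        self._seen[assertion_id] = not_on_or_after
        return True


def consume_response(xml_text, cache, now):
    """Validate the bearer assertion the way an SP must; return a status string."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return "Failed: No assertion"
    assertion_id = assertion.get("ID")

    conds = assertion.find("saml:Conditions", NS)
    not_before = parse_saml_time(conds.get("NotBefore"))
    not_on_or_after = parse_saml_time(conds.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return "Failed: Assertion outside its validity window"

    audience = conds.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        return "Failed: Audience mismatch"

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != SP_RECIPIENT:
        return "Failed: Recipient mismatch"
    bearer_expiry = parse_saml_time(scd.get("NotOnOrAfter"))
    if now >= bearer_expiry:
        return "Failed: SubjectConfirmation expired"

    # Profile section 4.1.4.5: each assertion ID may be accepted only once
    # while it is still valid.
    if not cache.record(assertion_id, bearer_expiry, now):
        return "Failed: Replay Detected"
    return "Success"


if __name__ == "__main__":
    cache = ReplayCache()
    first = parse_saml_time("2010-08-20T04:42:48.000Z")
    second = parse_saml_time("2010-08-20T04:42:51.000Z")  # same POST again, 3 s later
    print(consume_response(SAMPLE_RESPONSE, cache, first))   # Success
    print(consume_response(SAMPLE_RESPONSE, cache, second))  # Failed: Replay Detected
```

The first presentation succeeds and the second, three seconds later, is refused because the same assertion ID is still inside its window; after NotOnOrAfter the cache drops the ID, and a late re-presentation fails on the time check instead. Note that the cache must be shared by every node that can receive the POST, otherwise a second submission landing on a different server would be accepted.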