• Anil_R
  • NEWBIE
  • 0 Points
  • Member since 2009

  • Chatter
    Feed
  • 0
    Best Answers
  • 0
    Likes Received
  • 0
    Likes Given
  • 1
    Questions
  • 2
    Replies

Hi,

 

I'm trying to generate SAML according to Salesforce's documentation. After a full day of trying different tweaks I'm still stuck. My SAML (version 1.1) looks correct to me, but when I post it to Salesforce in a "SaMLResponse" field it logs the error "Failed: Assertion Invalid" along with the login name specified in the SAML. Does anyone know how to debug this, or perhaps a comparison to a working SAML response would help...

 

I tried using the SAML validator in Salesforce. It tells me everything is "ok" (in green) execpt for two things:

"6. Checking that the Attribute namespace matches, if provided"  returns "Unknown"

"7. Miscellaneous format confirmations" returns "Unknown"

The validator did not return any red error messages, however I have no clue what the two Uknown messages mean.

 

I've tried different types of SSO configuration in Salesforce, both with a NameIdentifier and User ID is in an Attribute element, neither of the work, however Salesforce always logs the username in the logs - so that appears to be working.

 

Here's a sample SAML - if anyone has ideas on what's wrong I'd really appreciated it:

 

 

<samlp:Response IssueInstant="2009-06-07T18:26:42.8641119-07:00" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com/?saml=EK03Almz90eBaMTm4Lf8DUU3._uQLw9jeP6QZwo.ASrEk7qB4.A.CkD.ICUbSDUnEEDQrlHtPJyJcn5mZX5bFMi4aInRUbd_Flvt1yAQmd08jWN6y6pWt6E3NC" ResponseID="12346626" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success" />
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="TestAnil8382" Issuer="MYISSUER" IssueInstant="2009-06-07T18:26:42.8641119-07:00" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2009-06-07T18:21:42.8641119-07:00" NotOnOrAfter="2009-06-07T18:36:42.8641119-07:00">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="MyLoginAttributeName" AttributeNamespace="
http://myuri.com">
        <saml:AttributeValue>sfUserLogin@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-06-07T18:26:42.8641119-07:00">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
  <Signature xmlns="
http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="
http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>UIwW0FHhBNx4PiTLPi9nIRoJfI4=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>[Trimmed]</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[Trimmed]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:Response>
 

The Force.com IDE for Spring '10 was originally scheduled for release this week, following completion of the Spring '10 server rollouts.  With the rescheduling of those final Spring '10 rollouts, we are also rescheduling the release of the Force.com IDE for Spring '10.

 

The new release date for the Force.com IDE for Spring '10 will be the week following the final Spring '10 server upgrade.  This date will be announced on Friday, February 19th.

 

Jon

salesforce.com Product Manager 

  • February 16, 2010
  • Like
  • 0

Hi,

 

I'm trying to generate SAML according to Salesforce's documentation. After a full day of trying different tweaks I'm still stuck. My SAML (version 1.1) looks correct to me, but when I post it to Salesforce in a "SaMLResponse" field it logs the error "Failed: Assertion Invalid" along with the login name specified in the SAML. Does anyone know how to debug this, or perhaps a comparison to a working SAML response would help...

 

I tried using the SAML validator in Salesforce. It tells me everything is "ok" (in green) execpt for two things:

"6. Checking that the Attribute namespace matches, if provided"  returns "Unknown"

"7. Miscellaneous format confirmations" returns "Unknown"

The validator did not return any red error messages, however I have no clue what the two Uknown messages mean.

 

I've tried different types of SSO configuration in Salesforce, both with a NameIdentifier and User ID is in an Attribute element, neither of the work, however Salesforce always logs the username in the logs - so that appears to be working.

 

Here's a sample SAML - if anyone has ideas on what's wrong I'd really appreciated it:

 

 

<samlp:Response IssueInstant="2009-06-07T18:26:42.8641119-07:00" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com/?saml=EK03Almz90eBaMTm4Lf8DUU3._uQLw9jeP6QZwo.ASrEk7qB4.A.CkD.ICUbSDUnEEDQrlHtPJyJcn5mZX5bFMi4aInRUbd_Flvt1yAQmd08jWN6y6pWt6E3NC" ResponseID="12346626" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success" />
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="TestAnil8382" Issuer="MYISSUER" IssueInstant="2009-06-07T18:26:42.8641119-07:00" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2009-06-07T18:21:42.8641119-07:00" NotOnOrAfter="2009-06-07T18:36:42.8641119-07:00">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="MyLoginAttributeName" AttributeNamespace="
http://myuri.com">
        <saml:AttributeValue>sfUserLogin@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-06-07T18:26:42.8641119-07:00">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
  <Signature xmlns="
http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="
http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>UIwW0FHhBNx4PiTLPi9nIRoJfI4=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>[Trimmed]</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[Trimmed]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:Response>