• nishant
Hello,

I've developed an application to implement SSO using a SAML assertion. Earlier I used to post the startURL and logoutURL along with the SAML assertion to the Salesforce login page, and after validation of the assertion I was redirected to the start page I had posted. Also, when I logged out I was redirected to the logout URL I had posted while logging in. But it has stopped working for me now. Now, even though I post these URLs, I'm still redirected to the Salesforce default start page and logout page. This feature is working for SSO using delegated authentication. Can someone please clarify if there have been changes with respect to support for these features for SAML assertion based SSO?

Thanks
Nishant


Hi,

I'm trying to implement SSO using SAML. The SAML assertion which I'm posting is giving an "Assertion Invalid" error in the login history.
Could anyone please tell me what the error in my assertion is?

I'm posting the following assertion:
<samlp:Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    MajorVersion="1" MinorVersion="1"
    ResponseID="_6ccb8357de3c905349ca14e42d9bf97d1215715364285"
    Recipient="https://login.salesforce.com"
    IssueInstant="2008-08-31T18:42:44.284Z">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference
                URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces
                            PrefixList="#default saml ds xs xsi"
                            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>
                    Kclet6XcaOgOWXM4gty6/UNdviI=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            hq4zk+ZknjggCQgZm7ea8fI7Hr7wHxvCCRwubfZ6RqVL+wNmeWI4=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxNVBAYTAlVT
                    MRIwEAYDVQQIEwlXaXNjb dnP6Hr7wHxvCCRwubnZAv2FU78pLX
                    8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdioG8cCx3w/w==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
        MinorVersion="1"
        AssertionID="_818891251f47ba13b15f600c301749df1215715364284"
        Issuer="demoIDP" IssueInstant="2008-08-31T18:42:44.284Z">
        <saml:Conditions NotBefore="2008-08-31T18:42:44.284Z"
            NotOnOrAfter="2008-08-31T18:47:44.284Z">
        </saml:Conditions>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:Password"
            AuthenticationInstant="2008-08-31T18:42:44.284Z">
            <saml:Subject>
                <saml:NameIdentifier>
                    news4nishant@gmail.com
                </saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>
                        urn:oasis:names:tc:SAML:1.0:cm:bearer
                    </saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
        </saml:AuthenticationStatement>
    </saml:Assertion>
</samlp:Response>

The base64 encoded value of the above assertion that I post is:

The signature and time limits would be invalid, but instead of giving these errors I get an "Assertion Invalid" error. Please help me.

Thanks
Nishant
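Two things are visible in the response posted above before any cryptography is involved: the ds:Reference URI (#_a75adf55-01d7-40cc-929f-dbd8372ebdfc) matches neither the ResponseID nor the AssertionID, so a verifier cannot resolve which element was digested, and the SignatureValue and X509Certificate are not whole base64 (53 and 166 characters once whitespace is removed), which fits the poster's own note that the signature is not valid. The checker below is an added example, not code from the post or from Salesforce: it runs the structural checks a relying party needs to pass before signature verification is even attempted (reference resolution, base64 sanity, Recipient, Issuer, validity window with clock skew, NameIdentifier, bearer confirmation). The embedded SAMPLE_RESPONSE is the posted response compacted, with its DigestValue, SignatureValue and X509Certificate exactly as posted; the expected Recipient and Issuer, the 3-minute skew, and the audit_sample helper are assumptions of this example.

```python
"""Structural pre-checks on a SAML 1.1 <samlp:Response>, run before signature verification.
Added example, not Salesforce code. SAMPLE_RESPONSE is the response from the post above,
compacted (Transforms elided); expected Recipient/Issuer are assumptions passed by the caller."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ID_ATTRS = ("ID", "AssertionID", "ResponseID")  # ID-typed attributes a Reference URI="#..." may target

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 ResponseID="_6ccb8357de3c905349ca14e42d9bf97d1215715364285" Recipient="https://login.salesforce.com"
 IssueInstant="2008-08-31T18:42:44.284Z">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue> Kclet6XcaOgOWXM4gty6/UNdviI= </ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue> hq4zk+ZknjggCQgZm7ea8fI7Hr7wHxvCCRwubfZ6RqVL+wNmeWI4= </ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxNVBAYTAlVT
   MRIwEAYDVQQIEwlXaXNjb dnP6Hr7wHxvCCRwubnZAv2FU78pLX 8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdioG8cCx3w/w==
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="demoIDP" IssueInstant="2008-08-31T18:42:44.284Z"
  AssertionID="_818891251f47ba13b15f600c301749df1215715364284">
  <saml:Conditions NotBefore="2008-08-31T18:42:44.284Z" NotOnOrAfter="2008-08-31T18:47:44.284Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:Password"
   AuthenticationInstant="2008-08-31T18:42:44.284Z"><saml:Subject><saml:NameIdentifier>
     news4nishant@gmail.com
   </saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>
     urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMethod></saml:SubjectConfirmation>
  </saml:Subject></saml:AuthenticationStatement></saml:Assertion></samlp:Response>"""


def parse_instant(text):
    """SAML timestamps are UTC with a trailing 'Z'; the fractional part is optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML timestamp: %r" % text)


def check_response(xml_text, expected_recipient, expected_issuer, now, skew=timedelta(minutes=3)):
    """Return a list of findings; an empty list means every structural check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    # 1. The ds:Reference must point into *this* document (URI="" means the whole document),
    #    otherwise no verifier can locate the bytes that were digested.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI") if ref is not None else None
    ids = {v for el in root.iter() for k, v in el.attrib.items() if k in ID_ATTRS}
    if uri is None or not (uri == "" or (uri.startswith("#") and uri[1:] in ids)):
        findings.append("Reference URI %r matches no document ID in %s" % (uri, sorted(ids)))
    # 2. Base64 fields: after stripping whitespace the length must be a multiple of 4.
    #    A cheap check that catches truncated values before any cryptography runs.
    for path in ("ds:SignedInfo/ds:Reference/ds:DigestValue", "ds:SignatureValue",
                 "ds:KeyInfo/ds:X509Data/ds:X509Certificate"):
        el = root.find("ds:Signature/" + path, NS)
        clean = re.sub(r"\s+", "", (el.text or "") if el is not None else "")
        if not clean or len(clean) % 4:
            findings.append("%s missing or truncated (%d base64 chars)" % (path.rsplit(":", 1)[1], len(clean)))
    # 3. Recipient and Issuer are exact string comparisons against what the SP expects.
    if root.get("Recipient") != expected_recipient:
        findings.append("Recipient %r != %r" % (root.get("Recipient"), expected_recipient))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return findings + ["no saml:Assertion"]
    if a.get("Issuer") != expected_issuer:
        findings.append("Issuer %r != %r" % (a.get("Issuer"), expected_issuer))
    # 4. Validity window, with a small allowance for IdP/SP clock skew.
    c = a.find("saml:Conditions", NS)
    if c is None or not (c.get("NotBefore") and c.get("NotOnOrAfter")):
        findings.append("Conditions need both NotBefore and NotOnOrAfter")
    else:
        if now + skew < parse_instant(c.get("NotBefore")):
            findings.append("not yet valid: NotBefore " + c.get("NotBefore"))
        if now - skew >= parse_instant(c.get("NotOnOrAfter")):
            findings.append("expired: NotOnOrAfter " + c.get("NotOnOrAfter"))
    # 5. Subject: pretty-printing leaves newlines inside NameIdentifier, and an SP that
    #    compares the literal text will not find the user; confirmation must be bearer.
    s = a.find("saml:AuthenticationStatement/saml:Subject", NS)
    name = s.find("saml:NameIdentifier", NS) if s is not None else None
    if name is None or not (name.text or "").strip():
        findings.append("missing NameIdentifier")
    elif name.text != name.text.strip():
        findings.append("NameIdentifier has surrounding whitespace: %r" % name.text)
    cm = s.find("saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if s is not None else None
    if cm is None or (cm.text or "").strip() != BEARER:
        findings.append("ConfirmationMethod is not bearer")
    return findings


def audit_sample(now_iso, recipient="https://login.salesforce.com", issuer="demoIDP"):
    """Run the checks on SAMPLE_RESPONSE as of a UTC instant such as '2008-08-31T18:43:00Z'."""
    return check_response(SAMPLE_RESPONSE, recipient, issuer, parse_instant(now_iso))


if __name__ == "__main__":
    print(*audit_sample("2008-08-31T18:43:00Z"), sep="\n")
```

Run as-is, the script reports the unresolvable Reference URI, the truncated SignatureValue and X509Certificate, and the whitespace inside NameIdentifier; run with the real clock it additionally reports the expired NotOnOrAfter. Deliberately missing here is the signature itself: once these checks pass, a real SP still has to apply the enveloped-signature transform and exclusive canonicalization to the referenced element, compare the SHA-1 digest, and verify SignatureValue against a certificate it already trusts for this issuer rather than the one carried in KeyInfo, which is attacker-controlled.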