
I've built a SAML assertion using OpenSaml, everything seems relatively sane, but I just can't get past the "Failed: Assertion Invalid" message in the Login History. Anyone have any suggestions on what I could be missing?

Our SSO settings are set to:

  • SAML Enabled: Checked
  • SAML Version: 1.1
  • SAML User ID Type: Username
  • Issuer: http://topherific.com
  • SAML User ID Location: Subject
  • Identity Provider Certificate: EMAILADDRESS=topher@topherific.com, CN=saml.test, OU=Topherific, O=Topherific Inc, L=Boulder, ST=Colorado, C=US (Expiration: 11 Mar 2009 06:21:09 GMT)
  • Recipient URL: https://login.salesforce.com

The generated SAML response is:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2009-03-02T19:06:31.240Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com" ResponseID="adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+eS6/hQ3ULCqmKwBxp8ZCXRoBnA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I/80xT1W+Yagt3S8KjjMrCJ1EAgkRP+Lqd/hwmunUkHEg3xP1h5DpA==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kdmclmioaolbncmmdbhihlkihdhaimgncneomecd" IssueInstant="2009-03-02T19:06:31.240Z" Issuer="http://topherific.com" MajorVersion="1" MinorVersion="1">
<saml:AuthenticationStatement AuthenticationInstant="2009-03-02T19:06:31.240Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>topher@topherific.com</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>

Thanks in advance

Message Edited by Topher on 03-02-2009 01:07 PM
Message Edited by Topher on 03-02-2009 01:08 PM
  • March 02, 2009
Hi,

I'm trying to implement SSO using SAML. The SAML assertion which I'm posting is giving an "Assertion Invalid" error in the login history.
Could anyone please tell me what the error in my assertion is?

I'm posting the following assertion:
<samlp:Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    MajorVersion="1" MinorVersion="1"
    ResponseID="_6ccb8357de3c905349ca14e42d9bf97d1215715364285"
    Recipient="https://login.salesforce.com"
    IssueInstant="2008-08-31T18:42:44.284Z">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference
                URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces
                            PrefixList="#default saml ds xs xsi"
                            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>
                    Kclet6XcaOgOWXM4gty6/UNdviI=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            hq4zk+ZknjggCQgZm7ea8fI7Hr7wHxvCCRwubfZ6RqVL+wNmeWI4=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxNVBAYTAlVT
                    MRIwEAYDVQQIEwlXaXNjb dnP6Hr7wHxvCCRwubnZAv2FU78pLX
                    8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdioG8cCx3w/w==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
        MinorVersion="1"
        AssertionID="_818891251f47ba13b15f600c301749df1215715364284"
        Issuer="demoIDP" IssueInstant="2008-08-31T18:42:44.284Z">
        <saml:Conditions NotBefore="2008-08-31T18:42:44.284Z"
            NotOnOrAfter="2008-08-31T18:47:44.284Z">
        </saml:Conditions>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:Password"
            AuthenticationInstant="2008-08-31T18:42:44.284Z">
            <saml:Subject>
                <saml:NameIdentifier>
                    news4nishant@gmail.com
                </saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>
                        urn:oasis:names:tc:SAML:1.0:cm:bearer
                    </saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
        </saml:AuthenticationStatement>
    </saml:Assertion>
</samlp:Response>

The base64 encoded value of the above assertion that I post is:
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

The signature and time limits would be invalid, but instead of giving these errors I get an "Assertion Invalid" error. Please help me.

Thanks
Nishant
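Both posts above end at the same one-line "Assertion Invalid" result, which says nothing about which requirement failed. The practical way to narrow that down is to run the structural checks a service provider performs before it ever touches the signature: SAML 1.1 version attributes, Recipient, Status, Issuer, a ds:Reference whose URI actually points at the ResponseID or AssertionID, the Conditions window, and a bearer Subject with a non-empty NameIdentifier. The following Python script is an added example written for this page; it is not either poster's code and not Salesforce's validation logic. It assumes a hypothetical issuer `http://idp.example.test`, two constructed Response documents with placeholder DigestValue/SignatureValue content, and an arbitrary three-minute clock-skew tolerance. It deliberately does not verify the XML-DSig signature itself (exclusive C14N, digest and RSA/DSA checks need an XML-DSig library), so a clean result from it means only that the pre-signature checks pass.

```python
"""Pre-flight checks for a SAML 1.1 Response before it is posted to an SP (constructed example).
Covers the non-cryptographic checks only; signature verification (exclusive C14N + digest +
RSA/DSA) needs an XML-DSig library and is left out on purpose."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ISSUER = "http://idp.example.test"  # hypothetical IdP issuer used by the constructed samples
RECIPIENT = "https://login.salesforce.com"


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2009-03-02T19:06:31.240Z."""
    value = value.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_recipient, expected_issuer, now=None, skew=timedelta(minutes=3)):
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        problems.append("Response does not declare MajorVersion=1 MinorVersion=1")
    if root.get("Recipient") != expected_recipient:
        problems.append("Recipient %r != %r" % (root.get("Recipient"), expected_recipient))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in Response"]
    if assertion.get("Issuer") != expected_issuer:
        problems.append("Issuer %r != configured %r" % (assertion.get("Issuer"), expected_issuer))
    # Each ds:Reference must point at the Response or Assertion ID ("" means the whole document);
    # a URI matching neither means the signature covers nothing the SP can check.
    signed_ids = {root.get("ResponseID"), assertion.get("AssertionID")}
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI", "")
        if not (uri == "" or (uri.startswith("#") and uri[1:] in signed_ids)):
            problems.append("Reference URI %r matches neither ResponseID nor AssertionID" % uri)
    # Conditions window, with a small tolerance for IdP/SP clock skew
    now = now or datetime.now(timezone.utc)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_instant(nb):
            problems.append("assertion not yet valid: NotBefore=%s" % nb)
        if noa and now - skew >= parse_instant(noa):
            problems.append("assertion expired: NotOnOrAfter=%s" % noa)
    subject = assertion.find("saml:AuthenticationStatement/saml:Subject", NS)
    if subject is None:
        problems.append("AuthenticationStatement has no Subject")
    else:
        name = subject.find("saml:NameIdentifier", NS)
        if name is None or not (name.text or "").strip():
            problems.append("NameIdentifier is missing or empty")
        methods = [(m.text or "").strip() for m in subject.iter("{%s}ConfirmationMethod" % NS["saml"])]
        if BEARER not in methods:
            problems.append("SubjectConfirmation method is not bearer")
    return problems


def build_sample(response_id, assertion_id, ref_uri, not_before, not_on_or_after):
    """Constructed SAML 1.1 Response; DigestValue and SignatureValue are placeholders, not real signatures."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  MajorVersion="1" MinorVersion="1" ResponseID="{response_id}" Recipient="{RECIPIENT}" IssueInstant="{not_before}">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}">
    <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="{assertion_id}" Issuer="{ISSUER}" MajorVersion="1" MinorVersion="1"
    IssueInstant="{not_before}">
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
    <saml:AuthenticationStatement AuthenticationInstant="{not_before}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>user@example.test</saml:NameIdentifier>
        <saml:SubjectConfirmation><saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod></saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


# Fixed "now" so results are reproducible; both documents below are constructed test data
NOW = datetime(2009, 3, 2, 19, 7, 0, tzinfo=timezone.utc)
GOOD = build_sample("resp-1", "assert-1", "#resp-1", "2009-03-02T19:06:31.240Z", "2009-03-02T19:11:31.240Z")
# Reference points at an ID that exists nowhere in the document, and the window closed 20 minutes ago
BAD = build_sample("resp-2", "assert-2", "#_some-other-id", "2009-03-02T18:42:44.284Z", "2009-03-02T18:47:44.284Z")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_response(doc, RECIPIENT, ISSUER, now=NOW) or "OK")
```

Run it against a real response by reading the decoded POST body into `check_response` with the Recipient URL and Issuer from the SSO settings page; the list it returns is the set of things to fix before spending time on the signature. The Reference-URI check is worth a second look in particular, because a signature whose Reference points at an ID that does not exist anywhere in the document can never validate, no matter how correct the certificate and canonicalization are.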