SAMLIss
Hi,

 

I'm trying to generate SAML according to Salesforce's documentation. After a full day of trying different tweaks I'm still stuck. My SAML (version 1.1) looks correct to me, but when I post it to Salesforce in a "SAMLResponse" field it logs the error "Failed: Assertion Invalid" along with the login name specified in the SAML. Does anyone know how to debug this, or perhaps a comparison to a working SAML response would help...

 

I tried using the SAML validator in Salesforce. It tells me everything is "ok" (in green) except for two things:

"6. Checking that the Attribute namespace matches, if provided"  returns "Unknown"

"7. Miscellaneous format confirmations" returns "Unknown"

The validator did not return any red error messages; however, I have no clue what the two "Unknown" messages mean.

 

I've tried different types of SSO configuration in Salesforce, both with the User ID in a NameIdentifier and with it in an Attribute element; neither of them works. However, Salesforce always logs the username in the logs, so that part appears to be working.

 

Here's a sample SAML response; if anyone has ideas on what's wrong I'd really appreciate it:

 

 

<samlp:Response IssueInstant="2009-06-07T18:26:42.8641119-07:00" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com/?saml=EK03Almz90eBaMTm4Lf8DUU3._uQLw9jeP6QZwo.ASrEk7qB4.A.CkD.ICUbSDUnEEDQrlHtPJyJcn5mZX5bFMi4aInRUbd_Flvt1yAQmd08jWN6y6pWt6E3NC" ResponseID="12346626" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success" />
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="TestAnil8382" Issuer="MYISSUER" IssueInstant="2009-06-07T18:26:42.8641119-07:00" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2009-06-07T18:21:42.8641119-07:00" NotOnOrAfter="2009-06-07T18:36:42.8641119-07:00">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="MyLoginAttributeName" AttributeNamespace="http://myuri.com">
        <saml:AttributeValue>sfUserLogin@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-06-07T18:26:42.8641119-07:00">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>UIwW0FHhBNx4PiTLPi9nIRoJfI4=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>[Trimmed]</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[Trimmed]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:Response>
 

I am trying to work on Outlook Connect. I am a System Administrator for the org. When I go to Tools --> Salesforce Options --> Contacts --> Advanced --> Field Maps, I can't change or edit field mappings. It says: "You are currently running in restricted mode. Some options are set by your administrator." I am not sure what needs to be done to enable this.

 

Also this is what I got from cheatsheet. I don't see this tab.

 

Click the User Permissions tab. For reference, the Synchronization Settings area summarizes

the settings you made in the previous step.

Select or deselect the following options:

Users can modify which objects are synchronized

Users can modify field mappings

Users can modify conflict resolution options

Users can modify the direction of synchronizations

Users can use quick create

 

I am trying to sync a contact, and it says "Invalid field index::assistantphone". Not sure why it does so. I think the mapping is correct.

 

Any help/suggestions would be highly appreciated. Thanks.


I would like to sync my Outlook contacts to Salesforce in the following manner:

 

  1. I have several Contacts folders in Outlook.  ALL of the contacts in all of the folders need to be synchronized with Salesforce at all times.
  2. I have custom fields in Salesforce that allow me to designate a contact as being part of one group of people or another.  For example, I work in politics, and have a "GOP" and a "Dem" checkbox field.  In Outlook, I do not have custom fields for the same purpose because I want each group of people listed in its own Outlook folder.

 

Does the Salesforce Outlook/desktop integration plugin have the ability to reconcile these differences when it synchronizes?

 

I don't mind doing a manual import of each Outlook folder to Salesforce, and in the process making sure I set each contact to have the appropriate Salesforce custom fields mapped.  But I only want to do that once.  I manage/create/change most of my contacts and activities in Outlook, and want the sync to be relatively automatic after the first pass.

 

Alternatively, can the plugin synchronize an Outlook category to a Salesforce custom field?  (E.g.: if it has category "GOP", synchronize the contact to make sure the relevant custom field is marked true.  Note that Outlook contacts would have multiple categories, most likely.)

 

 

Any thoughts would be greatly appreciated.  And if I'm massively over-complicating this, please feel free to hit me over the head and let me know!

 

Dan

I've built a SAML assertion using OpenSAML. Everything seems relatively sane, but I just can't get past the "Failed: Assertion Invalid" message in the Login History. Anyone have any suggestions on what I could be missing?

 

Our SSO settings are set to:

SAML Enabled: Checked
SAML Version: 1.1
SAML User ID Type: Username
Issuer: http://topherific.com
SAML User ID Location: Subject
Identity Provider Certificate: EMAILADDRESS=topher@topherific.com, CN=saml.test, OU=Topherific, O=Topherific Inc, L=Boulder, ST=Colorado, C=US
Expiration: 11 Mar 2009 06:21:09 GMT
Recipient URL: https://login.salesforce.com

The generated SAML response is:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2009-03-02T19:06:31.240Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com" ResponseID="adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+eS6/hQ3ULCqmKwBxp8ZCXRoBnA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I/80xT1W+Yagt3S8KjjMrCJ1EAgkRP+Lqd/hwmunUkHEg3xP1h5DpA==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kdmclmioaolbncmmdbhihlkihdhaimgncneomecd" IssueInstant="2009-03-02T19:06:31.240Z" Issuer="http://topherific.com" MajorVersion="1" MinorVersion="1">
<saml:AuthenticationStatement AuthenticationInstant="2009-03-02T19:06:31.240Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>topher@topherific.com</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>

 

Thanks in advance 

Message Edited by Topher on 03-02-2009 01:07 PM
Message Edited by Topher on 03-02-2009 01:08 PM
March 02, 2009
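The two "Failed: Assertion Invalid" posts above (SAMLIss's and Topher's) both come down to the same question: what does a relying party check before it accepts a SAML 1.1 bearer assertion? The following is an added example, not Salesforce's code and not either poster's code. It is a small Python pre-flight checker that applies the policy checks a relying party performs: Recipient compared as an exact string, Issuer, Audience, the NotBefore/NotOnOrAfter window with a clock-skew allowance, a bearer-confirmed Subject carrying a NameIdentifier, and that the Signature's Reference actually covers the Response or the Assertion. It does not verify the signature value itself; that needs an XML-DSig library and the IdP certificate. The embedded sample Response is constructed from the first post's message, with the Recipient query string shortened to "?saml=EXAMPLE" and the signature value replaced by a placeholder; the configured Recipient and Issuer passed to it are assumptions chosen to match that sample, not either poster's real SSO settings.

```python
# Added example (not Salesforce's or the posters' code); does NOT verify the XML-DSig value.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ENVELOPED = DS + "enveloped-signature"
SHA1_ALGS = {DS + "sha1", DS + "rsa-sha1", DS + "dsa-sha1"}
_TS = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")

def parse_instant(value):
    """Parse a SAML dateTime; .NET's 7 fractional digits are trimmed to microseconds."""
    m = _TS.match(value.strip())
    if not m:
        raise ValueError("bad dateTime: %r" % value)
    base, frac, tz = m.groups()
    micro = (frac or "")[:6].ljust(6, "0")
    return datetime.fromisoformat("%s.%s%s" % (base, micro, "+00:00" if tz == "Z" else tz))

def check_response(xml_text, expected_recipient, expected_issuer,
                   expected_audience="https://saml.salesforce.com",
                   now=None, skew=timedelta(minutes=3)):
    """Return (errors, warnings); `now` must be timezone-aware. No errors == accepted."""
    errors, warnings = [], []
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % SAMLP:
        return ["root element is not samlp:Response"], warnings
    if resp.get("Recipient") != expected_recipient:  # exact string comparison, on purpose
        errors.append("Recipient %r != configured %r" % (resp.get("Recipient"), expected_recipient))
    assertion = resp.find("{%s}Assertion" % SAML)
    if assertion is None:
        return errors + ["no saml:Assertion in Response"], warnings
    if assertion.get("Issuer") != expected_issuer:
        errors.append("Issuer %r != configured %r" % (assertion.get("Issuer"), expected_issuer))
    cond = assertion.find("{%s}Conditions" % SAML)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        errors.append("Conditions with NotBefore/NotOnOrAfter are missing")
    else:
        if now + skew < parse_instant(cond.get("NotBefore")):
            errors.append("assertion not yet valid (NotBefore)")
        if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.iter("{%s}Audience" % SAML) if a.text]
        if expected_audience not in audiences:
            errors.append("Audience %r not in %r" % (expected_audience, audiences))
    subj = assertion.find(".//{%s}Subject" % SAML)
    if subj is None or not subj.findtext("{%s}NameIdentifier" % SAML, "").strip():
        errors.append("no Subject with a NameIdentifier")
    elif BEARER not in [m.text.strip() for m in subj.iter("{%s}ConfirmationMethod" % SAML) if m.text]:
        errors.append("Subject is not bearer-confirmed")
    # The Signature may envelope the Response or the Assertion; its Reference must cover
    # one of those two (URI="" = whole document). Any other target is a wrapping hole.
    sig = next(iter(resp.iter("{%s}Signature" % DS)), None)
    if sig is None:
        return errors + ["no ds:Signature on the Response or the Assertion"], warnings
    ref = sig.find("{%s}SignedInfo/{%s}Reference" % (DS, DS))
    uri = ref.get("URI", "") if ref is not None else None
    covered = {"", "#" + (resp.get("ResponseID") or ""), "#" + (assertion.get("AssertionID") or "")}
    if uri not in covered:
        errors.append("Signature Reference URI %r covers neither Response nor Assertion" % uri)
    elif ENVELOPED not in [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]:
        errors.append("Signature lacks the enveloped-signature transform")
    used = {e.get("Algorithm") for e in sig.iter() if e.get("Algorithm")} & SHA1_ALGS
    if used:
        warnings.append("SHA-1 based algorithms (usual in 2009, deprecated now): %s" % ", ".join(sorted(used)))
    return errors, warnings

# Constructed sample modelled on the first post's Response: same IDs and times,
# Recipient query string shortened, SignatureValue replaced by a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1"
 IssueInstant="2009-06-07T18:26:42.8641119-07:00" ResponseID="12346626" Recipient="https://login.salesforce.com/?saml=EXAMPLE">
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  AssertionID="TestAnil8382" Issuer="MYISSUER" IssueInstant="2009-06-07T18:26:42.8641119-07:00">
  <saml:Conditions NotBefore="2009-06-07T18:21:42.8641119-07:00" NotOnOrAfter="2009-06-07T18:36:42.8641119-07:00">
   <saml:AudienceRestrictionCondition><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
   AuthenticationInstant="2009-06-07T18:26:42.8641119-07:00"><saml:Subject>
   <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
   <saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
  </saml:Subject></saml:AuthenticationStatement>
 </saml:Assertion>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>UIwW0FHhBNx4PiTLPi9nIRoJfI4=</DigestValue>
  </Reference></SignedInfo><SignatureValue>cGxhY2Vob2xkZXI=</SignatureValue></Signature>
</samlp:Response>"""

def check_sample(now_iso="2009-06-08T01:26:42Z"):
    """Run the checks on SAMPLE at a chosen instant (default: its IssueInstant, in UTC)."""
    return check_response(SAMPLE, "https://login.salesforce.com/?saml=EXAMPLE", "MYISSUER",
                          now=parse_instant(now_iso))
```

With its defaults, check_sample() returns no errors and a single warning about the SHA-1 algorithms; the same call with a `now` after 18:36:42-07:00 reports the assertion as expired, and passing "https://login.salesforce.com" as the configured Recipient reports a mismatch because the comparison is exact. That strictness is the point: Recipient and Audience are the bindings that stop an assertion minted for one service from being replayed at another, and the Reference check stops a valid signature over one fragment from being wrapped around an Assertion that was never signed. When a relying party such as Salesforce only reports "Assertion Invalid", running its input through a checker like this first tells you which of those bindings disagrees with the configured values.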
I haven't had much luck getting SSO to work with my SAML assertion. Has anyone got this to work? If so, what does your saml response look like?  I signed my assertion and I believe everything is correct, yet the login history gives me "Failed: Assertion Invalid"

Any ideas?

Thank you.
I was trying to implement SAML 1.1 SSO with SalesForce.
I set up SAML and send the SAMLResponse to the Recipient.
I get the login fail page and I have no idea what went wrong.
I cannot see the option Setup | Manage Users | Single Sign-On Error History.
 
What should I do to get this history?
 
Thanks
 


Message Edited by yellowriver on 10-30-2008 05:37 PM

I have a question concerning your SAML decision

(ref: http://blog.sforce.com/sforce/2005/07/sforce_single_s.html)

I fully agree with you concerning the difficulty of implementing SAML when you are a SaaS website, but you wrote "Supporting SAML on our website would have been easy."

What did you mean by "supporting SAML would have been easy"?
Were you talking about supporting SAML documents? Accepting a SAML Response assertion only?

How could you easily implement SAML if you cannot determine which identity provider made the request? Each of your customers will have a specific identity provider/management system, and the initial (first) request does not tell you who the user is, so you cannot find the identity provider....

So how would supporting SAML on your website have been easy?

Thanks