• Rose Sage Barone
  • Member since 2011


We're having an issue with using Shibboleth as our IDP. Salesforce is rejecting the Shibboleth SAML assertion because of the presence of the InResponseTo attribute. Our ITS group won't modify Shibboleth to not send the attribute because that will break other implementations. Any Shibboleth users out there with some insight?

 

Issue: Salesforce rejects the SAML assertion from Shibboleth because of the presence of an attribute called InResponseTo

Taken from Shibboleth users forum http://shibboleth.1660669.n2.nabble.com/IdP-Initiated-SSO-td5741045.html, posting by Brent Putman on 01/25/2011

Many people, including our school, have gotten the Shib IdP to work via
SAML 2 with salesforce.com.  The only real substantive issue is that the
issued Response and Assertion must have the InResponseTo attribute
removed, else they are rejected by Salesforce.  That requires some mods
to the IdP, either code changes or additions.  See the list archive for
some solutions people have come up with.

Taken from Shibboleth users forum http://shibboleth.1660669.n2.nabble.com/IdP-Initiated-SSO-td5741045.html, posting by Scott Cantor on 01/26/2011

That [commenting out the code in the IdP that sends out an inResponseTo attribute in the SAML response] will simply break other SPs ... that enforce the check. In other words, this is a bad idea.


Previous Salesforce response to Salesforce not sending out the inResponseTo, taken from Developer Force forum postings at http://boards.developerforce.com/t5/Security/Salesforce-com-SAML-IdP-Problem/td-p/218531, posting from Chuck Mortimore on 11/23/2010

 That being said there seem to be enough implementations that favor duplication of the inResponseTo that we need to fix it.   Code wins as they say.

 

Is it possible for Salesforce to look at adding the inResponseTo attribute?
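
The check Scott Cantor's reply refers to is the SP-side validation of InResponseTo, and it is why stripping the attribute from the IdP is the wrong fix. The block below is an added example written for this page, not code from the thread, from Shibboleth, or from Salesforce; the IdP and SP URLs, request IDs and the SAML messages are constructed sample data, and signature and Conditions checks are assumed to happen elsewhere. It shows the three outcomes discussed above: a solicited response whose InResponseTo names a request the SP actually issued is accepted once (a replay is refused); an unsolicited, IdP-initiated response is accepted only if it carries no InResponseTo and the SP is configured to allow unsolicited responses; and an IdP-initiated response that carries an InResponseTo anyway matches no outstanding request and is rejected, which is the behaviour the thread reports from Salesforce.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


class SamlValidationError(Exception):
    """Raised when the SP must reject the Response."""


def build_response(in_response_to=None):
    """Construct a minimal, unsigned SAML 2.0 Response for the demo.

    Constructed sample data, not a captured Shibboleth message.  When
    in_response_to is given it is placed on both the Response and the bearer
    SubjectConfirmationData, as an IdP answering an AuthnRequest would do.
    """
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"{attr}>
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jdoe@example.edu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{attr} Recipient="https://sp.example.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_in_response_to(response_xml, outstanding_requests, allow_unsolicited=False):
    """Return "sp-initiated" or "idp-initiated", or raise SamlValidationError.

    outstanding_requests maps each AuthnRequest ID this SP issued and has not
    yet consumed to the ACS URL the request named.  Only the InResponseTo
    logic the thread is about is implemented here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    response_irt = root.get("InResponseTo")
    scd = root.find(
        "saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise SamlValidationError("bearer assertion lacks SubjectConfirmationData")
    assertion_irt = scd.get("InResponseTo")

    # Unsolicited (IdP-initiated) response: neither element may carry InResponseTo.
    if response_irt is None and assertion_irt is None:
        if not allow_unsolicited:
            raise SamlValidationError("unsolicited responses are not accepted by this SP")
        return "idp-initiated"

    # Solicited response: both must be present and agree.
    if response_irt is None or assertion_irt != response_irt:
        raise SamlValidationError("InResponseTo missing or inconsistent between Response and assertion")

    # It must name a request we actually issued.  An IdP-initiated response that
    # carries InResponseTo anyway lands here and is rejected.
    if response_irt not in outstanding_requests:
        raise SamlValidationError(f"InResponseTo {response_irt!r} matches no outstanding AuthnRequest")

    expected_acs = outstanding_requests.pop(response_irt)  # single use: a replay fails the check above
    if scd.get("Recipient") != expected_acs:
        raise SamlValidationError("Recipient does not match the ACS the request was issued for")
    return "sp-initiated"


def rejects(response_xml, outstanding_requests, allow_unsolicited=False):
    """True if the Response is rejected (helper for the scenarios below)."""
    try:
        check_in_response_to(response_xml, outstanding_requests, allow_unsolicited)
    except SamlValidationError:
        return True
    return False


def run_scenarios():
    """Exercise the cases from the thread; returns {name: outcome}."""
    pending = {"_req-abc": "https://sp.example.com/acs"}
    results = {}
    results["sp_initiated"] = check_in_response_to(build_response("_req-abc"), pending)
    results["replay"] = rejects(build_response("_req-abc"), pending)  # ID already consumed
    results["idp_initiated_allowed"] = check_in_response_to(build_response(), {}, allow_unsolicited=True)
    results["idp_initiated_refused"] = rejects(build_response(), {})
    results["idp_initiated_with_irt"] = rejects(build_response("_idp-made-up"), {}, allow_unsolicited=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

The outstanding-request table is the whole point: InResponseTo ties a bearer assertion to an AuthnRequest this SP generated in this user's browser, so an assertion captured elsewhere or replayed cannot be presented against a fresh session. An IdP that omits the attribute for every SP gives up that binding everywhere, not just for the one SP that happens to reject it.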

We're using OpenAM as our IDP, and have SSO and OpenAM turned on for Salesforce. All is working well until we get to the mobile application. I go into settings, set the mobile app for a custom host, input our "My domain" URL as the hostname and click the "log off now" slider button. When I go into the app, I get the OpenAM login screen (so far, so good), input the username and password into OpenAM and get redirected to a full web page in my sandbox with the message

 

Unable to Access Page
Required parameter "oauth_consumer_key" not defined.

Error: The value of the parameter specified above contains a character that is not allowed or the value exceeds the maximum allowed length. Remove the character from the parameter value or reduce the value length and re-submit. If the error still persists, please report it to our Customer Support team and provide the URL of the page you were requesting as well as any other related information.

 

I AM signed onto my sandbox however.  I can click around and see the regular web pages.

 

If I close the app and open it again, I get the OAuth approve/deny screen and then get the regular mobile app screens.

 

I've checked OpenAM and it is not sending a parameter called oauth_consumer_key.

 

Has anybody run into this before, and does anyone have any suggested solutions?

 

Thanks!

 

Rose

Folks, I found that OAuth feature (Remote Access) is now available for all orgs at last, but I'm doubting there's a fatal defect.

 

When reading the help page for the Remote Access feature (https://na7.salesforce.com/help/doc/en/remoteaccess_authenticate.htm) and referring to the OAuth Core 1.0A spec (http://oauth.net/core/1.0a), I found that Salesforce's current behaviour does not fulfil the specification.

 

In the help page it is described that it requires the oauth_consumer_key parameter in the Authorization redirect phase (see the "Authorizing the User" section), but the 1.0A spec does not (see 6.2.1). It is not only a documentation bug, but it actually raises an error when no oauth_consumer_key is passed.

 

I'm not sure why Salesforce requires the consumer key in addition to oauth_token. The consumer key is considered something not to be exposed to the users, so it is not used as a parameter during the user redirection.

 

I'm writing code that connects to Salesforce using an OAuth library in Python, but have not been successful, mainly because of this spec violation.


 
  • October 21, 2009
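
For readers hitting the same wall from a hand-written client, the following is an added example (not the poster's code, not Salesforce's, and not any particular Python OAuth library) of the OAuth 1.0a pieces the post is about: the signature base string and HMAC-SHA1 signing of section 9, the Request Token call of section 6.1.1, where the spec places oauth_consumer_key, and the user-authorization redirect of section 6.2.1, which the spec defines with oauth_token plus whatever additional parameters a provider documents. The endpoints, keys and secrets are hypothetical. `authorize_url` takes an optional `extra` dict so that a provider-specific parameter such as the oauth_consumer_key the post reports Salesforce demanding can be added without changing the spec-conformant default; a provider-side `verify_signature` is included so the signing can be checked end to end offline.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode, urlparse


def oauth_escape(value):
    """Percent-encode per OAuth 1.0a section 5.1: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Section 9.1: METHOD & escaped normalized URL & escaped sorted parameter string."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlparse lower-cases the host
    port = parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"          # default ports are dropped, others kept
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))   # URL query parameters are signed too
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((oauth_escape(k), oauth_escape(v)) for k, v in pairs))
    return "&".join([method.upper(), oauth_escape(base_url), oauth_escape(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 9.2: key is escaped consumer secret '&' escaped token secret; output is base64."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute over the received parameters and compare in constant time."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def request_token_params(consumer_key, consumer_secret, request_token_url,
                         callback="oob", nonce=None, timestamp=None):
    """Section 6.1.1: the signed Request Token call is where oauth_consumer_key belongs."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        "oauth_callback": callback,       # 1.0a moved oauth_callback here from the redirect
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("POST", request_token_url, params), consumer_secret)
    return params


def authorize_url(authorize_endpoint, request_token, extra=None):
    """Section 6.2.1: redirect the user with oauth_token; `extra` carries provider-documented additions.

    Everything in this URL is visible to the user and sits in browser history and proxy
    logs, so only a secret-free parameter such as a key identifier may ever go here.
    """
    query = {"oauth_token": request_token, **(extra or {})}
    return f"{authorize_endpoint}?{urlencode(query)}"


def redirect_parameters(url):
    """Parse an authorize URL's query back into a dict to see exactly what the user is shown."""
    return dict(parse_qsl(urlparse(url).query))


if __name__ == "__main__":
    # Hypothetical provider endpoints and credentials, not Salesforce's real ones.
    rt_url = "https://provider.example/oauth/request_token"
    rt = request_token_params("ckey", "csecret", rt_url, nonce="n0", timestamp=1)
    print("signature verifies:", verify_signature("POST", rt_url, rt, "csecret"))
    print(authorize_url("https://provider.example/oauth/authorize", "rtoken"))
    print(authorize_url("https://provider.example/oauth/authorize", "rtoken",
                        {"oauth_consumer_key": "ckey"}))
```

The base string is built from the request method, the normalized URL and every parameter except the signature itself, so a provider that verifies it will detect any change to the callback or any other signed field; that is the property that makes a leaked redirect URL (where nothing is signed) uninteresting to an attacker as long as no secret is placed in it.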