• BradF
  • Member since 2012


I'm trying to authenticate from my .NET app to Salesforce via SAML - however Salesforce doesn't seem to like my signed certificate portion of the XML I'm sending to it (I keep getting an invalid signature error).

Does anyone have a .NET example of how to sign the certificate so Salesforce recognizes it?

My current code for signing the certificate (borrowed from codeproject http://www.codeproject.com/Articles/56640/Performing-a-SAML-Post-with-C) is:

using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static XmlElement SignDoc(XmlDocument doc, X509Certificate2 cert2, string referenceId, string referenceValue)
{
    // SamlSignedXml is the SignedXml subclass from the CodeProject article linked above;
    // it overrides GetIdElement so the reference can be resolved via the SAML "ID" attribute.
    SamlSignedXml sig = new SamlSignedXml(doc, referenceId);

    // Add the key to the SignedXml xmlDocument.
    sig.SigningKey = cert2.PrivateKey;

    // Create a reference to be signed (points at the element whose ID is referenceValue).
    Reference reference = new Reference();
    reference.Uri = "#" + referenceValue;

    // Add an enveloped transformation and a C14N transformation to the reference.
    XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
    XmlDsigC14NTransform env2 = new XmlDsigC14NTransform();
    reference.AddTransform(env);
    reference.AddTransform(env2);

    // Add the reference to the SignedXml object.
    sig.AddReference(reference);

    // Add an X509Data KeyInfo carrying the certificate
    // (optional; helps recipient find key to validate).
    KeyInfo keyInfo = new KeyInfo();
    KeyInfoX509Data keyData = new KeyInfoX509Data(cert2);
    keyInfo.AddClause(keyData);
    sig.KeyInfo = keyInfo;

    // Compute the signature.
    sig.ComputeSignature();

    // Get the XML representation of the signature
    // and save it to an XmlElement object.
    XmlElement xmlDigitalSignature = sig.GetXml();
    return xmlDigitalSignature;
}

 

 

  • April 10, 2012

I'm running into an error when trying to authenticate to salesforce using SAML (my localhost app is the identity provider, salesforce is the Service Provider). In the SAML validator tool I get:



Signature or certificate problems
The signature in the response is not valid

 

The certificate I'm using is one that I just created locally using IIS - it validates fine if I use the SignedXML class in .Net, but Salesforce is having issues with it. Does the certificate have to be signed by a trusted authority to use with Salesforce? If not then has anyone got any ideas what I can try?

 

thanks

  • March 07, 2012

Hi All,

 

In preparation for integrating with Salesforce, I'm using the SAML validator tool to verify the XML response that we'll be generating. The response itself is generated via .NET code and I can verify that the certificate in the response is valid using the .NET SignedXML class. However the SAML validator keeps spitting out:

 

Signature or certificate problems
The signature in the response is not valid
Is the correct certificate supplied in the keyinfo? false

 

I've already tried re-uploading my certificate. Has anyone else experienced this issue or have a suggestion on what I should try next? Also the SAML validator seems to be stuck in the past - all the validation time stamps it is using are 7 hours in the past (maybe that's the problem). I've read on some older posts (like 2008) that the CanonicalizationMethod may not be supported but I've seen other posts where others are using it.

 

cheers

 

Brad

 

Here's my response xml:

 

<Response xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_f852314a-7f5e-4308-a01f-66d20a8bbd96" Version="2.0" IssueInstant="2012-03-03T00:47:48Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://e4.localhost.com:80/samltester/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_f852314a-7f5e-4308-a01f-66d20a8bbd96">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>HPGYiDDltAsp9sb3pG7+rWSUS/o=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>mbwggKm66i0Zr4iMx7cV54tNAYCuKe7/57sdNB+gNQGsaMycrWKulg+lb600k25FAZd35HgERkdxQhxzRXQ5Bsj0Cih/lp72dCzVatdaS3Rq6vyhXDmJUY+2h3lxx2LSv9ZaB2n1Qf0nBk8yNbw9FwR02K9IylZ7Oo/MXEZ9NZQ=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>...</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
  <Assertion Version="2.0" ID="_0ca4a862-e9ed-4c2a-8c10-f1c5ff500e3c" IssueInstant="2012-03-03T00:47:48Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://e4.localhost.com:80/samltester/</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">brad.furdyk@evoco.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2012-03-03T01:47:48.0000000Z" Recipient="https://login.salesforce.com" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2012-03-03T00:47:48Z" NotOnOrAfter="2012-03-03T01:47:48Z">
      <AudienceRestriction>
        <Audience>https://saml.salesforce.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2012-03-03T00:47:48Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</Response>



  • March 02, 2012