• eburtsev
  • NEWBIE
  • 0 Points
  • Member since 2012

  • Chatter
    Feed
  • 0
    Best Answers
  • 1
    Likes Received
  • 0
    Likes Given
  • 1
    Questions
  • 0
    Replies

Hello all,

 

I try to login user using SAML but salesforce always return error: 

{"error_uri":"https://na4.salesforce.comnull/setup/secur/SAMLValidationPage.apexp","error":"invalid_grant","error_description":"invalid assertion"}

 

I've validated my assertion by validator and it doesn't return any errors:

Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Ok
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches, if provided
  Ok
10. Checking the Recipient
  Ok
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? true
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Ok

My assertion:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2012-09-05T10:51:05.308Z" Version="2.0">
	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">klkjiwhRLVPCGDVBUJET</saml2:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<ds:Reference URI="">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<ds:DigestValue>DtaxFPhNdZICs/lMWkc4HGoX1bU=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>Up/a92xmHWZnXc59NTAB163UBSWhkGilOVuEJqrkkgJhxAaBWgx2USi4+DzByCHrFWhadqsASrY4xZGZEXQUHJ/76vP1Nnqpf4CxBVxs7vm0CqDoP62gZQOpeu0fo50N6Sw7VQlkCkwI+yl8CQ/neDY97UrrS5QWfWA9PFiRh80=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIIBpzCCARCgAwIBAgIGATg3h50JMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMMDWdyZXl0b3dlci5jb20wHhcNMTIwNjI5MDkxNzEwWhcNMjIwNjI3MDkxNzEwWjAYMRYwFAYDVQQDDA1ncmV5dG93ZXIuY29tMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDHU9jmrF3yJUxQdllhIyUVqHiC5sOh4ynrulqoRSp3CK3PcO3Eee9vO3VYORGKh5fVHtxcX/GFp1N4Y5qtu+mGJoV6J5p/6sX4RV1gdTxkgf1P2jgPerTgTjHZc77apPw6gZ90qSnb0vIscaUgHpUQ/ZciSNamYsJDZ6NOlWZ5mQIBAzANBgkqhkiG9w0BAQUFAAOBgQA9Ge/k3c7nyXq9lO4Dr7J6WTFTFxKqmkH45drXuG8ll+Yx9wXsFjHMAeHWYeriOLGmjbv0y8IrXs0ovXKNDPNtnvscm0GbaVuZdAoWJyQSYB2reHxMNlHipGe7Oqt3yY+SFNgghcfIHnrPPxuk7oRoSlSHlAPchHZ3JOKd8l4Eig==</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<saml2p:Status>
		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</saml2p:Status>
	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="016580df-ea43-47e4-8137-474b7537f3bc" IssueInstant="2012-09-05T10:51:06.538Z" Version="2.0">
		<saml2:Issuer>klkjiwhRLVPCGDVBUJET</saml2:Issuer>
		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<ds:Reference URI="#016580df-ea43-47e4-8137-474b7537f3bc">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<ds:DigestValue>wmX1fXgQGgatpYRBgTwK+YmMgLg=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>IL2Ob4d2oIr2tzuM1cmsTi99zeOga698rRk6FJSo5ZHIcRnwtnLIpUOIyP+3h5eC27EB78T3DFlmZp7fdVP92pv+CDxVTETuBlNBeSTOG4FRlojdDEd+C24yeUP9h3TXMTmr//D/fX9DaHPgB/fwnG8a1OJhYYcgiaDo7IFeimQ=</ds:SignatureValue>
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>MIIBpzCCARCgAwIBAgIGATg3h50JMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMMDWdyZXl0b3dlci5jb20wHhcNMTIwNjI5MDkxNzEwWhcNMjIwNjI3MDkxNzEwWjAYMRYwFAYDVQQDDA1ncmV5dG93ZXIuY29tMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDHU9jmrF3yJUxQdllhIyUVqHiC5sOh4ynrulqoRSp3CK3PcO3Eee9vO3VYORGKh5fVHtxcX/GFp1N4Y5qtu+mGJoV6J5p/6sX4RV1gdTxkgf1P2jgPerTgTjHZc77apPw6gZ90qSnb0vIscaUgHpUQ/ZciSNamYsJDZ6NOlWZ5mQIBAzANBgkqhkiG9w0BAQUFAAOBgQA9Ge/k3c7nyXq9lO4Dr7J6WTFTFxKqmkH45drXuG8ll+Yx9wXsFjHMAeHWYeriOLGmjbv0y8IrXs0ovXKNDPNtnvscm0GbaVuZdAoWJyQSYB2reHxMNlHipGe7Oqt3yY+SFNgghcfIHnrPPxuk7oRoSlSHlAPchHZ3JOKd8l4Eig==</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</ds:Signature>
		<saml2:Subject>
			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" NameQualifier="Greytower" SPNameQualifier="https://saml.salesforce.com">eugene@burtsev.net</saml2:NameID>
			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml2:SubjectConfirmationData NotOnOrAfter="2012-09-05T11:01:06.538Z" Recipient="https://login.salesforce.com/services/oauth2/token"/>
			</saml2:SubjectConfirmation>
		</saml2:Subject>
		<saml2:Conditions NotBefore="2012-09-05T10:51:06.538Z" NotOnOrAfter="2012-09-05T11:01:06.538Z">
			<saml2:AudienceRestriction>
				<saml2:Audience>https://saml.salesforce.com</saml2:Audience>
			</saml2:AudienceRestriction>
		</saml2:Conditions>
		<saml2:AuthnStatement AuthnInstant="2012-09-05T10:51:06.540Z">
			<saml2:AuthnContext>
				<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
			</saml2:AuthnContext>
		</saml2:AuthnStatement>
	</saml2:Assertion>
</saml2p:Response>

 

I've used following request to https://login.salesforce.com/services/oauth2/token:

grant_type=assertion&assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprofiles%3ASSO%3Abrowser&assertion=<Base64EncodedAssertion>

Also I tried to send data in http form.

I tried to encode assertion in base64 and base64url, but I always got this error.

 

Can someone help me?

 

Hello all,

 

I try to login user using SAML but salesforce always return error: 

{"error_uri":"https://na4.salesforce.comnull/setup/secur/SAMLValidationPage.apexp","error":"invalid_grant","error_description":"invalid assertion"}

 

I've validated my assertion by validator and it doesn't return any errors:

Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Ok
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches, if provided
  Ok
10. Checking the Recipient
  Ok
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? true
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Ok

My assertion:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2012-09-05T10:51:05.308Z" Version="2.0">
	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">klkjiwhRLVPCGDVBUJET</saml2:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<ds:Reference URI="">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<ds:DigestValue>DtaxFPhNdZICs/lMWkc4HGoX1bU=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>Up/a92xmHWZnXc59NTAB163UBSWhkGilOVuEJqrkkgJhxAaBWgx2USi4+DzByCHrFWhadqsASrY4xZGZEXQUHJ/76vP1Nnqpf4CxBVxs7vm0CqDoP62gZQOpeu0fo50N6Sw7VQlkCkwI+yl8CQ/neDY97UrrS5QWfWA9PFiRh80=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIIBpzCCARCgAwIBAgIGATg3h50JMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMMDWdyZXl0b3dlci5jb20wHhcNMTIwNjI5MDkxNzEwWhcNMjIwNjI3MDkxNzEwWjAYMRYwFAYDVQQDDA1ncmV5dG93ZXIuY29tMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDHU9jmrF3yJUxQdllhIyUVqHiC5sOh4ynrulqoRSp3CK3PcO3Eee9vO3VYORGKh5fVHtxcX/GFp1N4Y5qtu+mGJoV6J5p/6sX4RV1gdTxkgf1P2jgPerTgTjHZc77apPw6gZ90qSnb0vIscaUgHpUQ/ZciSNamYsJDZ6NOlWZ5mQIBAzANBgkqhkiG9w0BAQUFAAOBgQA9Ge/k3c7nyXq9lO4Dr7J6WTFTFxKqmkH45drXuG8ll+Yx9wXsFjHMAeHWYeriOLGmjbv0y8IrXs0ovXKNDPNtnvscm0GbaVuZdAoWJyQSYB2reHxMNlHipGe7Oqt3yY+SFNgghcfIHnrPPxuk7oRoSlSHlAPchHZ3JOKd8l4Eig==</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<saml2p:Status>
		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</saml2p:Status>
	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="016580df-ea43-47e4-8137-474b7537f3bc" IssueInstant="2012-09-05T10:51:06.538Z" Version="2.0">
		<saml2:Issuer>klkjiwhRLVPCGDVBUJET</saml2:Issuer>
		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<ds:Reference URI="#016580df-ea43-47e4-8137-474b7537f3bc">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<ds:DigestValue>wmX1fXgQGgatpYRBgTwK+YmMgLg=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>IL2Ob4d2oIr2tzuM1cmsTi99zeOga698rRk6FJSo5ZHIcRnwtnLIpUOIyP+3h5eC27EB78T3DFlmZp7fdVP92pv+CDxVTETuBlNBeSTOG4FRlojdDEd+C24yeUP9h3TXMTmr//D/fX9DaHPgB/fwnG8a1OJhYYcgiaDo7IFeimQ=</ds:SignatureValue>
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>MIIBpzCCARCgAwIBAgIGATg3h50JMA0GCSqGSIb3DQEBBQUAMBgxFjAUBgNVBAMMDWdyZXl0b3dlci5jb20wHhcNMTIwNjI5MDkxNzEwWhcNMjIwNjI3MDkxNzEwWjAYMRYwFAYDVQQDDA1ncmV5dG93ZXIuY29tMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDHU9jmrF3yJUxQdllhIyUVqHiC5sOh4ynrulqoRSp3CK3PcO3Eee9vO3VYORGKh5fVHtxcX/GFp1N4Y5qtu+mGJoV6J5p/6sX4RV1gdTxkgf1P2jgPerTgTjHZc77apPw6gZ90qSnb0vIscaUgHpUQ/ZciSNamYsJDZ6NOlWZ5mQIBAzANBgkqhkiG9w0BAQUFAAOBgQA9Ge/k3c7nyXq9lO4Dr7J6WTFTFxKqmkH45drXuG8ll+Yx9wXsFjHMAeHWYeriOLGmjbv0y8IrXs0ovXKNDPNtnvscm0GbaVuZdAoWJyQSYB2reHxMNlHipGe7Oqt3yY+SFNgghcfIHnrPPxuk7oRoSlSHlAPchHZ3JOKd8l4Eig==</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</ds:Signature>
		<saml2:Subject>
			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" NameQualifier="Greytower" SPNameQualifier="https://saml.salesforce.com">eugene@burtsev.net</saml2:NameID>
			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml2:SubjectConfirmationData NotOnOrAfter="2012-09-05T11:01:06.538Z" Recipient="https://login.salesforce.com/services/oauth2/token"/>
			</saml2:SubjectConfirmation>
		</saml2:Subject>
		<saml2:Conditions NotBefore="2012-09-05T10:51:06.538Z" NotOnOrAfter="2012-09-05T11:01:06.538Z">
			<saml2:AudienceRestriction>
				<saml2:Audience>https://saml.salesforce.com</saml2:Audience>
			</saml2:AudienceRestriction>
		</saml2:Conditions>
		<saml2:AuthnStatement AuthnInstant="2012-09-05T10:51:06.540Z">
			<saml2:AuthnContext>
				<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
			</saml2:AuthnContext>
		</saml2:AuthnStatement>
	</saml2:Assertion>
</saml2p:Response>

 

I've used following request to https://login.salesforce.com/services/oauth2/token:

grant_type=assertion&assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprofiles%3ASSO%3Abrowser&assertion=<Base64EncodedAssertion>

Also I tried to send data in http form.

I tried to encode assertion in base64 and base64url, but I always got this error.

 

Can someone help me?