Unable to exchange a token with validated saml assertion
Hi, I hope to see if someone has experienced this before and knows a way to troubleshoot a SAML SSO problem we are experiencing.
We are building an SSO solution to support a community user accessing a protected community area through integration (no UI for the user to enter a password against the IdP; they are taken straight to the protected community site).
We built our IdP component to generate the SAML Response (signed and URL-encoded), which is validated successfully via the SAML Validator:
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Ok
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
Ok
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
11. Validating the Signature
Is the response signed? true
Is the assertion signed? false
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and Organization ID, if provided
Ok
14. Checking if session security level is valid, if provided
Ok
Subject: testuser@*****.com
AssertionId: _2faf8af5-8ea3-4848-bb7b-712dcb530623
However, we have been trying the following flows to exchange it for a token (with a different SSO setup for each), and we always see errors like the ones below.
- OAuth 2.0 SAML Bearer Assertion Flow
{"error":"invalid_grant","error_description":"invalid assertion"}
- SAML Assertion Flow
{"error":"unsupported_grant_type","error_description":"grant type not supported"}
We are not able to see any entries in the Login History regarding the above events, and with a seemingly valid SAML Response, how would you troubleshoot or investigate this? Thanks for your help in advance.
Mathew
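An added example, not code from the original post: a Python pre-flight check for the OAuth 2.0 SAML Bearer Assertion flow, which posts the Assertion element alone to the token endpoint, so a signature covering only the outer Response (what the validator output above reports: response signed, assertion not signed) never reaches it. The script parses a constructed sample Response, reports where the signature sits together with the Audience and Recipient values, and builds the form body for a signed Assertion; all URLs, IDs and the signature value are constructed placeholders.

```python
# Added example, not code from the original post. Checks a SAML Response the way
# the bearer flow will see it: only the <Assertion> element is posted to the
# token endpoint, so a signature on the outer <Response> alone (what the
# validator above reports) is never carried over. All URLs/IDs are constructed.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SIG = "<ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>"

def sample_assertion(signed: bool) -> str:
    """Constructed sample Assertion; the signature value is elided as '...'."""
    return (f'<saml:Assertion {XMLNS} ID="_a1">{SIG if signed else ""}'
            '<saml:Subject><saml:NameID>testuser@example.test</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            '<saml:SubjectConfirmationData Recipient="https://login.example.test/services/oauth2/token"/>'
            '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            '<saml:Audience>https://saml.example.test</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion>')

# Constructed Response mirroring the validator output: Response signed, Assertion not.
SAMPLE_RESPONSE = (f'<samlp:Response {XMLNS} ID="_r1">{SIG}'
                   + sample_assertion(signed=False) + "</samlp:Response>")

def inspect_response(xml_text: str) -> dict:
    """Report where the signature sits plus the Audience/Recipient the flow is checked against."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in Response")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "recipient": None if scd is None else scd.get("Recipient"),
    }

def bearer_token_form(assertion_xml: str) -> dict:
    """Build the token-endpoint form body from the Assertion bytes exactly as the IdP signed
    them (re-serialising would break the XML signature); refuse an unsigned Assertion."""
    if ET.fromstring(assertion_xml).find("ds:Signature", NS) is None:
        raise ValueError("Assertion carries no ds:Signature; the bearer flow sends only the Assertion")
    encoded = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return {"grant_type": SAML2_BEARER, "assertion": encoded.rstrip("=")}
```

Running `inspect_response` on a real Response before trying the token exchange shows immediately whether the Assertion itself is signed, which is the first thing to fix when the validator passes but the bearer flow returns invalid_grant.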