Hardik Dhokai 8
SSO through SAML Assertion Flow implementation
Hello!
We are trying to implement SAML 2.0 assertion flow in c#.NET desktop application to allow user to login into Salesforce through his/her domain(Active Directory) credentials. To achieve this, we have done following things so far:
1. We have implemented Salesforce SSO (through ADFS 2.0 & SAML 2.0) and we are able to successfully login into salesforce from browser (Through Identity Provider(IdP) Initiated login approach). URL used in IdP initiated approach: https://adforsfsso.nifdc.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.salesforce.com
2. Now we are trying to implement SAML assertion flow (Reference URL: https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm) to allow user to login into Salesforce within custom c#.NET desktop based application through Salesforce SSO implemented in above point #1 (through user's domain(Active Directory) credentials).
3. We have followed steps given in SAML Assertion flow implementation document (Reference URL: https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm).
3.1 According to it, we need a valid Base-64 encoded, then URL encoded, SAML response that is normally used for web single sign-on. We have captured the SAML response from the Web SSO URL (https://adforsfsso.nifdc.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.salesforce.com) through Fiddler. Below is the Base64-decoded version of the SAML response we received from the Web SSO URL:

```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a811a056-b137-4f3e-a2c3-621301effbb1" Version="2.0" IssueInstant="2017-07-06T09:47:21.243Z" Destination="https://login.salesforce.com?so=00D410000012bMN" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d42ebb25-d1cb-4025-aad1-1fe282a9d30b" IssueInstant="2017-07-06T09:47:21.243Z" Version="2.0">
    <Issuer>http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_d42ebb25-d1cb-4025-aad1-1fe282a9d30b">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>gIcx+gPXCXxp30W9Fnc2mDvzbzo=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>dKcaZRut8Ebmry3fqRPiRyFEl7hdu1ntBkKKemYIS6dfEsXpCHmvoiOQEGHO1ft/h/TlKC7kZ/8sIgS3DU/b54PU4fN2+n3l1f8US+k282LLjAdXN9KeNeUbVvSD3F290p7ThKg+l0zgActQYnt2lEPsiGHt3Gw8v0tUogXS/3bljP0jnRyzX1meQ68qjWEthGUr11QzMENQSsCr51Qpb7TzofxWYKghgd8wYd2JXAtr5QHaiVlSyZHmPJjyZ8k+30oK7SGP+/i9gytr87Gy89aO+PYoWatSd0fa7/YJZZGGN/2r7fwUH0+S/5ZSOsnBY9K1WeDx5Zt1yApYjKSD/Q==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>niadmin@nifdc.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2017-07-06T09:52:21.243Z" Recipient="https://login.salesforce.com?so=00D410000012bMN" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2017-07-06T09:47:21.243Z" NotOnOrAfter="2017-07-06T10:47:21.243Z">
      <AudienceRestriction>
        <Audience>https://saml.salesforce.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2017-07-06T09:13:07.861Z" SessionIndex="_d42ebb25-d1cb-4025-aad1-1fe282a9d30b">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```
3.2 We have checked the above SAML response in the "SAML Validator Tool" available in the Salesforce org under "Setup -> Single Sign-on settings". It shows it as a correct SAML response. Please find below a screenshot of the same:
3.3 But when we POST the Base64-encoded SAML response to the OAuth 2.0 token endpoint (URL: https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN), it gives the following error in JSON format:

```json
{"error":"invalid_grant","error_uri":"https://na35.salesforce.com/setup/secur/SAMLValidationPage.apexp","error_description":"invalid assertion"}
```
We have used a simple form for now to POST the SAML Response. Below is the same:

```html
<html>
  <body>
    <form enctype="application/x-www-form-urlencoded" name="testform" action="https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN" method="POST">
      <input type="hidden" name="grant_type" value="assertion" />
      <input type="hidden" name="assertion_type" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
      <input type="hidden" name="format" value="json" />
      <input type="hidden" name="assertion" value="<<BASE64 ENCODED SAML RESPONSE >>" />
      <input type="submit" name="submit" value="Submit" />
    </form>
  </body>
</html>
```

Question / Help required:
1. Does anyone have any idea how to resolve this error? (invalid_grant)
2. If you have any valid SAML response, please share.
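As an added example (not code from the post, from Salesforce or from ADFS), the Python below performs the encoding step the HTML form above relies on (Base64 the whole response, then form-URL-encode it with the same four fields) and a pre-flight check on the bearer assertion itself: the posted response's SubjectConfirmationData expires five minutes after issuance, so a response captured in Fiddler and replayed later is rejected by any conforming token endpoint regardless of what the validator tool says about its structure. The sample response is constructed from the shape of the one posted (signature and certificate omitted), and the expected audience is an assumption.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the ADFS response in the post; signature and certificate are omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
  IssueInstant="2017-07-06T09:47:21.243Z" Destination="https://login.salesforce.com?so=00D410000012bMN">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" IssueInstant="2017-07-06T09:47:21.243Z" Version="2.0">
    <Subject><NameID>niadmin@nifdc.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2017-07-06T09:52:21.243Z" Recipient="https://login.salesforce.com?so=00D410000012bMN"/>
    </SubjectConfirmation></Subject>
    <Conditions NotBefore="2017-07-06T09:47:21.243Z" NotOnOrAfter="2017-07-06T10:47:21.243Z">
      <AudienceRestriction><Audience>https://saml.salesforce.com</Audience></AudienceRestriction></Conditions>
  </Assertion>
</samlp:Response>"""

def parse_iso(ts):
    # ADFS emits UTC timestamps with millisecond precision.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def preflight(xml_text, now, expected_audience):
    """List the reasons a token endpoint would reject this bearer assertion at time `now`."""
    root = ET.fromstring(xml_text)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if now >= parse_iso(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired: a captured response replayed this late is rejected")
    cond = assertion.find("saml:Conditions", NS)
    if now < parse_iso(cond.get("NotBefore")) or now >= parse_iso(cond.get("NotOnOrAfter")):
        problems.append("outside the Conditions validity window")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:  # expected audience is an assumption of this example
        problems.append(f"audience {audience!r} != {expected_audience!r}")
    return problems

def token_request_body(xml_text):
    """Base64 the whole response, then form-encode it with the fields used in the post's HTML form."""
    assertion = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"grant_type": "assertion", "format": "json",
        "assertion_type": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser", "assertion": assertion})

def decode_assertion(body):
    """Reverse the encoding: form-decode, then Base64-decode the assertion field back to XML."""
    return base64.b64decode(urllib.parse.parse_qs(body)["assertion"][0]).decode("utf-8")
```

Run `preflight` with the current UTC time just before POSTing; an empty list means the assertion's time window and audience are not the reason for the rejection, which narrows the search to signature and configuration issues.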
We have a similar scenario as above.
Please let me know if you found any solution around it.
Thanks & Regards,
Preeti
http://kjur.github.io/jsjws/tool_b64uenc.html
Ángel.
Facing same issue, does anybody know how to fix this or get it work?
Sharing snapshots of SAML assertion validator and postman API call.