Hardik Dhokai 8

SSO through SAML Assertion Flow implementation

Hello!
We are trying to implement the SAML 2.0 assertion flow in a C#.NET desktop application to allow users to log in to Salesforce with their domain (Active Directory) credentials. To achieve this, we have done the following so far:

1. We have implemented Salesforce SSO (through ADFS 2.0 & SAML 2.0) and we are able to successfully log in to Salesforce from a browser (through the Identity Provider (IdP) initiated login approach). URL used in the IdP-initiated approach: https://adforsfsso.nifdc.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.salesforce.com

2. Now we are trying to implement the SAML assertion flow (Reference URL: https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm) to allow users to log in to Salesforce from within a custom C#.NET desktop application through the Salesforce SSO implemented in point #1 above (with the user's domain (Active Directory) credentials).

3. We have followed the steps given in the SAML Assertion flow implementation document (Reference URL: https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm).
    3.1 According to it, we need a valid Base-64 encoded, then URL encoded, SAML response that is normally used for web single sign-on. We have captured the SAML response from the Web SSO URL (https://adforsfsso.nifdc.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.salesforce.com) through Fiddler. Below is the Base64-decoded version of the SAML response we received from the Web SSO URL:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a811a056-b137-4f3e-a2c3-621301effbb1" Version="2.0" IssueInstant="2017-07-06T09:47:21.243Z" Destination="https://login.salesforce.com?so=00D410000012bMN" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
            <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
            <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
            </samlp:Status>
            <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d42ebb25-d1cb-4025-aad1-1fe282a9d30b" IssueInstant="2017-07-06T09:47:21.243Z" Version="2.0">
                <Issuer>http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
                <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <ds:Reference URI="#_d42ebb25-d1cb-4025-aad1-1fe282a9d30b">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <ds:DigestValue>gIcx+gPXCXxp30W9Fnc2mDvzbzo=</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>dKcaZRut8Ebmry3fqRPiRyFEl7hdu1ntBkKKemYIS6dfEsXpCHmvoiOQEGHO1ft/h/TlKC7kZ/8sIgS3DU/b54PU4fN2+n3l1f8US+k282LLjAdXN9KeNeUbVvSD3F290p7ThKg+l0zgActQYnt2lEPsiGHt3Gw8v0tUogXS/3bljP0jnRyzX1meQ68qjWEthGUr11QzMENQSsCr51Qpb7TzofxWYKghgd8wYd2JXAtr5QHaiVlSyZHmPJjyZ8k+30oK7SGP+/i9gytr87Gy89aO+PYoWatSd0fa7/YJZZGGN/2r7fwUH0+S/5ZSOsnBY9K1WeDx5Zt1yApYjKSD/Q==</ds:SignatureValue>
                    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Data>
                            <ds:X509Certificate>[X.509 certificate omitted]</ds:X509Certificate>
                        </ds:X509Data>
                    </KeyInfo>
                </ds:Signature>
                <Subject>
                    <NameID>niadmin@nifdc.com</NameID>
                    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        <SubjectConfirmationData NotOnOrAfter="2017-07-06T09:52:21.243Z" Recipient="https://login.salesforce.com?so=00D410000012bMN" />
                    </SubjectConfirmation>
                </Subject>
                <Conditions NotBefore="2017-07-06T09:47:21.243Z" NotOnOrAfter="2017-07-06T10:47:21.243Z">
                    <AudienceRestriction>
                        <Audience>https://saml.salesforce.com</Audience>
                    </AudienceRestriction>
                </Conditions>
                <AuthnStatement AuthnInstant="2017-07-06T09:13:07.861Z" SessionIndex="_d42ebb25-d1cb-4025-aad1-1fe282a9d30b">
                    <AuthnContext>
                        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
                    </AuthnContext>
                </AuthnStatement>
            </Assertion>
        </samlp:Response>

    3.2 We have checked the above SAML response in the "SAML Validator Tool" available in the Salesforce org under "Setup -> Single Sign-on settings". It shows it as a correct SAML response. Please find below a screenshot of the same:
[Screenshot: SAML Validator result of SAMLResponse received from Web SSO URL]
    
    3.3 But when we POST the Base64 encoded SAML response to the OAuth 2.0 token endpoint (URL: https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN), it returns the following error in JSON format:
{"error":"invalid_grant","error_uri":"https://na35.salesforce.com/setup/secur/SAMLValidationPage.apexp","error_description":"invalid assertion"}

We have used a simple form for now to POST the SAML Response. Below is the same:
<html>
<body>
	<form enctype="application/x-www-form-urlencoded" name="testform" action="https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN" method="POST">
	<input type="hidden" name="grant_type" value="assertion" />
	<input type="hidden" name="assertion_type" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
	<input type="hidden" name="format" value="json" />
	<input type="hidden" name="assertion" value="<<BASE64 ENCODED SAML RESPONSE >>" />
	<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
Question / Help required:
1. Does anyone have any idea how to resolve this error (invalid_grant)?
2. If you have any valid SAML response, please share.
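A pre-flight check and request-body builder for the assertion flow described in this post; this is an added example, not the poster's C# code or Salesforce's own validation logic. It parses a constructed copy of the quoted response (Signature, Status and Issuer left out), reports where Recipient and Destination differ from the URL being posted to and whether the five-minute bearer window or the Conditions window has passed, and builds the token request body with standard base64 followed by form URL encoding, as the referenced document describes. The check list is my assumption of what is worth verifying before the POST.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN"
ASSERTION_TYPE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser"
# Constructed sample: the response quoted in the post without its Signature,
# Status and Issuer elements; every attribute value is taken from the post.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" '
    'Destination="https://login.salesforce.com?so=00D410000012bMN">'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><Subject>'
    '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<SubjectConfirmationData NotOnOrAfter="2017-07-06T09:52:21.243Z" '
    'Recipient="https://login.salesforce.com?so=00D410000012bMN"/></SubjectConfirmation>'
    '</Subject><Conditions NotBefore="2017-07-06T09:47:21.243Z" '
    'NotOnOrAfter="2017-07-06T10:47:21.243Z"><AudienceRestriction>'
    '<Audience>https://saml.salesforce.com</Audience></AudienceRestriction></Conditions></Assertion></samlp:Response>')

def parse_ts(s):
    # timestamps in the post are UTC with a millisecond fraction and a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def preflight(xml_text, endpoint, now):
    """Checks assumed useful before posting a captured response (not Salesforce's rules)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", SAML)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML)
    cond = assertion.find("saml:Conditions", SAML)
    findings = []
    if scd.get("Recipient") != endpoint:
        findings.append("Recipient differs from the URL being posted to")
    if root.get("Destination") != endpoint:
        findings.append("Destination differs from the URL being posted to")
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        findings.append("bearer SubjectConfirmationData has expired")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        findings.append("outside the Conditions validity window")
    return findings

def token_request_body(xml_text):
    """Standard base64 of the raw XML, then form (URL) encoding of the whole body."""
    assertion = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urlencode({"grant_type": "assertion", "assertion_type": ASSERTION_TYPE, "format": "json", "assertion": assertion})

def assertion_from_body(body):
    """Reverse of token_request_body: recover the XML from a posted form body."""
    return base64.b64decode(parse_qs(body)["assertion"][0]).decode("utf-8")
```

urlencode performs the URL-encoding step itself, exactly as a browser does for the hidden field in the form above, so the assertion value must not be URL-encoded before it is placed in the form.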
Preeti Agarwal
Hi Hardik,

We have a similar scenario as above.
Please let me know if you found any solution around it.

Thanks & Regards,
Preeti
Angel del Olmo
Have you tested with base64url encoding?

    http://kjur.github.io/jsjws/tool_b64uenc.html

Ángel.
Bhushan Burujwale

Facing the same issue, does anybody know how to fix this or get it to work?

Sharing snapshots of SAML assertion validator and postman API call.
Ugur Kaya
Any updates on this issue?