Emmanuel telmon

Why is the SAML response invalid?

Hi,

I received a successful login in the SAML Response using SAML SSO (SP originated).

But I do not understand why the SAML Response validator tool (on the SF website) returns the following:
invalid_grant, invalid assertion

What is wrong with the following SAML Response?

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://zimit.dyndns.biz:5000/acs" ID="_b4f506626f60836832fec8afe3a6e43c1560292940423" InResponseTo="_97d26c1d-f354-4d98-af9f-e473a8021ed2" IssueInstant="2019-06-11T22:42:20.423Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://zimit-dev-ed.my.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_b4f506626f60836832fec8afe3a6e43c1560292940423">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>psjhGPpxucOBnXvtzOJz6eP+QyM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Q1TomO/zVxOFx89xE0wKg53CzFk6jfBk/hjbOILSIoZbgpbLWmLPUSUhQdVGFn4M1ofdw4gw7kbX
in7Ir56TuKGqMINRfK9bzk52x+z1Ma9tp0bmSoSB6Si7U2GCrDMezDcU4T0zEm+zOPg1rgcE6Xit
kndjpbXWSkwUvM2CTPkf8R5/5gIFGvAKmmGs6s4hyxs8ytAA4D31LOk4nT4gH/MFeyvcA+b5O8oy
TkRmi4EX5dmzgVeLC/H5v2xCDsBsEKTwcRa5sIpu0xxslvqv7EQJKn9zYTpi0JTHfc9DR/NnWaQH
9PCBhi0f4njazX2jNZ6NqiDpfGkMxNyCi9rNeg==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIEgTCCA2mgAwIBAgIOAWdQmsavAAAAADtTBpYwDQYJKoZIhvcNAQELBQAwgYIxGjAYBgNVBAMM
EVppbWl0X1NTXzExXzI2XzE4MRgwFgYDVQQLDA8wMEQzNjAwMDAwMFp0SXExFzAVBgNVBAoMDlNh
bGVzZm9yY2UuY29tMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQswCQYDVQQIDAJDQTEMMAoGA1UE
BhMDVVNBMB4XDTE4MTEyNjE1MTkzOVoXDTE5MTEyNjEyMDAwMFowgYIxGjAYBgNVBAMMEVppbWl0
X1NTXzExXzI2XzE4MRgwFgYDVQQLDA8wMEQzNjAwMDAwMFp0SXExFzAVBgNVBAoMDlNhbGVzZm9y
Y2UuY29tMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQswCQYDVQQIDAJDQTEMMAoGA1UEBhMDVVNB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutF5Z7nKVe57tAxckUjf3uU+5bzP7+8R
NUNlmp49LKz9TQEHu98K8TRNjLll8LiyKWx1ETHQd7He5yo0Mb8TSLd+LZ+8lhw3BzO13/BrQWN6
4YBlaJptHCRWlKh/qjLZq2ctVztUZ8GkaUPM+Xu8gJYXxqOm4vcCeC0G0uKDHZFn23ZftLseFI2K
5krG3aFZX4SOOsFF0gyV2rynNpaaAFegShweqLY9cRGbjAGSaTT7BwFxU0cTrAUzDs7EsQYiOKIG
jSDjqE4QR3FfSsSCP6a0KHT4WwHHzdNHTLcQo2BPnsnwI1f+eK03wRIkomqW2qtvK2XiYC/PjUqp
89ygnQIDAQABo4HyMIHvMB0GA1UdDgQWBBRDqm9UpG3NeCtbDE7/xTGup9ogpTAPBgNVHRMBAf8E
BTADAQH/MIG8BgNVHSMEgbQwgbGAFEOqb1Skbc14K1sMTv/FMa6n2iCloYGIpIGFMIGCMRowGAYD
VQQDDBFaaW1pdF9TU18xMV8yNl8xODEYMBYGA1UECwwPMDBEMzYwMDAwMDBadElxMRcwFQYDVQQK
DA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAK
BgNVBAYTA1VTQYIOAWdQmsavAAAAADtTBpYwDQYJKoZIhvcNAQELBQADggEBAGBpLAJax4efGSlH
8V6M24q/6Tm5Li8S6/s925/LVjooqonqsqqsemaR13Bxq6GIszHOJIU1BiyB9kxnMcxFsOfyorR7
oNfc5RvfjSNn8QRHy/xpDBOtx/QBEuOWKPwDqV3fXiMStNEN3NMiX/t2RepnZle45tMiPi/vnWsa
n9EnYxlNcRmfan+liRYL+KFsIY2BycyHugyzpMAwjsRZPYhPxYewtyQj0RUV3mb0wNgjiCDKydPX
KmNDwTMb0a9erjEJ7twttBsE7/AwLNO3Y3a+Kbhh2+3LLxJ5DQmGZorfZoLz3dVJHYbLFO4y13mK
wwSxIPoCRT+LjG3cfcu/0js=
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_729b075a9ae3301514cbeb7db39f204e1560292940423" IssueInstant="2019-06-11T22:42:20.423Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://zimit-dev-ed.my.salesforce.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_729b075a9ae3301514cbeb7db39f204e1560292940423">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>aYZmrvjN40qDA0gB2Y7ml69YNms=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
gcAkJTW8vY1E3pIY595NWPvNHKYQQwhXdIT5U8HheS/Q58WWkVbc1ef2wsYKHjOBBzJKC04YQu8J
ODYxpB9sZ9PW3YyWwq6XJssmv9+H9J+n1jZL/yomZI98yTIwhmK/YY6YWW+lnLgMAcna0iqtb+la
XqP+wNQnLhG3tuyIFkde4jNzg52ToS8ntPqTksVeXeJ0cdD73LyFJpxBVmCGtTMvkZrGgiMMIL4J
Ysw5ny5mfTZf66vRsX5oUklHXP41Iluj/NQaNf4IiVYZHiQV1Paimvh4pDMWhszazZxpBhXWXHFw
y43KwcagIbXI/1LRjYaovMAD63VkSnC8bOtqUA==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIEgTCCA2mgAwIBAgIOAWdQmsavAAAAADtTBpYwDQYJKoZIhvcNAQELBQAwgYIxGjAYBgNVBAMM
EVppbWl0X1NTXzExXzI2XzE4MRgwFgYDVQQLDA8wMEQzNjAwMDAwMFp0SXExFzAVBgNVBAoMDlNh
bGVzZm9yY2UuY29tMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQswCQYDVQQIDAJDQTEMMAoGA1UE
BhMDVVNBMB4XDTE4MTEyNjE1MTkzOVoXDTE5MTEyNjEyMDAwMFowgYIxGjAYBgNVBAMMEVppbWl0
X1NTXzExXzI2XzE4MRgwFgYDVQQLDA8wMEQzNjAwMDAwMFp0SXExFzAVBgNVBAoMDlNhbGVzZm9y
Y2UuY29tMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQswCQYDVQQIDAJDQTEMMAoGA1UEBhMDVVNB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutF5Z7nKVe57tAxckUjf3uU+5bzP7+8R
NUNlmp49LKz9TQEHu98K8TRNjLll8LiyKWx1ETHQd7He5yo0Mb8TSLd+LZ+8lhw3BzO13/BrQWN6
4YBlaJptHCRWlKh/qjLZq2ctVztUZ8GkaUPM+Xu8gJYXxqOm4vcCeC0G0uKDHZFn23ZftLseFI2K
5krG3aFZX4SOOsFF0gyV2rynNpaaAFegShweqLY9cRGbjAGSaTT7BwFxU0cTrAUzDs7EsQYiOKIG
jSDjqE4QR3FfSsSCP6a0KHT4WwHHzdNHTLcQo2BPnsnwI1f+eK03wRIkomqW2qtvK2XiYC/PjUqp
89ygnQIDAQABo4HyMIHvMB0GA1UdDgQWBBRDqm9UpG3NeCtbDE7/xTGup9ogpTAPBgNVHRMBAf8E
BTADAQH/MIG8BgNVHSMEgbQwgbGAFEOqb1Skbc14K1sMTv/FMa6n2iCloYGIpIGFMIGCMRowGAYD
VQQDDBFaaW1pdF9TU18xMV8yNl8xODEYMBYGA1UECwwPMDBEMzYwMDAwMDBadElxMRcwFQYDVQQK
DA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAK
BgNVBAYTA1VTQYIOAWdQmsavAAAAADtTBpYwDQYJKoZIhvcNAQELBQADggEBAGBpLAJax4efGSlH
8V6M24q/6Tm5Li8S6/s925/LVjooqonqsqqsemaR13Bxq6GIszHOJIU1BiyB9kxnMcxFsOfyorR7
oNfc5RvfjSNn8QRHy/xpDBOtx/QBEuOWKPwDqV3fXiMStNEN3NMiX/t2RepnZle45tMiPi/vnWsa
n9EnYxlNcRmfan+liRYL+KFsIY2BycyHugyzpMAwjsRZPYhPxYewtyQj0RUV3mb0wNgjiCDKydPX
KmNDwTMb0a9erjEJ7twttBsE7/AwLNO3Y3a+Kbhh2+3LLxJ5DQmGZorfZoLz3dVJHYbLFO4y13mK
wwSxIPoCRT+LjG3cfcu/0js=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">etelmon@zimit.io</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_97d26c1d-f354-4d98-af9f-e473a8021ed2" NotOnOrAfter="2019-06-11T22:47:20.423Z" Recipient="http://zimit.dyndns.biz:5000/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-06-11T22:41:50.423Z" NotOnOrAfter="2019-06-11T22:47:20.423Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://zimit-dev-ed.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-06-11T22:42:20.423Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00536000005dfvk</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">etelmon@zimit.io</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">etelmon@zimit.io</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Regards,

Emmanuel
Raj Vakati
Can you please use the Validating SAML Settings for Single Sign-On

https://help.salesforce.com/articleView?id=sso_saml_validation.htm&type=5
Emmanuel telmon
Hi, That is the issue. The validator returns the following and there is no error in the login history.

Results
*Unexpected Exceptions* Unable to load a config from the assertion's issuer and audience
*1. Validating the Status* Unknown
*2. Looking for an Authentication Statement* Unknown
*3. Looking for a Conditions statement* Unknown
*4. Checking that the timestamps in the assertion are valid* Unknown
*5. Checking that the Attribute namespace matches, if provided* Unknown
*6. Miscellaneous format confirmations* Unknown
*7. Confirming Issuer matches* Unknown
*8. Confirming a Subject Confirmation was provided and contains valid timestamps* Unknown
*9. Checking that the Audience matches* Unknown
*10. Checking the Recipient* Unknown
*11. Validating the Signature* Unknown
*12. Checking that the Site URL Attribute contains a valid site url, if provided* Unknown
*13. Looking for portal and organization id, if provided* Unknown
*14. Checking if session security level is valid, if provided* Unknown