OAuth2 SAML Assertion not working
Hi,
We are trying to implement the SAML 2.0 assertion flow to allow users to log in to the Salesforce API through OAuth2 authentication, with the grant type as saml2.0.
We have configured SSO and a connected app, also configured the SAML assertion XML, and validated it through the Salesforce SAML assertion validator. But while using the Base64-encoded SAML assertion, it says "Invalid assertion".
Below is the assertion XML and its validation snapshot:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://atul-sail-dev-ed.my.salesforce.com?so=00Di0000000bTeC" ID="_45c6e79c-22b5a965" IssueInstant="2020-06-11T13:20:25.965Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://atul-sail-dev-ed.my.salesforce.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <ds:Reference URI="#_45c6e79c-22b5a965">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>kKeZRO84Eki3ZgHk6Qhs8q3gtgM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>K1fRatNZnDDavMGEwEaP5YsJ2ISUAdgvcOsnC4vAkgQZ+uccQ7U4aQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIID0zCCA5GgAwIBAgIEF/uFITALBgcqhkjOOAQDBQAwgboxCzAJBgNVBAYTAlVTMQswCQYDVQQI EwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJQXhpb20gU1NPMVEwTwYDVQQL E0hGT1IgREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZLiBETyBOT1QgVVNFIEZPUiBQUk9EVUNU SU9OIEVOVklST05NRU5UUy4xHzAdBgNVBAMTFkF4aW9tIERlbW8gQ2VydGlmaWNhdGUwHhcNMTQw NjIwMDQzMDI3WhcNNDExMTA1MDQzMDI3WjCBujELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlBeGlvbSBTU08xUTBPBgNVBAsTSEZPUiBE RU1PTlNUUkFUSU9OIFBVUlBPU0VTIE9OTFkuIERPIE5PVCBVU0UgRk9SIFBST0RVQ1RJT04gRU5W SVJPTk1FTlRTLjEfMB0GA1UEAxMWQXhpb20gRGVtbyBDZXJ0aWZpY2F0ZTCCAbgwggEsBgcqhkjO OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1 ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMC NVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozI puE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtV JWQBTDv+z0kqA4GFAAKBgQCXr1mp4UvByY6dGbDOyq3wMs6O7MCxmEkU2x32AkEp6s7Xfiy3MYwK wZQ4sL4BmQYzZ7QOXPP8dKgrKDQKLk9tXWOgvIoOCiNAdQDYlRm2sYgrI2SUcyM1bKDqLwDD8Z5O oLeuQAtgMfAq/f1C6nREWrQudPxOwaoNdHkYcR+066MhMB8wHQYDVR0OBBYEFE2JAc97wfHK5b42 nKbANn4SMcqcMAsGByqGSM44BAMFAAMvADAsAhR+Cjvp8UwNgKHfx2PWJoRi0/1q8AIUNhTXWlGz J3SdBlgRsdFgKyFtcxE=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b1cff0c-7976cd78" IssueInstant="2020-06-11T13:20:25.965Z" Version="2.0">
    <saml2:Issuer>https://atul-sail-dev-ed.my.salesforce.com</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bhushan.burujwale@36demo.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2020-06-11T13:21:25.965Z" Recipient="https://atul-sail-dev-ed.my.salesforce.com?so=00Di0000000bTeC"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-06-11T13:20:25.965Z" NotOnOrAfter="2020-06-11T13:21:25.965Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://saml.salesforce.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-06-11T13:20:25.965Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://sfsamlappgrant.herokuapp.com/RequestSamlResponse.action</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://atul-sail-dev-ed.my.salesforce.com/services/auth/sp/saml2/logout</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
But its Base64-encoded value is not working with the request:
Base64 SAML assertion:
Can someone please help me with this? How can I get the assertion working?
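A pre-flight check for this flow, added here as an example (not code from the original post, from Salesforce, or from any validator): it parses the Response shape shown above, reports the conditions a bearer assertion fails before the token endpoint ever sees it (validity window with clock skew, Audience, Recipient, presence and algorithm of the signature), and builds the token request body. The token endpoint URL used as the expected Recipient is an assumption, as is base64url for the assertion parameter (what RFC 7522 specifies); confirm both against the vendor documentation.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://atul-sail-dev-ed.my.salesforce.com/services/oauth2/token"  # assumed
AUDIENCE = "https://saml.salesforce.com"  # the Audience the posted assertion carries
def _ts(value):  # SAML timestamps are UTC ISO 8601 with milliseconds, e.g. 2020-06-11T13:20:25.965Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
def check_assertion(xml_text, now, skew_seconds=0):
    """List the reasons the bearer assertion would be rejected at time `now` (datetime or SAML timestamp)."""
    now, skew = (_ts(now) if isinstance(now, str) else now), timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    # Accept a bare <saml2:Assertion> or, as in the post, a <saml2p:Response> wrapping one.
    a = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if a is None:
        return ["no saml2:Assertion element found"]
    problems = []
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    elif not _ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew:
        problems.append("outside the Conditions validity window (check clock skew)")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS) != AUDIENCE:
        problems.append("Audience is not " + AUDIENCE)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != TOKEN_ENDPOINT:
        problems.append("Recipient is not the token endpoint " + TOKEN_ENDPOINT)
    sig = a.find("ds:Signature", NS)
    if sig is None:  # the posted XML signs the Response rather than the Assertion
        sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    elif sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm", "").endswith("sha1"):
        problems.append("signature uses SHA-1; prefer rsa-sha256")
    return problems
def token_request_body(xml_text):
    # RFC 7522 specifies base64url for the assertion parameter; urlencode percent-encodes the padding.
    assertion = base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})
# Constructed sample (not the poster's XML): unsigned, 60 s validity window, correct Recipient.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0"
  IssueInstant="2020-06-11T13:20:25.965Z"><saml2:Subject><saml2:SubjectConfirmation>
  <saml2:SubjectConfirmationData Recipient="%s"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2020-06-11T13:20:25.965Z" NotOnOrAfter="2020-06-11T13:21:25.965Z">
  <saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions></saml2:Assertion>""" % (TOKEN_ENDPOINT, AUDIENCE)
```

Run `check_assertion` against the real Response with the current UTC time a few seconds after it was issued; a 60-second window like the one above is easily missed once clock drift and transport delay are added.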
The below answers your query:
https://salesforce.stackexchange.com/questions/198011/possible-causes-of-invalid-assertion-error-in-saml-assertion-oauth-flow
I hope you find the above information helpful. If it does, please mark it as Best Answer to help others too.
Thanks.
Hi Abhishek,
I went through the link you provided; I have already done the steps provided there. I even tried the Salesforce SAML Assertion Validator for the generated assertion, and as per that everything was valid. You can find a snapshot of the same in my question.
Any more suggestions?
Thanks.