+ Start a Discussion
Bhushan burujwaleBhushan burujwale 

Oauth2 SAML Assertion not working

Hi,
We are trying to implement SAML 2.0 assertion flow to allow user to login into Salesforce API through Oauth2 authentication, and grant type as saml2.0.

We have configured SSO and connected app, also configured SAML assertion XML, and validated it though salesforce SAML assertion validator. But while using Base46 encoded saml assertion, it says "Invalid assertion".

Below is the assertion XML and its validation snapshot:

<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://atul-sail-dev-ed.my.salesforce.com?so=00Di0000000bTeC" ID="_45c6e79c-22b5a965" IssueInstant="2020-06-11T13:20:25.965Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://atul-sail-dev-ed.my.salesforce.com</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/><ds:Reference URI="#_45c6e79c-22b5a965"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>kKeZRO84Eki3ZgHk6Qhs8q3gtgM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>K1fRatNZnDDavMGEwEaP5YsJ2ISUAdgvcOsnC4vAkgQZ+uccQ7U4aQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID0zCCA5GgAwIBAgIEF/uFITALBgcqhkjOOAQDBQAwgboxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJQXhpb20gU1NPMVEwTwYDVQQL
E0hGT1IgREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZLiBETyBOT1QgVVNFIEZPUiBQUk9EVUNU
SU9OIEVOVklST05NRU5UUy4xHzAdBgNVBAMTFkF4aW9tIERlbW8gQ2VydGlmaWNhdGUwHhcNMTQw
NjIwMDQzMDI3WhcNNDExMTA1MDQzMDI3WjCBujELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKEwlBeGlvbSBTU08xUTBPBgNVBAsTSEZPUiBE
RU1PTlNUUkFUSU9OIFBVUlBPU0VTIE9OTFkuIERPIE5PVCBVU0UgRk9SIFBST0RVQ1RJT04gRU5W
SVJPTk1FTlRTLjEfMB0GA1UEAxMWQXhpb20gRGVtbyBDZXJ0aWZpY2F0ZTCCAbgwggEsBgcqhkjO
OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1
ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMC
NVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW
mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozI
puE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtV
JWQBTDv+z0kqA4GFAAKBgQCXr1mp4UvByY6dGbDOyq3wMs6O7MCxmEkU2x32AkEp6s7Xfiy3MYwK
wZQ4sL4BmQYzZ7QOXPP8dKgrKDQKLk9tXWOgvIoOCiNAdQDYlRm2sYgrI2SUcyM1bKDqLwDD8Z5O
oLeuQAtgMfAq/f1C6nREWrQudPxOwaoNdHkYcR+066MhMB8wHQYDVR0OBBYEFE2JAc97wfHK5b42
nKbANn4SMcqcMAsGByqGSM44BAMFAAMvADAsAhR+Cjvp8UwNgKHfx2PWJoRi0/1q8AIUNhTXWlGz
J3SdBlgRsdFgKyFtcxE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b1cff0c-7976cd78" IssueInstant="2020-06-11T13:20:25.965Z" Version="2.0"><saml2:Issuer>https://atul-sail-dev-ed.my.salesforce.com</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bhushan.burujwale@36demo.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2020-06-11T13:21:25.965Z" Recipient="https://atul-sail-dev-ed.my.salesforce.com?so=00Di0000000bTeC"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2020-06-11T13:20:25.965Z" NotOnOrAfter="2020-06-11T13:21:25.965Z"><saml2:AudienceRestriction><saml2:Audience>https://saml.salesforce.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2020-06-11T13:20:25.965Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://sfsamlappgrant.herokuapp.com/RequestSamlResponse.action</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://atul-sail-dev-ed.my.salesforce.com/services/auth/sp/saml2/logout</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
 

User-added image


But its Base64 encoded value is not working with request:

User-added image
Base64 saml assertion:

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIERlc3RpbmF0aW9uPSJodHRwczovL2F0dWwtc2FpbC1kZXYtZWQubXkuc2FsZXNmb3JjZS5jb20/c289MDBEaTAwMDAwMDBiVGVDIiBJRD0iXzQ1YzZlNzljLTIyYjVhOTY1IiBJc3N1ZUluc3RhbnQ9IjIwMjAtMDYtMTFUMTM6MjA6MjUuOTY1WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL2F0dWwtc2FpbC1kZXYtZWQubXkuc2FsZXNmb3JjZS5jb208L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZHNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI180NWM2ZTc5Yy0yMmI1YTk2NSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmtLZVpSTzg0RWtpM1pnSGs2UWhzOHEzZ3RnTT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+SzFmUmF0TlpuRERhdk1HRXdFYVA1WXNKMklTVUFkZ3ZjT3NuQzR2QWtnUVordWNjUTdVNGFRPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUQwekNDQTVHZ0F3SUJBZ0lFRi91RklUQUxCZ2NxaGtqT09BUURCUUF3Z2JveEN6QUpCZ05WQkFZVEFsVlRNUXN3Q1FZRFZRUUkKRXdKRFFURVdNQlFHQTFVRUJ4TU5VMkZ1SUVaeVlXNWphWE5qYnpFU01CQUdBMVVFQ2hNSlFYaHBiMjBnVTFOUE1WRXdUd1lEVlFRTApFMGhHVDFJZ1JFVk5UMDVUVkZKQlZFbFBUaUJRVlZKUVQxTkZVeUJQVGt4WkxpQkVUeUJPVDFRZ1ZWTkZJRVpQVWlCUVVrOUVWVU5VClNVOU9JRVZPVmtsU1QwNU5SVTVVVXk0eEh6QWRCZ05WQkFNVEZrRjRhVzl0SUVSbGJXOGdRMlZ5ZEdsbWFXTmhkR1V3SGhjTk1UUXcKTmpJd01EUXpNREkzV2hjTk5ERXhNVEExTURRek1ESTNXakNCdWpFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05CTVJZdwpGQVlEVlFRSEV3MVRZVzRnUm5KaGJtTnBjMk52TVJJd0VBWURWUVFLRXdsQmVHbHZiU0JUVTA4eFVUQlBCZ05WQkFzVFNFWlBVaUJFClJVMVBUbE5VVWtGVVNVOU9JRkJWVWxCUFUwVlRJRTlPVEZrdUlFUlBJRTVQVkNCVlUwVWdSazlTSUZCU1QwUlZRMVJKVDA0Z1JVNVcKU1ZKUFRrMUZUbFJUTGpFZk1CMEdBMVVFQXhNV1FYaHBiMjBnUkdWdGJ5QkRaWEowYVdacFkyRjBaVENDQWJnd2dnRXNCZ2NxaGtqTwpPQVFCTUlJQkh3S0JnUUQ5ZjFPQkhYVVNLVkxmU3B3dTdPVG45aEczVWp6dlJBRERIaitBdGxFbWFVVmRRQ0pSKzFrOWpWajZ2OFgxCnVqRDJ5NXRWYk5lQk80QWRORy95Wm1DM2E1bFFwYVNmbitnRWV4QWl3ays3cWRmK3Q4WWIrRHRYNThhb3BoVVBCUHVEOXRQRkhzTUMKTlZRVFdoYVJNdloxODY0cllkY3E3L0lpQXhtZDBVZ0J4d0lWQUpkZ1VJOFZJd3ZNc3BLNWdxTHJoQXZ3V0J6MUFvR0JBUGZob0lYVwptejNleTd5clhEYTRWN2w1bEsrNytqcnFndmxYVEFzOUI0Sm5VVmxYanJyVVdVL21jUWNRZ1lDMFNSWnhJK2hNS0JZVHQ4OEpNb3pJCnB1RThGbnFMVkh5TktPQ2pyaDRyczZaMWtXNmpmd3Y2SVRWaThmdGllZ0VrTzh5azhiNm9VWkNKcUlQZjRWcmxud2FTaTJaZWdIdFYKSldRQlREdit6MGtxQTRHRkFBS0JnUUNYcjFtcDRVdkJ5WTZkR2JET3lxM3dNczZPN01DeG1Fa1UyeDMyQWtFcDZzN1hmaXkzTVl3Swp3WlE0c0w0Qm1RWXpaN1FPWFBQOGRLZ3JLRFFLTGs5dFhXT2d2SW9PQ2lOQWRRRFlsUm0yc1lnckkyU1VjeU0xYktEcUx3REQ4WjVPCm9MZXVRQXRnTWZBcS9mMUM2blJFV3JRdWRQeE93YW9OZEhrWWNSKzA2Nk1oTUI4d0hRWURWUjBPQkJZRUZFMkpBYzk3d2ZISzViNDIKbktiQU5uNFNNY3FjTUFzR0J5cUdTTTQ0QkFNRkFBTXZBREFzQWhSK0NqdnA4VXdOZ0tIZngyUFdKb1JpMC8xcThBSVVOaFRYV2xHegpKM1NkQmxnUnNkRmdLeUZ0Y3hFPTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfYjFjZmYwYy03OTc2Y2Q3OCIgSXNzdWVJbnN0YW50PSIyMDIwLTA2LTExVDEzOjIwOjI1Ljk2NVoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3Vlcj5odHRwczovL2F0dWwtc2FpbC1kZXYtZWQubXkuc2FsZXNmb3JjZS5jb208L3NhbWwyOklzc3Vlcj48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPmJodXNoYW4uYnVydWp3YWxlQDM2ZGVtby5jb208L3NhbWwyOk5hbWVJRD48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTFUMTM6MjE6MjUuOTY1WiIgUmVjaXBpZW50PSJodHRwczovL2F0dWwtc2FpbC1kZXYtZWQubXkuc2FsZXNmb3JjZS5jb20/c289MDBEaTAwMDAwMDBiVGVDIi8+PC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjAtMDYtMTFUMTM6MjA6MjUuOTY1WiIgTm90T25PckFmdGVyPSIyMDIwLTA2LTExVDEzOjIxOjI1Ljk2NVoiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT5odHRwczovL3NhbWwuc2FsZXNmb3JjZS5jb208L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM+PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMC0wNi0xMVQxMzoyMDoyNS45NjVaIj48c2FtbDI6QXV0aG5Db250ZXh0PjxzYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3Nlczp1bnNwZWNpZmllZDwvc2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sMjpBdXRobkNvbnRleHQ+PC9zYW1sMjpBdXRoblN0YXRlbWVudD48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ic3NvU3RhcnRQYWdlIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVuc3BlY2lmaWVkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+aHR0cDovL3Nmc2FtbGFwcGdyYW50Lmhlcm9rdWFwcC5jb20vUmVxdWVzdFNhbWxSZXNwb25zZS5hY3Rpb248L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibG9nb3V0VVJMIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVuc3BlY2lmaWVkIj48c2FtbDI6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+aHR0cHM6Ly9hdHVsLXNhaWwtZGV2LWVkLm15LnNhbGVzZm9yY2UuY29tL3NlcnZpY2VzL2F1dGgvc3Avc2FtbDIvbG9nb3V0PC9zYW1sMjpBdHRyaWJ1dGVWYWx1ZT48L3NhbWwyOkF0dHJpYnV0ZT48L3NhbWwyOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWwyOkFzc2VydGlvbj48L3NhbWwycDpSZXNwb25zZT4=

 

Can someone please help me on this? how can I get the assertion working.

AbhishekAbhishek (Salesforce Developers) 
Hi Bhushan,

The below answers your query,

https://salesforce.stackexchange.com/questions/198011/possible-causes-of-invalid-assertion-error-in-saml-assertion-oauth-flow

I hope you find the above information is helpful. If it does, please mark as Best Answer to help others too.

Thanks.
Bhushan burujwaleBhushan burujwale

Hi Abhishek

 

I went through the link you have provided, I have already done the steps provided there. Even tried the saleforce SAML Assertion validator for the generated assertion,and as per that Everything was valid. You can find snapshot of the same in my question.

Any more suggestions?

Thanks.