Apex Code Development You need to sign in to do that
Don't have an account?
yellowriver How can I see Single Sign-On Error History
I was trying to implement SAML1.1 SSO with SalesForce.
I setup SAML and send SAMLResponse to the Recipient.
I get the login fail page and I have no idea what went wrong.
I cannot see the option SetupManage UsersSingle Sign-On Error History.
What should I do to get this history?
Thanks
Message Edited by yellowriver on 10-30-2008 05:37 PM
Thank you for the information. However, as I know, Login History only keeps track of the history who had logged in. In the case of login fail, it didn't show the reason of why the SAML SSO login failed. There should be some error log that keep track of SSO login failure.
e.g. some errors are:
Issuer Mismatched
Recipient Mismatched
etc..
But from Login History, I didn't see any information about the resaon of login fail.
Is my understanding correct?
Thanks
Message Edited by yellowriver on 11-07-2008 12:19 PM
In any cases, we have logs to capture the failed SAML assertion.
Hope this helps.
thanks
Jong
Hello
I got struck while working with SAML.
I am getting login failed error while posting it to Salesforce. Can you please help. login history has no enteries. looks like its not able to get username.
<%@ page import="org.opensaml.SAMLBrowserProfile"%><%@ page import="com.sso.SAMLAssertionCreator"%>
<%@page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
SAMLAssertionCreator samlCr = new SAMLAssertionCreator();SAMLBrowserProfile.BrowserProfileResponse objSAML = (SAMLBrowserProfile.BrowserProfileResponse) samlCr.createSAML();
session.setAttribute("SAMLOBJ", objSAML);
%>
<html><body><
form name="acsForm" action="https://cs3.salesforce.com" method="post"> <input type="hidden" name="TARGET" value="https://cs3.salesforce.com" /><input type="hidden" name="SAMLResponse" value="<%=objSAML%>" />
<input type="submit" value="Submit" /></form> </body></html>
Federated single sign-on using SAML:
Expiration: 29 Mar 2019
<Response xmlns="urn
asis:names:tc:SAML:1.0
rotocol" xmlns:saml="urn
asis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn
asis:names:tc:SAML:1.0
rotocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2009-04-30T16:19:29.738Z" MajorVersion="1" MinorVersion="1" Recipient="https://cs3.salesforce.com" ResponseID="_c5226ab7546137e707d44a9c6bd935cf"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_c5226ab7546137e707d44a9c6bd935cf">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds
igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds
igestMethod>
<ds
igestValue>g5E85emP02skn6lHjlnVafBCCFs=</ds
igestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
KL2ggRD5iTQVYA9Wdqc1iNt16Dw12fvqO+96CT8GUzObQ+fd/9ces/yT+lxS0PTZYPt9KelkO/jy
PrV9DUFZj37PxNI1vvhT6ZSA1XY1GsooN7nlUdu+tou7a3ZvdCz4CeN0mFCUL7RrH99fmHNgIT4o
s3ZCx4fbstXCFfqomcM=
</ds:SignatureValue>
</ds:Signature><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn
asis:names:tc:SAML:1.0:assertion" AssertionID="_0383e17ba54b53140ad122a4bb68255c" IssueInstant="2009-04-30T16:19:30.049Z" Issuer="http://www.xyz.com" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2009-04-30T16:19:30.028Z" NotOnOrAfter="2009-04-30T16:24:30.028Z"></Conditions><AuthenticationStatement AuthenticationInstant="2009-04-30T16:19:29.928Z" AuthenticationMethod="urn
asis:names:tc:SAML:1.0:am
assword"><Subject><NameIdentifier>abc@xyz.com</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn
asis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_0383e17ba54b53140ad122a4bb68255c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds
igestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds
igestMethod>
<ds
igestValue>dYcFbFuLH3CjTTvxxqzaXTKqMSc=</ds
igestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MB665iHEbaPF23TNqUdtIUllx0BqepfrzB6pNBejWS+49S5dd1g+qcCTK7SqtF/IHQ9xm7jzyfAR
KVzV4/f1e8C5+6y9WBaeCiUCbSfymZ9PQn1/1goJCyd/+jlPvPi3SKj0J4gmnveQQLrUG4dYtkbm
peCFzICrMBisOuDKb1U=
</ds:SignatureValue>
</ds:Signature></Assertion></Response>
If login history does not have any entries, it means we can't map the SAML to a valid user. Please make sure your username is correct in the assertion. I've attached a sample assertion in base64 encoded so that you can compare:
PHNhbWxwOlJlc3BvbnNlIFJlY2lwaWVudD0iaHR0cDovL2xvY2FsaG9zdDo4MDgwL0lkcFNhbXBsZS9zcC5qc3AiIElzc3VlSW5zdGFudD0iMjAwOC0wMi0yMFQyMTo1MjoxNC40NTNaIiBNaW5vclZlcnNpb249IjEiIE1ham9yVmVyc2lvbj0iMSIgUmVzcG9uc2VJRD0icFdlaUZnMS5QUC1SV0hxcWZWUzU3dUZVeV9IIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOnByb3RvY29sIj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8+CjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KPGRzOlJlZmVyZW5jZSBVUkk9IiNwV2VpRmcxLlBQLVJXSHFxZlZTNTd1RlV5X0giPgo8ZHM6VHJhbnNmb3Jtcz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KPC9kczpUcmFuc2Zvcm1zPgo8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4KPGRzOkRpZ2VzdFZhbHVlPlFUSFpCT2EzQ2I3UFBzcUR4WFJFVjVZS2hHOD08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU+CkNjZ0IrTlRlSkFpalNuZ3UvU0lYUEZjUzE1T01jRGF4NEJqM1NoUnFjTUxTRlVqazN5cUxNVWZwOFlxYjl0NmpJQndxSUZoVjEwUFcKaHFVT0FoOTA1bGQyd3YzanBaZ1NOeDhDSmVhNVdnb0xvR1lvMjR1QVBwVm1tMHI0YVdhWlVIaVAyZVBoK0Y2NEM0bHJINHp0aXkyRgp5WGJ5SWE3aWhOcW9lNGJVOURjPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJzYW1scDpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIElzc3Vlcj0iaHR0cDovL2pvbmdsZWUtd3MyL3NhbWwxLjEiIElzc3VlSW5zdGFudD0iMjAwOC0wMi0yMFQyMTo1MjoxNC40NTNaIiBBc3NlcnRpb25JRD0idkpqQkU2SEp0eGxxWUZtRV95Zm5Kc0E3MGZXIiBNaW5vclZlcnNpb249IjEiIE1ham9yVmVyc2lvbj0iMSIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiI+PHNhbWw6Q29uZGl0aW9ucyBOb3RPbk9yQWZ0ZXI9IjIwMDgtMDItMjBUMjE6NTc6MTQuNDUyWiIgTm90QmVmb3JlPSIyMDA4LTAyLTIwVDIxOjQ3OjE0LjQ1MloiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb25Db25kaXRpb24+PHNhbWw6QXVkaWVuY2U+c2ZkY1NhbWwxLjE8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb25Db25kaXRpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aGVudGljYXRpb25TdGF0ZW1lbnQgQXV0aGVudGljYXRpb25NZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDphbTp1bnNwZWNpZmllZCIgQXV0aGVudGljYXRpb25JbnN0YW50PSIyMDA4LTAyLTIwVDIxOjUyOjE0LjQ1MloiPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlkZW50aWZpZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI+Zm9vPC9zYW1sOk5hbWVJZGVudGlmaWVyPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24+PHNhbWw6Q29uZmlybWF0aW9uTWV0aG9kPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMDpjbTpiZWFyZXI8L3NhbWw6Q29uZmlybWF0aW9uTWV0aG9kPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0Pjwvc2FtbDpBdXRoZW50aWNhdGlvblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
Thanks Jong. The Base64 Encoding was incorrect. It works now.
I want to customize the error page. If SAML assertion gets through we get the salesforce home page else the error page. Can we customize that?
<%@ page import="com.sso.SAMLAssertionCreator"%>
<%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%
SAMLAssertionCreator samlCr = new SAMLAssertionCreator();String objSAML = samlCr.createSAML();
String target = samlCr.getRecipient();
System.out.println("SAMLAssertionCreator Output");
if(objSAML!=null){System.out.println("SAML Assertion : " + objSAML);}
else{ System.out.println(
"SAML Assertion is null");}
%>
<html><body onload="javascript:document.forms.acsForm.submit();"><
form name="acsForm" action='<%= target %>' method="post"><input type="hidden" name="TARGET" value='<%= target %>' />
<input type="hidden" name="SAMLResponse" value='<%= objSAML %>' />
</form></body>
</html>
Good to know you got it working. The SAML error page is not customizable right now.
thanks
Jong