Topher

Saml trouble - Failed: Assertion Invalid

I've built a saml assertion using OpenSaml, everything seems relatively sane, but I just can't get past the "Failed: Assertion Invalid" message in the Login History. Anyone have any suggestions on what I could be missing?

Our SSO settings are set to

SAML Enabled: Checked
SAML Version: 1.1
SAML User ID Type: Username
Issuer: http://topherific.com
SAML User ID Location: Subject
Identity Provider Certificate: EMAILADDRESS=topher@topherific.com, CN=saml.test, OU=Topherific, O=Topherific Inc, L=Boulder, ST=Colorado, C=US
Expiration: 11 Mar 2009 06:21:09 GMT
Recipient URL: https://login.salesforce.com

The generated SAML response is

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2009-03-02T19:06:31.240Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com" ResponseID="adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+eS6/hQ3ULCqmKwBxp8ZCXRoBnA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I/80xT1W+Yagt3S8KjjMrCJ1EAgkRP+Lqd/hwmunUkHEg3xP1h5DpA==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kdmclmioaolbncmmdbhihlkihdhaimgncneomecd" IssueInstant="2009-03-02T19:06:31.240Z" Issuer="http://topherific.com" MajorVersion="1" MinorVersion="1">
<saml:AuthenticationStatement AuthenticationInstant="2009-03-02T19:06:31.240Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>topher@topherific.com</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>

Thanks in advance

Message Edited by Topher on 03-02-2009 01:07 PM
Message Edited by Topher on 03-02-2009 01:08 PM
SAMLIss

Hey

I am having a similar issue. Were you able to solve it? The response the program generated:

Thanks.

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2009-05-04T13:57:55.917Z" MajorVersion="1" MinorVersion="1" Recipient="https://cs3.salesforce.com" ResponseID="_a28c1865868a377f2adb33ce857db8cc">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_a28c1865868a377f2adb33ce857db8cc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>PFwO3zCuH4wwanDswJRZNe9U+X0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
f+vFYjeS0luHSMlTu7jaAvxqDz8QvU4d1gG5YXZvuV4czYwx1GxNX/+UUe826p95+fguM2BBAmVd
NdWbsvGTtE3Jb2FGF8dewBWrE/ny43gzXCm/cY/UGcf9KElSqYXOhC5ga+X5UZGNcbUsoxWvfepn
kYr6unCMje+P3s6rmRk=
</ds:SignatureValue>
</ds:Signature>
<Status><StatusCode Value="samlp:Success"></StatusCode></Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_cc4b77b22972e0265dd9b66d0d4ef2d8" IssueInstant="2009-05-04T13:57:57.709Z" Issuer="http://www.xyz.com" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="2009-05-04T13:57:56.417Z" NotOnOrAfter="2009-05-04T14:02:56.417Z"></Conditions>
<AuthenticationStatement AuthenticationInstant="2009-05-04T13:57:56.197Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject><NameIdentifier>abc@xyz.com</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject>
</AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"></ds:SignatureMethod>
<ds:Reference URI="#_cc4b77b22972e0265dd9b66d0d4ef2d8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="code ds kind rw saml samlp typens #default xsd xsi"></ec:InclusiveNamespaces></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>+ioQLxX8DPOF2nlntqmuq9az2ew=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
aOQ5WpNsDPGvnCZQJUap4LdEPMRpePgkkQs0xLPOmGPWC1bc+kJPXVuCnhN4FIGoHz4tpHEfzNhW
WMiWVpKdXu7MkYXcFvgM1j8KJB7WXeglZ4fHFqakcxKnZoMoCbMpbpRt3ltY54nHDHQSOh6vHiWU
NE/b4hPIavlBXNTnfzY=
</ds:SignatureValue>
</ds:Signature>
</Assertion>
</Response>
Message Edited by SAMLIss on 05-04-2009 07:33 AM
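Added example (not code from either post, nor from OpenSAML or Salesforce): a pre-flight checker, run on the IdP side before the Response is posted, that compares a SAML 1.1 Response with the SSO settings listed in the first post and reports the mismatches a service provider commonly refuses: Recipient or Issuer not matching the configuration, an assertion with no Conditions validity window (the first Response above has none) or one the current clock falls outside of, no NameIdentifier in the Subject, and a SignatureMethod below today's baseline (both posted responses use dsa-sha1 or rsa-md5). The sample Response, the RSA-SHA256 acceptance set and the clock value are constructed for the example; digest and signature values are placeholders, and no cryptographic verification is performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# dsa-sha1 and rsa-md5 (the SignatureMethods in the posted responses) are below today's baseline; accept only RSA-SHA256.
ACCEPTED_SIGALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
SAMPLE_NOW = datetime(2009, 3, 2, 19, 7, tzinfo=timezone.utc)  # constructed "current time" inside the sample's window
_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # SAML timestamps are UTC, e.g. 2009-03-02T19:06:31.240Z

def check_saml11_response(xml_text, expected_issuer, expected_recipient, now=None, skew=timedelta(minutes=3)):
    """Return a list of findings for a SAML 1.1 Response; an empty list means every pre-flight check passed."""
    now, findings = now or datetime.now(timezone.utc), []
    resp = ET.fromstring(xml_text)
    if resp.get("Recipient") != expected_recipient:
        findings.append(f"Recipient {resp.get('Recipient')!r} != configured Recipient URL {expected_recipient!r}")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no saml:Assertion"]
    if assertion.get("Issuer") != expected_issuer:  # SAML 1.1 puts Issuer on the Assertion element
        findings.append(f"Issuer {assertion.get('Issuer')!r} != configured Issuer {expected_issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        findings.append("Conditions with NotBefore/NotOnOrAfter missing")
    elif not (_ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew):
        findings.append(f"{now.isoformat()} is outside the Conditions validity window (skew {skew})")
    if assertion.find(".//saml:Subject/saml:NameIdentifier", NS) is None:
        findings.append("Subject has no NameIdentifier (SAML User ID Location = Subject)")
    sig = resp.find("ds:Signature", NS)  # enveloped signature over the whole Response
    alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm") if sig is not None else None
    if alg not in ACCEPTED_SIGALGS:
        findings.append(f"signature method {alg or 'none (Response unsigned)'} not accepted")
    if sig is not None and sig.find("ds:SignedInfo/ds:Reference", NS).get("URI") != "#" + resp.get("ResponseID"):
        findings.append("Reference URI does not point at the ResponseID being signed")
    return findings

def sample_response(conditions=True, sigalg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """Constructed sample shaped like the first posted Response (digest and signature values are placeholders)."""
    cond = '<saml:Conditions NotBefore="2009-03-02T19:06:00Z" NotOnOrAfter="2009-03-02T19:11:00Z"/>' if conditions else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            'Recipient="https://login.salesforce.com" ResponseID="r1" MajorVersion="1" MinorVersion="1">'
            f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sigalg}"/><ds:Reference URI="#r1">'
            '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
            '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
            f'<saml:Assertion AssertionID="a1" Issuer="http://topherific.com" MajorVersion="1" MinorVersion="1">{cond}'
            '<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>topher@topherific.com'
            '</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement></saml:Assertion></samlp:Response>')
```

Running the checker with `conditions=False` and the posted dsa-sha1 SignatureMethod reproduces two of the findings a "Failed: Assertion Invalid" entry can hide; the XML-DSig digest and signature still have to be verified separately.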