Anil_R

SAML and Salesforce - Anyone with an example SAML?

Hi,

I'm trying to generate SAML according to Salesforce's documentation. After a full day of trying different tweaks I'm still stuck. My SAML (version 1.1) looks correct to me, but when I post it to Salesforce in a "SAMLResponse" field it logs the error "Failed: Assertion Invalid" along with the login name specified in the SAML. Does anyone know how to debug this, or perhaps a comparison to a working SAML response would help...

I tried using the SAML validator in Salesforce. It tells me everything is "ok" (in green) except for two things:

"6. Checking that the Attribute namespace matches, if provided" returns "Unknown"

"7. Miscellaneous format confirmations" returns "Unknown"

The validator did not return any red error messages; however, I have no clue what the two Unknown messages mean.

I've tried different types of SSO configuration in Salesforce, both with a NameIdentifier and with the User ID in an Attribute element; neither of them works. However, Salesforce always logs the username in the logs, so that appears to be working.

Here's a sample SAML - if anyone has ideas on what's wrong I'd really appreciate it:


<samlp:Response IssueInstant="2009-06-07T18:26:42.8641119-07:00" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com/?saml=EK03Almz90eBaMTm4Lf8DUU3._uQLw9jeP6QZwo.ASrEk7qB4.A.CkD.ICUbSDUnEEDQrlHtPJyJcn5mZX5bFMi4aInRUbd_Flvt1yAQmd08jWN6y6pWt6E3NC" ResponseID="12346626" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success" />
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="TestAnil8382" Issuer="MYISSUER" IssueInstant="2009-06-07T18:26:42.8641119-07:00" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2009-06-07T18:21:42.8641119-07:00" NotOnOrAfter="2009-06-07T18:36:42.8641119-07:00">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="MyLoginAttributeName" AttributeNamespace="http://myuri.com">
        <saml:AttributeValue>sfUserLogin@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-06-07T18:26:42.8641119-07:00">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfUserLogin@gmail.com</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>UIwW0FHhBNx4PiTLPi9nIRoJfI4=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>[Trimmed]</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[Trimmed]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</samlp:Response>
 
Best Answer chosen by Admin (Salesforce Developers) 
SAMLIss

Hello Jasono,

Can you please post your code for SAML 2.0?

Thanks.

All Answers

JasonO

I got SAML 2.0 working. I found that even with those two Unknown messages (which I could never get resolved) in the SAML Validator, my assertion was still accepted when posted to the Salesforce Login URL. Make sure you base64 encode the assertion XML that you post.
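
As an added example (not code from this thread or from Salesforce), the following Python script runs structural checks in the spirit of the validator steps quoted in the question (validity window, audience, subject NameIdentifier, attribute namespace, presence of a Signature element) over a constructed SAML 1.1 response modelled on Anil's, and shows the base64 encoding of the SAMLResponse field that JasonO mentions. The sample's IDs, issuer, user and timestamps are made up, its signature values are placeholders, and `None` in the results plays the role of the validator's "Unknown" when there is nothing to compare against (an assumption about that message, not something the thread confirms).

```python
import base64
import datetime as dt
import re
import xml.etree.ElementTree as ET  # use defusedxml for input you do not control

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the response in the question: IDs, issuer,
# user and timestamps are made up and the signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2009-06-07T18:26:42.8641119-07:00" MajorVersion="1" MinorVersion="1"
    Recipient="https://login.salesforce.com/?saml=EXAMPLE" ResponseID="example-response-1">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
      AssertionID="example-assertion-1" Issuer="EXAMPLE-ISSUER" IssueInstant="2009-06-07T18:26:42.8641119-07:00">
    <saml:Conditions NotBefore="2009-06-07T18:21:42.8641119-07:00" NotOnOrAfter="2009-06-07T18:36:42.8641119-07:00">
      <saml:AudienceRestrictionCondition><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameIdentifier>
        <saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Attribute AttributeName="MyLoginAttributeName" AttributeNamespace="http://myuri.example">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI=""><DigestValue>PLACEHOLDER</DigestValue></Reference></SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML timestamp; .NET emits 7 fractional digits, strptime takes at most 6."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})", value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "")[:6].ljust(6, "0")
    tz = "+00:00" if tz == "Z" else tz
    return dt.datetime.strptime(f"{base}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")


def check_response(xml_text, expected_audience, expected_namespace, now):
    """Structural checks only; None means 'nothing to compare against' (the
    validator's 'Unknown'). Signature verification is deliberately out of scope."""
    root = ET.fromstring(xml_text)
    results = {}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    results["status_success"] = status is not None and status.get("Value", "").endswith("Success")

    assertion = root.find("saml:Assertion", NS)
    results["assertion_present"] = assertion is not None
    if assertion is None:
        return results

    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        results["within_validity_window"] = None
    else:  # NotOnOrAfter is exclusive, NotBefore inclusive
        results["within_validity_window"] = parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))

    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)]
    results["audience_matches"] = expected_audience in audiences

    name_ids = assertion.findall(".//saml:Subject/saml:NameIdentifier", NS)
    results["subject_nameid_present"] = bool(name_ids) and all((n.text or "").strip() for n in name_ids)

    attrs = assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    if expected_namespace is None or not attrs:
        results["attribute_namespace_matches"] = None
    else:
        results["attribute_namespace_matches"] = any(a.get("AttributeNamespace") == expected_namespace for a in attrs)

    results["signature_element_present"] = root.find("ds:Signature", NS) is not None
    return results


def encode_for_post(xml_text):
    """The SAMLResponse form field carries the XML base64-encoded, not raw."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_posted(field_value):
    """Reverse of encode_for_post, e.g. when inspecting what a client actually sent."""
    return base64.b64decode(field_value).decode("utf-8")


if __name__ == "__main__":
    now = dt.datetime(2009, 6, 7, 18, 30, tzinfo=dt.timezone(dt.timedelta(hours=-7)))
    for name, ok in check_response(SAMPLE_RESPONSE, "https://saml.salesforce.com", None, now).items():
        print(f"{name:30} {'ok' if ok else 'Unknown' if ok is None else 'FAILED'}")
    print("SAMLResponse=", encode_for_post(SAMPLE_RESPONSE)[:40], "...")
```

The checks take `now` as a parameter so the same assertion can be evaluated inside and outside its Conditions window; a real service provider would also allow a small clock skew and, above all, verify the XML signature against the configured certificate, which this script does not attempt.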

 

Anil_R

Thanks for the info, I'm glad to hear the unknowns might be ok. Maybe I'll try switching my code to SAML 2.0.

Yes, I should have mentioned that I base64 encoded the message.

-Anil

SAMLIss

Hello Jasono,

Can you please post your code for SAML 2.0?

Thanks.

This was selected as the best answer
forumOfSailendr

Can you provide Java code to generate SAML 2.0 Assertions...

Thanks

amarendra

Can anyone please provide the code for SAML 1.1?