Suman Kundu

Webservice http callout for assertion between two SF org using SSO

Hi,

I am trying to access one Salesforce org's records from another one using SSO. I have already built an SF org as Identity Provider (HUB) and the other as Service Provider (Spoke). Now it is working fine for a few scenarios; for example, from the Service Provider's IdP-Initiated Login URL, I can redirect to the Service Provider without login. But I want to extract the Service Provider's records from my IdP using my Apex class. For this I have followed the way it was defined in the online doc, link:

http://na14.salesforce.com/help/doc/en/remoteaccess_oauth_web_sso_flow.htm

The class I have written in IdP is as follows:

global class OtherOrgController
{
    webservice static String fetchFromOtherOrg()
    {
        String url = 'https://login.salesforce.com/services/oauth2/token';
        // The assertion parameter carries the base64-encoded SAML response
        String assertion = '<response code>'; //here I didn't paste the actual response id
        // Form values must be URL-encoded (the assertion_type URN contains ':' characters)
        String body = '';
        body += 'grant_type=assertion';
        body += '&assertion_type=' + EncodingUtil.urlEncode('urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser', 'UTF-8');
        body += '&assertion=' + EncodingUtil.urlEncode(assertion, 'UTF-8');
        body += '&format=urlencoded'; // response comes back as key=value&... pairs
        HttpRequest req1 = new HttpRequest();
        req1.setEndpoint(url);
        req1.setMethod('POST');
        req1.setTimeout(60*1000);
        req1.setBody(body);
        req1.setHeader('Content-Type','application/x-www-form-urlencoded');
        Http h1 = new Http();
        // Raw body is returned as-is, so an error response is returned verbatim to the caller
        String resp1 = h1.send(req1).getBody();
        return resp1;
    }
}

Here in the assertion parameter, I have used the response ID I got from the SP's SAML Assertion Validator's result. (Is this assertion the right one?) Now whenever I call this method, it gives an error as follows:

error=invalid_grant&error_description=invalid%20assertion&error_uri=https%3A%2F%2Fna4.salesforce.comnull%2Fsetup%2Fsecur%2FSAMLValidationPage.apexp

Here I can't even understand why 'na4' is being involved when neither the SP nor the IdP belongs to na4.

Please help me out of this problem.
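As an added example (not code from the original post or from Salesforce), here is the same assertion-grant request and its format=urlencoded response handled in Python: the assertion value is the base64-encoded SAML response, every form field is URL-encoded, and the error body quoted in the post is decoded into its fields. The SAML response XML is a constructed stand-in, not a real signed response.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Constructed stand-in for a SAML response; a real one is the full signed XML
# produced by the IdP.
SAMPLE_SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-response-id">...</samlp:Response>'
)

# Exact error body quoted in the post (format=urlencoded)
SAMPLE_ERROR_BODY = (
    "error=invalid_grant&error_description=invalid%20assertion"
    "&error_uri=https%3A%2F%2Fna4.salesforce.comnull%2Fsetup%2Fsecur%2FSAMLValidationPage.apexp"
)


def build_assertion_token_request(saml_response_xml: str) -> str:
    """Return the x-www-form-urlencoded body for the OAuth SAML assertion grant.

    The SAML response is base64-encoded first; urlencode() then percent-encodes
    every value, including the ':' characters in the assertion_type URN and the
    '+', '/' and '=' characters that base64 output may contain.
    """
    assertion_b64 = base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")
    return urlencode({
        "grant_type": "assertion",
        "assertion_type": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser",
        "assertion": assertion_b64,
        "format": "urlencoded",
    })


def assertion_from_request_body(body: str) -> str:
    """Recover the original SAML response XML from a request body (round-trip check)."""
    assertion_b64 = parse_qs(body)["assertion"][0]
    return base64.b64decode(assertion_b64).decode("utf-8")


def parse_token_response(body: str) -> dict:
    """Parse a format=urlencoded token response into a dict with an 'ok' flag.

    An error response carries error/error_description/error_uri (percent-decoded
    by parse_qs); a success response carries access_token and instance_url.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "error" in fields:
        return {"ok": False, "error": fields["error"],
                "description": fields.get("error_description", ""),
                "error_uri": fields.get("error_uri", "")}
    return {"ok": True, "access_token": fields.get("access_token", ""),
            "instance_url": fields.get("instance_url", "")}
```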