JimP

SSO: simplesaml SP <-> Salesforce IdP almost working but not quite

Morning all.

 

I am trying to get my PHP SP (based on simplesamlphp 1.8) to play nicely with my Salesforce IdP, set up in my Salesforce development account. I am now at the point where attempting to authenticate gets me to the Salesforce login page, and the login succeeds (in the login history I get, for example):

 

Username | Login Time | Source IP | Login Type | Status | Browser | Platform | Application | Client Version | API Type | API Version | Login URL
jim.page@redmatter.com | 25/08/2011 18:12:12 CEST | 217.128.138.53 | Application | Success | Chrome 13 | Win7 | Browser | N/A | N/A | N/A | redmatter-developer-edition.my.salesforce.com



but I get

 

 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>

 

message back into my app. I have looked at many, many posts (from which it's clear that it's possible to make this work, but nothing that sheds any direct light) and hacked the simplesaml config to no avail.

 

Any help would be hugely appreciated.

 

Thanks

Jim

 

Sample assertion:

 

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_342437431d6735a16338b6196769f4a59dc863f659"
    Version="2.0"
    IssueInstant="2011-08-25T16:13:16Z"
    Destination="https://redmatter-developer-edition.my.salesforce.com/idp/endpoint/HttpRedirect"
    AssertionConsumerServiceURL="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/metadata.php/natterbox-cti</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>

 

Response:


<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
    ID="_1cc637c784edefc59018ea836b083b051314288794986"
    InResponseTo="_342437431d6735a16338b6196769f4a59dc863f659"
    IssueInstant="2011-08-25T16:13:14.986Z"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://redmatter-developer-edition.my.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_1cc637c784edefc59018ea836b083b051314288794986">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>oW12edeSTb2dKXEiCQMOKCaTdG8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:Status>
</samlp:Response>

 

Best Answer chosen by Admin (Salesforce Developers) 
JimP

I fixed it. It liked the 'Username' setting rather than 'Federation ID'. I changed that, and it magically started working.

 

Incidentally, my setup also required

 

'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

 

in the simplesamlphp config/authsources.php setup for the authentication source.

 

Thanks

Jim
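To make the diagnosis in this thread concrete, here is an added example (my code, not Jim's and not part of simplesamlphp or Salesforce) that parses the AuthnRequest and Response Jim posted, re-embedded below as constructed sample strings with the unclosed attribute quotes repaired and the signature value and certificate elided. It performs the checks an SP must make before it trusts a Response at all (InResponseTo correlation, Destination against its own ACS URL, Issuer, signature scope) and then reads the status hierarchy. On Jim's pair every structural check passes and the only finding is the RequestDenied, which is what you expect when the IdP authenticated the user but declined to issue an assertion for this SP, and it is consistent with the accepted answer (subject mapping and NameIDPolicy). The IdP entity ID constant, the finding texts and the assumption that RequestDenied after a successful login points at the subject mapping are mine; the script does structural checks only and does not verify the XML signature cryptographically.

```python
"""Added example: inspect a captured SAML 2.0 AuthnRequest/Response pair and
report what an SP can conclude from a RequestDenied status (structural checks
only; the XML signature must still be verified against the IdP certificate)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://redmatter-developer-edition.my.salesforce.com"  # Issuer seen in the thread

# Constructed samples: the two messages from the thread, with the unclosed
# attribute quotes repaired and the SignatureValue / certificate elided.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_342437431d6735a16338b6196769f4a59dc863f659" Version="2.0" IssueInstant="2011-08-25T16:13:16Z"
  Destination="https://redmatter-developer-edition.my.salesforce.com/idp/endpoint/HttpRedirect"
  AssertionConsumerServiceURL="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/metadata.php/natterbox-cti</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
  ID="_1cc637c784edefc59018ea836b083b051314288794986"
  InResponseTo="_342437431d6735a16338b6196769f4a59dc863f659"
  IssueInstant="2011-08-25T16:13:14.986Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://redmatter-developer-edition.my.salesforce.com </saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_1cc637c784edefc59018ea836b083b051314288794986">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>oW12edeSTb2dKXEiCQMOKCaTdG8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:Status>
</samlp:Response>"""


def parse_authn_request(xml_text):
    """Fields the SP must remember in order to validate the matching Response."""
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": None if policy is None else policy.get("Format"),
    }


def parse_response(xml_text):
    """Correlation fields, the full StatusCode chain (top-level plus nested) and signature scope."""
    root = ET.fromstring(xml_text)
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # a nested StatusCode carries the second-level detail
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination"),
        "status_codes": codes,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS).strip(),
        "signature_ref": None if ref is None else ref.get("URI"),
        "has_assertion": any(root.find(t, NS) is not None for t in ("saml:Assertion", "saml:EncryptedAssertion")),
    }


def check_exchange(req, resp, idp_entity_id=IDP_ENTITY_ID):
    """Return (accepted, findings). Anything starting with REJECT must stop processing."""
    findings = []
    if resp["in_response_to"] != req["id"]:
        findings.append(f"REJECT: InResponseTo {resp['in_response_to']!r} != request ID {req['id']!r} (unsolicited or replayed)")
    if resp["destination"] != req["acs_url"]:
        findings.append(f"REJECT: Destination {resp['destination']!r} is not this SP's ACS URL")
    if resp["issuer"] != idp_entity_id:
        findings.append(f"REJECT: Issuer {resp['issuer']!r} is not the configured IdP")
    if resp["signature_ref"] != "#" + str(resp["id"]):
        findings.append("REJECT: no enveloped signature covering this Response element")
    codes = resp["status_codes"]
    if codes[:1] == [SUCCESS]:
        findings.append("OK: Success with an Assertion; continue with assertion validation" if resp["has_assertion"]
                        else "REJECT: Success status but no Assertion")
    else:
        detail = " / ".join(codes[1:]) or "no second-level code"
        findings.append(f"DENIED: {codes[0] if codes else 'missing StatusCode'} ({detail}); "
                        f"StatusMessage: {resp['status_message'] or 'none'}")
        if codes and codes[0].endswith(":RequestDenied"):
            # Assumption (from the thread's outcome): the IdP authenticated the user but would not
            # issue an assertion for this SP, so look at the IdP's subject/NameID mapping for the SP.
            findings.append("RequestDenied after a successful IdP login: check the IdP's subject/NameID mapping "
                            f"for this SP and whether it honours NameIDPolicy Format {req['nameid_format']!r}.")
    accepted = codes[:1] == [SUCCESS] and not any(f.startswith("REJECT") for f in findings)
    return accepted, findings


if __name__ == "__main__":
    ok, notes = check_exchange(parse_authn_request(AUTHN_REQUEST), parse_response(RESPONSE))
    print("accepted:", ok)
    for n in notes:
        print(" -", n)
```

Run it as-is to see the findings for Jim's pair; to use it on your own capture, paste the decoded AuthnRequest and Response into the two strings and set IDP_ENTITY_ID to your IdP's entity ID. Any REJECT finding means the message should never reach the NameID/mapping discussion at all; only a clean set of structural checks plus a non-Success status points you at the IdP-side configuration, as it did here.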