SSO: simplesaml SP <-> salesforce Idp almost working but not quite
Morning all.
I am trying to get my PHP SP (based on simplesamlphp 1.8) to play nicely with my Salesforce IdP, set up in my Salesforce development account. I am now at the point where attempting to authenticate gets me to the Salesforce login page; the login succeeds (in the login history I get, for example):
jim.page@redmatter.com
25/08/2011 18:12:12 CEST | 217.128.138.53 | Application | Success | Chrome 13 | Win7 | Browser | N/A | N/A | N/A | redmatter-developer-edition.my.salesforce.com |
but I get
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
message back into my app. I have looked at many, many posts (from which it's clear that it's possible to make this work, but nothing that sheds any direct light) and hacked the simplesaml config to no avail.
Any help would be hugely appreciated.
Thanks
Jim
Sample assertion:
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_342437431d6735a16338b6196769f4a59dc863f659"
    Version="2.0" IssueInstant="2011-08-25T16:13:16Z"
    Destination="https://redmatter-developer-edition.my.salesforce.com/idp/endpoint/HttpRedirect"
    AssertionConsumerServiceURL="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>
    https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/metadata.php/natterbox-cti
  </saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
Response:
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
    ID="_1cc637c784edefc59018ea836b083b051314288794986"
    InResponseTo="_342437431d6735a16338b6196769f4a59dc863f659"
    IssueInstant="2011-08-25T16:13:14.986Z"
    Version="2.0">
  <saml:Issuer
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    https://redmatter-developer-edition.my.salesforce.com
  </saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:CanonicalizationMethod
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          URI="#_1cc637c784edefc59018ea836b083b051314288794986">
        <ds:Transforms
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transform
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                PrefixList="ds saml samlp"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          oW12edeSTb2dKXEiCQMOKCaTdG8=
        </ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:Status>
</samlp:Response>
I fixed it. It liked the 'Username' setting rather than 'Federation Id'. I changed that, and it magically started working.
Incidentally, my setup also required
'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
in the simplesamlphp config/authsources.php setup for the authentication source.
Thanks
Jim
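As an added example (not code from this thread or from simplesamlphp), a small Python check that parses the RequestDenied response posted above and reports the protocol-level checks an SP runs before trusting any response: the status (plus any nested reason code the IdP attaches), InResponseTo against the AuthnRequest ID, Destination against the ACS URL, Issuer against the IdP entity ID, and the gap between the two IssueInstant values. The 60-second skew allowance is an assumption, and XML signature verification is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_instant(s):
    # IssueInstant is an xs:dateTime in UTC; fractional seconds are optional
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, request_instant, acs_url, idp_entity_id, skew=60):
    """Protocol-level checks an SP applies before trusting a Response; returns a
    list of findings (empty = passed). XML signature verification is out of scope."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["top-level element is not samlp:Response"]
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != SUCCESS:
        # a nested second-level StatusCode, when present, carries the IdP's reason
        sub = code.find("samlp:StatusCode", NS) if code is not None else None
        detail = " (%s)" % sub.get("Value") if sub is not None else ""
        findings.append("status %s%s" % (value, detail))
    if root.get("InResponseTo") != request_id:
        findings.append("InResponseTo does not match the AuthnRequest ID we issued")
    if root.get("Destination") != acs_url:
        findings.append("Destination %r is not our ACS URL" % root.get("Destination"))
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != idp_entity_id:
        findings.append("Issuer is not the expected IdP entity ID")
    delta = (parse_instant(root.get("IssueInstant")) - parse_instant(request_instant)).total_seconds()
    if abs(delta) > skew:
        findings.append("IssueInstant is %.3fs from the request, beyond the %ss skew allowance" % (delta, skew))
    return findings

# Constructed sample: the RequestDenied response from the post, with the signature omitted
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti"
  ID="_1cc637c784edefc59018ea836b083b051314288794986"
  InResponseTo="_342437431d6735a16338b6196769f4a59dc863f659"
  IssueInstant="2011-08-25T16:13:14.986Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://redmatter-developer-edition.my.salesforce.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></samlp:Status>
</samlp:Response>"""

def sample_findings(skew=60):
    # the AuthnRequest ID, IssueInstant and ACS URL are the ones shown in the post
    return check_response(SAMPLE_RESPONSE, "_342437431d6735a16338b6196769f4a59dc863f659",
                          "2011-08-25T16:13:16Z",
                          "https://saml.redmatter.com:8081/simplesaml/module.php/saml/sp/saml2-acs.php/natterbox-cti",
                          "https://redmatter-developer-edition.my.salesforce.com", skew)
```

On the posted response the only finding is the RequestDenied status, which is consistent with the fix being an IdP-side mapping setting rather than a malformed request; with a tighter skew the second finding is the IdP timestamp sitting about a second before the request's.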