certi_vimal
SAML Validation failed
Hi,
I am trying to configure Salesforce to Salesforce SSO as a PoC to test Salesforce as IdP and as SP also (2 different salesforce orgs).
However, I am getting these SAML validation error messages :-
1. Validating the Status
   Ok
2. Checking that the assertion contains a reference to a user
   Ok
3. Looking for an Authentication Statement
   Ok
4. Looking for a Conditions statement
   Ok
5. Checking that the timestamps in the assertion are valid
   Current time is after notOnOrAfter in Conditions
   Current time is: 2011-08-30T19:45:56.145Z
   Time limit in Conditions, adjusted for skew, is: 2011-08-30T19:43:15.017Z
   Timestamp of the response is outside of allowed time window
   Current time is: 2011-08-30T19:45:56.145Z
   Timestamp is: 2011-08-30T19:35:15.016Z
   Allowed skew in milliseconds is 480000
6. Checking that the Attribute namespace matches, if provided
   Not Provided
7. Miscellaneous format confirmations
   Ok
8. Confirming Issuer matches
   Response's issuer did not match the issuer configured in the Single Sign-On Settings page
   Issuer from assertion: https://testforsso-developer-edition.my.salesforce.com
   Issuer from your settings: htps://testforsso-developer-edition.my.salesforce.com
   Assertion's issuer did not match the issuer configured in the Single Sign-On Settings page
   Issuer from assertion: https://testforsso-developer-edition.my.salesforce.com
   Issuer from your settings: htps://testforsso-developer-edition.my.salesforce.com
9. Confirming a Subject Confirmation was provided and contains valid timestamps
   Current time is later than SubjectConfirmationData's notOnOrAfter field
   Current time is: 2011-08-30T19:45:56.145Z
   NotOnOrAfter is: 2011-08-30T19:40:15.017Z
10. Checking that the Audience matches, if provided
   Ok
11. Checking the Recipient
   Ok
12. Validating the Signature
   Ok
13. Checking that the Site URL Attribute contains a valid site URL, if provided
   Not Provided
Please advise.
Thanks,
Vimal
Looks like a typo in the issuer in your settings. You have "htps://" instead of "https://"
Thanks Chuck. Poor me :(
So, now my SAML Validation is looking good.
However, when I click the Web Tab from my Service Provider, I cannot open the other Salesforce Org URL as entered in my "IDP Initiated Login URL" field value when the Service Provider was defined.
The URL link opens but shows the failure page "Internet Explorer cannot display the webpage".
I am following the "Setting up Single Sign On from Salesforce to Salesforce" section mentioned in this Salesforce Help link : https://na12.salesforce.com/help/doc/user_ed.jsp?section=help&target=identity_provider_examples.htm&loc=help&hash=topic-title
However, please note that nothing was mentioned in the help link about the SAML response to be filled in, and hence my SAML response is blank for now.
Please advise.
Thanks,
Vimal
Are you sure you have the right URL? Does it work by just pasting the URL into a browser outside of the webtab?
Hi Chuck,
I will list the parameters I have entered in the fields during configuration :-
---------------------------------------------------------------------------------------------------------------------
Identity Provider :-
Issuer - https://testforsso-developer-edition.my.salesforce.com
====
Inside other org which is Service Provider for SSO settings :-
SAML User ID Type - Federation ID
SAML User ID Location - Subject
Issuer - https://testforsso-developer-edition.my.salesforce.com
Salesforce.com Login URL - https://login.salesforce.com/?saml=MgoTx78aEPrMVYGgOi4nf4QrejRkiPyknnCZ9ua5g.u23QPfypdMUossqx
Entity Id - https://saml.salesforce.com
====
Now inside Identity Provider org, created a Service Provider - Salesforce Service Provider :-
Name - Salesforce Service Provider
ACS URL - https://login.salesforce.com/?saml=MgoTx78aEPrMVYGgOi4nf4QrejRkiPyknnCZ9ua5g.u23QPfypdMUossqx (same as Salesforce.com Login URL mentioned while setting SSO in Service Provider org)
Entity Id - https://saml.salesforce.com
Subject Type - Username
Issuer - https://testforsso-developer-edition.my.salesforce.com
IdP-Initiated Login URL - /idp/login?app=0sp90000000PAt6
====
Now inside Service Provider org, created a Web Tab and :-
URL - http://idp/login?app=0sp90000000PAt6 (Same as IdP Initiated Login URL mentioned in Salesforce Service Provider)
Please advise if anything seems wrong here.
Thanks,
Vimal
The URL you put in your webtab doesn't look right.
Try pasting it into a browser and see what happens. My guess is you need both a fully qualified host, as well as https.
Yes, pasting it in different browser window does not work.
But that is what I got from system generated IdP login. How should I rectify it?
Thanks,
Vimal
Try this: https://testforsso-developer-edition.my.salesforce.com/idp/login?app=0sp90000000PAt6
Maybe we are nearing success.
Now, it throws an error saying :
Look in your service provider at the login history. If that doesn't tell you anything, check the saml assertion validator
On deep diving, found this validation error :
10. Checking that the Audience matches, if provided
   Audience problems
   The audience in the assertion did not match the allowed audiences
   Allowed audiences: [https://saml.salesforce.com]
Change your audience to the IDP's issuer
Could you let me know in which field I have to change? Issuer of Idp or SP org?
Change the Issuer field in the SP to match the IDP's issuer/entity-id
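The checks that failed in this thread (response timestamp and Conditions limits against a clock-skew allowance, exact string match of the Issuer against the SSO settings, and Audience against the allowed list) are easy to reproduce locally, which helps when the hosted validator output is the only clue you have. The following is an added example and not Salesforce code: the Response XML is constructed from the URLs and timestamps quoted in the thread, the 480000 ms skew comes from the validator output, and the exact skew semantics (skew applied to the Response IssueInstant and the Conditions window, SubjectConfirmationData NotOnOrAfter compared as-is, which is how the output above reports them) are assumptions about that validator rather than documented behaviour.

```python
"""Local re-check of the SAML validator steps 5, 8, 9 and 10 quoted above.
Added example, not Salesforce code. The sample Response is constructed from
values in the thread; skew handling is an assumption about the validator."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned SAML Response (signature checking is out of scope here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2011-08-30T19:35:15.016Z">
  <saml:Issuer>https://testforsso-developer-edition.my.salesforce.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-08-30T19:35:15.016Z">
    <saml:Issuer>https://testforsso-developer-edition.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2011-08-30T19:40:15.017Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-08-30T19:35:15.016Z" NotOnOrAfter="2011-08-30T19:40:15.017Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://testforsso-developer-edition.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_issuer, allowed_audiences, now_iso, skew_ms=480000):
    """Return a dict of check name -> list of problems (all lists empty means the checks pass)."""
    now = parse_ts(now_iso)
    skew = timedelta(milliseconds=skew_ms)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    problems = {"timestamps": [], "issuer": [], "subject_confirmation": [], "audience": []}

    # Check 5a: the Response IssueInstant must lie within +/- skew of the current time.
    issued = parse_ts(root.get("IssueInstant"))
    if abs(now - issued) > skew:
        problems["timestamps"].append(f"response timestamp {issued.isoformat()} outside allowed window")
    # Check 5b: Conditions window, each bound relaxed by the skew (assumed semantics).
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_ts(nb) - skew:
        problems["timestamps"].append("current time is before NotBefore in Conditions")
    if noa and now >= parse_ts(noa) + skew:
        problems["timestamps"].append("current time is after NotOnOrAfter in Conditions")

    # Check 8: Issuer of both Response and Assertion must equal the configured string exactly
    # (a one-character typo such as 'htps://' fails here, as in the thread).
    for label, el in (("Response", root), ("Assertion", assertion)):
        issuer = el.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected_issuer:
            problems["issuer"].append(f"{label} issuer {issuer!r} != configured {expected_issuer!r}")

    # Check 9: SubjectConfirmationData NotOnOrAfter, compared without skew (assumption).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems["subject_confirmation"].append("no SubjectConfirmationData present")
    elif scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")):
        problems["subject_confirmation"].append("current time is later than SubjectConfirmationData NotOnOrAfter")

    # Check 10: at least one Audience must be in the configured allowed set.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and not any(a in allowed_audiences for a in audiences):
        problems["audience"].append(f"audience {audiences} not in allowed {sorted(allowed_audiences)}")
    return problems


def is_valid(problems):
    return not any(problems.values())


if __name__ == "__main__":
    # Same mistakes as in the thread: typo in the configured issuer, wrong allowed audience,
    # and a current time well past the assertion's validity.
    report = validate_response(
        SAMPLE_RESPONSE,
        "htps://testforsso-developer-edition.my.salesforce.com",
        {"https://saml.salesforce.com"},
        "2011-08-30T19:45:56.145Z",
    )
    for check, found in report.items():
        print(check, "Ok" if not found else found)
```

Run it as-is to see each failing check listed the way the hosted validator reports them; pass the corrected issuer, the IdP's issuer as the allowed audience and a current time inside the window to see an empty report.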
Identity Provider :-
Issuer - https://testforsso-developer-edition.my.salesforce.com
====
Salesforce Service Provider created under IdP :-
Entity Id - https://testforsso-developer-edition.my.salesforce.com
====
SSO settings in SP org :-
Issuer - https://testforsso-developer-edition.my.salesforce.com
Entity Id - https://saml.salesforce.com
====
This is my current status.
In SP org, in SSO settings, Entity Id automatically populates to saml.salesforce.com
Please advise.
Also, on the Service Provider I created under the IdP in the IdP org, next to the Entity Id field, the Help Text says to get this value from the Service Provider.
So if that means the Service Provider org, it has an Entity Id (which is system generated?) of "https://saml.salesforce.com".