certi_vimal

SAML Validation failed

Hi,

 

I am trying to configure Salesforce to Salesforce SSO as a PoC to test Salesforce as IdP and as SP also (2 different salesforce orgs).

 

However, I am getting these SAML validation error messages :-

1. Validating the Status
  Ok
2. Checking that the assertion contains a reference to a user
  Ok
3. Looking for an Authentication Statement
  Ok
4. Looking for a Conditions statement
  Ok
5. Checking that the timestamps in the assertion are valid
  Current time is after notOnOrAfter in Conditions
  Current time is: 2011-08-30T19:45:56.145Z
  Time limit in Conditions, adjusted for skew, is: 2011-08-30T19:43:15.017Z
  Timestamp of the response is outside of allowed time window
  Current time is: 2011-08-30T19:45:56.145Z
  Timestamp is: 2011-08-30T19:35:15.016Z
  Allowed skew in milliseconds is 480000
6. Checking that the Attribute namespace matches, if provided
  Not Provided
7. Miscellaneous format confirmations
  Ok
8. Confirming Issuer matches
  Response's issuer did not match the issuer configured in the Single Sign-On Settings page
  Issuer from assertion: https://testforsso-developer-edition.my.salesforce.com
  Issuer from your settings: htps://testforsso-developer-edition.my.salesforce.com
  Assertion's issuer did not match the issuer configured in the Single Sign-On Settings page
  Issuer from assertion: https://testforsso-developer-edition.my.salesforce.com
  Issuer from your settings: htps://testforsso-developer-edition.my.salesforce.com
9. Confirming a Subject Confirmation was provided and contains valid timestamps
  Current time is later than SubjectConfirmationData's notOnOrAfterField
  Current time is: 2011-08-30T19:45:56.145Z
  NotOnOrAfter is: 2011-08-30T19:40:15.017Z
10. Checking that the Audience matches, if provided
  Ok
11. Checking the Recipient
  Ok
12. Validating the Signature
  Ok
13. Checking that the Site URL Attribute contains a validate site url, if provided
  Not Provided

 

Please advise.

Thanks,

 

Vimal

chuckmortimore

Looks like a typo in the issuer in your settings.   You have "htps://" instead of "https://"

certi_vimal

Thanks Chuck. Poor me  :(

 

So, now my SAML Validation is looking good. 

 

However, when I click Web Tab from my Service Provider, I cannot open the other Salesforce Org URL as mentioned in my "IDP Initiated Login URL" field value when Service Provider was defined.

 

The URL link opens but shows the failure page "Internet Explorer cannot display the webpage".

 

I am following the "Setting up Single Sign On from Salesforce to Salesforce" mentioned in this Salesforce Help link : https://na12.salesforce.com/help/doc/user_ed.jsp?section=help&target=identity_provider_examples.htm&loc=help&hash=topic-title

 

However, please note that nothing was mentioned about SAML response to be filled up in the help link and hence my SAML response is blank for now.

 

Please advise.

Thanks,

 

Vimal

chuckmortimore

Are you sure you have the right URL?   Does it work by just pasting the URL into a browser outside of the webtab?

certi_vimal

Hi Chuck,

 

I will list the parameters I have passed in the fields during configuration :-

 

---------------------------------------------------------------------------------------------------------------------

 

Identity Provider :-


Issuer - https://testforsso-developer-edition.my.salesforce.com

====


Inside other org which is Service Provider for SSO settings :-


SAML User ID Type - Federation ID 

SAML User ID Location - Subject 

Issuer - https://testforsso-developer-edition.my.salesforce.com 

Salesforce.com Login URL - https://login.salesforce.com/?saml=MgoTx78aEPrMVYGgOi4nf4QrejRkiPyknnCZ9ua5g.u23QPfypdMUossqx 

Entity Id - https://saml.salesforce.com 
====

Now inside Identity Provider org, created a Service Provider - Salesforce Service Provider :-


Name - Salesforce Service Provider

ACS URL - https://login.salesforce.com/?saml=MgoTx78aEPrMVYGgOi4nf4QrejRkiPyknnCZ9ua5g.u23QPfypdMUossqx (same as Salesforce.com Login URL mentioned while setting SSO in Service Provider org)

Entity Id - https://saml.salesforce.com

Subject Type - Username

Issuer - https://testforsso-developer-edition.my.salesforce.com

IdP-Initiated Login URL - /idp/login?app=0sp90000000PAt6
====

Now inside Service Provider org, created a Web Tab and :-

URL - http://idp/login?app=0sp90000000PAt6 (Same as IdP Initiated Login URL mentioned in Salesforce Service Provider)

 

Please advise if anything seems wrong here.

Thanks,

 

Vimal

chuckmortimore

The URL you put in your webtab doesn't look right.  

 

Try pasting it into a browser and see what happens. My guess is you need both a fully qualified host, as well as https

certi_vimal

Yes, pasting it in a different browser window does not work.

 

But that is what I got from system generated IdP login. How should I rectify it?

 
Thanks,

 

Vimal

certi_vimal

Maybe we are nearing success.

 

Now, it throws error saying : 

 

Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.
chuckmortimore

Look in your service provider at the login history.   If that doesn't tell you anything, check the saml assertion validator 

certi_vimal

On deep diving, found this validation error : 

 

10. Checking that the Audience matches, if provided
  Audience problems
  The audience in the assertion did not match the allowed audiences
  Allowed audiences: [https://saml.salesforce.com]

chuckmortimore

Change your audience to the IDP's issuer

certi_vimal

Could you let me know in which field I have to change? Issuer of Idp or SP org?

chuckmortimore

Change the Issuer field in the SP to match the IDP's issuer/entity-id
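The checks this thread keeps tripping over (steps 5, 8 and 9 of the first post's validator output, and the step 10 audience mismatch just above) can be replayed offline against a constructed assertion. What follows is an added example written for this thread, not Salesforce's validator and not code from either poster: it builds a minimal, unsigned SAML 2.0 assertion itself, then reports the timestamp, issuer and audience checks the way a service provider does. The XML, the "current time" values, the helper names `build_assertion`/`validate_assertion`/`failed_checks`, and the decision to widen the Conditions window and the IssueInstant window by the 480000 ms skew while comparing SubjectConfirmationData strictly are all assumptions of the example (the last one simply mirrors how the first post's output reads). Signature verification is deliberately left out; it is the one step the thread reports as passing, and it needs the IdP certificate.

```python
"""
Replay of the checks a SAML service provider runs on an inbound assertion:
timestamp windows with clock skew, exact issuer match, and audience match.
Added example for this thread, not Salesforce code. The assertion XML, the
configured values and the 'current time' are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW_MS = 480000  # allowed clock skew reported by the thread's validator (8 minutes)


def build_assertion(issuer, audience, issued, conditions_end, subject_end):
    """Constructed minimal SAML 2.0 assertion (unsigned) for the checks below."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="{issued}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="{subject_end}"
          Recipient="https://login.salesforce.com/?saml=EXAMPLE"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{conditions_end}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2011-08-30T19:45:56.145Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, configured_issuer, allowed_audiences, now, skew_ms=SKEW_MS):
    """Return {check_name: detail}; detail is 'Ok' or a message explaining the failure."""
    root = ET.fromstring(xml_text)
    skew = timedelta(milliseconds=skew_ms)
    result = {}

    # IssueInstant must sit within +/- skew of the validator's own clock.
    issued = parse_ts(root.get("IssueInstant"))
    result["timestamp"] = ("Ok" if abs(now - issued) <= skew
                           else f"IssueInstant {issued.isoformat()} outside allowed window of {skew_ms} ms")

    # Conditions window, widened by the skew on both ends (assumption of this example).
    cond = root.find("saml:Conditions", NS)
    not_before = parse_ts(cond.get("NotBefore")) - skew
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter")) + skew
    if now < not_before:
        result["conditions"] = f"current time is before NotBefore adjusted for skew ({not_before.isoformat()})"
    elif now >= not_on_or_after:
        result["conditions"] = f"current time is after NotOnOrAfter adjusted for skew ({not_on_or_after.isoformat()})"
    else:
        result["conditions"] = "Ok"

    # Bearer SubjectConfirmationData has its own NotOnOrAfter; compared strictly here,
    # which is how the first post's validator output reads (assumption of this example).
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    subject_end = parse_ts(scd.get("NotOnOrAfter"))
    result["subject_confirmation"] = ("Ok" if now < subject_end
                                     else f"current time is later than SubjectConfirmationData NotOnOrAfter ({subject_end.isoformat()})")

    # Issuer is an exact string comparison: 'htps://' never equals 'https://'.
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    result["issuer"] = ("Ok" if issuer == configured_issuer
                        else f"issuer from assertion {issuer!r} != issuer from settings {configured_issuer!r}")

    # At least one Audience must be on the SP's allowed list.
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    result["audience"] = ("Ok" if any(a in allowed_audiences for a in audiences)
                          else f"audience {audiences} not in allowed audiences {allowed_audiences}")
    return result


def failed_checks(result):
    """Names of the checks that did not come back 'Ok'."""
    return sorted(name for name, detail in result.items() if detail != "Ok")


IDP_ISSUER = "https://testforsso-developer-edition.my.salesforce.com"
SP_AUDIENCE = "https://saml.salesforce.com"
# Constructed scenario mirroring the first post: an assertion validated ten minutes
# after it was issued, against settings that still carry the 'htps://' typo.
STALE = build_assertion(IDP_ISSUER, SP_AUDIENCE, "2011-08-30T19:35:15.016Z",
                        "2011-08-30T19:35:15.017Z", "2011-08-30T19:40:15.017Z")
LATE = parse_ts("2011-08-30T19:45:56.145Z")   # validator clock in the first post
FRESH = parse_ts("2011-08-30T19:36:00.000Z")  # a clock inside every window

if __name__ == "__main__":
    typo_issuer = "htps://testforsso-developer-edition.my.salesforce.com"
    for name, detail in validate_assertion(STALE, typo_issuer, [SP_AUDIENCE], LATE).items():
        print(f"{name:22s} {detail}")
```

Run as-is, the script reproduces the four failures of the first post (IssueInstant outside the window, Conditions NotOnOrAfter adjusted for skew to 19:43:15.017, SubjectConfirmationData expired, and the issuer typo) while the audience passes; the same assertion checked with the corrected issuer and a fresh clock comes back clean. Feeding `build_assertion` an audience of the IdP's issuer while the SP only allows `https://saml.salesforce.com` reproduces the step 10 "allowed audiences" failure, which is the mismatch the exchange above is about: the audience inside the assertion and the entity id the SP accepts have to be the same string, just as the issuer does.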

certi_vimal

Identity Provider :-

 

Issuer - https://testforsso-developer-edition.my.salesforce.com

 

====

 

Salesforce Service Provider created under IdP :-

 

Entity Id - https://testforsso-developer-edition.my.salesforce.com

 

====

 

SSO settings in SP org :-

 

Issuer - https://testforsso-developer-edition.my.salesforce.com

Entity Id -  https://saml.salesforce.com

 

====

 

This is my current status.

 

In SP org, in SSO settings, Entity Id automatically populates to saml.salesforce.com

 

Please advise.

certi_vimal

Also, on the Service Provider I created under IdP in IdP org, besides the Entity Id field, they have mentioned in the Help Text to get this value from the Service Provider.

 

So if it means Service Provider org, it has Entity Id (which is system generated?) as "https://saml.salesforce.com".