Apex Code Development You need to sign in to do that
Don't have an account?
champvimal Signature is invalid, Login fails from external system
Hi All,
I have my SSO setup from external website app A to have a quicklink to Salesforce.com.
When I launch from the quicklink, it throws me error saying : "Your Login attempt using Single Sign-On with an Identity Provider certificate has failed. Please contact your salesforce.com administrator for more information".
I checked the login history of the user who tried to launch and found this error :
5/21/2012 4:04:16 PM EDT
| 141.191.20.2 | SAML Idp Initiated SSO | Failed: Signature Invalid | Browser | test.salesforce.com |
I did the SAML Validation and found these as my results :-
| Last recorded SAML login failure: 2012-05-21T20:04:16.302Z |
| Unexpected Exceptions |
| Ok |
| 1. Validating the Status |
| Ok |
| 2. Looking for an Authentication Statement |
| Ok |
| 3. Looking for a Conditions statement |
| Ok |
| 4. Checking that the timestamps in the assertion are valid |
| Timestamp of the response is outside of allowed time window |
| Current time is: 2012-05-21T20:18:16.057Z |
| Timestamp is: 2012-05-21T20:04:14.000Z |
| Allowed skew in milliseconds is 480000 |
| Timestamp of the assertion is outside of allowed time window |
| Current time is: 2012-05-21T20:18:16.057Z |
| Timestamp is: 2012-05-21T20:04:14.000Z |
| Allowed skew in milliseconds is 480000 |
| 5. Checking that the Attribute namespace matches, if provided |
| Not Provided |
| 6. Miscellaneous format confirmations |
| Ok |
| 7. Confirming Issuer matches |
| Ok |
| 8. Confirming a Subject Confirmation was provided and contains valid timestamps |
| Ok |
| 9. Checking that the Audience matches, if provided |
| Ok |
| 10. Checking the Recipient |
| Organization Id that we expected: 00DZ00000000rh6 |
| Organization Id that we found based on your assertion: 00DZ00000000rh6 |
| 11. Validating the Signature |
| Is the response signed? true |
| Is the assertion signed? false |
| The reference in the response signature is valid |
| Signature or certificate problems |
| The signature in the response is not valid |
| Is the correct certificate supplied in the keyinfo? false |
| 12. Checking that the Site URL Attribute contains a valid site url, if provided |
| Not Provided |
| 13. Looking for portal and organization id, if provided |
Ok |
Please advise what is going wrong?
Thanks,
Vimal
Issue resolved.
The Sandbox site is configured with the Production AXA signing certificate. Therefore, when an assertion signed by the non-Prod certificate is sent to the Sandbox site SFDC cannot verify the signature. I got valid Sandbox certificate from my client and uploaded it in SSO settings.
SAML Assertion is validated successfully and I am now able to launch Salesforce from External Customer Application site.
Thanks,
Vimal
All Answers
Issue resolved.
The Sandbox site is configured with the Production AXA signing certificate. Therefore, when an assertion signed by the non-Prod certificate is sent to the Sandbox site SFDC cannot verify the signature. I got valid Sandbox certificate from my client and uploaded it in SSO settings.
SAML Assertion is validated successfully and I am now able to launch Salesforce from External Customer Application site.
Thanks,
Vimal
Hi champvimal
I have the same problem.
I keep getting the ceritificate error (no 12).
I've create a new certificate on my client, but seems like I'm missing here something - maybe the SAML structure, maybe one of the keys..... I really don't know.
can you explain exactly what you did in order to get it to work?
thanks!
Hi Yossian,
In my case, the issue was I was trying to sign Prod certificate for my sandbox SAML assertion.
I got correct certificate for my sandbox and then assertion was successful.
Thanks,
Vimal