champvimal

Signature is invalid, Login fails from external system

Hi All,

 

I have my SSO setup from external website app A to have a quicklink to Salesforce.com.

 

When I launch from the quicklink, it throws an error saying: "Your Login attempt using Single Sign-On with an Identity Provider certificate has failed. Please contact your salesforce.com administrator for more information".

 

I checked the login history of the user who tried to launch and found this error:

 

5/21/2012 4:04:16 PM EDT | 141.191.20.2 | SAML Idp Initiated SSO | Failed: Signature Invalid | Browser | test.salesforce.com

   

I did the SAML Validation and found these as my results:

 

Last recorded SAML login failure:  2012-05-21T20:04:16.302Z
Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Timestamp of the response is outside of allowed time window
  Current time is: 2012-05-21T20:18:16.057Z
  Timestamp is: 2012-05-21T20:04:14.000Z
  Allowed skew in milliseconds is 480000
  Timestamp of the assertion is outside of allowed time window
  Current time is: 2012-05-21T20:18:16.057Z
  Timestamp is: 2012-05-21T20:04:14.000Z
  Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches, if provided
  Ok
10. Checking the Recipient
  Organization Id that we expected: 00DZ00000000rh6
  Organization Id that we found based on your assertion: 00DZ00000000rh6
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? false
  The reference in the response signature is valid
  Signature or certificate problems
  The signature in the response is not valid
  Is the correct certificate supplied in the keyinfo? false
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided

  Ok

 

Please advise what is going wrong? 

 

 

Thanks,

 

Vimal

Best Answer chosen by Admin (Salesforce Developers) 
champvimal

Issue resolved.

 

The Sandbox site is configured with the Production AXA signing certificate. Therefore, when an assertion signed by the non-Prod certificate is sent to the Sandbox site, SFDC cannot verify the signature. I got a valid Sandbox certificate from my client and uploaded it in the SSO settings.

 

SAML Assertion is validated successfully and I am now able to launch Salesforce from External Customer Application site.

 

 

Thanks,

 

Vimal
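The validator output in the question (step 4, the timestamp window, and step 11, the certificate in KeyInfo) and the cause given in this answer can be reproduced offline. The script below is an added example, not Salesforce code or the poster's: it parses a constructed SAML response modelled on the thread (response signed, assertion unsigned, IssueInstant 2012-05-21T20:04:14.000Z), applies the 480000 ms skew shown in the output, and compares the SHA-256 fingerprint of the certificate carried in the response's KeyInfo with that of the certificate assumed to be configured in the org's SSO settings. The certificate blobs, the IdP URL https://idp.example.test and the subject are placeholders; the script does not cryptographically verify the XML signature, it only shows which certificate the response claims to be signed with and whether that is the one on file.

```python
"""Offline re-check of two Salesforce SAML validator steps seen in the thread:
step 4 (timestamps within the allowed skew) and step 11 (is the certificate
in KeyInfo the one configured for the org?).

Added example, not Salesforce code. The SAML response and certificate blobs
below are constructed placeholders, not real X.509 certificates. This does
NOT verify the XML-DSig itself; it reproduces the fingerprint comparison that
explains a "Signature Invalid" caused by a certificate mismatch.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates" (not real DER). In practice these are
# the base64 bodies of the IdP's PEM certificates (prod vs. sandbox).
PROD_CERT_B64 = base64.b64encode(b"placeholder-production-signing-cert").decode()
SANDBOX_CERT_B64 = base64.b64encode(b"placeholder-sandbox-signing-cert").decode()

# Constructed SAML response: response signed, assertion unsigned, timestamps
# taken from the validator output, KeyInfo carrying the sandbox IdP's cert.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2012-05-21T20:04:14.000Z"
    Destination="https://test.salesforce.com">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SANDBOX_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-05-21T20:04:14.000Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-05-21T20:03:14.000Z" NotOnOrAfter="2012-05-21T20:09:14.000Z"/>
  </saml:Assertion>
</samlp:Response>"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the decoded certificate bytes, colon-separated like
    `openssl x509 -fingerprint -sha256`. Whitespace inside the base64 is ignored."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_instant(s: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {s}")


def check_response(xml_text: str, configured_cert_b64: str, now: datetime,
                   skew_ms: int = 480_000) -> dict:
    """Return a dict of findings mirroring validator steps 4 and 11."""
    root = ET.fromstring(xml_text)
    skew = timedelta(milliseconds=skew_ms)
    findings = {}

    # Step 4: IssueInstant of response and assertion must be within +/- skew of now.
    assertion = root.find("saml:Assertion", NS)
    for label, node in (("response", root), ("assertion", assertion)):
        issued = parse_instant(node.get("IssueInstant"))
        findings[f"{label}_timestamp_ok"] = abs(now - issued) <= skew

    # Step 11: which certificate does the response say signed it, and is it
    # the one the SP has on file? A mismatch here is exactly the thread's bug.
    findings["response_signed"] = root.find("ds:Signature", NS) is not None
    findings["assertion_signed"] = root.find("saml:Assertion/ds:Signature", NS) is not None
    keyinfo_cert = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    findings["keyinfo_fingerprint"] = cert_fingerprint(keyinfo_cert) if keyinfo_cert else None
    findings["configured_fingerprint"] = cert_fingerprint(configured_cert_b64)
    findings["keyinfo_matches_configured"] = (
        findings["keyinfo_fingerprint"] == findings["configured_fingerprint"])
    return findings


if __name__ == "__main__":
    # Replay the thread: validator ran at 20:18:16Z, 14 minutes after issuance,
    # against a sandbox org that still had the production certificate loaded.
    broken = check_response(SAMPLE_RESPONSE, PROD_CERT_B64,
                            parse_instant("2012-05-21T20:18:16.057Z"))
    for key, value in broken.items():
        print(f"{key}: {value}")
    # After the fix: sandbox certificate uploaded, assertion checked promptly.
    fixed = check_response(SAMPLE_RESPONSE, SANDBOX_CERT_B64,
                           parse_instant("2012-05-21T20:04:16.302Z"))
    print("after fix, keyinfo matches configured:", fixed["keyinfo_matches_configured"])
```

The fingerprint comparison is a diagnostic, not a trust decision: a service provider must verify the signature against the certificate it has configured, never against whatever certificate the response carries in KeyInfo, or anyone could substitute their own. The point of the script is to make the mismatch visible (KeyInfo says sandbox, org says production) so the right certificate gets uploaded, and to show that a stale validator run can fail step 4 on skew as well, independently of the certificate problem.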

All Answers

yossian

Hi champvimal

 

I have the same problem.

I keep getting the certificate error (no. 12).

 

I've created a new certificate on my client, but it seems like I'm missing something here - maybe the SAML structure, maybe one of the keys... I really don't know.

 

can you explain exactly what you did in order to get it to work?

 

thanks!


champvimal

Hi Yossian,

 

In my case, the issue was that I was trying to sign my sandbox SAML assertion with the Prod certificate.

 

I got the correct certificate for my sandbox and then the assertion was successful.

 

 

Thanks,

 

Vimal