Sahil Bansal 7

Issue in SAML Assertion Flow

Hi,

I am making a POST call to the token endpoint "https://login.salesforce.com/services/oauth2/token" with the following form parameters:
  1. grant_type=assertion
  2. assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprofiles%3ASSO%3Abrowser (this is urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser URL-encoded once; if the HTTP client URL-encodes form values itself, the value must not be pre-encoded, otherwise the server receives it double-encoded)
  3. assertion= a SAML response, base64-encoded and then URL-encoded, such as the following sample:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample SAML 2.0 Response that is base64-encoded, then URL-encoded, and posted as the
  "assertion" form parameter of the Salesforce OAuth 2.0 SAML assertion flow.
  USER_NAME and ORGANISATION_ID are placeholders. The Issuer and ssoStartPage below
  point at the Axiom test IdP, so the signature and certificate are test material,
  not a production signing key.
-->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://login.salesforce.com/services/oauth2/token?so=ORGANISATION_ID" ID="_90ae225-4df200ae" IssueInstant="2016-05-17T17:31:02.516Z" Version="2.0">
    <!-- NOTE(review): Destination here (and Recipient below) carry "?so=ORGANISATION_ID",
         while the POST described in the question targets the bare token endpoint;
         confirm which URL the relying party compares against. -->
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">Axiom</saml2:Issuer>
    <!-- Enveloped XML Signature over the whole Response: the Reference URI equals the
         Response ID. The enclosed Assertion carries no Signature of its own, so its
         integrity rests entirely on this outer signature.
         Exclusive C14N (without the WithComments variant) drops comments, so these
         annotations do not enter the digest.
         NOTE(review): dsa-sha1 and sha1 are deprecated for XML signatures; a production
         IdP should sign with rsa-sha256 and digest with sha256. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
            <ds:Reference URI="#_90ae225-4df200ae">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <!-- "xs" is declared on the root and only used inside xsi:type attribute
                             values, so it must be listed here to survive exclusive C14N. -->
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>wf8W26nPBEy+eFGG4nNvp5CTcMQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ggfuIMI2g0xnnPKwfN7HDEMD27x5ffbl4EhgJ9HlEZjgpR2Pv3Ps3A==</ds:SignatureValue>
        <!-- The embedded certificate is informational only; a consumer must verify the
             signature against the IdP certificate it already trusts, never against
             whatever certificate the message itself carries. -->
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIID0zCCA5GgAwIBAgIEF/uFITALBgcqhkjOOAQDBQAwgboxCzAJBgNVBAYTAlVTMQswCQYDVQQI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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <!-- Unsigned Assertion (no ds:Signature child); see the Response-level signature above. -->
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_54f387e3-57556788" IssueInstant="2016-05-17T17:31:02.516Z" Version="2.0">
        <saml2:Issuer>Axiom</saml2:Issuer>
        <saml2:Subject>
            <!-- NameID is the Salesforce username being asserted (placeholder here). -->
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</saml2:NameID>
            <!-- Bearer confirmation: any party presenting this Response before NotOnOrAfter is
                 accepted as USER_NAME, so it must travel only over TLS, and a consumer should
                 reject a Response it has already seen (replay). -->
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2016-05-17T17:32:02.516Z" Recipient="https://login.salesforce.com/services/oauth2/token?so=ORGANISATION_ID"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <!-- Validity window is exactly 60 seconds from IssueInstant; the IdP and the
             consumer clocks must agree to within that window or the assertion is rejected.
             Audience is the relying-party identifier this assertion is scoped to; a consumer
             expecting a different value should refuse it. -->
        <saml2:Conditions NotBefore="2016-05-17T17:31:02.516Z" NotOnOrAfter="2016-05-17T17:32:02.516Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://saml.salesforce.com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <!-- "unspecified" context: the assertion makes no claim about how the user
             authenticated at the IdP (password, MFA, etc.). -->
        <saml2:AuthnStatement AuthnInstant="2016-05-17T17:31:02.515Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <!-- Salesforce-specific attributes. logoutURL and portal_id are sent with empty values. -->
        <saml2:AttributeStatement>
            <!-- NOTE(review): ssoStartPage is a plain http:// URL; prefer https for any
                 page that participates in the login flow. -->
            <saml2:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">http://axiomsso.herokuapp.com/RequestSamlResponse.action</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
            </saml2:Attribute>
            <saml2:Attribute Name="organization_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ORGANISATION_ID</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="portal_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
            </saml2:Attribute>
            <saml2:Attribute Name="siteurl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://login.salesforce.com/services/oauth2/token</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>


But I get the following error response:
 
{
  "error": "invalid_assertion_type",
  "error_description": "specifed assertion type not supported"
}
Can someone help me resolve this error, or provide a sample of a valid SAML response for this flow?

Cheers!

 
Aakanksha Sharma 14
Hi, my SAML response also validates successfully in the Salesforce SAML Assertion Validator, but I still get the error below when requesting the OAuth token (note that the error_uri points back at that validator page, which checks the assertion itself rather than the token request around it):
Response body: {"error":"invalid_grant","error_uri":"https://na24.salesforce.com/setup/secur/SAMLValidationPage.apexp","error_description":"invalid assertion"}

If someone has fixed this issue, please share the fix.
Udaya kumar
Hi, any luck resolving this issue after all this time?