Hardik Dhokai (member since 2017)
Hello!
We are trying to implement the SAML 2.0 assertion flow in a C#.NET desktop application to allow a user to log in to Salesforce through his/her domain (Active Directory) credentials. To achieve this, we have done the following so far:

1. We have implemented Salesforce SSO (through ADFS 2.0 and SAML 2.0) and are able to log in to Salesforce successfully from the browser (through the Identity Provider (IdP) initiated login approach). URL used in the IdP-initiated approach: https://adforsfsso.nifdc.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.salesforce.com

2. Now we are trying to implement the SAML assertion flow (Reference URL: https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm) to allow a user to log in to Salesforce from within a custom C#.NET desktop application through the Salesforce SSO implemented in point #1 above (i.e. through the user's domain (Active Directory) credentials).

3. We have followed the steps given in the SAML assertion flow implementation document (Reference URL: https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm).
    3.1 According to it, we need a valid Base-64 encoded, then URL encoded, SAML response of the kind normally used for web single sign-on. We captured the SAML response from the Web SSO URL (https://adforsfsso.nifdc.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://saml.salesforce.com) with Fiddler. Below is the Base64-decoded version of the SAML response we received from the Web SSO URL:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a811a056-b137-4f3e-a2c3-621301effbb1" Version="2.0" IssueInstant="2017-07-06T09:47:21.243Z" Destination="https://login.salesforce.com?so=00D410000012bMN" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
	<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
	</samlp:Status>
	<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d42ebb25-d1cb-4025-aad1-1fe282a9d30b" IssueInstant="2017-07-06T09:47:21.243Z" Version="2.0">
		<Issuer>http://ADforSFSSO.nifdc.com/adfs/services/trust</Issuer>
		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
				<ds:Reference URI="#_d42ebb25-d1cb-4025-aad1-1fe282a9d30b">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
					<ds:DigestValue>gIcx+gPXCXxp30W9Fnc2mDvzbzo=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>dKcaZRut8Ebmry3fqRPiRyFEl7hdu1ntBkKKemYIS6dfEsXpCHmvoiOQEGHO1ft/h/TlKC7kZ/8sIgS3DU/b54PU4fN2+n3l1f8US+k282LLjAdXN9KeNeUbVvSD3F290p7ThKg+l0zgActQYnt2lEPsiGHt3Gw8v0tUogXS/3bljP0jnRyzX1meQ68qjWEthGUr11QzMENQSsCr51Qpb7TzofxWYKghgd8wYd2JXAtr5QHaiVlSyZHmPJjyZ8k+30oK7SGP+/i9gytr87Gy89aO+PYoWatSd0fa7/YJZZGGN/2r7fwUH0+S/5ZSOsnBY9K1WeDx5Zt1yApYjKSD/Q==</ds:SignatureValue>
			<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate><!-- certificate value omitted --></ds:X509Certificate>
				</ds:X509Data>
			</KeyInfo>
		</ds:Signature>
		<Subject>
			<NameID>niadmin@nifdc.com</NameID>
			<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<SubjectConfirmationData NotOnOrAfter="2017-07-06T09:52:21.243Z" Recipient="https://login.salesforce.com?so=00D410000012bMN" />
			</SubjectConfirmation>
		</Subject>
		<Conditions NotBefore="2017-07-06T09:47:21.243Z" NotOnOrAfter="2017-07-06T10:47:21.243Z">
			<AudienceRestriction>
				<Audience>https://saml.salesforce.com</Audience>
			</AudienceRestriction>
		</Conditions>
		<AuthnStatement AuthnInstant="2017-07-06T09:13:07.861Z" SessionIndex="_d42ebb25-d1cb-4025-aad1-1fe282a9d30b">
			<AuthnContext>
				<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
			</AuthnContext>
		</AuthnStatement>
	</Assertion>
</samlp:Response>

    3.2 We have checked the above SAML response in the "SAML Validator Tool" available in the Salesforce org under "Setup -> Single Sign-on settings". It reports it as a correct SAML response. Please find below a screenshot of the same:
[Screenshot: SAML Validator result of the SAMLResponse received from the Web SSO URL]

    3.3 But when we POST the Base64-encoded SAML response to the OAuth 2.0 token endpoint (URL: https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN), it returns the following error in JSON format:
{"error":"invalid_grant","error_uri":"https://na35.salesforce.com/setup/secur/SAMLValidationPage.apexp","error_description":"invalid assertion"}

We have used a simple form for now to POST the SAML response. Below is the same:
<html>
<body>
	<form enctype="application/x-www-form-urlencoded" name="testform" action="https://login.salesforce.com/services/oauth2/token?so=00D410000012bMN" method="POST">
		<input type="hidden" name="grant_type" value="assertion" />
		<input type="hidden" name="assertion_type" value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
		<input type="hidden" name="format" value="json" />
		<input type="hidden" name="assertion" value="<<BASE64 ENCODED SAML RESPONSE >>" />
		<input type="submit" name="submit" value="Submit" />
	</form>
</body>
</html>
Question / Help required:
1. Does anyone have any idea how to resolve this error (invalid_grant)?
2. If you have a valid SAML response, please share.

Hello all,

I am trying to log a user in using SAML, but Salesforce always returns an error:

{"error_uri":"https://na4.salesforce.comnull/setup/secur/SAMLValidationPage.apexp","error":"invalid_grant","error_description":"invalid assertion"}

I've validated my assertion with the validator and it doesn't return any errors:

Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Ok
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches, if provided
  Ok
10. Checking the Recipient
  Ok
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? true
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Ok

My assertion:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2012-09-05T10:51:05.308Z" Version="2.0">
	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">klkjiwhRLVPCGDVBUJET</saml2:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<ds:Reference URI="">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<ds:DigestValue>DtaxFPhNdZICs/lMWkc4HGoX1bU=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>Up/a92xmHWZnXc59NTAB163UBSWhkGilOVuEJqrkkgJhxAaBWgx2USi4+DzByCHrFWhadqsASrY4xZGZEXQUHJ/76vP1Nnqpf4CxBVxs7vm0CqDoP62gZQOpeu0fo50N6Sw7VQlkCkwI+yl8CQ/neDY97UrrS5QWfWA9PFiRh80=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate><!-- certificate value omitted --></ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<saml2p:Status>
		<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</saml2p:Status>
	<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="016580df-ea43-47e4-8137-474b7537f3bc" IssueInstant="2012-09-05T10:51:06.538Z" Version="2.0">
		<saml2:Issuer>klkjiwhRLVPCGDVBUJET</saml2:Issuer>
		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
			<ds:SignedInfo>
				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<ds:Reference URI="#016580df-ea43-47e4-8137-474b7537f3bc">
					<ds:Transforms>
						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<ds:DigestValue>wmX1fXgQGgatpYRBgTwK+YmMgLg=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>IL2Ob4d2oIr2tzuM1cmsTi99zeOga698rRk6FJSo5ZHIcRnwtnLIpUOIyP+3h5eC27EB78T3DFlmZp7fdVP92pv+CDxVTETuBlNBeSTOG4FRlojdDEd+C24yeUP9h3TXMTmr//D/fX9DaHPgB/fwnG8a1OJhYYcgiaDo7IFeimQ=</ds:SignatureValue>
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>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</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</ds:Signature>
		<saml2:Subject>
			<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" NameQualifier="Greytower" SPNameQualifier="https://saml.salesforce.com">eugene@burtsev.net</saml2:NameID>
			<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml2:SubjectConfirmationData NotOnOrAfter="2012-09-05T11:01:06.538Z" Recipient="https://login.salesforce.com/services/oauth2/token"/>
			</saml2:SubjectConfirmation>
		</saml2:Subject>
		<saml2:Conditions NotBefore="2012-09-05T10:51:06.538Z" NotOnOrAfter="2012-09-05T11:01:06.538Z">
			<saml2:AudienceRestriction>
				<saml2:Audience>https://saml.salesforce.com</saml2:Audience>
			</saml2:AudienceRestriction>
		</saml2:Conditions>
		<saml2:AuthnStatement AuthnInstant="2012-09-05T10:51:06.540Z">
			<saml2:AuthnContext>
				<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
			</saml2:AuthnContext>
		</saml2:AuthnStatement>
	</saml2:Assertion>
</saml2p:Response>

I've used the following request to https://login.salesforce.com/services/oauth2/token:

grant_type=assertion&assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprofiles%3ASSO%3Abrowser&assertion=<Base64EncodedAssertion>

I also tried to send the data as an HTTP form.

I tried encoding the assertion in base64 and in base64url, but I always get this error.

Can someone help me?
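Added example for both posts above (not code from either poster or from Salesforce): a Python pre-flight checker that runs the same local checks the SAML Validator output lists (Conditions and SubjectConfirmation timestamps, Audience, Recipient, AuthnStatement) against the clock at the moment you post, plus the Base64-then-URL-encode step from the doc both posts cite. The expected Recipient and Audience are caller-supplied parameters, the sample response is constructed, and XML signature verification is deliberately left to a proper library.

```python
import base64
import urllib.parse
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, expected_recipient, expected_audience, now_iso):
    """Local pre-flight checks mirroring the validator steps on the page; returns a list of problems."""
    now, problems = _ts(now_iso), []
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if now < _ts(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter has passed")
        aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if aud is None or (aud.text or "").strip() != expected_audience:
            problems.append("Audience is not %s" % expected_audience)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")
        if scd.get("Recipient") != expected_recipient:
            problems.append("Recipient %r is not %r" % (scd.get("Recipient"), expected_recipient))
    if a.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement")
    return problems

def encode_assertion(xml_text):
    # The doc's two steps: Base64-encode the XML, then URL-encode it for the form body
    return urllib.parse.quote(base64.b64encode(xml_text.encode()).decode(), safe="")

# Constructed sample (not from the page), with the five-minute SubjectConfirmation window seen above
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><saml:Assertion Version="2.0"
 ID="_x1" IssueInstant="2017-07-06T09:47:21Z"><saml:Subject><saml:NameID>user@example.com</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 NotOnOrAfter="2017-07-06T09:52:21Z" Recipient="https://login.salesforce.com/services/oauth2/token"/>
 </saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2017-07-06T09:47:21Z"
 NotOnOrAfter="2017-07-06T10:47:21Z"><saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com
 </saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
 AuthnInstant="2017-07-06T09:47:21Z"/></saml:Assertion></samlp:Response>"""
```

Worth noting from the first post: the captured response's SubjectConfirmationData NotOnOrAfter is five minutes after its IssueInstant, so a response captured with Fiddler and re-posted later fails on timestamps before anything else is considered.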
