I've built a saml assertion using OpenSaml, everything seems relatively sane, but I just can't get past the "Failed: Assertion Invalid" message in the Login History. Anyone have any suggestions on what I could be missing?

 

Our SSO settings are set to

SAML Enabled

SAML Version

1.1

SAML User ID Type

Username

Issuer

http://topherific.com

SAML User ID Location

Subject

Identity Provider Certificate

EMAILADDRESS=topher@topherific.com, CN=saml.test, OU=Topherific, O=Topherific Inc, L=Boulder, ST=Colorado, C=US Expiration: 11 Mar 2009 06:21:09 GMT

Recipient URL

https://login.salesforce.com

 

 The generated SAML response is

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2009-03-02T19:06:31.240Z" MajorVersion="1" MinorVersion="1" Recipient="https://login.salesforce.com" ResponseID="adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<ds:Reference URI="#adkcfghpeogknfnnoggbbocbiefgpglidnanmahg">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+eS6/hQ3ULCqmKwBxp8ZCXRoBnA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I/80xT1W+Yagt3S8KjjMrCJ1EAgkRP+Lqd/hwmunUkHEg3xP1h5DpA==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="samlp:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="kdmclmioaolbncmmdbhihlkihdhaimgncneomecd" IssueInstant="2009-03-02T19:06:31.240Z" Issuer="http://topherific.com" MajorVersion="1" MinorVersion="1">
<saml:AuthenticationStatement AuthenticationInstant="2009-03-02T19:06:31.240Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>topher@topherific.com</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
</samlp:Response>

 

Thanks in advance 

Hi,

I'm trying to implement SSO using SAML. The saml assertion which I'm posting is giving Assertion Invalid error in the login history.
Could anyone please tell me what's the error in my assertion.

I'm posting the following assertion:
<samlp:Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    MajorVersion="1" MinorVersion="1"
    ResponseID="_6ccb8357de3c905349ca14e42d9bf97d1215715364285"
    Recipient="https://login.salesforce.com"
    IssueInstant="2008-08-31T18:42:44.284Z">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference
                URI="#_a75adf55-01d7-40cc-929f-dbd8372ebdfc">
                <ds:Transforms>
                    <ds:Transform
                        Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces
                            PrefixList="#default saml ds xs xsi"
                            xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>
                    Kclet6XcaOgOWXM4gty6/UNdviI=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            hq4zk+ZknjggCQgZm7ea8fI7Hr7wHxvCCRwubfZ6RqVL+wNmeWI4=
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    MIICyjCCAjOgAwIBAgICAnUwDQYJKoZIhvcNAQEEBQAwgakxNVBAYTAlVT
                    MRIwEAYDVQQIEwlXaXNjb dnP6Hr7wHxvCCRwubnZAv2FU78pLX
                    8I3bsbmRAUg4UP9hH6ABVq4KQKMknxu1xQxLhpR1ylGPdioG8cCx3w/w==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="samlp:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
        MinorVersion="1"
        AssertionID="_818891251f47ba13b15f600c301749df1215715364284"
        Issuer="demoIDP" IssueInstant="2008-08-31T18:42:44.284Z">
        <saml:Conditions NotBefore="2008-08-31T18:42:44.284Z"
            NotOnOrAfter="2008-08-31T18:47:44.284Z">
        </saml:Conditions>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:Password"
            AuthenticationInstant="2008-08-31T18:42:44.284Z">
            <saml:Subject>
                <saml:NameIdentifier>
                    news4nishant@gmail.com
                </saml:NameIdentifier>
                <saml:SubjectConfirmation>
                    <saml:ConfirmationMethod>
                        urn:oasis:names:tc:SAML:1.0:cm:bearer
                    </saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
            </saml:Subject>
        </saml:AuthenticationStatement>
    </saml:Assertion>
</samlp:Response>

The base64 encoded value of the above assertion that I post is:
PHNhbWxwOlJlc3BvbnNlIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6cHJvdG9jb2wiDQoJeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiINCgl4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOnByb3RvY29sIg0KCXhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiDQoJTWFqb3JWZXJzaW9uPSIxIiBNaW5vclZlcnNpb249IjEiDQoJUmVzcG9uc2VJRD0iXzZjY2I4MzU3ZGUzYzkwNTM0OWNhMTRlNDJkOWJmOTdkMTIxNTcxNTM2NDI4NSINCglSZWNpcGllbnQ9Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20iDQoJSXNzdWVJbnN0YW50PSIyMDA4LTA3LTEwVDE4OjQyOjQ0LjI4NFoiPg0KCTxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KCQk8ZHM6U2lnbmVkSW5mbz4NCgkJCTxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kDQoJCQkJQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+DQoJCQk8ZHM6U2lnbmF0dXJlTWV0aG9kDQoJCQkJQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiIC8+DQoJCQk8ZHM6UmVmZXJlbmNlDQoJCQkJVVJJPSIjX2E3NWFkZjU1LTAxZDctNDBjYy05MjlmLWRiZDgzNzJlYmRmYyI+DQoJCQkJPGRzOlRyYW5zZm9ybXM+DQoJCQkJCTxkczpUcmFuc2Zvcm0NCgkJCQkJCUFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIC8+DQoJCQkJCTxkczpUcmFuc2Zvcm0NCgkJCQkJCUFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj4NCgkJCQkJCTxJbmNsdXNpdmVOYW1lc3BhY2VzDQoJCQkJCQkJUHJlZml4TGlzdD0iI2RlZmF1bHQgc2FtbCBkcyB4cyB4c2kiDQoJCQkJCQkJeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz4NCgkJCQkJPC9kczpUcmFuc2Zvcm0+DQoJCQkJPC9kczpUcmFuc2Zvcm1zPg0KCQkJCTxkczpEaWdlc3RNZXRob2QNCgkJCQkJQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgLz4NCgkJCQk8ZHM6RGlnZXN0VmFsdWU+DQoJCQkJCUtjbGV0NlhjYU9nT1dYTTRndHk2L1VOZHZpST0NCgkJCQk8L2RzOkRpZ2VzdFZhbHVlPg0KCQkJPC9kczpSZWZlcmVuY2U+DQoJCTwvZHM6U2lnbmVkSW5mbz4NCgkJPGRzOlNpZ25hdHVyZVZhbHVlPg0KCQkJaHE0emsrWmtuamdnQ1FnWm03ZWE4Zkk3SHI3d0h4dkNDUnd1YmZaNlJxVkwrd05tZVdJND0NCgkJPC9kczpTaWduYXR1cmVWYWx1ZT4NCgkJPGRzOktleUluZm8+DQoJCQk8ZHM6WDUwOURhdGE+DQoJCQkJPGRzOlg1MDlDZXJ0aWZpY2F0ZT4NCgkJCQkJTUlJQ3lqQ0NBak9nQXdJQkFnSUNBblV3RFFZSktvWklodmNOQVFFRUJRQXdnYWt4TlZCQVlUQWxWVA0KCQkJCQlNUkl3RUFZRFZRUUlFd2xYYVhOamIgZG5QNkhyN3dIeHZDQ1J3dWJuWkF2MkZVNzhwTFgNCgkJCQkJOEkzYnNibVJBVWc0VVA5aEg2QUJWcTRLUUtNa254dTF4UXhMaHBSMXlsR1BkaW9HOGNDeDN3L3c9PQ0KCQkJCTwvZHM6WDUwOUNlcnRpZmljYXRlPg0KCQkJPC9kczpYNTA5RGF0YT4NCgkJPC9kczpLZXlJbmZvPg0KCTwvZHM6U2lnbmF0dXJlPg0KCTxzYW1scDpTdGF0dXM+DQoJCTxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJzYW1scDpTdWNjZXNzIiAvPg0KCTwvc2FtbHA6U3RhdHVzPg0KCTxzYW1sOkFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6YXNzZXJ0aW9uIg0KCQl4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFzc2VydGlvbiIgTWFqb3JWZXJzaW9uPSIxIg0KCQlNaW5vclZlcnNpb249IjEiDQoJCUFzc2VydGlvbklEPSJfODE4ODkxMjUxZjQ3YmExM2IxNWY2MDBjMzAxNzQ5ZGYxMjE1NzE1MzY0Mjg0Ig0KCQlJc3N1ZXI9ImRlbW9JRFAiIElzc3VlSW5zdGFudD0iMjAwOC0wOC0zMVQxODo0Mjo0NC4yODRaIj4NCgkJPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMDgtMDgtMzFUMTg6NDI6NDQuMjg0WiINCgkJCU5vdE9uT3JBZnRlcj0iMjAwOC0wOC0zMVQxODo0Nzo0NC4yODRaIj4NCgkJPC9zYW1sOkNvbmRpdGlvbnM+DQoJCTxzYW1sOkF1dGhlbnRpY2F0aW9uU3RhdGVtZW50DQoJCQlBdXRoZW50aWNhdGlvbk1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4wOmFtOlBhc3N3b3JkIg0KCQkJQXV0aGVudGljYXRpb25JbnN0YW50PSIyMDA4LTA4LTMxVDE4OjQyOjQ0LjI4NFoiPg0KCQkJPHNhbWw6U3ViamVjdD4NCgkJCQk8c2FtbDpOYW1lSWRlbnRpZmllcj4NCgkJCQkJbmV3czRuaXNoYW50QGdtYWlsLmNvbQ0KCQkJCTwvc2FtbDpOYW1lSWRlbnRpZmllcj4NCgkJCQk8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KCQkJCQk8c2FtbDpDb25maXJtYXRpb25NZXRob2Q+DQoJCQkJCQl1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjA6Y206YmVhcmVyDQoJCQkJCTwvc2FtbDpDb25maXJtYXRpb25NZXRob2Q+DQoJCQkJPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQoJCQk8L3NhbWw6U3ViamVjdD4NCgkJPC9zYW1sOkF1dGhlbnRpY2F0aW9uU3RhdGVtZW50Pg0KCTwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==

The signature and time limits would be invalid but instead of giving these errors I get assertion invalid error. Please help me.

Thanks
Nishant