TooTallSid

Hi chuckmortimore,

I am currently working on the following setup:

1. PingFederate 6.6.0
2. Windows IWA Integration Kit 2.6
3. Salesforce Connector 4.1
4. RHEL 5.3 x86_64

I am trying to integrate PingFederate 6.6.0 with Salesforce.

My aim is for Active Directory users to log in to Salesforce (i.e., IdP-initiated SSO).


I have created the digital signing certificate in PingFederate. In Salesforce I have enabled the SSO settings and filled in the details of the SSO settings, and imported the digital signing certificate in the SSO settings. When I access the SSO endpoint URL https://idp-url:9031/idp/startSSO.ping?PartnerSpId=https://saml.salesforce.com through the browser, I'm getting the following error:

"Login Error: Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information."


I thought I was facing this issue because the domain was not created in Salesforce. So, I have created the domain in Salesforce and provided the endpoint URL as https://idp-url:9031/idp/startSSO.ping?PartnerSpId=https://https://testidam-dev-ed.my.salesforce.com. But I am still facing the issue.

When I validate the SAML assertion in the SAML Validator, I get the following message.

Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Current time is after notOnOrAfter in Conditions
  Current time is: 2012-08-09T09:35:11.301Z
  Time limit in Conditions, adjusted for skew, is: 2012-08-09T09:28:41.471Z
  Timestamp of the response is outside of allowed time window
  Current time is: 2012-08-09T09:35:11.301Z
  Timestamp is: 2012-08-09T09:20:41.437Z
  Allowed skew in milliseconds is 480000
  Timestamp of the assertion is outside of allowed time window
  Current time is: 2012-08-09T09:35:11.301Z
  Timestamp is: 2012-08-09T09:20:41.469Z
  Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches, if provided
  Ok
10. Checking the Recipient
  Ok
11. Validating the Signature
  Is the response signed? false
  Is the assertion signed? true
  The reference in the assertion signature is valid
  Signature or certificate problems
  The signature in the assertion is not valid
  Is the correct certificate supplied in the keyinfo? false
  Certificate specified in settings: CN=PF-Googleapps, OU=IDMCOE, O=Hexaware, L=Chennai, ST=Tamil Nadu, C=IN Expiration: 12 Jul 2013 14:00:34 GMT
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Ok

Subject: IDMCOE.COM
Unable to map the subject to a Salesforce.com user

AssertionId: sycHvSK8z0Yp1aLp.vDqdGmY_1T

Anyone please help me to fix this issue. It will be helpful to me.

Regards,

Karthick

Hi,

We are using Ping Identity (SAML 2.0) for SSO into Sites. The Site is associated with a partner portal. If I don't give the siteURL, I'm able to successfully log in to the partner portal. However, if I use the siteURL, I'm getting a "Replay Detected" error. It logs in and I guess somehow a new request is coming in. Below are the error and the SAML assertion.

8/19/2010 10:12:55 PM PDT | 58.32.239.82 | SAML Site SSO | Failed: Replay Detected | cs3.salesforce.com
8/19/2010 10:12:52 PM PDT | 58.32.239.82 | SAML Site SSO | Success | cs3.salesforce.com

<Response IssueInstant="2010-08-20T04:42:45.371Z" ID="jxF4EUmkBlHYokyA91_c5F7RssS" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Issuer>https://ssod1.xxxxxxxx.com/saml2</saml:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <saml:Assertion Version="2.0" IssueInstant="2010-08-20T04:42:45.373Z" ID="t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
    <saml:Issuer>https://ssod1.xxxxxxxx.com/saml2</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>6hmEvvGmeN/Ukz1u/yeeivegMz4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>WMLxDMqHXteSmt5Z4AL81jPYjOF5hk9oT6pA4l4a24bhhC9XYH6JbHw9Ln4CXwAwpDebUwtCWa1N
NZkwGa6U4PhlXn6Xlnazc/JuEz51hWemkINiBQOWFlqLyEUhv7yiKAKGQJE8nIR+pkOC+NU+1f/p
jUt29UdCMirSJZ/gO+0=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">200709120228664</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2010-08-20T04:46:45.374Z" Recipient="https://cs3.salesforce.com/?saml=MgoTx78aEPC5RZR2VydTkscLHwiqT5gc8SMOClzEN0Sj4oKjpfyR.xxxxxxxxxxxxxxxxxx=="/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2010-08-20T04:46:45.374Z" NotBefore="2010-08-20T04:41:45.374Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-08-20T04:42:45.373Z" SessionIndex="t74fyF1Bax6ZZ8gIFIAU.ChQsTE">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="siteUrl">
        <saml:AttributeValue xsi:type="xs:string">https://xxxxxxxxsupport.xxxxsfdev.cs3.force.com/ppSiteLogin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="GUID">
        <saml:AttributeValue xsi:type="xs:string">200709120228664</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="portal_id">
        <saml:AttributeValue xsi:type="xs:string">060300000005W44</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="organization_id">
        <saml:AttributeValue xsi:type="xs:string">00DQ0000000AnvB</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="startUrl">
        <saml:AttributeValue xsi:type="xs:string">pphomepagelinks</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userId">
        <saml:AttributeValue xsi:type="xs:string">rluke</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="SFDC_USER_ID">
        <saml:AttributeValue xsi:type="xs:string">200709120228664@xxxxxxxx.com.xxxxsfdev</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userType">
        <saml:AttributeValue xsi:type="xs:string">external</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</Response>

entityId: https://saml.salesforce.com (SP)
Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
relayState: https://xxxxxxxxsupport.xxxxsfdev.cs3.force.com
Endpoint: https://cs3.salesforce.com/?saml=MgoTx78aEPC5RZR2VydTkscLHwiqT5gc8SMOClzEN0Sj4oKjpfyR.cZYMP5e5V0thmAA14D6E2YV1XZYwty==
SignaturePolicy: DO_NOT_SIGN

August 20, 2010
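Added example (not code from either post, nor from Salesforce or PingFederate): a small Python checker that applies the same Conditions-window, assertion-timestamp, audience and replay checks that the validator output in the first post and the "Replay Detected" login entry in the second post concern, run against a constructed assertion modelled on the one posted above. The 480000 ms skew is the value reported by the validator and is assumed here to apply to every timestamp check; signature verification is deliberately not covered.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Skew as reported by the Salesforce SAML validator output above (assumed to apply to every check)
ALLOWED_SKEW = timedelta(milliseconds=480000)
SP_ENTITY_ID = "https://saml.salesforce.com"

# Constructed sample modelled on the posted assertion; signature and attributes omitted
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="resp1" Version="2.0">
  <saml:Assertion ID="t74fyF1Bax6ZZ8gIFIAU.ChQsTE" Version="2.0" IssueInstant="2010-08-20T04:42:45.373Z">
    <saml:Conditions NotBefore="2010-08-20T04:41:45.374Z" NotOnOrAfter="2010-08-20T04:46:45.374Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</Response>"""

def parse_ts(value):
    # SAML timestamps are UTC with millisecond precision and a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, seen_ids):
    # Returns the list of findings (empty means accepted). seen_ids is the replay cache,
    # shared across calls, so presenting the same assertion ID twice is reported.
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    findings = []
    # 1. Conditions window, widened by the allowed skew on both sides
    if now < parse_ts(cond.get("NotBefore")) - ALLOWED_SKEW:
        findings.append("Current time is before NotBefore in Conditions")
    if now >= parse_ts(cond.get("NotOnOrAfter")) + ALLOWED_SKEW:
        findings.append("Current time is after notOnOrAfter in Conditions")
    # 2. Assertion IssueInstant must lie within the skew of the current time
    if abs(now - parse_ts(assertion.get("IssueInstant"))) > ALLOWED_SKEW:
        findings.append("Timestamp of the assertion is outside of allowed time window")
    # 3. Audience, if present, must name this SP
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and SP_ENTITY_ID not in audiences:
        findings.append("Audience does not match")
    # 4. Replay: an assertion ID may be consumed only once
    if assertion.get("ID") in seen_ids:
        findings.append("Replay detected")
    else:
        seen_ids.add(assertion.get("ID"))
    return findings
```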
I have set up a customer portal and now want to have single sign-on to it from our company website .. I am really struggling with this as I can see "Is SSO enabled" in a normal user's profile under General User Permissions but there does not seem to be anywhere to set it in a portal user's profile .. I've had our web developer review all the Wiki entries and it all makes perfect sense apart from the bit about "make sure the portal user profile has "Is Single-sign-on enabled" checked and you are using the correct login URLs."

Has anyone already set this up and could give me some direction?

Jaz