Fwd: Salesforce SAML 1.1 Single Sign On using OpenSSO

  • From: Harish N <harishnprasad@...>
  • To: users@...
  • Subject: Fwd: Salesforce SAML 1.1 Single Sign On using OpenSSO
  • Date: Tue, 30 Jun 2009 16:40:35 +0530
  • Mailing-list: contact users-help@...; run by ezmlm

Hi,

I am trying to achieve SSO with Salesforce.com via Federated Authentication with SAML v1.1 using the OpenSSO framework, as provided in http://developers.sun.com/identity/reference/techart/salesforce.html. OpenSSO generates the SAML response given below:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="s6102d73c38586489af2149b735e538d7566575d3" MajorVersion="1" MinorVersion="1" IssueInstant="2009-06-24T08:26:35Z" Recipient="https://cs2.salesforce.com/?saml=EK03Almz90UoH_fA7esgYUZzFY0SXjIYISt745KbGpTUtXGN7D6v1tSAM2">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#s6102d73c38586489af2149b735e538d7566575d3">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>PK1H+C+2J1U+DZ51wlL7keAv3/g=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      SdvaFJPnwMo5yQvJWXDXuPHm7ZkSZqwM6Qni+hNfscY00Tr614cm0YwNgHIdzamJkXu47E/rdaI6
      jIlzd9/tSPeE/AAq/tZGsIdi8fZ5hCPLY+2KCYg0DnbUbV5uXvY33ycKKxAxf+duN4f+7taJ8s6j
      sE8pem60S36dQXvxuMM=
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>
          MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
          bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
          ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
          CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
          BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
          AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
          RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
          Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
          QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
          cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
          /FfwWigmrW0Y0Q==
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="s1a81c79861074b2b79ae3ef2cb0c99058663783a01" Issuer="localhost:8080" IssueInstant="2009-06-24T08:26:35Z">
    <saml:Conditions NotBefore="2009-06-24T08:23:35Z" NotOnOrAfter="2009-06-24T08:33:35Z">
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:com:sun:identity:JDBC" AuthenticationInstant="2009-06-24T08:26:35Z">
      <saml:Subject>
        <saml:NameIdentifier NameQualifier="dc=opensso,dc=java,dc=net">id=harish.prasad@...,ou=user,dc=opensso,dc=java,dc=net</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>


SFDC returns the error message "Login Error. Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your Salesforce administrator for more information."

When I paste the above SAML into the SFDC SAML validator, it gives the message "Audience not found". When I change the above SAML by adding the audience tag given below inside <saml:Conditions> and run it again,

<saml:AudienceRestrictionCondition>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
</saml:AudienceRestrictionCondition>

SFDC returns an OK message.

Hence, could you please let me know where to provide this audience information in OpenSSO so that I can send a valid SAML response to SFDC?

Thanks in advance.
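The check a SAML 1.1 relying party such as the SFDC validator applies to <saml:Conditions>, written here as an added example in Python (not code from the mail, OpenSSO or Salesforce): it reports "Audience not found" for the response as pasted and passes once the AudienceRestrictionCondition is added. The sample responses below are constructed from the assertion above, unsigned and reduced to the Conditions element; the expected audience https://saml.salesforce.com is the value from the mail.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def _ts(s):
    # SAML 1.1 timestamps are UTC, e.g. 2009-06-24T08:23:35Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(response_xml, expected_audience, now):
    # Returns a list of problems; empty means `now` is inside [NotBefore,
    # NotOnOrAfter) and an AudienceRestrictionCondition names expected_audience.
    root = ET.fromstring(response_xml)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return ["Conditions not found"]
    problems = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb):
        problems.append("assertion not yet valid")
    if noa and now >= _ts(noa):
        problems.append("assertion expired")
    audiences = [a.text.strip() for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text]
    if not audiences:
        problems.append("Audience not found")   # what the SFDC validator reports
    elif expected_audience not in audiences:
        problems.append("audience mismatch: %s" % audiences)
    return problems

# Constructed sample: the assertion from the mail without Signature and
# AuthenticationStatement; the Conditions attributes are verbatim.
RESPONSE_NO_AUDIENCE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 MajorVersion="1" MinorVersion="1" IssueInstant="2009-06-24T08:26:35Z">
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
  AssertionID="s1a81c79861074b2b79ae3ef2cb0c99058663783a01" Issuer="localhost:8080">
  <saml:Conditions NotBefore="2009-06-24T08:23:35Z" NotOnOrAfter="2009-06-24T08:33:35Z"/>
 </saml:Assertion>
</samlp:Response>"""

# The same response with the audience tag from the mail inserted into Conditions.
RESPONSE_WITH_AUDIENCE = RESPONSE_NO_AUDIENCE.replace(
    'NotOnOrAfter="2009-06-24T08:33:35Z"/>',
    'NotOnOrAfter="2009-06-24T08:33:35Z">'
    '<saml:AudienceRestrictionCondition><saml:Audience>'
    'https://saml.salesforce.com</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions>')

SFDC_AUDIENCE = "https://saml.salesforce.com"
ISSUED = _ts("2009-06-24T08:26:35Z")   # IssueInstant of the response in the mail
```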




Fwd: Salesforce SAML 1.1 Single Sign On using OpenSSO

Harish N 06/30/2009

Re: Fwd: Salesforce SAML 1.1 Single Sign On using OpenSSO

Emily Xu 06/30/2009