With the SAML 2.0 POST binding you have to POST the SAML request in a base64-encoded control within an HTML form - here's an example of what the service provider might send to the browser, from section 3.5.8 of the SAML 2.0 Bindings Specification:
HTTP/1.1 200 OK
Date: 21 Jan 2004 07:00:49 GMT
Content-Type: text/html; charset=iso-8859-1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<body onload="document.forms[0].submit()">
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="https://ServiceProvider.com/SAML/SLO/Browser"
method="post">
<div>
<input type="hidden" name="RelayState"
value="0043bfc1bc45110dae17004005b13a2b"/>
<input type="hidden" name="SAMLRequest"
value="PHNhbWxwOkxvZ291dFJlcXVlc3QgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1l
czp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0
YzpTQU1MOjIuMDphc3NlcnRpb24iDQogICAgSUQ9ImQyYjdjMzg4Y2VjMzZmYTdj
MzljMjhmZDI5ODY0NGE4IiBJc3N1ZUluc3RhbnQ9IjIwMDQtMDEtMjFUMTk6MDA6
NDlaIiBWZXJzaW9uPSIyLjAiPg0KICAgIDxJc3N1ZXI+aHR0cHM6Ly9JZGVudGl0
eVByb3ZpZGVyLmNvbS9TQU1MPC9Jc3N1ZXI+DQogICAgPE5hbWVJRCBGb3JtYXQ9
InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNp
c3RlbnQiPjAwNWEwNmUwLWFkODItMTEwZC1hNTU2LTAwNDAwNWIxM2EyYjwvTmFt
ZUlEPg0KICAgIDxzYW1scDpTZXNzaW9uSW5kZXg+MTwvc2FtbHA6U2Vzc2lvbklu
ZGV4Pg0KPC9zYW1scDpMb2dvdXRSZXF1ZXN0Pg=="/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>
The SAML 2.0 Redirect binding uses a query parameter containing the request, compressed then base64-encoded. Here's an example from section 3.4.8 of the same document:
HTTP/1.1 302 Object Moved
Date: 21 Jan 2004 07:00:49 GMT
Location: https://ServiceProvider.com/SAML/SLO/Browser?SAMLRequest=fVFdS8MwFH0f7D%2BUvGdNsq62oSsIQyhMESc%2B%2BJYlmRbWpObeyvz3puv2IMjyFM7HPedyK1DdsZdb%2F%2BEHfLFfgwVMTt3RgTwzazIEJ72CFqRTnQWJWu7uH7dSLJjsg0ev%2FZFMlttiBWADtt6R%2BSyJr9msiRH7O70sCm31Mj%2Bo%2BC%2B1KA5GlEWeZaogSQMw2MYBKodrIhjLKONU8FdeSsZkVr6T5M0GiHMjvWCknqZXZ2OoPxF7kGnaGOuwxZ%2Fn4L9bY8NC%2By4du1XpRXnxPcXizSZ58KFTeHujEWkNPZylsh9bAMYYUjO2Uiy3jCpTCMo5M1StVjmN9SO150sl9lU6RV2Dp0vsLIy7NM7YU82r9B90PrvCf85W%2FwL8zSVQzAEAAA%3D%3D&RelayState=0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE
Content-Type: text/html; charset=iso-8859-1
Salesforce will accept either binding, using the appropriate URL from the metadata. Render the HTML form, or use the redirect binding, whichever works best for you.
Edit 1 start:
You have http://localhost:8080/test_with_OpenSAML as the Issuer. This element should actually refer to the issuer of the SAML Assertion (the IdP). Use the value from the Identity Provider config in Salesforce - it will be something like https://company-dev-ed.my.salesforce.com.
Also, you have ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your request, but you're sending it via redirect. It should be ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". EDIT - this was incorrect - the ProtocolBinding identifies the protocol binding to use for the SAML response.
RelayState is optional. Whatever you pass here, the IdP will pass back to you with the SAML response. RelayState is typically used to hold the URL that the user originally requested, or some handle to that URL.
Edit 1 end.
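The two encodings described in the answer above, as an added example written for this page (it is not code from the answer, from the SAML Bindings specification, or from Salesforce). It uses only the Python standard library. The LogoutRequest XML, entity URLs, ID and RelayState value are constructed samples modelled on the spec excerpt; the POST binding is plain base64 of the XML, the Redirect binding is raw DEFLATE, then base64, then URL-encoding. The byte string returned for signing follows the ordering the Bindings spec (section 3.4.4.1) prescribes for the URL-encoded query; no signature is actually computed because there is no key here, so `Signature=` is left off the URL.

```python
"""Added example: SAML 2.0 HTTP-POST and HTTP-Redirect request encodings.
Not from the original answer, the spec, or Salesforce; sample data is constructed."""
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample LogoutRequest (modelled on the spec example, not copied).
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_d2b7c388cec36fa7c39c28fd298644a8" '
    'IssueInstant="2004-01-21T19:00:49Z" Version="2.0">'
    '<Issuer>https://IdentityProvider.com/SAML</Issuer>'
    '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    '005a06e0-ad82-110d-a556-004005b13a2b</NameID>'
    '<samlp:SessionIndex>1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
DESTINATION = "https://ServiceProvider.com/SAML/SLO/Browser"  # assumed endpoint


def post_binding(destination, request_xml, relay_state=None):
    """HTTP-POST binding: base64 of the XML (no compression) carried in a
    hidden SAMLRequest field of an auto-submitting form.
    Returns (field_value, html_form)."""
    saml_request = base64.b64encode(request_xml.encode("utf-8")).decode("ascii")
    fields = {"SAMLRequest": saml_request}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "\n".join(
        '<input type="hidden" name="%s" value="%s"/>'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in fields.items()
    )
    form = (
        '<form action="%s" method="post">\n%s\n'
        '<noscript><input type="submit" value="Continue"/></noscript>\n</form>'
    ) % (html.escape(destination, quote=True), inputs)
    return saml_request, form


def decode_post_binding(field_value):
    """Reverse of post_binding for a SAMLRequest/SAMLResponse field value."""
    return base64.b64decode(field_value).decode("utf-8")


def redirect_binding(destination, request_xml, relay_state=None,
                     sig_alg="http://www.w3.org/2000/09/xmldsig#rsa-sha1"):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode into the query string. Returns (url, bytes_to_sign)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    # The signature (when used) covers the URL-encoded query in exactly this
    # order: SAMLRequest, RelayState (if present), SigAlg. Signing over the
    # decoded values is a common interoperability bug.
    signed_data = urlencode(params)
    # Signature=base64(sign(key, signed_data)) would be appended here; no key, so omitted.
    return destination + "?" + signed_data, signed_data.encode("ascii")


def decode_redirect_binding(url):
    """Reverse of redirect_binding: take SAMLRequest from the query,
    base64-decode and inflate as raw DEFLATE."""
    query = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


if __name__ == "__main__":
    value, form = post_binding(DESTINATION, LOGOUT_REQUEST, "0043bfc1bc45110dae17004005b13a2b")
    print(form)
    url, to_sign = redirect_binding(DESTINATION, LOGOUT_REQUEST, "0043bfc1bc45110dae17004005b13a2b")
    print(url)
    print(decode_redirect_binding(url) == LOGOUT_REQUEST)
```

A quick check against the answer's own examples: the POST field value decodes to the XML with a plain base64 decode, whereas the Redirect query value will not decode without inflating it first, which is the usual reason a hand-built redirect "works for POST but not for Redirect" or the other way round.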
This usually has to do with the Entity ID field being incorrect in the Service Provider's Single Sign-On Configuration. Make sure it's the Service Provider's domain URL, not the Identity Provider's domain URL. (Which is kind of confusing because, why would you be entering the URL of the org you are already in? But that's how it is...)
This refers to step 5.7 of Implementing Single Sign-On Across Multiple Organizations.
Best Answer
IMO, this is super confusing. The Custom Attribute option allows you to select a field on the user object and is not related to the Connected App's Custom Attributes section.
Create a custom field on the user object that aligns with the Subject that you need and it should be selectable in the Custom Attribute picklist on the connected app.