[SalesForce] Salesforce SAML Assertion – Failed: Missing Consumer Key Parameter

We are developing a native mobile app in which we use an OAuth token for Salesforce API access. We want SSO integrated with an SSO provider like Okta, which generates a SAML response: we let the user log in inside an InAppBrowser and then retrieve the SAML response from the InAppBrowser. We are using this SAML response to get an OAuth token with a SAML assertion. The SAML response we receive is:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="id3043218551580894661426156"
   InResponseTo="_2CAAAAVSE0mcmME8wNjEwMDAwMDA0Qzk1AAAAyFSMUXxTZ-15bAOdkb3TW4s1lNtCMM8LdIHatXv06mS6eN9XIJItb2nM_lhJbV87LLxD8NinGAjhermMidYBCsuLAgA4zMHl_4YuT1npm_HiSSGnJmRdVokunp7wxK43t8Uhxmk4nztsiGx4YZPOylaio-QA_wLgoNxgbbK5RX2ldhOHllCnF7YOvuvR7Uo0igsqjbUIu6-V_G7VKARORA_KOCiefXG5m-bXDZT5t62OmskdBeZaGghVmgiTGGrTaA"
   IssueInstant="2016-04-08T06:48:10.072Z" Version="2.0"
   xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">exk63v3bp5dHOwfVv0h7</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
         <ds:Reference URI="#id3043218551580894661426156">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>9ekaQLJYSZeVkbZQbwQqYvJk43D6NNGESlRl8kXSW4E=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>W8UGwBF3uyoLxHDtd/VR2iWooGJZifFYvAMstPLr2wnX8EZPEJkFipw58xzzkVZ3n9pmeEeoMgM7v2ckidxaopSQo3vYu/A5TmjtN9z16Qal5PFmLCQrIJ1dOV/TRggcpNu8g282gNRYktwoW5jZ39V15RSxG2QTnBMn1P4bUTV93r3WhRXWssiu+xbx5LMBL5QJZcyG3lNdyi9DangHZBSF0wKXFBmPiCuHQWlQezp+ewqObLgBmE2JaFiwbPDFOLWkqzqMqAzUU1sswvpqsHt1HGR0hVcvL9PZBv/U9Rj62oLReQWajxjH02OWB3B6Qdbzp09SQG86xCZMdyk1Gw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVPRU1UPMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG
               A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
               MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi04MzIxMjMxHDAaBgkqhkiG9w0BCQEW
               DWluZm9Ab2t0YS5jb20wHhcNMTYwNDAxMTAxNTUyWhcNMjYwNDAxMTAxNjUyWjCBkjELMAkGA1UE
               BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
               BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtODMyMTIzMRwwGgYJ
               KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
               or/bQ/K680qXKaGeWVkB88gIQPyrKBO9S5ZfjLX8/msBwi4cayqh+t/HNYKMnB9YBnZc8Zm9jGY7
               dLkrethi4+lvi7RoccCsYPM8IPXPxMt1E92jvPj+5WWOpHSPgVEr8VBWv6H+Mh7Pu6LrVuQzEvHR
               LQhraVIZhDdw5ZKzqNUPLUnoGhMfGoiXct7y5T705eTDil8leLqd0xmaqWtsK0Pn3MLn62/vDg2r
               Op6DYhxaM7Uig7cgZEWZ8X6fS9FCS/bxEN7hNtFdXnXFvFXeHcMAu12TfULyY0W/ryo+XBVU3lAt
               nldJJ4543Dgq9MYkiSDX7VDC2UfQ4TrrZcG3+wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBVq9uL
               iyub7oTxcBljJRU4gGlxtgrUDBx9vlv3edP8QeZRh3An8KunoTJrxNtcroePv4ksrZG3rThp58l8
               8aV2OzjipBARP+2AB80ZtTErEe6zCMQt/h305viSuQK+T5Ic6KHvyam27pAXxr1/KDsgOSXaRExX
               86h5XJlMpWwtskqEzyss0YVzrTI2m+hyXDSsMJLNmMK5dc73ERQE/7npvqWGbD8P2GeAkIMyjxtf
               UT2g0Kbhn4N16DMOEFQNY+pdQU4bheqEiUs1jxfqzIxrgFT4w7FEb1jccyA8WIT5z+FYJGPEf/Xa
               bHggQGzOBhhx0IRAfibxNpvzyL/U4Sjz</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
   <saml2:Assertion ID="id30432185516646061886268340" IssueInstant="2016-04-08T06:48:10.072Z"
      Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">exk63v3bp5dHOwfVv0h7</saml2:Issuer>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">kundan_kumar_co@resilinc.com</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
            InResponseTo="_2CAAAAVSE0mcmME8wNjEwMDAwMDA0Qzk1AAAAyFSMUXxTZ-15bAOdkb3TW4s1lNtCMM8LdIHatXv06mS6eN9XIJItb2nM_lhJbV87LLxD8NinGAjhermMidYBCsuLAgA4zMHl_4YuT1npm_HiSSGnJmRdVokunp7wxK43t8Uhxmk4nztsiGx4YZPOylaio-QA_wLgoNxgbbK5RX2ldhOHllCnF7YOvuvR7Uo0igsqjbUIu6-V_G7VKARORA_KOCiefXG5m-bXDZT5t62OmskdBeZaGghVmgiTGGrTaA"
            NotOnOrAfter="2016-04-08T06:53:10.073Z"
            Recipient="https://resilincssomobile-dev-ed.my.salesforce.com?so=00D61000000KDfZ"/></saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2016-04-08T06:43:10.073Z" NotOnOrAfter="2016-04-08T06:53:10.073Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://resilincssomobile-dev-ed.my.salesforce.com</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2016-04-08T06:48:10.072Z"
         SessionIndex="_2CAAAAVSE0mcmME8wNjEwMDAwMDA0Qzk1AAAAyFSMUXxTZ-15bAOdkb3TW4s1lNtCMM8LdIHatXv06mS6eN9XIJItb2nM_lhJbV87LLxD8NinGAjhermMidYBCsuLAgA4zMHl_4YuT1npm_HiSSGnJmRdVokunp7wxK43t8Uhxmk4nztsiGx4YZPOylaio-QA_wLgoNxgbbK5RX2ldhOHllCnF7YOvuvR7Uo0igsqjbUIu6-V_G7VKARORA_KOCiefXG5m-bXDZT5t62OmskdBeZaGghVmgiTGGrTaA">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
   </saml2:Assertion>
</saml2p:Response>

This assertion is then posted to login.salesforce.com with the following code:

    import java.net.URLEncoder;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.entity.StringEntity;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.util.EntityUtils;

    final HttpClient httpclient = new DefaultHttpClient();
    final HttpPost post = new HttpPost("https://login.salesforce.com/services/oauth2/token");

    post.setHeader("Content-Type", "application/x-www-form-urlencoded");

    // Captured SAML assertion (already base64url-encoded; truncated in the original post)
    String samlResponse = "PHNhbWwyOkFzc2VydGlvbiBJRD0iaWQyOTg1MDA1ODk4MDAyNDA3MTY2MDA1NzUxIiBJc3N1ZUluc3RhbnQ9IjIwMTYtMDQtMDdUMTM6MTA6MDEuMjMzWiIKICAgICAgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI-CiAgICAgIDxzYW1sMjpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPjNNVkc5WTZkX0J0cDR4cDVtZ3k3aEJmaENiTEp2a2xHSXlXZDhIVHVnWnhkYXBjM1h3Rl81S2pmVlZsbVJIcmp1ZHNraUc2eW5rajl1NFF5aGE3b1E8L3NhbWwyOklzc3Vlcj4JICAKICAgICAgPHNhbWwyOlN1YmplY3Q-CiAgICAgICAgIDxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI-a3VuZGFuX2t1bWFyX2NvQHJlc2lsaW5jLmNvbTwvc2FtbDI6TmFtZUlEPgogICAgICAgICA8c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YQogICAgICAgICAgICBJblJlc3BvbnNlVG89Il8yQ0FBQUFWU0JDWlF3TUU4d05qRXdNREF3TURBMFF6azFBQUFBeUhSa0FoNU9LWnBCSDdMUUQ2X2FYX2RlV2t1bDZtZVQzNkxONjFDaHVrdm10TThKNkttVjBfRWd4bmkyRTgyY0o1NHByX3RvYUVWSEZZRlRrRHZqTzVQYUxGX01iN3dMeHdZeW43M2FLME9pMUVIaXdhSGJpb3dmYzBUUjl4aVh2RE8tRS12RHV0Qm13RTNfRkZNMkNWX3p6d1NpeThfWWJsNlIwR2FVSzd1Q3RKR2l4YjM0by1MYXY5WlVsMnl5TWVJcXA3MU92NEZaVlI0NS1YbVE1WDdMVzdXeWdnM2lIcmFITVRkaUg5c0k0MzctaDZfRzZENVU3TU9vQmd2TndnIgogICAgICAgICAgICBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDQtMDdUMTM6MTU6MDEuMjMzWiIKICAgICAgICAgICAgUmVjaXBpZW50PSJodHRwczovL2xvZ2luLnNhbGVzZm9yY2UuY29tL3NlcnZpY2VzL29hdXRoMi90b2tlbiIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj4KICAgICAgPC9zYW1sMjpTdWJqZWN0PgogICAgICA8c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTYtMDQtMDdUMTM6MDU6MDEuMjMzWiIgTm90T25PckFmdGVyPSIyMDE2LTA0LTA3VDEzOjE1OjAxLjIzM1oiPgogICAgICAgICA8c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj4KICAgICAgICAgICAgPHNhbWwyOkF1ZGllbmNlPmh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb208L3NhbWwyOkF1ZGllbmNlPgogICAgICAgICA8L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24-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-CiAgICAgIDwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ-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";

    samlResponse = base64URLencode(samlResponse);   // helper not shown in the post

    //samlResponse = new String(Base64.decode(samlResponse));
    //samlResponse = URLEncoder.encode(samlResponse);
    String grant_type = URLEncoder.encode("urn:ietf:params:oauth:grant-type:saml2-bearer", "UTF-8");
    String assertion_type = URLEncoder.encode("urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser", "UTF-8");   // declared but never sent
    String RequestBody
            = "grant_type=" + grant_type + "&"
            + "&assertion=" + samlResponse
            + "&format=json&client_id=3MVG9Y6d_Btp4xp5mgy7hBfhCbLJvklGIyWd8HTugZxdapc3XwF_5KjfVVlmRHrjudskiG6ynkj9u4Qyha7oQ"
            + "client_secret=7454037811976746840";   // no '&' before client_secret

    post.setEntity(new StringEntity(RequestBody));
    HttpResponse response = httpclient.execute(post);

    System.out.println("  execute of API " + EntityUtils.toString(response.getEntity()));

When we pass this SAML assertion in the code above we get the error "invalid client credentials", and the Salesforce login history shows the error "Failed: Missing Consumer Key Parameter".

Best Answer

You have an error in your RequestBody (a missing & in front of client_secret):

String RequestBody
        = "grant_type="+grant_type+"&"                
        + "&assertion=" + samlResponse
        + "&format=json&client_id=3MVG9Y6d_Btp4xp5mgy7hBfhCbLJvklGIyWd8HTugZxdapc3XwF_5KjfVVlmRHrjudskiG6ynkj9u4Qyha7oQ"
        +"&client_secret=7454037811976746840";

That's why client_secret wasn't treated as a parameter but as part of the client_id value.
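
To make that failure mode concrete, here is an added example (not code from the question or the answer) that reproduces the concatenation bug, parses the resulting body the way a token endpoint would, and then builds the same request from name/value pairs with HttpClient 4's UrlEncodedFormEntity so that separators and percent-encoding are handled for you. The consumer key, consumer secret and assertion XML are placeholders, and unpadded base64url is assumed as the encoding of the assertion parameter.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

public class SamlBearerTokenRequest {

    static final String TOKEN_URL = "https://login.salesforce.com/services/oauth2/token";
    static final String GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer";

    /** Unpadded base64url (RFC 4648 section 5), assumed encoding for the assertion parameter. */
    static String base64Url(String assertionXml) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(assertionXml.getBytes(StandardCharsets.UTF_8));
    }

    /** One pair per parameter: a missing '&' or an unencoded value cannot happen here. */
    static List<NameValuePair> tokenParams(String assertionXml, String clientId, String clientSecret) {
        List<NameValuePair> p = new ArrayList<>();
        p.add(new BasicNameValuePair("grant_type", GRANT));
        p.add(new BasicNameValuePair("assertion", base64Url(assertionXml)));
        p.add(new BasicNameValuePair("format", "json"));
        p.add(new BasicNameValuePair("client_id", clientId));
        if (clientSecret != null) {
            p.add(new BasicNameValuePair("client_secret", clientSecret));
        }
        return p;
    }

    /** UrlEncodedFormEntity also sets Content-Type: application/x-www-form-urlencoded. */
    static HttpPost tokenRequest(String assertionXml, String clientId, String clientSecret) throws Exception {
        HttpPost post = new HttpPost(TOKEN_URL);
        post.setEntity(new UrlEncodedFormEntity(tokenParams(assertionXml, clientId, clientSecret), "UTF-8"));
        return post;
    }

    /** Split a form body on '&' and '=' and percent-decode, i.e. what the server does with it. */
    static Map<String, String> parseForm(String body) throws Exception {
        Map<String, String> m = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;                 // tolerates the "&&" from the question
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            m.put(URLDecoder.decode(k, "UTF-8"), URLDecoder.decode(v, "UTF-8"));
        }
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs, not the values from the post.
        String clientId = "3MVG9_EXAMPLE_CONSUMER_KEY";
        String clientSecret = "EXAMPLE_CONSUMER_SECRET";
        String assertionXml = "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_example\"/>";

        // 1. The string concatenation from the question, with the missing '&' reproduced.
        String buggy = "grant_type=" + URLEncoder.encode(GRANT, "UTF-8") + "&"
                + "&assertion=" + base64Url(assertionXml)
                + "&format=json&client_id=" + clientId
                + "client_secret=" + clientSecret;
        Map<String, String> seen = parseForm(buggy);
        System.out.println("buggy  client_id     = " + seen.get("client_id"));      // key + "client_secret=" + secret
        System.out.println("buggy  client_secret = " + seen.get("client_secret"));  // null: the parameter is absent

        // 2. The same parameters built from pairs.
        String fixed = EntityUtils.toString(tokenRequest(assertionXml, clientId, clientSecret).getEntity());
        Map<String, String> ok = parseForm(fixed);
        System.out.println("fixed  client_id     = " + ok.get("client_id"));
        System.out.println("fixed  client_secret = " + ok.get("client_secret"));
        System.out.println("fixed  grant_type    = " + ok.get("grant_type"));
    }
}
```

Running parseForm over the buggy body shows the server's view directly: client_id arrives as the consumer key with "client_secret=..." glued onto it, and there is no client_secret parameter at all, which is consistent with the "Missing Consumer Key Parameter" entry in login history. Separately from the separator bug, a consumer secret compiled into a native mobile app is readable by anyone who unpacks the binary (RFC 8252 treats native apps as public clients), so a secret that has been pasted into a public question, as in the code above, should be regenerated in the connected app.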
