My aim is service provider-initiated Web SSO profile. I am implementing the service provider (SP), using Salesforce as the identity provider (IDP) for testing my SP. Can I use Salesforce IDP?
I have configured Salesforce as my test identity provider for my service provider [I am implementing the SP using the OpenSAML library].
"Edit 1 start"
First of all, can we use the Salesforce IdP for the SP-initiated (locally hosted SP) SSO web profile? I wanted to send my request message to the Salesforce IdP from my program.
[adding my request messages]
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/test_with_OpenSAML/AssertionConsumerService.jsp" ID="7ickdmjo241394083307023" IssueInstant="2014-03-06T05:21:47.115Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ls" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/test_with_OpenSAML</saml:Issuer></samlp:AuthnRequest>
In the case of HTTP Redirect, deflating, base64 encoding and URL encoding should be done.
after deflating (with zero compression): SAME REQUEST MESSAGE AS ABOVE
[what deflate level should I use?]
after base64 encoding:
after URL encoding: [ONLY THE SAMLRequest message should be URL encoded]
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cDovL2xvY2FsaG9zdDo4MDgwL3Rlc3Rfd2l0aF9PcGVuU0FNTC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UuanNwIiBJRD0iN2lja2Rtam8yNDEzOTQwODMzMDcwMjMiIElzc3VlSW5zdGFudD0iMjAxNC0wMy0wNlQwNToyMTo0Ny4xMTVaIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIFByb3ZpZGVyTmFtZT0iY3YiIFZlcnNpb249IjIuMCI%2BPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly8xNzIuMTYuNjUuMTA6ODA4MC90ZXN0X3dpdGhfT3BlblNBTUw8L3NhbWw6SXNzdWVyPjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg%3D%3D
http:xxx.salesforce.com/idp/endpoint/HttpRedirect?SAMLRequest=ABOVE_MESSAGE
Is it mandatory to add RelayState? What should it contain?
Edit 1 ends
Once configured, I built the AuthnRequest and, using the HTTP POST binding, just appended SAMLREQUEST="URLencodedAuthnRequest" to the POST binding URL of the IdP [provided in the IdP metadata].
When I send the request message, I see the error "unable to parse AuthnRequest from service provider" in the Identity Provider Event Log.
Where am I going wrong? I have referred to all the discussions in the Salesforce forums, but I can't find the solution.
Best Answer
With the SAML 2.0 POST binding you have to POST the SAML request in a base64-encoded control within an HTML form - here's an example of what the service provider might send to the browser, from section 3.5.8 of the SAML 2.0 Bindings Specification:
The SAML 2.0 Redirect binding uses a query parameter containing the request, compressed then base64-encoded. Here's an example from section 3.4.8 of the same document:
Salesforce will accept either binding, using the appropriate URL from the metadata. Render the HTML form, or use the redirect binding, whichever works best for you.
Edit 1 start:
You have http://localhost:8080/test_with_OpenSAML as the Issuer. This element should actually refer to the issuer of the SAML Assertion (the IdP). Use the value from the Identity Provider config in Salesforce - it will be something like https://company-dev-ed.my.salesforce.com.
Also, you have ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your request, but you're sending it via redirect. It should be ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". EDIT - this was incorrect - the ProtocolBinding identifies the protocol binding to use for the SAML response.
RelayState is optional. Whatever you pass here, the IdP will pass back to you with the SAML response. RelayState is typically used to hold the URL that the user originally requested, or some handle to that URL.
Edit 1 end.
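The two bindings described in the answer, as an added example that is not part of the original question or answer and not OpenSAML code: the Redirect binding applies raw DEFLATE, base64 and URL encoding to the SAMLRequest query parameter, while the POST binding carries a base64-only value in a hidden form field. The IdP URLs and the request ID are constructed placeholders.

```python
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample, modelled on the AuthnRequest posted in the question.
AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="http://localhost:8080/test_with_OpenSAML/AssertionConsumerService.jsp" '
    'ID="_constructed-example-id" IssueInstant="2014-03-06T05:21:47.115Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://localhost:8080/test_with_OpenSAML</saml:Issuer></samlp:AuthnRequest>'
)


def redirect_binding_url(idp_redirect_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header, hence
    wbits=-15), then base64, then URL-encode as the SAMLRequest parameter.
    Any compression level inflates correctly; the raw framing is what matters."""
    compressor = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # optional; echoed back by the IdP
    return idp_redirect_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """What the IdP does on receipt: URL-decode, base64-decode, inflate."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def post_binding_form(idp_post_url, authn_request_xml, relay_state=None):
    """HTTP-POST binding: no compression, base64 only, placed in a hidden
    field of an auto-submitting HTML form (not appended to the URL)."""
    encoded = base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")
    relay_field = ""
    if relay_state is not None:
        relay_field = ('<input type="hidden" name="RelayState" value="'
                       + html.escape(relay_state, quote=True) + '"/>')
    return (
        '<form method="post" action="' + html.escape(idp_post_url, quote=True) + '">'
        '<input type="hidden" name="SAMLRequest" value="' + encoded + '"/>'
        + relay_field
        + '<noscript><input type="submit" value="Continue"/></noscript></form>'
        '<script>document.forms[0].submit();</script>'
    )
```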