[SalesForce] Unable to parse AuthnRequest from SAML 2.0 Service Provider

My aim is service provider-initiated Web SSO profile. I am implementing the service provider (SP), using Salesforce as the identity provider (IDP) for testing my SP. Can I use Salesforce IDP?

I have configured Salesforce as my test identity provider for my service provider [I am implementing the SP using the OpenSAML library].

"Edit 1 start"

First of all, can we use the Salesforce IdP for the SP-initiated (locally hosted) SSO web profile? I want to send my request message to the Salesforce IdP from my program.

[adding my request messages]

<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080/test_with_OpenSAML/AssertionConsumerService.jsp" ID="7ickdmjo241394083307023" IssueInstant="2014-03-06T05:21:47.115Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ls" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/test_with_OpenSAML</saml:Issuer></samlp:AuthnRequest>

In the case of HTTP Redirect, deflating, base64 encoding and URL encoding should be done.

after deflating (with zero compression): SAME REQUEST MESSAGE AS ABOVE
[what deflate level should I use?]

after base64 encoding:

after URL encoding: [ONLY the SAMLRequest message should be URL encoded]

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbHA6QXV0aG5SZXF1ZXN0IHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIEFzc2VydGlvbkNvbnN1bWVyU2VydmljZVVSTD0iaHR0cDovL2xvY2FsaG9zdDo4MDgwL3Rlc3Rfd2l0aF9PcGVuU0FNTC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UuanNwIiBJRD0iN2lja2Rtam8yNDEzOTQwODMzMDcwMjMiIElzc3VlSW5zdGFudD0iMjAxNC0wMy0wNlQwNToyMTo0Ny4xMTVaIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIFByb3ZpZGVyTmFtZT0iY3YiIFZlcnNpb249IjIuMCI%2BPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly8xNzIuMTYuNjUuMTA6ODA4MC90ZXN0X3dpdGhfT3BlblNBTUw8L3NhbWw6SXNzdWVyPjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg%3D%3D

http:xxx.salesforce.com/idp/endpoint/HttpRedirect?SAMLRequest=ABOVE_MESSAGE

Is it mandatory to add RelayState? What should it contain?

Edit 1 ends

Once configured, I built the AuthnRequest and, using the HTTP POST binding, just appended SAMLRequest="URLencodedAuthnRequest" to the POST binding URL of the IdP [taken from the IdP metadata].

When I send the request message, I see the "Unable to parse AuthnRequest from service provider" error in the Identity Provider Event Log.

The service provider is also shown as unknown. Why is that so? I have registered my SP as well.

Where am I going wrong? I have referred to all the discussions in the Salesforce forums, but I can't find the solution.

Best Answer

With the SAML 2.0 POST binding you have to POST the SAML request in a base64-encoded control within an HTML form - here's an example of what the service provider might send to the browser, from section 3.5.8 of the SAML 2.0 Bindings Specification:

HTTP/1.1 200 OK
Date: 21 Jan 2004 07:00:49 GMT
Content-Type: text/html; charset=iso-8859-1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<body onload="document.forms[0].submit()">

<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>

<form action="https://ServiceProvider.com/SAML/SLO/Browser"
method="post">
<div>
<input type="hidden" name="RelayState"
value="0043bfc1bc45110dae17004005b13a2b"/>
<input type="hidden" name="SAMLRequest"
value="PHNhbWxwOkxvZ291dFJlcXVlc3QgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1l
czp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0
YzpTQU1MOjIuMDphc3NlcnRpb24iDQogICAgSUQ9ImQyYjdjMzg4Y2VjMzZmYTdj
MzljMjhmZDI5ODY0NGE4IiBJc3N1ZUluc3RhbnQ9IjIwMDQtMDEtMjFUMTk6MDA6
NDlaIiBWZXJzaW9uPSIyLjAiPg0KICAgIDxJc3N1ZXI+aHR0cHM6Ly9JZGVudGl0
eVByb3ZpZGVyLmNvbS9TQU1MPC9Jc3N1ZXI+DQogICAgPE5hbWVJRCBGb3JtYXQ9
InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNp
c3RlbnQiPjAwNWEwNmUwLWFkODItMTEwZC1hNTU2LTAwNDAwNWIxM2EyYjwvTmFt
ZUlEPg0KICAgIDxzYW1scDpTZXNzaW9uSW5kZXg+MTwvc2FtbHA6U2Vzc2lvbklu
ZGV4Pg0KPC9zYW1scDpMb2dvdXRSZXF1ZXN0Pg=="/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>

The SAML 2.0 Redirect binding uses a query parameter containing the request, compressed then base64-encoded. Here's an example from section 3.4.8 of the same document:

HTTP/1.1 302 Object Moved
Date: 21 Jan 2004 07:00:49 GMT
Location:
https://ServiceProvider.com/SAML/SLO/Browser?SAMLRequest=fVFdS8MwFH0f7D%
2BUvGdNsq62oSsIQyhMESc%2B%2BJYlmRbWpObeyvz3puv2IMjyFM7HPedyK1DdsZdb%2F%
2BEHfLFfgwVMTt3RgTwzazIEJ72CFqRTnQWJWu7uH7dSLJjsg0ev%2FZFMlttiBWADtt6R%
2BSyJr9msiRH7O70sCm31Mj%2Bo%2BC%
2B1KA5GlEWeZaogSQMw2MYBKodrIhjLKONU8FdeSsZkVr6T5M0GiHMjvWCknqZXZ2OoPxF7kG
naGOuwxZ%2Fn4L9bY8NC%
2By4du1XpRXnxPcXizSZ58KFTeHujEWkNPZylsh9bAMYYUjO2Uiy3jCpTCMo5M1StVjmN9SO1
50sl9lU6RV2Dp0vsLIy7NM7YU82r9B90PrvCf85W%2FwL8zSVQzAEAAA%3D%
3D&RelayState=0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F%
2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsa-
sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE
Content-Type: text/html; charset=iso-8859-1

Salesforce will accept either binding, using the appropriate URL from the metadata. Render the HTML form, or use the redirect binding, whichever works best for you.

Edit 1 start:

You have http://localhost:8080/test_with_OpenSAML as the Issuer. This element should actually refer to the issuer of the SAML Assertion (the IdP). Use the value from the Identity Provider config in Salesforce - it will be something like https://company-dev-ed.my.salesforce.com.

Also, you have ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your request, but you're sending it via redirect. It should be ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". EDIT - this was incorrect - the ProtocolBinding identifies the protocol binding to use for the SAML response

RelayState is optional. Whatever you pass here, the IdP will pass back to you with the SAML response. RelayState is typically used to hold the URL that the user originally requested, or some handle to that URL.

Edit 1 end.
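As an added example (not part of the original question or answer, and not OpenSAML or Salesforce code), the Python below builds an AuthnRequest like the one in the question and encodes it for both bindings the answer describes: HTTP-Redirect (raw DEFLATE with no zlib header, then base64, then URL encoding of the query value only) and HTTP-POST (base64 only, carried in a hidden form field, nothing appended to the URL). The IdP endpoint URLs are made-up placeholders. The deflate compression level does not matter to the receiver, but the stream must really be raw DEFLATE: even at level 0 the output is not byte-identical to the XML, because stored blocks still carry block headers, so "deflated output equals the original request" indicates that the compression step was skipped. The example also keeps the request ID so the SP can later match the Response's InResponseTo against it.

```python
"""Encode a SAML 2.0 AuthnRequest for the HTTP-Redirect and HTTP-POST bindings.

Added example; not code from the original post, OpenSAML or Salesforce.
Assumptions: IDP_REDIRECT_URL and IDP_POST_URL are placeholders standing in
for the endpoints published in the IdP metadata.
"""
import base64
import html
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_ENTITY_ID = "http://localhost:8080/test_with_OpenSAML"
ACS_URL = "http://localhost:8080/test_with_OpenSAML/AssertionConsumerService.jsp"
IDP_REDIRECT_URL = "https://idp.example.com/idp/endpoint/HttpRedirect"  # placeholder
IDP_POST_URL = "https://idp.example.com/idp/endpoint/HttpPost"          # placeholder


def build_authn_request(sp_entity_id, acs_url, request_id=None, issue_instant=None):
    """Return (request_id, xml_bytes) for an SP-initiated AuthnRequest.

    ID must be an XML NCName, so it cannot start with a digit; a leading
    underscore keeps the random hex valid. The SP stores request_id and later
    rejects any Response whose InResponseTo does not match an outstanding ID.
    ProtocolBinding names the binding the IdP should use for the *response*.
    """
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="{BINDING_POST}" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url, quote=True)}">'
        f'<saml:Issuer>{html.escape(sp_entity_id)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml.encode("utf-8")


def redirect_binding_url(idp_url, xml_bytes, relay_state=None):
    """HTTP-Redirect: raw DEFLATE (wbits=-15, no zlib header) -> base64 -> URL-encode.

    Only the query-string values are URL-encoded; the base64 text itself is
    standard base64 with +, / and = intact before encoding.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # level is irrelevant to the IdP
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, as the IdP would do it. Returns (xml, relay_state)."""
    qs = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(deflated, -15), qs.get("RelayState", [None])[0]


def post_binding_value(xml_bytes):
    """HTTP-POST: base64 of the plain XML, no deflate and no URL encoding."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_post_binding(saml_request_value):
    return base64.b64decode(saml_request_value)


def post_binding_form(idp_url, xml_bytes, relay_state=None):
    """Self-submitting HTML form, as in section 3.5.8 of the Bindings spec."""
    fields = [f'<input type="hidden" name="SAMLRequest" value="{post_binding_value(xml_bytes)}"/>']
    if relay_state is not None:
        fields.append(f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>')
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(idp_url, quote=True)}">'
        + "".join(fields)
        + '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form></body></html>'
    )


def issuer_of(xml_bytes):
    """Extract the Issuer element, which for an AuthnRequest is the SP entity ID."""
    return ET.fromstring(xml_bytes).findtext(f"{{{SAML}}}Issuer")
```

The two encodings are deliberately asymmetric: deflate is only part of the Redirect binding (to keep the URL short), and the base64 value is never URL-encoded in the POST case because it travels in the form body, not the query string.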
