[SalesForce] “Unable to resolve request into a Service Provider” return by Salesforce Identity Provider for SAML 2.0 request

I have a Salesforce instance configured to act as an Identity Provider and am trying to connect a (non-Salesforce) Service Provider (client) to it. So we are making a SAML 2.0 samlp:AuthnRequest using the HTTP POST binding. Using the "Identity Provider Event Log" has been helpful for solving the initial problems.

But I am now stuck with this error:

Unable to resolve request into a Service Provider

and have not found any clear suggestions as to the cause by Googling.

("The "Service Provider" is the client and each "Service Provider" is
represented by a "Connected App" in the Salesforce Identity Provider
org.)

It would be helpful to understand how Salesforce handles the case of samlp:AuthnRequest requests being made when there are multiple "Connected App" definitions. The only element in common between those two appears to the (samlp:AuthnRequest) AssertionConsumerServiceURL and the (Connected App) ACS URL. I've tried tweaking these with no success (e.g. adding trailing slashes).

I note that the "IdP-Initiated Login URL" values include an app parameter that is different for each "Connected App".

Any explanation, insight, suggestions or solutions very welcome.

Best Answer

This usually has to do with the Entity ID field being incorrect in the Service Provider's Single Sign-On Configuration. Make sure it's the Service Provider's domain URL, not the Identity Provider's domain URL. (Which is kind of confusing because, why would you be entering the URL of the org you are already in? But that's how it is...)

This refers to step 5.7 of Implementing Single Sign-On Across Multiple Organizations.

Related Solutions

[SalesForce] Unable to configure SAML Identity Provider in Partner Developer

I raised a case in ISV Portal and I got response saying " Identity Provider cannot be enabled on partner DE Org and will be enabled on Enterprise Edition Org on request"

This is what I inferred:

In Normal DE Org IDP is enabled out of the box.
In Partner DE Org IDP cannot be enabled.
In EE Org IDP will be enabled on request.

[SalesForce] Unable to parse AuthnRequest from SAML 2.0 Service Provider

With the SAML 2.0 POST binding you have to POST the SAML request in a base64-encoded control within an HTML form - here's an example of what the service provider might send to the browser, from section 3.5.8 of the SAML 2.0 Bindings Specification:

HTTP/1.1 200 OK
Date: 21 Jan 2004 07:00:49 GMT
Content-Type: text/html; charset=iso-8859-1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<body onload="document.forms[0].submit()">

<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>

<form action="https://ServiceProvider.com/SAML/SLO/Browser"
method="post">
<div>
<input type="hidden" name="RelayState"
value="0043bfc1bc45110dae17004005b13a2b"/>
<input type="hidden" name="SAMLRequest"
value="PHNhbWxwOkxvZ291dFJlcXVlc3QgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1l
czp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0
YzpTQU1MOjIuMDphc3NlcnRpb24iDQogICAgSUQ9ImQyYjdjMzg4Y2VjMzZmYTdj
MzljMjhmZDI5ODY0NGE4IiBJc3N1ZUluc3RhbnQ9IjIwMDQtMDEtMjFUMTk6MDA6
NDlaIiBWZXJzaW9uPSIyLjAiPg0KICAgIDxJc3N1ZXI+aHR0cHM6Ly9JZGVudGl0
eVByb3ZpZGVyLmNvbS9TQU1MPC9Jc3N1ZXI+DQogICAgPE5hbWVJRCBGb3JtYXQ9
InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNp
c3RlbnQiPjAwNWEwNmUwLWFkODItMTEwZC1hNTU2LTAwNDAwNWIxM2EyYjwvTmFt
ZUlEPg0KICAgIDxzYW1scDpTZXNzaW9uSW5kZXg+MTwvc2FtbHA6U2Vzc2lvbklu
ZGV4Pg0KPC9zYW1scDpMb2dvdXRSZXF1ZXN0Pg=="/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>

The SAML 2.0 Redirect binding uses a query parameter containing the request, compressed then base64-encoded. Here's an example from section 3.4.8 of the same document:

HTTP/1.1 302 Object Moved
Date: 21 Jan 2004 07:00:49 GMT
Location:
https://ServiceProvider.com/SAML/SLO/Browser?SAMLRequest=fVFdS8MwFH0f7D%
2BUvGdNsq62oSsIQyhMESc%2B%2BJYlmRbWpObeyvz3puv2IMjyFM7HPedyK1DdsZdb%2F%
2BEHfLFfgwVMTt3RgTwzazIEJ72CFqRTnQWJWu7uH7dSLJjsg0ev%2FZFMlttiBWADtt6R%
2BSyJr9msiRH7O70sCm31Mj%2Bo%2BC%
2B1KA5GlEWeZaogSQMw2MYBKodrIhjLKONU8FdeSsZkVr6T5M0GiHMjvWCknqZXZ2OoPxF7kG
naGOuwxZ%2Fn4L9bY8NC%
2By4du1XpRXnxPcXizSZ58KFTeHujEWkNPZylsh9bAMYYUjO2Uiy3jCpTCMo5M1StVjmN9SO1
50sl9lU6RV2Dp0vsLIy7NM7YU82r9B90PrvCf85W%2FwL8zSVQzAEAAA%3D%
3D&RelayState=0043bfc1bc45110dae17004005b13a2b&SigAlg=http%3A%2F%
2Fwww.w3.org%2F200%2F09%2Fxmldsig%23rsa-
sha1&Signature=NOTAREALSIGNATUREBUTTHEREALONEWOULDGOHERE
Content-Type: text/html; charset=iso-8859-1

Salesforce will accept either binding, using the appropriate URL from the metadata. Render the HTML form, or use the redirect binding, whichever works best for you.

Edit 1 start:

You have http://localhost:8080/test_with_OpenSAML as the Issuer. This element should actually refer to the issuer of the SAML Assertion (the IdP). Use the value from the Identity Provider config in Salesforce - it will be something like https://company-dev-ed.my.salesforce.com.

Also, you have ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" in your request, but you're sending it via redirect. It should be ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect". EDIT - this was incorrect - the ProtocolBinding identifies the protocol binding to use for the SAML response

RelayState is optional. Whatever you pass here, the IdP will pass back to you with the SAML response. RelayState is typically used to hold the URL that the user originally requested, or some handle to that URL.

Edit 1 end.

Best Answer

Related Solutions

[SalesForce] Unable to configure SAML Identity Provider in Partner Developer

[SalesForce] Unable to parse AuthnRequest from SAML 2.0 Service Provider

Related Topic