SAML bearer flow for retrieving an OAuth token gives an assertion error
I'm posting the following request, trying to get an OAuth token:
POST /services/oauth2/token?grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=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 HTTP/1.1
Host: login.salesforce.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Connection: Keep-Alive
The unencoded SAML looks like this:
<?xml version="1.0" encoding="utf-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="C625490D-C2B9-15BE-6DFA-7286288D9655" IssueInstant="2013-09-11T12:03:14Z" Version="2.0">
<saml:Issuer>3MVGsVZJwhslq1dMKw0yQhJniL9S5PBIUNkJOF.1G4167JRtA5.YKjy76e84L_Si</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#C625490D-C2B9-15BE-6DFA-7286288D9655">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>f187DeCiwFhhH2etlU+5byskey4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myuser@mycompany.com.dev</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://login.salesforce.com/services/oauth2/token" NotOnOrAfter="2013-09-11T13:03:14Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2013-09-11T12:03:14Z" NotOnOrAfter="2013-09-11T13:03:14Z">
<saml:AudienceRestriction>
<saml:Audience><![CDATA[https://login.salesforce.com]]></saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2013-09-11T06:54:14Z" SessionIndex="ED868FE5-841D-5192-766C-941A60D6602F">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
...and I'm getting this (500) error back: Unable to Access Page The value of the "assertion" parameter contains a character that is not allowed or the value exceeds the maximum allowed length. Remove the character from the parameter value or reduce the value length and resubmit. If the error still persists, report it to our Customer Support team. Provide the URL of the page you were requesting as well as any other related information.
So I narrowed it down to this:
<?xml version="1.0" encoding="utf-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>3MqushJniL9S5PBIUNkd68PvmYsLF.1G417JRtA5.YKjy_Si</saml:Issuer>
<saml:Subject>
</saml:Subject>
</saml:Assertion>
which fails with a (400) invalid assertion error. So my assumption is that the above parses correctly, but is missing info. Adding the NameID attribute (even empty):
<?xml version="1.0" encoding="utf-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>3MqushJniL9S5PBIUNkd68PvmYsLF.1G417JRtA5.YKjy_Si</saml:Issuer>
<saml:Subject>
<saml:NameID/>
</saml:Subject>
</saml:Assertion>
causes it to revert back to the 500 error. Unfortunately the error message does not tell me what exactly is the problem area, and as far as I can tell, my XML is to spec. How do I get a lead on what's happening?
~gilbert
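As an added example (not code from the original post): a small stdlib-only checker that reports which of the RFC 7522 SAML bearer requirements an assertion fails, so the three variants above can be compared offline rather than by reading a generic 400/500 page. It also flags the empty ds:SignatureValue in the full assertion above, and encodes the assertion parameter the way RFC 7522 section 2.1 requires (base64url, no padding); the timestamp format, Issuer value and sample input are taken from the post.

```python
# Added example, not from the post: lint a SAML 2.0 bearer assertion against RFC 7522.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed input: the poster's stripped-down assertion with an empty NameID.
MINIMAL = """<?xml version="1.0" encoding="utf-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>3MqushJniL9S5PBIUNkd68PvmYsLF.1G417JRtA5.YKjy_Si</saml:Issuer>
<saml:Subject><saml:NameID/></saml:Subject>
</saml:Assertion>"""

def _ts(stamp):  # SAML dateTime in the post's form, e.g. 2013-09-11T13:03:14Z (UTC)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def lint_bearer_assertion(xml_text, now_utc):
    """Return the list of requirements the assertion fails; empty means all passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    for attr in ("ID", "IssueInstant", "Version"):
        if not root.get(attr):
            problems.append("Assertion attribute %s missing" % attr)
    if not root.findtext("saml:Issuer", default="", namespaces=NS).strip():
        problems.append("Issuer missing or empty")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject/NameID missing or empty")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if conf is None else conf.find("saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Method") != BEARER:
        problems.append("SubjectConfirmation with Method bearer missing")
    elif data is None or not data.get("Recipient") or not data.get("NotOnOrAfter"):
        problems.append("SubjectConfirmationData needs Recipient and NotOnOrAfter")
    elif _ts(data.get("NotOnOrAfter")) <= _ts(now_utc):
        problems.append("SubjectConfirmationData NotOnOrAfter already passed")
    if root.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) is None:
        problems.append("Conditions/AudienceRestriction/Audience missing")
    sig = root.find("ds:Signature/ds:SignatureValue", NS)
    if sig is None or not (sig.text or "").strip():
        problems.append("Signature missing or SignatureValue empty")
    return problems

def encode_assertion_param(xml_text):  # RFC 7522 s2.1: base64url, no padding, no wrapping
    return base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii").rstrip("=")
```

Running `lint_bearer_assertion(MINIMAL, "2013-09-11T12:30:00Z")` lists seven missing pieces; the poster's full assertion passes every check except the empty SignatureValue.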