
    Mercedes Hernández
    What is the correct SAML 2.0 Assertion Structure?
    Topic posted February 13, 2017 by Mercedes Hernández

    Good afternoon,

    I am generating a SAML 2.0 assertion from my Java application using OpenSAML, and it throws the following error: 17 SSO_CONTACT_TOKEN_VALIDATE_FAILED

    Does someone have an example of an assertion where the subject is the email?

    Thank you

    Version: Customer Portal

    Answer

    • Scott Harwell

      Here's an example of a working assertion with the signature and certificate values removed. Looks like you have a couple of formatting issues in your markup.

      <?xml version="1.0"?>
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f17c703b-569b-4ac0-9bdb-3d7009a0a5ee" Version="2.0" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" IssueInstant="2010-12-22T23:47:16.679Z" Destination="https://mysite.custhelp.com/cgi-bin/mysite.cfg/php/admin/sso_launch.php">
          <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://myadfshost.test.com/adfs/services/trust</Issuer>
          <samlp:Status>
              <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_17c0578e-bba1-4016-ba71-54d781d056fe" Version="2.0" IssueInstant="2010-12-22T23:47:16.679Z">
              <Issuer>http://myadfshost.test.com/adfs/services/trust</Issuer>
              <!-- The saml:Assertion schema is a sequence: Issuer, then the enveloped ds:Signature,
                   then Subject, Conditions and the statements. The Reference URI names the Assertion ID. -->
              <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                  <SignedInfo>
                      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                      <!-- rsa-sha1/sha1 are what this 2010 ADFS example carried; a current IdP should emit rsa-sha256/sha256. -->
                      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                      <Reference URI="#_17c0578e-bba1-4016-ba71-54d781d056fe">
                          <Transforms>
                              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                          </Transforms>
                          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                          <DigestValue>kazkjyYCrZ+kvI1ZwZB32nNyVGs=</DigestValue>
                      </Reference>
                  </SignedInfo>
                  <SignatureValue>The Signature</SignatureValue>
                  <KeyInfo>
                      <X509Data>
                          <X509Certificate>The Certificate</X509Certificate>
                      </X509Data>
                  </KeyInfo>
              </Signature>
              <!-- The subject identifier is a NameID (SAML 2.0 defines no Email element);
                   the e-mail address goes in NameID with the emailAddress format. -->
              <Subject>
                  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@test.com</NameID>
                  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                      <!-- Recipient must equal the Response Destination the SP expects. -->
                      <SubjectConfirmationData Recipient="https://mysite.custhelp.com/cgi-bin/mysite.cfg/php/admin/sso_launch.php" NotOnOrAfter="2030-12-22T23:52:16.679Z"/>
                  </SubjectConfirmation>
              </Subject>
              <Conditions NotOnOrAfter="2030-12-23T00:47:16.673Z" NotBefore="2010-12-22T23:47:16.673Z">
                  <AudienceRestriction>
                      <Audience>https://mysite.custhelp.com</Audience>
                  </AudienceRestriction>
              </Conditions>
              <AuthnStatement AuthnInstant="2010-12-22T21:54:29.240Z" SessionIndex="_17c0578e-bba1-4016-ba71-54d781d056fe">
                  <AuthnContext>
                      <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
                  </AuthnContext>
              </AuthnStatement>
          </Assertion>
      </samlp:Response>
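Added example (editor's code, not from the original post, from OpenSAML, or from the portal vendor): a stdlib-only Python checker for the structural points a service provider validates before it even verifies the signature. It goes a little beyond the one assertion above: besides the Subject/NameID and child-order points, it checks that SubjectConfirmationData/@Recipient matches Response/@Destination, that the Signature Reference URI names the Assertion ID, that the NotBefore/NotOnOrAfter windows contain the check time, and that an AudienceRestriction exists, and it warns on SHA-1 algorithms. The embedded Response is constructed from the answer's values with placeholder IDs, URLs and digest/signature values; the check time of 2020-01-01 is an assumption chosen to fall inside the sample's 2010-2030 windows. It does not verify the signature cryptographically and does not reproduce whatever the portal's SSO_CONTACT_TOKEN_VALIDATE_FAILED check actually does.

```python
"""Structural linter for a SAML 2.0 Response; added example, stdlib only, no crypto check."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Schema order of saml:Assertion children; every *Statement shares the last slot.
_ORDER = {"Issuer": 0, "Signature": 1, "Subject": 2, "Conditions": 3, "Advice": 4}
# Assumed "now", chosen to fall inside the sample's 2010-2030 validity windows.
CHECK_TIME = dt.datetime(2020, 1, 1, tzinfo=dt.timezone.utc)


def _local(tag):
    return tag.rpartition("}")[2]


def _ts(value):
    """xsd:dateTime in UTC, e.g. 2010-12-22T23:47:16.679Z"""
    return dt.datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=dt.timezone.utc)


def check_response(xml_text, now=CHECK_TIME):
    """Return (errors, warnings); no errors means the structure an SP inspects is sound."""
    errors, warnings = [], []
    resp = ET.fromstring(xml_text)
    assertion = resp.find(SAML + "Assertion")
    if assertion is None:
        return ["Response carries no saml:Assertion"], warnings
    # 1. children must follow the schema sequence: Issuer, Signature, Subject, Conditions, ...
    ranks = [_ORDER.get(_local(c.tag), 5) for c in assertion]
    if ranks != sorted(ranks):
        errors.append("Assertion children out of schema order: "
                      + ", ".join(_local(c.tag) for c in assertion))
    # 2. the principal is identified by NameID; SAML 2.0 defines no <Email> element
    subject = assertion.find(SAML + "Subject")
    name_id = None if subject is None else subject.find(SAML + "NameID")
    if name_id is None or not (name_id.text or "").strip():
        errors.append("Subject has no NameID")
    scd = assertion.find(SAML + "Subject/" + SAML + "SubjectConfirmation/" + SAML + "SubjectConfirmationData")
    if scd is not None and scd.get("Recipient") != resp.get("Destination"):
        errors.append("SubjectConfirmationData/@Recipient != Response/@Destination")
    # 3. validity windows (on SubjectConfirmationData and Conditions) and audience
    cond = assertion.find(SAML + "Conditions")
    for el, attr, bad in ((scd, "NotOnOrAfter", lambda t: now >= t),
                          (cond, "NotOnOrAfter", lambda t: now >= t),
                          (cond, "NotBefore", lambda t: now < t)):
        if el is not None and el.get(attr) and bad(_ts(el.get(attr))):
            errors.append("%s/@%s excludes the current time" % (_local(el.tag), attr))
    if cond is None or cond.find(SAML + "AudienceRestriction/" + SAML + "Audience") is None:
        warnings.append("no AudienceRestriction: the assertion is replayable at any SP")
    # 4. the enveloped signature must reference this very Assertion; SHA-1 is deprecated
    sig = assertion.find(DS + "Signature")
    ref = None if sig is None else sig.find(DS + "SignedInfo/" + DS + "Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        errors.append("no Signature whose Reference/@URI points at Assertion/@ID")
    for el in (sig.iter() if sig is not None else ()):
        if el.get("Algorithm", "").endswith("sha1"):
            warnings.append("SHA-1 in " + _local(el.tag))
    return errors, warnings


# Constructed samples modelled on the answer's values; IDs, URLs and digests are placeholders.
_RCPT = "https://mysite.custhelp.com/cgi-bin/mysite.cfg/php/admin/sso_launch.php"
_AID = "_17c0578e-bba1-4016-ba71-54d781d056fe"
_SIGNATURE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#%s"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>placeholder</DigestValue></Reference>
</SignedInfo><SignatureValue>placeholder</SignatureValue></Signature>""" % _AID
EMAIL_SUBJECT = "<Email>test@test.com</Email>"  # as posted: not a SAML element
NAMEID_SUBJECT = ('<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
                  "test@test.com</NameID>")


def sample_response(subject_id, signature_after_issuer):
    """Build a Response like the posted one, varying the two points the linter flags."""
    body = """<Subject>%s<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData Recipient="%s" NotOnOrAfter="2030-12-22T23:52:16.679Z"/></SubjectConfirmation></Subject>
<Conditions NotBefore="2010-12-22T23:47:16.673Z" NotOnOrAfter="2030-12-23T00:47:16.673Z">
<AudienceRestriction><Audience>https://mysite.custhelp.com</Audience></AudienceRestriction></Conditions>
<AuthnStatement AuthnInstant="2010-12-22T21:54:29.240Z" SessionIndex="%s"><AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement>
""" % (subject_id, _RCPT, _AID)
    inner = _SIGNATURE + body if signature_after_issuer else body + _SIGNATURE
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f17c703b" Version="2.0"
IssueInstant="2010-12-22T23:47:16.679Z" Destination="%s">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0" IssueInstant="2010-12-22T23:47:16.679Z">
<Issuer>http://myadfshost.test.com/adfs/services/trust</Issuer>%s</Assertion></samlp:Response>""" % (_RCPT, _AID, inner)


def check_posted():
    """The markup as posted: <Email> inside Subject and the Signature as the last child."""
    return check_response(sample_response(EMAIL_SUBJECT, signature_after_issuer=False))


def check_fixed():
    """NameID inside Subject and the Signature directly after Issuer."""
    return check_response(sample_response(NAMEID_SUBJECT, signature_after_issuer=True))


if __name__ == "__main__":
    print("as posted:", check_posted())
    print("fixed:    ", check_fixed())
```

Run it directly to see both reports: check_posted() returns two errors for the markup as posted (no NameID in Subject, and the Signature placed after the statements instead of directly after Issuer) plus two SHA-1 warnings; check_fixed() returns no errors and the same two warnings. Feed check_response() the Response your own OpenSAML code emits, with now=datetime.now(timezone.utc), to see which of these checks it trips before you go looking at the signature.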