
OAuth 2.0 SAML Bearer assertion flow receives {"error_description":"invalid assertion","error":"invalid_grant"}

Knowledge Article Number 000199444
Description
The customer is developing their own client and wants to authenticate using the OAuth 2.0 SAML Bearer flow. They followed our online document but keep receiving the "invalid assertion" error.
 
For the SAML Bearer assertion flow to work, the customer needs to follow the document:
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en_US

One possible cause of the error is wrong encoding. When there is an encoding issue, Salesforce cannot parse the assertion and responds with {"error_description":"invalid assertion","error":"invalid_grant"}.
 
 
Resolution
In this case:
 
1) Verify that the XML document starts with <?xml version="1.0" encoding="UTF-8"?>. Salesforce supports only UTF-8 encoding; UTF-16 will cause a problem.
 
2) Make sure that when the assertion is POSTed to the token endpoint, it is encoded using base64url encoding as defined here: http://tools.ietf.org/html/rfc4648#page-7
 
"base64url" encoding is different from "base64 encoding" followed by "URL encoding":
base64url encoding replaces + with - (minus), whereas URL encoding a base64 string turns + into %2B.

Note: For the SAML Assertion flow, make sure you use base64 encoding and then URL encode the result. This is not the same as base64url encoding.
 
You can try this online tool for an example of correct encoding: http://kjur.github.io/jsjws/tool_b64uenc.html
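The following Python is an added illustration, not code from this article or from Salesforce: it checks the XML declaration for UTF-8, builds the token-endpoint form fields for the SAML Bearer flow, and places base64url encoding next to the base64-then-URL-encode form that this flow rejects. The assertion text is a constructed stand-in for a signed assertion, and the grant_type value is taken from RFC 7522, which the SAML Bearer flow follows.

```python
import base64
import re
import urllib.parse
from typing import Optional

# Constructed stand-in for a signed SAML assertion (a real one comes from your SAML library).
SAMPLE_ASSERTION = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Issuer>example-issuer</saml:Issuer></saml:Assertion>'
)

# grant_type for the SAML 2.0 Bearer assertion grant (RFC 7522).
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def xml_declared_encoding(xml_text: str) -> Optional[str]:
    """Return the encoding named in the XML declaration, or None if there is none."""
    m = re.match(r'\s*<\?xml\b[^>]*?encoding=["\']([^"\']+)["\']', xml_text)
    return m.group(1) if m else None


def base64url_encode(data: bytes) -> str:
    """RFC 4648 section 5 alphabet: '-' and '_' replace '+' and '/'; '=' padding is kept."""
    return base64.urlsafe_b64encode(data).decode("ascii")


def base64_then_urlencode(data: bytes) -> str:
    """The wrong form for the SAML Bearer flow: standard base64, then percent-encoding."""
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def build_saml_bearer_form(assertion_xml: str) -> dict:
    """Form fields for the token endpoint POST; rejects a non-UTF-8 declaration up front."""
    enc = xml_declared_encoding(assertion_xml)
    if enc is not None and enc.lower() != "utf-8":
        raise ValueError(f"assertion declares {enc}; Salesforce accepts UTF-8 only")
    raw = assertion_xml.encode("utf-8")
    return {"grant_type": SAML_BEARER_GRANT, "assertion": base64url_encode(raw)}


if __name__ == "__main__":
    form = build_saml_bearer_form(SAMPLE_ASSERTION)
    # Form-encoding the body is a separate step from encoding the assertion value itself.
    print(urllib.parse.urlencode(form))
    sample = b"\xfb\xff"  # bytes whose base64 contains both '+' and '/'
    print("base64url:", base64url_encode(sample))            # -_8=
    print("base64 + URL encode:", base64_then_urlencode(sample))  # %2B%2F8%3D
```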