Validate Saml Response in Saml Validator
|Knowledge Article Number||000233338|
If the SSO login to Salesforce is successful, when validating Saml Response Text in the Saml Validator, you may see the following error in the Saml validator.
|Resolution||This error shows up depending on how the saml response is decoded. If the Saml Response is formatted and has whitespaces and new lines added to the actual Saml response, the signature is not valid and hence the error. The Saml validator tool can validate Base64 encoded Saml Response as well as the plain text Saml response. The tool however defaults the Signature Validation to be invalid when the Saml response is formatted. To avoid seeing this error, you should use the Base64 encoded Saml response from the wire or use the plain text Saml response. This can be captured using Fiddler or Saml Tracer.
Following are the steps to capture the Base64 encoded Saml response in Saml Tracer.
1. Open the Saml Tracer tool in Firefox
2. Initiate the SSO login to Salesforce in Firefox
3. Select the POST request (tagged SAML in Orange) has the Saml Response
4. Copy the Base64 encoded Saml Response from under the Parameters Tab
5. Validate that in the Saml Validator
Following are steps to capture plain text Saml response in Axiom if your IDP is Axiom
1. Go to http://axiomsso.herokuapp.com/RequestSamlResponse.action
2. Fill in the details from the Salesforce single sign on settings page (Set up -> Security Controls -> Single Sign-On settings )
3. Request Saml Response
4. Validate the text in "Plain Text SAML Response"
4. Validate the text in "Base 64 Encoded SAML Response"
Following are the steps to capture Saml Response in Fiddler
1. Start capturing traces in Fiddler
2. Initiate the SSO login to Salesforce
3. Save the Capture as saz file
4. Look for the HTTP Post request with Saml Response in the trace.
It'll most likely be the HTTPS protocol, with <MyDomain>.my.salesforce.com or login.salesforcce.com as the Host and URL as /?so=<OrgId> . Example : /?so=00D00000000xxxx
Under Inspectors Tab you'll see various tabs like Headers, TextView, WebForms ..
5. Go to WebForms tab. Body of the WebForms tab shows the encoded Saml Response
6. Right click the value to "Send to TextWizard"
7. Select option to Transform from Base64
8. Validate the Plain text Saml response or theBase64 encoded Saml Response that you sent to the TextWizard
You will not see this error now.