JAM SAML/OAuth authentication

satish_kandi

Hi,

I’m working with Pepsi on their integration with JAM.

I’m trying to call the OData API using the SAML/OAuth authentication and I get the following error while getting the access token:

{
  error: "invalid_grant"
  error_description: "Invalid assertion: validation failed. Detail: SAML assertion failed validation."
}

I tested with the same certificate in a demo site (demo.sapjam.com) and it works fine, but not in Pepsi’s sandbox (https://jam8.sapjam.com).

Do you see any issues with the following assertion? I passed the assertion as a base64 encoded string in the post body.

I couldn't attach the Fiddler trace as the attachment type is not allowed.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="30287f2e-0730-45ab-ab9b-715fa4ef86bf" IssueInstant="2015-02-20T19:50:31.844Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer>idp.pepsicouniversity.dev.mypepsico.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#30287f2e-0730-45ab-ab9b-715fa4ef86bf">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PpjngwMmFPLcK24QeYaPyOcxRUg=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>nIQBIpac2GKiBTSzI59i0XM8fWtqZHA4Yx97xB7GXPnRHmijAIsxmeo9qXQs06wjxaUaAP3Foy5maSN4kLSSmMh8K1C/56cqAexrotk2zoykIbKoFvxosLPI5Nx8BsjVjbNbZC/uQqkmp39g2mrHd9DobHUYE1Ga4fi7be0TCAZgMk5feMgKzK4sAmS40q6CLoBYrxr/rCGP900P4HCalmXWDbi6GCYU67aQuvrAEJZESlinZ57xwRzkKi/pDDVDQPH4rOimG1UUqfOmw5Y/jRBRON8Bw1YSZoPWLeT/0IvId2fQ+L3a8yZzjRbVilgRXkqaON3nH93ojSlYp/6UAw==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.successfactors.com">PLATEAU</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2015-02-25T19:50:31.834Z"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>cubetree.com</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2015-02-20T19:50:29.204Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roles">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role1</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="client_id">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1PCuEKpWXdfprkMjPm9n</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

Thanks,

Satish

Accepted Solutions (1)

Hi Satish,

The error message indicates that the assertion failed validation, which is typically due to the private key used to sign the assertion not being compatible with the certificate used to validate it.

Thanks,

Bo

After further debugging with Satish, the issue was that the SAML Assertion element is required to have a Conditions child element with a NotOnOrAfter attribute, which is checked to be valid, i.e. that the assertion has not in fact expired.

The demo deployment currently does not do timestamp validation, but production deployments do, so this is why this problem was only seen in production.

Satish added the attribute as described above, and everything works.

Bo
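To make the difference between the demo and production behaviour concrete, here is an added example (not code from the thread or from SAP Jam) that performs the Conditions checks a production token endpoint applies to a SAML bearer assertion: it flags a missing NotOnOrAfter (the case in this thread), an expired or not-yet-valid window, and an audience mismatch. The sample assertions, the 3-minute clock-skew allowance and the issuer name are constructed for the example.

```python
# Added example: validate the Conditions element of a SAML 2.0 bearer
# assertion the way a production token endpoint does (timestamps + audience).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

def _parse_ts(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2015-02-20T19:50:31.844Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_conditions(assertion_xml, now, expected_audience, skew=timedelta(minutes=3)):
    """Return a list of validation failures; an empty list means the
    Conditions element is acceptable at time `now`."""
    failures = []
    cond = ET.fromstring(assertion_xml).find("saml2:Conditions", NS)
    if cond is None:
        return ["Conditions element missing"]
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        failures.append("Conditions/@NotOnOrAfter missing")  # what the demo site let through
    elif now >= _parse_ts(not_on_or_after) + skew:
        failures.append("assertion expired")
    not_before = cond.get("NotBefore")
    if not_before is not None and now < _parse_ts(not_before) - skew:
        failures.append("assertion not yet valid")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        failures.append("audience mismatch")
    return failures

# Constructed sample mirroring the thread: Conditions present, but no lifetime attributes.
ASSERTION_NO_EXPIRY = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2015-02-20T19:50:31.844Z">
  <saml2:Issuer>idp.example.test</saml2:Issuer>
  <saml2:Conditions>
    <saml2:AudienceRestriction><saml2:Audience>cubetree.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

# The corrected form: NotBefore/NotOnOrAfter bound the assertion's lifetime.
ASSERTION_FIXED = ASSERTION_NO_EXPIRY.replace(
    "<saml2:Conditions>",
    '<saml2:Conditions NotBefore="2015-02-20T19:45:31.844Z" NotOnOrAfter="2015-02-20T19:55:31.844Z">')

if __name__ == "__main__":
    now = _parse_ts("2015-02-20T19:50:40.000Z")
    print(validate_conditions(ASSERTION_NO_EXPIRY, now, "cubetree.com"))  # ['Conditions/@NotOnOrAfter missing']
    print(validate_conditions(ASSERTION_FIXED, now, "cubetree.com"))      # []
```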