We Keep Coding

OpenAM SSO SAML AuthnRequestsSigned error

I am trying to set the signing and encryption option on my SP metadata to have AuthnRequestsSigned="true" but my AM server keeps throwing the below Error in the /debug/Federation log
Authentication Requests Signed option is the only one giving me issues.
Im running
ForgeRock Access Management 6.5.2
Tomcat 8.0.35
openjdk version "1.8.0_212"
AM Settings
Error Message
libSAML2:08/02/2019 03:16:50:299 PM UTC: Thread[http-nio-80-exec-8,5,main]: TransactionId[f1638b0a-6687-4953-ae04-8ce8c9299079-62363]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request destination verification failed for
IdpEntity: http://x.canadacentral.cloudapp.azure.com:80/opensso
MetaAlias: /idp Destination: http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp
Location: http://x.canadacentral.cloudapp.azure.com:80/opensso/SSORedirect/metaAlias/idp
SP Meta-data
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-08-02T12:04:36Z"
cacheDuration="PT604800S" entityID="nestjs-sp-signed-0070">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
</md:KeyDescriptor>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</md:NameIDFormat>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://localhost:3000/auth/logout/callback"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://localhost:3000/auth/login/callback" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="http://localhost:3000/auth/login/callback" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://localhost:3000/auth/login/callback" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="http://localhost:3000/auth/login/callback" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
Location="http://localhost:3000/auth/login/callback" index="4"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Passport Settings
export const samlPassportConf = {
issuer: 'nestjs-sp-signed-0070', // match metadata entityID
identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
callbackUrl: 'http://localhost:3000/auth/login/callback',
entryPoint: 'http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp',
logoutUrl: 'http://x.canadacentral.cloudapp.azure.com/opensso/IDPSloRedirect/metaAlias/idp',
privateCert: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
decryptionPvk: fs.readFileSync('cert/privatekey.pem', 'utf-8'),
};

Question:
I am trying to set the signing and encryption option on my SP metadata to have AuthnRequestsSigned="true" but my AM server keeps throwing the below Error in the /debug/Federation log
(1) Authentication Requests Signed option is the only one giving me issues.
(2) I unchecked authentication requests signed and it works.
Answer:
(1) You unchecked authentication requests signed, indicating that OpenAM SAML IdP would never verify the signature of authentication request sent by your SAML SP, thus it works as you expected.
(2) Your SAML SP signs Authentication Request using a signing key.
OpenAM SAML IdP uses the corresponding public cert (which it extracts from your SAML SP metadata) to verify the signed Authentication Request sent by your SAML SP.
If the Authentication Request is signed, OpenAM SAML IdP MUST verify Destination (i.e., SAML Login URL/Entrypoint of SAML IdP) and entityID of SAML SP.
Two issues have been identified:
(I) Destination "http://x.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp"
does NOT exactly matches the location/entryPoint
"http://idp5.canadacentral.cloudapp.azure.com/opensso/SSORedirect/metaAlias/idp"
Your SAML SP sends "idp5.canadacentral", but OpenAM SAML IdP receives "x.canadacentral"
(II) issuer: 'nestjs-sp-signed-0070' in the Authentication Request sent by your SAML SP
does NOT match
entityID="nestjs-sp-signed-0090"
in your SAMP SP metadata uploaded to OpenAM SAML IdP.
Resolution:
In your Passport Settings, Replace 'nestjs-sp-signed-0070' with 'nestjs-sp-signed-0090', because OpenAM SAML IdP MUST verify that entityID of your SAML SP 'nestjs-sp-signed-0070' carried by the Authentication Request should be exactly equal to entityID of your SAML SP 'nestjs-sp-signed-0090' in your SAML SP metadata.
(III) You need to ensure that private key and public cert should be a key pair. that is,
private key "privateCert: fs.readFileSync('cert/privatekey.pem', 'utf-8')" in your Passport Settings
should be corresponding to
public cert in your SAML SP metadata
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
Potential root cause of Authentication Requests Signed is that
OpenAM SAML IdP uses the public cert of encryption (carried by your SAML SP metadata) to verify the signed Authentication Request. That is, OpenAM SAML IdP uses the wrong public cert for signature verification.
Resolution:
Use the same key pair for both signing and encryption. In your SAML SP metadata, let both signing cert and encryption cert "" be the same, that is,
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
is the same as
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
</md:KeyDescriptor>

SAML Single logout through OKTA

I have got the following SP's Request and IDP's reponse:
<samlp:LogoutRequest xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Destination="https://dev-nnn.oktapreview.com/app/somename_hped800eportal_1/exk8dlkd0tCutHWlj0h7/slo/saml" ID="_af6eaa4a-9d5b-41ce-b265-d39dfdc5248e" Version="2.0" IssueInstant="2016-10-14T12:31:59Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="http://www.w3.org/2005/Atom">https://HPED800E:444/SynPortal/login.aspx</saml:Issuer><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">CDA_Main\hjami</saml:NameID><samlp:SessionIndex>_d9f07562-3a7f-4c03-a62d-8a985f34058f</samlp:SessionIndex><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>bBbMvzSjRc0zc1jtIxmqmkO4bYo=</DigestValue></Reference></SignedInfo><SignatureValue>...5g==</SignatureValue><KeyInfo><X509Data><X509Certificate>...Cw==</X509Certificate></X509Data></KeyInfo></Signature></samlp:LogoutRequest>
<?xml version="1.0" encoding="UTF-8"?><saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://hped800e:444/SynPortal/logout.aspx" ID="id50277036872307661186452042" InResponseTo="_1eef2809-b49e-412e-a0c5-3596e3c0b158" IssueInstant="2016-10-14T00:32:05.949Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk8dlkd0tCutHWlj0h7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id50277036872307661186452042"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>3k7z8GF3kBemyYm+6+mEbZMSAYw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...MA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>...VNm</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></saml2p:Status></saml2p:LogoutResponse>
the request is encoded base-64 and then sent via post binding.
I am getting the AuthnFailed response.
I have set up only one sp for the IDP for simplicity.
Does anyone know what I am doing wrong here?

This information is insufficient to determine as what has gone wrong in your implementation for single logout. Can you please provide following information
1) Your single logout settings in Okta that can be found under SAML Settings -> Advanced Settings under General tab of your app?
2) Based on above settings please make sure you have uploaded certificate to Okta?
3) Which SAML toolkit are you using? Can you provide toolkit settings for your toolkit?
See the working SLO request below.
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_d2be8c5de3aeeeac27c8xxxxyyyy"
Version="2.0"
IssueInstant="2016-04-27T16:15:06Z"
Destination="https://org-name.okta.com/app/simplesamlphpexample/exk4xxyyPcvdVq70x7/slo/saml"
>
<saml:Issuer>http://localhost:8888/simplesamlphp/www/module.php/saml/sp/metadata.php/example-okta-com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_d1be8c5dc2aeeeac27c8daf04b7xxxyyy6b36287bd6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>{{some_value}}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>{{some_value}}</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>{{some_value}}</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{{email}}</saml:NameID>
<samlp:SessionIndex>{{some_value}}</samlp:SessionIndex>
Comparing the SLO settings for your request and mine few things stood out.
1) CanonicalizationMethod Algorithm in my case is set to http://www.w3.org/2001/10/xml-exc-c14n#. Yours is http://www.w3.org/TR/2001/REC-xml-c14n-20010315.
2) Name ID in your case is "CDA_Main\hjami". Can you please let me know which attribute in Okta is this? Also, have you overridden the userName of your app using the mappings from Okta to app (under profile editor -> your app mappings). For example, I am overriding the app userName from Okta login/email to be custom attribute.
If you are using another attribute (whose value is set to CDA_Main\hjami) from Okta as the username of the app, please make sure that you are overriding it like I am doing in the screenshot above.

I also had a hard time in making this Logout request successfully.
Here is the solution that worked for me:
You'll need the following keys:-
(a) Service provider's (your application's) private key, e.g. sp-pvt-key.pem
(b) Service provider's public key, e.g. sp-pub-key.pem
Note: You can generate these keys via openssl from your terminal.
Steps:
Provide SP's private key on SAML's configuration strategy in you application's code.
Upload SP's public key on okta's logout configuration.
Now you'll get successful logout response.

UntrustedCertificateException: Peer SSL/TLS certificate is not trusted SAML gluu server

I am trying to configure my application (SP) to work with remote IDP. The IDP provided me with a certificate to configure with SP. For SAML request.
I get this exception :
org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate XXX, issued by XXX is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in >extended metadata with the certificate's alias.
Follow certificates (in PEM format) presented by the peer. Content between being/end certificate (including) can be stored in a file and imported using keytool, e.g. 'keytool -importcert -file cert.cer -alias certAlias -keystore keystore.jks'). Make sure the presented certificates are issued by your trusted CA before adding them to the keystore.
why i get this exception?
I am using gluu server and it's shibboleth component.in SP there is an apollo.cert and a samlkeystore.jks . apollo.crt is imported in samlkeystore.jks .
I run SP and get metadadata.xml (it contains ds:X509Certificate) and import this file into gluu server .
I am confused , where is the problem ? IDP or SP?what can i do to fix that?
I really need help.
EDIT :
#Bernahrd,#Guillermo thank you so much for your reply.
I still working but can't find out what happen here.
I add metadata xml file in idp and sp .
this is gluu idp metadata , to generate idp metadata on gluu server I use https://hostname/idp/shibboleth
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://ubuntu.gluu.info/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<IDPSSODescriptor errorURL="https://ubuntu.gluu.info/identity/feedback.htm"
protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
+lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
PmIqbqM/Ii1e0kD7
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/ArtifactResolution"
index="1"/>
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution"
index="2"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://ubuntu.gluu.info/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/Unsolicited/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://ubuntu.gluu.info/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
<AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">ubuntu.gluu.info</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDaDCCAlACCQD165zhtG0q6DANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJ
UjELMAkGA1UECAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZ
MBcGA1UEAwwQdWJ1bnR1LmdsdXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9y
dEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTlaFw0xNzA2MTcyMDMxMTlaMHYxCzAJ
BgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVocmFuMQ0wCwYDVQQK
DARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcNAQkB
FhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAuSkeEK+lK498Yc8OspdYoqoDQLDPs8cF0qE84hLRhdEHU1y++/dzaC6271sV
KtTXt/aG1PwBS7unPIMOEKFNJXdO0FHEgt4nkuhq7KUvcR4ckNvL+5Ys5r/3Egzh
8nm96Z0jtuUlu1e8b6iAsw+9tYq1olDZO9Hv6hR9V/ZlTolmuZqnXEy3p/47W25p
ROLVuR7jIH+cKDVJe8lW1702wWEQWDhxPBJ1fJsMuBA/RiB/J6SBAgkxs/9m513Y
+lYaobhqMfocwzt/GAqsq4Fnixf1PldJpi/ZJfnyJ0JOFcLj8YHY/CFRiRm8b3UE
1VUYZRTHK9Qc3ryd+KA14QTymwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRS5aR
CSPS+3qoWI5wj3f97QEncv0Q80sb0tzumUJIWqDoYWW0ucyRWGiUSSVIBeVJmmmG
Yus9ML6Khb1WNCsXZW3GcBfoA8FImTtTBMyXWHpDtR6Ne156kSv2ymmdyipZo6OB
iItWjEgAOmRsynxkJASEPhH5RM8iqGAJVBCgU738so0X3e7N5pQSNMKLiCkf8afK
EsL9Q61f9RiLImlehkdw3m2B0wKQJZo1Q1D/L7sZzaOXiif3YkcVNO8t0CJpZSog
YSKS+2cM7LTDdiNS3YMpcRdcvZTixDMSAfO+7PDTfubio8ADAmjr7Gj7vwzG8sFi
PmIqbqM/Ii1e0kD7
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML1/SOAP/AttributeQuery"/>
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/AttributeQuery"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
</AttributeAuthorityDescriptor>
</EntityDescriptor>
Then I add it to SP in shibboleth-idb.xml
this is my SP metadata file that should be add to the gluu idp :
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor ID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
entityID="http://ubuntu.gluu.info:9090/saml/metadata/alias/defaultAlias"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="http://ubuntu.gluu.info:9090/saml/SingleLogout/alias/defaultAlias"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
index="3"
xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
Location="http://ubuntu.gluu.info:9090/saml/HoKSSO/alias/defaultAlias"
hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="4"
xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
in gluu server I add new trust relationship and add SP metadata file to it.
but some thing strange happen here,In SP index page i select shibolleth idp,then login page of shibolleth idp appears,after enter username and password it redirect to my SP and then Exception happen, according to the exception,idp send me this certificate and want me to add this to my trust store :
-----BEGIN CERTIFICATE-----
MIIDaDCCAlACCQDTFXuxD0vSJTANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJJUjELMAkGA1UE
CAwCVEgxDzANBgNVBAcMBnRlaHJhbjENMAsGA1UECgwER0xVVTEZMBcGA1UEAwwQdWJ1bnR1Lmds
dXUuaW5mbzEfMB0GCSqGSIb3DQEJARYQc3VwcG9ydEBnbHV1Lm9yZzAeFw0xNjA2MTcyMDMxMTha
Fw0xNzA2MTcyMDMxMThaMHYxCzAJBgNVBAYTAklSMQswCQYDVQQIDAJUSDEPMA0GA1UEBwwGdGVo
cmFuMQ0wCwYDVQQKDARHTFVVMRkwFwYDVQQDDBB1YnVudHUuZ2x1dS5pbmZvMR8wHQYJKoZIhvcN
AQkBFhBzdXBwb3J0QGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvt/V
JO3o7LCwmgUSJg1CyTfSwUL28d2FaMsiiSUZ5Qs6kPHKwJ22IltBpIaJBgFcqyNxOgve3z7agJtJ
dBmyWJRoz7yMbtXmHJdk+XRs4LqRCl0CFprlPtfg9Avyb8tBqWa+c3VBbbhJ0dKpWpvzVLoRm33J
u9+/TnlM6a5UUHGsQIynjndFJSFnittNfDLQglooKyjUuiv0OrN5E7qG9bGe+w+EytYrzfx+AI/t
9wGIjMKyY9MWO4/ai0Ei7tX5CHS1GxFg2xp6Q6705YjFxrfFTbB+5XIbUCLi62nzas51hYeVzWHZ
B2XODA8ClE+U31EtwvVHbNJP5DOoM9441QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBBYAvHpshQ
8SH7wrPKNhFpbdxJ49PYmMDlCtKyU10umiEYmCSg9m4vado9MLrqblQ5qUMX1YYiIQbR47RXtSdG
AAr16JcBbiktrGv+KeGuLp7K0Ye3WsUS/uSrCimvW+lilNqAHj0MvqjQuSKCgOrmpxT55C8e21/h
piFjQF7ReCAeD0DV5ZGiDZQP0wdjJvHAMVQbQGeIpizZnOmmozsCiUDpSN2gZgu59TPimTD7rcfi
WZdaOr9L3pevZFLOrCXweyS6eiD2pTV1hWnfX6Ck3c0pM+yuA7Ug3BSFoOCXigKiA1EO4aqnGHLG
dswo1zee5kgF8oJbyYjVcYhZgc5w
-----END CERTIFICATE-----
Thanks.

You SP-metadata has
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://ubuntu.gluu.info:9090/saml/SSO/alias/defaultAlias" index="0"
isDefault="true"/>
hence artifact binding will be used.
--> The SP tries to connect to the Artifact Resolution service of the IdP (Location="https://ubuntu.gluu.info:9443/idp/profile/SAML2/SOAP/ArtifactResolution").
As this has scheme 'https' a secure SOAP call has to be performed.
Either you configure a JSSE truststore for your deployment container running the app (JVM-option -Djavax.net.ssl.trustStore=PATH_TO_JKS_TRUSTORE) and add the provided cert to hat truststore or remove artifact binding from your SP's meta data and only use front-channel bindings (where all communication goes through the user-agent)

SAML Secured AuthnRequest Fails

I'm not able to make a secured ECP AuthnRequest to my Shibboleth IdP. I've got a small proof of concept SP running which is based heavily on the Spring SAML extension sample app. My SP metadata was generated using the Spring SAML extension sample app's metadata generator. The signing key being used is the apollo one included with the sample app samlKeystore.jks key store, all of which is also in my own small SP app.
In my SP metadata, I have the AuthnRequestsSigned attribute set to true like so :
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
If I set AuthnRequestsSigned to false and make the ECP SOAP POST to the IdP, it works just fine. I get the proper SOAP message back from the IdP. But if that value is true, I get a non-descriptive error message:
<env:Fault>
<faultcode>env:Client</faultcode>
<faultstring>An error occurred processing the request.</faultstring>
<detail/>
</env:Fault>
I look in the Shibboleth (IdP) logs and see:
Attempting to extract credential from an X509Data
Found 1 X509Certificates
Found 0 X509CRLs
Single certificate was present, treating as end-entity certificate
Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
A total of 1 credentials were resolved
This displays twice in the log for my transaction. My assumption is because it's finding the certificate in the request and in my SP metadata. Further down in the log during this same transaction I see this followed by a stack trace:
Attempting to validate signature using key from supplied credential
Creating XMLSignature object
Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
Signature did not validate against the credential's key
Signature validation using candidate validation credential failed
Signature did not validate against the credential's key
I compared the certificate that is in the ECP POST AuthnRequest to the one in my SP metadata used for "signing" and they are the same. So I'm not sure why I'm getting this error.
My understanding is that the IdP will take the certificate found in the <ds:X509Certificate> tag of the request (which is the public key) and make sure that's the same one defined in the SP metadata. Then use that cert to verify the signature value which is also in the request in the <ds:SignatureValue> element. If it validates then it moves forward with the AuthnRequest. Is this accurate?
What piece am I missing?
Update 1: I've added the logging lines as suggested and here's all it shows for the ECP requests:
signatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1
jceSigAlgorithm = SHA1withRSA
jceSigProvider = SunRsaSign
PublicKey = Sun RSA public key, 2048 bits
modulus: <long value here>
public exponent: 65537
Signature verification failed.
One thing of note, if I make a request to my SP via a browser and I'm not signed in, I get redirected to my IdP login page as expected. I check the IdP logs and see that that request was also signed and it validates. I looked at the form data sent to the IdP from the SP and see that AuthnRequest is also signed using the same certificate but the SignatureValue value are different of course. That non-ECP request data XML looks very similar to the ECP request SOAP XML yet the ECP one fails.
UPDATE 2: I'm using spring-security-saml-1.0.0.RELEASE, and Shibboleth IdP v2.4.0. Here's a sample message I'm sending to the IdP:
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope
xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header>
</soap11:Header>
<soap11:Body>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://1XP21VRS.mydomain.com:8080/proofofconceptapp-sso/saml/SSO/alias/conceptSSO" ForceAuthn="false" ID="a3j6fd01d0ciahe25b56i326bhe212" IsPassive="false" IssueInstant="2014-10-24T19:37:43.207Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://1XP21VRS.mydomain.com:8080/proofofconceptapp-sso
</saml2:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#a3j6fd01d0ciahe25b56i326bhe212">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>mMJbjpmWr6OMP9eU70RA9TtfXGY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>I6rHpgjWgl5l5sjst+VHuSUnjUaOBnPIbUrWwcAfdTDSFY2wxUuNdHpXt/YqBfP9ZKdTWZV1IjbTR666T7sa1bZawgT3UO07FoBVAc5z+AH0nCvIz+UNSqpunPTaEdUhSaGmNHSItvFtvz2fDmvZl18GwXrTz4g6vvxKkdo/FijgvYldfYYuO+obcjof1SJmpOOr1iRNvpyGQMxcaH9e07QfJO9SDcLP2elvPvwbJsGGl/n/3sIG+kIm0MECU3hv/4pLx6+SyHDXjdhdOD2HyxGL1t7iIYG1AaDX4dkIt2wH2WOyzhfO2MyykqChhRcYWFdEdgqaQW/IBLPxsVjN9g==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml2p:AuthnRequest>
</soap11:Body>
</soap11:Envelope>
I'm pretty much just copying the response from the initial PAOS request to the SP (Spring SAML), removing the header innards, and sending that along to the Shibboleth IdP. The headers that I send are:
Content-Type: text/xml
Authorization: Basic <base64 encoded credential string here>
Update 3: Signed non-ECP AuthnRequests validate just fine. So it's only SOAP ECP AuthnRequests to the IdP where the signature fails. Any ideas?
Update 4: Still can't get this working. Any help would be appreciated.

authenticate using OAuth + SAML bearer flow (invalid assertion)

I am trying to authenticate using OAuth + SAML bearer flow (http://help.salesforce.com/help/doc/en/remoteaccess_oauth_SAML_bearer_flow.htm)
But i am stuck at the point where i am getting invalid assertion error:
{"error":"invalid_grant","error_description":"invalid assertion"}
Here's my assertion:
<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="C625490D-C2B9-15BE-6DFA-7286288D9655" IssueInstant="2012-04-04T06:54:14Z" Version="2.0">
<saml:Issuer>3MVG9Y6d_Btp4.....d0jnN</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#C625490D-C2B9-15BE-6DFA-7286288D9655">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>f187DeCiwFhhH2etlU+5byskey4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MIID6zCCAtOgAwI...........4qbvd3sxAQmkhR98FSsQixMI+bTHq9zRgeFu6W5GWsun3tmqNE=
</ds:SignatureValue>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">org2#dot.com
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://login.salesforce.com/services/oauth2/token" NotOnOrAfter="2012-11-20T06:35:42Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2012-11-19T06:34:42Z" NotOnOrAfter="2012-11-20T06:35:42Z">
<saml:AudienceRestriction>
<saml:Audience>https://login.salesforce.com/services/oauth2/token</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2012-11-20T06:35:42Z" SessionIndex="ED868FE5-841D-5192-766C-941A60D6602F">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
And here's how i am making the request:
curl https://login.salesforce.com/services/oauth2/token -H "Content-Type='application/x-www-form-urlencoded'" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer" -d "assertion=`cat saml-assertion.base64`"
I have properly encoded the assertion to base64url (previously i was getting error regarding invalid chars in assertion, which i fixed)
Please advice me what/where I can check further on this to know why my assertion is invalid!
PS: Everything is copied from above url's sample assertion, and username,issuer and certificate are changed by me. Also I am setting the NotBefore as the exact login time of the user.

Grant type value needs to be encoded as well, when you are sending that.
urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer
Saml assertion needs to be single assertion. It needs to be Base64 encoded as you did and then remove padding or urlencode again.
The value of the "assertion" parameter MUST contain a single SAML 2.0
Assertion. The SAML Assertion XML data MUST be encoded using
base64url, where the encoding adheres to the definition in Section 5
of RFC 4648 [RFC4648] and where the padding bits are set to zero. To
avoid the need for subsequent encoding steps (by "application/
x-www-form-urlencoded" [W3C.REC-html401-19991224], for example), the
base64url encoded data SHOULD NOT be line wrapped and pad characters
("=") SHOULD NOT be included.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17#section-2.1
Send with post encoded values:
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&
assertion=PHNhbWxwOl...[omitted]...ZT4