Error while testing IDP Initiated SSO with Salesforce

This topic has 5 replies, 2 voices, and was last updated 3 years, 7 months ago by Scott Heger.

  • #21071
     rasarkar
    Participant

    I am trying to configure IDP initiated SSO with Salesforce. I have created a separate salesforce domain and exchanged the metadata. My openam URL is https://openam.example.com:8443/openam and salesforce URL is https://forgerockpreview-dev-ed.my.salesforce.com. I am trying to accomplish IDP initiated SSO using the following URL https://openam.example.com:8443/openam/saml2/jsp/idpSSOInit.jsp?spEntityID=https%3A%2F%2Fforgerockpreview-dev-ed.my.salesforce.com&binding=HTTP-POST&metaAlias=/idp

    The circle of trust and the corresponding entities are in the top level realm. When I hit the URL I am seeing an HTTP 400 error on the screen that says “Error processing AuthnRequest. The receiving entity ID is not valid or not trusted.” The corresponding exception in the log is:

    libSAML2:02/28/2018 10:50:47:832 PM IST: Thread[https-jsse-nio-8443-exec-1,5,main]: TransactionId[87fb73b4-0234-4bd8-85d1-3254dd35f280-1122]
    ERROR: Error processing request
    com.sun.identity.saml2.common.SAML2Exception: The receiving entity ID is not valid or not trusted.
    at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:303)
    at com.sun.identity.saml2.profile.IDPSSOUtil.doSSOFederate(IDPSSOUtil.java:199)
    at org.apache.jsp.saml2.jsp.idpSSOInit_jsp._jspService(idpSSOInit_jsp.java:192)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
    libSAML:02/28/2018 10:50:47:835 PM IST: Thread[https-jsse-nio-8443-exec-1,5,main]: TransactionId[87fb73b4-0234-4bd8-85d1-3254dd35f280-1122]
    SAMLUtils.sendError: error page/saml2/jsp/saml2error.jsp

    Can somebody help me and point out where exactly I am going wrong?

    #21073
     Scott Heger
    Participant

    Did you name your remote SP entity for Salesforce “https://forgerockpreview-dev-ed.my.salesforce.com”? Also, have you verified that it is actually in the CoT?

    #21074
     rasarkar
    Participant

    Yes, I did.

    #21075
     Scott Heger
    Participant

    It is “exactly” that? Meaning you don’t have a trailing “/” or a port number in the entity name? For example:

    https://forgerockpreview-dev-ed.my.salesforce.com/

    or

    https://forgerockpreview-dev-ed.my.salesforce.com:443

    or

    https://forgerockpreview-dev-ed.my.salesforce.com:443/

    #21076
     rasarkar
    Participant

    Hey Scott,
    Thanks for your response. I found what the issue was. The Remote SP was not part of the COT, which it should have been when I imported the metadata. When I tried to add it, I got an error. I had to remove all and add it back to remove the error. Thanks for your help.

    Regards
    Ranajoy

    #21077
     Scott Heger
    Participant

    Great that you got it figured out. Did you include extended metadata with your import? That is where the CoT definition would be included.
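The two things Scott asks about (does the spEntityID in the idpSSOInit URL match the remote SP's entityID character for character, and is that SP actually a member of the circle of trust) can be checked before touching the OpenAM console. The script below is an added example, not code from the thread or from ForgeRock: it pulls spEntityID out of the idpSSOInit URL, reads the entityID from a constructed SP metadata document in standard SAML 2.0 metadata form (the Location value is a placeholder, not Salesforce's real ACS URL), and compares it against a constructed list of CoT member entity IDs. The CoT list is an assumption standing in for whatever the extended metadata or console shows; how OpenAM stores CoT membership is not modelled here. A near-miss check flags the trailing "/" and ":443" variants from the thread separately from an outright mismatch, because those are the ones that look correct to the eye.

```python
"""Pre-flight check for OpenAM IdP-initiated SSO: entity ID match and CoT membership.

Added example for this thread; assumptions are marked in comments.
"""
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# The idpSSOInit URL from the original post.
INIT_URL = ("https://openam.example.com:8443/openam/saml2/jsp/idpSSOInit.jsp"
            "?spEntityID=https%3A%2F%2Fforgerockpreview-dev-ed.my.salesforce.com"
            "&binding=HTTP-POST&metaAlias=/idp")

# Constructed SP metadata in standard SAML 2.0 metadata form (not Salesforce's real file;
# the ACS Location is a placeholder).
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://forgerockpreview-dev-ed.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://forgerockpreview-dev-ed.my.salesforce.com/?so=PLACEHOLDER" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Assumed CoT membership list (what the console or extended metadata would show).
COT_MEMBERS_OK = ["https://openam.example.com:8443/openam",
                  "https://forgerockpreview-dev-ed.my.salesforce.com"]


def sp_entity_id_from_init_url(url: str) -> str:
    """Return the percent-decoded spEntityID query parameter of an idpSSOInit URL."""
    params = parse_qs(urlsplit(url).query)  # parse_qs already decodes %3A and %2F
    values = params.get("spEntityID")
    if not values:
        raise ValueError("idpSSOInit URL has no spEntityID parameter")
    return values[0]


def sp_entity_id_from_metadata(xml_text: str) -> str:
    """Return the entityID attribute of the metadata's EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("metadata root is not a SAML 2.0 EntityDescriptor")
    return root.attrib["entityID"]


def canonical(entity_id: str) -> str:
    """Loose form used ONLY to detect near-misses: drop default port and trailing '/'.

    Entity IDs are compared exactly by SAML; this never replaces the exact check.
    """
    parts = urlsplit(entity_id)
    port = parts.port
    if (parts.scheme, port) in (("https", 443), ("http", 80)):
        port = None
    netloc = parts.hostname or ""
    if port is not None:
        netloc = f"{netloc}:{port}"
    return f"{parts.scheme}://{netloc}{parts.path.rstrip('/')}"


def diagnose(init_url: str, sp_metadata_xml: str, cot_members) -> list:
    """Return a list of (code, message) findings; an empty list means both checks pass."""
    requested = sp_entity_id_from_init_url(init_url)
    declared = sp_entity_id_from_metadata(sp_metadata_xml)
    findings = []
    if requested != declared:
        if canonical(requested) == canonical(declared):
            findings.append(("ENTITY_ID_NEAR_MISS",
                             f"URL asks for {requested!r} but SP metadata declares "
                             f"{declared!r}; differs only by trailing '/', default port or case"))
        else:
            findings.append(("ENTITY_ID_MISMATCH",
                             f"URL asks for {requested!r} but SP metadata declares {declared!r}"))
    if declared not in cot_members:
        findings.append(("SP_NOT_IN_COT",
                         f"{declared!r} is not listed as a circle-of-trust member"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(INIT_URL, SP_METADATA, COT_MEMBERS_OK) or [("OK", "checks pass")]:
        print(f"{code}: {msg}")
```

Run it as-is and both checks pass; swap the entityID in the metadata for the ":443/" variant and the near-miss finding appears, or drop the Salesforce entry from COT_MEMBERS_OK to reproduce the situation the original poster was in.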
