#197 Add a SAML viewer
Opened 8 years ago by rcritten. Modified 7 years ago

The Salesforce.com SP has a mechanism for examining SAML requests and providing feedback on things that may be missing or incorrect.

See https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml_validation_errors.htm&language=en_US for full details.

In summary it ensures that

  • there is an <AuthenticationStatement> statement
  • there is a <Conditions> statement with both Before and NotOnOrAfter
  • there is an Attribute statement
  • <Issuer> uses urn:oasis:names:tc:SAML:2.0:nameid-format:entity or is not included at all
  • <Issuer> matches what is expected
  • <Subject> matches what is expected
  • <Audience> matches the Entity ID
  • the response is signed
  • Recipient refers to valid organization

Fields changed

milestone: => 1.3

We may want to implement this as an error page handler on the SP, so it only pops up on failures.

It would need to be an optionally configured part, probably manually via uncommenting things in the Apache config

MellonSamlResponseDump will need to be true to set the MELLON_SAML_RESPONSE environment variable so we can parse the response to try to deduce what is wrong.

Metadata Update from @rcritten:
- Issue set to the milestone: 1.3

7 years ago

Login to comment on this ticket.