How to retrieve SAML Response from OpenAM for SalesForce

Question

I got SAML assertion from TrustAuthorityClient API. with below Public API code

securityToken = client.getSecurityToken("default", endpointURL, mexEndpointURL,
         (java.lang.Object)ssoToken, SecurityMechanism.STS_SECURITY_URI,
           (getServletConfig()).getServletContext());

But this is created with SunSTS. When I test this Assertion to retrieve access token from SalseForce. it gives me invalid Assertion.

Is there any way retrieve SAML response from OpenAM for SalesForce?

When I test IDP initiates SSO with SalesForce. In Debug log I can see SAML Response is created for SSO. How should I retrieve this SAML response from OpenAM?

Answer 1

You may need to grab the SAML Response via JavaScript at the front end. The full response will be in a SAMLResponse object after SSO, so your Assertion Consumer Service URL (SP SSO URL) that would receive this would need to check for that parameter, save it and somehow submit to SFDC for OAuth token exchange. Alternatively, take the Assertion from SunSTS and make your SAMLP Response wrapper yourself.

I believe this is due to SFDC implementing an earlier draft of the SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 (see: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-10).

The latest draft of that spec does not require the Response wrapper - likely just the Assertion itself from SunSTS will work, provided SFDC updates to support it.