cancel
Showing results for 
Search instead for 
Did you mean: 

Error while calling SF OAuth Token url : Unable to verify the signature of the SAML assertion

sinhasouvik
Participant
0 Kudos

Hello Experts,

We need to establish the connectivity between 3rd Party API Management system and SuccessFactors for accessing SF API's. We are following OAuth SAML Bearer assertion approach where SAML Assertion is getting generated by 3rd party tool.

They are able to create an assertion provided with the values from the SAP help doc (https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html), but while we are trying to hit the token url of SF with assertion created we see below error.

Error details:

{"errorHttpCode":"401","errorMessage":"Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID. For more information, see https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...

From SuccessFactors end we have registered the certificate provided by 3rd Party API Management system in OAuth Client Registration transaction. After that relevant API Key has been shared with them to use in assertion and SF token end point call.

We have checked the SAP KBA "3336571 - "Unable to verify the signature of the SAML assertion" - SuccessFactors " . But unfortunately, issue is not getting resolve.

Also we don't see any signature attribute provided in help doc(https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html) as a reference for creating SAML assertion.

Do we really need to pass any signature/certificate as part of SAML assertion to SuccessFactors ?

Need your advise if someone has faced simliar issue.

Regards,

Souvik

Ankita161
Newcomer
0 Kudos

Hi Souvik,

We are also facing the same issue.

Were you able to resolve your issue? If yes then please let us know how?

Regards,

Ankita

Accepted Solutions (0)

Answers (2)

Answers (2)

NilotpalM
Explorer

The SAP KBA is missing a few key steps !. Firstly the X509 certificate Public key from Azure (from the SuccessFactors enterprise app's SAML settings) needs simply to be copied into my SuccessFactors OAuth2 Client Application page - and secondly the user that is bound on that page needs an email address matching the Azure test-user I'd set up. It all seems quite obvious now.

dyaryura
Active Participant

Thanks Nilotpal !

Just to add a note on the user mapping issue in case someone is facing it. The error when the e-mail is not properly mapped in Azure (now EntraID) is the following:

{
"errorHttpCode": "401",
"errorMessage": "Unable to map \"sfapi\" to a valid BizX User ID"
}

daviddasilva
Active Contributor
0 Kudos

Hi Souvik,

It sounds like the OAuth Client created in SF may not be set up correctly or the 3rd party tool may not be using the correct private key when communicating to SF.

The error also suggests there is an issue with the client ID so maybe the 3rd party is not using the correct client ID and secret.

I hope one of these suggestions helps!

Kind regards,

David

sinhasouvik
Participant
0 Kudos

daviddasilva Thanks for your response.

I am revalidating with 3rd Party system about the shared Public key which I registered is correct or not.

I had follow up queries, as we don't see any signature attribute provided in help doc(https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...) as a reference for creating SAML assertion.
Do we really need to pass any signature/certificate attribute and values as part of SAML assertion to SuccessFactors ?

Like below tags in SAML Assertion:
<saml:X509Certificate> or <saml:SignatureValue> or <saml:Signature>

<saml:SignedInfo> etc...

We don't see these attributes mentioned in our help doc. (https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...)

Also we tried to hit SF OAuth Token endpoint url without these above attributes then we are getting different error. Like: Invalid Assertion for a correct Assertion format.


Please suggest further.

former_member183909
Active Participant
0 Kudos

I just saw this - I'm having the same problem. Did you even resolve it ? If so could you share the solution if you have it.

Would be grateful.

cheers.