This account cannot be accessed because we could not parse the login request


Ken

Nov 7, 2011, 2:10:38 AM11/7/11
to google-app...@googlegroups.com
I'm sorry to bring this up because I see hundreds of similar posts, but none of those resolutions have helped me.  Can someone please give me some pointers with my SAMLResponse?
 
Thanks!
 
<?xml version="1.0" encoding="UTF-8" standalone="no"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="902cc712-2a53-4196-894e-2d67353efddc" IssueInstant="2011-11-07T06:40:39Z" Version="2.0">
          <samlp:Status>
                  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <Assertion ID="14a1d3c3-d6a5-4301-b384-a0e2d1fcd699" IssueInstant="2011-11-07T06:40:39Z" Version="2.0">
                  <Issuer>Ken</Issuer>
                  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                       <SignedInfo>
                          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                          <Reference URI="#14a1d3c3-d6a5-4301-b384-a0e2d1fcd699">
                             <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
                             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                             <DigestValue>/IhaZklJx+GJODMvu4zuqtHL6fo=</DigestValue>
                          </Reference>
                       </SignedInfo>
                   <SignatureValue>RkPqjjsGvTfTNbuyL9v6wAc01akfccj5tw+OqfWj/qK840nvtDqrumSclJQF4kcmZ9YmvQzoVP+b
iInGtzevvCb278iw060XcpJHxS5B86fFPRINUIHSBmDnT4r175WBOFw5qj2WatJ66PDSvDcw3i7o
vTrCqTkcVsULYzKzK4INYgrpWhWfjSewEqEXoBqkMvbtZF8IKDyPh6Y2t9g0mMVzo8gR4XX0ucgA
o8V5ifgOTuOderb42g6kpC8gV7nM2V3svpbkR8vNg4TlssDuscqP56Q3vw00ZVyNlGZKcEz4RKGr
47hVFAg8QP7RmJSOSPx24PeGKRyE3lF4ohChng==</SignatureValue>
                  </Signature>
                  <Subject>
                          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                                  k...@here.com                          </NameID>
                          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                  <SubjectConfirmationData InResponseTo="dajklfijoimgcdlgekkkohdpbaajpbpkmbaeaebh" NotOnOrAfter="2011-11-07T06:45:39Z" Recipient="https://www.google.com/a/mydomain.com/acs"/>
                                  </SubjectConfirmation>
                  </Subject>
                  <Conditions NotBefore="2011-11-07T06:35:39Z" NotOnOrAfter="2011-11-07T06:45:39Z">
                          <AudienceRestriction>
                                  <Audience>https://www.google.com/a/mydomain.com/acs</Audience>
                          </AudienceRestriction>
                  </Conditions>
                  <AuthnStatement AuthnInstant="2011-11-07T06:40:39Z">
                          <AuthnContext>
                                  <AuthnContextClassRef>
                                          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                  </AuthnContextClassRef>
                          </AuthnContext>
                  </AuthnStatement>
          </Assertion>
  </samlp:Response>
 
P.S. RelayState is:
 

Claudio Cherubino

Nov 7, 2011, 9:00:37 PM11/7/11
to google-app...@googlegroups.com
Hi Ken,

If the RelayState is hardcoded in your implementation then your SAMLResponse will not be accepted.
You have to return the value of the RelayState parameter that is sent you together with the SAMLRequest, without any modifications.

Claudio

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/FgqJ9itMnN8J.

Ken

Nov 7, 2011, 9:45:27 PM11/7/11
to google-app...@googlegroups.com
Thanks for responding, Claudio. The RelayState I provided was just an example (as was the assertion). Both are dynamic when they are sent to Google (the RelayState is passed along and the assertion is generated in real time). Other ideas?

Ken

Nov 8, 2011, 11:11:49 AM11/8/11
to google-app...@googlegroups.com
One thing that I noticed is that the namespace for some of the items was not prefixed properly, so I changed those to saml: (and updated the prefix declaration).  However, this still does not work with Google.  I can run it against an OpenSSO SP and the assertion is accepted properly, plus the email address is extracted correctly.  Can anyone at Google help?  What does the Issuer need to be (for Google Apps) - anything?  The domain name?
 
Thanks!
 
Here is the latest example (which works successfully with OpenSSO):
 
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="cfd2e57a-4aa6-4e99-b373-ccb196c96861" IssueInstant="2011-11-08T15:55:46Z" Version="2.0">
          <saml:Issuer>Does this matter as long as it's consistent?</saml:Issuer>

          <samlp:Status>
                  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
          </samlp:Status>
          <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="24d61f6f-361e-4ee9-a3f9-c69f5dca4209" IssueInstant="2011-11-08T15:55:46Z" Version="2.0">
                  <saml:Issuer>Does this matter as long as it's consistent?</saml:Issuer>
                  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                       <SignedInfo>
                          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
                          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                          <Reference URI="#24d61f6f-361e-4ee9-a3f9-c69f5dca4209">
                             <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
                             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                             <DigestValue>BofV+xJ/B7rVIla0hk3l2NLR5v4=</DigestValue>
                          </Reference>
                       </SignedInfo>
                   <SignatureValue>PZv+rVLy7Gh2HSKQVtuddzZBYmgIHAjHQJR+v/cV27h2bJcL853xfYoXrumyJr3KRxU+ABrr1mtV
C9qdIckbQZ8JSmCV/DnE8WuldxyqetZ7EG3UwMJp5VaqE0V5RSxBzLr8lxlbNNPzgQGQy4PJbJ2t
ZtsCR5/Cpo/s79K2kJxlJbOTvpHFiLWbDQf+EJ0uSUoo67ErkElhApyiuMJU4mHvdcUgqu7LwOhS
Fuc+zWYigYs18RVZUalR3DKSzsE3qAWB9D18GBt0xxIyEvPHd3BEdQTb9oTpr6X2nTJsaVwmVvSn
oTEyGC2QiRnYsbhXnT1N4CTtbmaz5EZi//OjiQ==</SignatureValue>
                  </Signature>
                  <saml:Subject>
                          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
                                  m...@mydomain.com
                          </saml:NameID>
                          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                  <saml:SubjectConfirmationData InResponseTo="pekgifbbgabindmplnnkmiklaellcdppmmgingfn" NotOnOrAfter="2011-11-08T16:00:46Z" Recipient="https://www.google.com/a/mydomain.com/acs"/>
                          </saml:SubjectConfirmation>
                  </saml:Subject>
                  <saml:Conditions NotBefore="2011-11-08T15:50:46Z" NotOnOrAfter="2011-11-08T16:00:46Z">
                          <saml:AudienceRestriction>
                                  <saml:Audience>https://www.google.com/a/mydomain.com/acs</saml:Audience>
                          </saml:AudienceRestriction>
                  </saml:Conditions>
                  <saml:AuthnStatement AuthnInstant="2011-11-08T15:55:46Z">
                          <saml:AuthnContext>
                                  <saml:AuthnContextClassRef>
                                          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                  </saml:AuthnContextClassRef>
                          </saml:AuthnContext>
                  </saml:AuthnStatement>
          </saml:Assertion>
  </samlp:Response>

Ken

Nov 8, 2011, 11:22:00 AM11/8/11
to google-app...@googlegroups.com
Also, what should the NameID be - the email address (e.g. m...@mydomain.com) or just the username (e.g. "me")?

Jay Lee

Nov 8, 2011, 11:58:53 AM11/8/11
to google-app...@googlegroups.com
I see a few potential issues here:
  • You don't have an RSAKeyValue listed. See my attached example for what that should look like
  • Issuer should be your Google Apps domain
  • Your XML doesn't seem to be fully canonicalized. If you're signing a non-canonicalized version of the XML, the signature won't match what Google thinks it should be. See http://www.w3.org/TR/xml-c14n for details on canonical XML. I found it easiest to just make sure my templates were canonical instead of trying to convert in and out of canonical format.
  • The NameID can be just the username if you're not using multiple domains in Google Apps. If you are using multiple domains or think you ever might, use the email address.
attached is a samlresponse I generated with my working SAML implementation for Google Apps. I made no modifications to the format but did make changes to the modulus, signature and anywhere the domain was listed for privacy/security reasons. It should still give you plenty to go on though.

You might also be interested in my open source implementation of Google Apps SAML, Google Apps Improved Login (GAIL). I don't really support GAIL much anymore but the SAML portion of the code (take a look at the templates in particular) should be of some use to you.

Jay
valid-format-samlresponse-sample.txt
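Added example (editor's code, not from this thread, from Jay's attachment or from GAIL) of the canonicalization point in the list above: the DigestValue in an enveloped XML-DSig Reference is the hash of the canonical form of the assertion with its own Signature element removed, so an IdP that hashes whatever bytes its template engine happens to produce gets a digest the SP will reject. The sample assertion, its ID, domain and timestamps are constructed placeholders. Two assumptions: the standard-library canonicalize() implements Canonical XML 2.0, while Ken's SignedInfo names Canonical XML 1.0 with comments, so real DigestValues differ in bytes, but the rule (hash the canonical form, not the raw text) is the same; and SHA-1 is used only because that is the DigestMethod in the thread, not a recommendation.

```python
"""Digest step of an enveloped XML-DSig over a SAML assertion (Python 3.8+).

Shows that attribute order and quoting are erased by canonicalization,
that the enveloped-signature transform drops the ds:Signature before
hashing, and that whitespace is NOT erased: what you sign must be what
you send, byte for byte after c14n.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML_NS)  # keep the prefixes on re-serialization
ET.register_namespace("ds", DS_NS)

# Constructed sample (placeholder ID, domain, times), written so that it is
# already canonical: xmlns first, attributes sorted by name, double quotes,
# no whitespace between elements.
CANONICAL = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1b2c3" IssueInstant="2011-11-08T15:55:46Z" Version="2.0">'
    "<saml:Issuer>mydomain.com</saml:Issuer>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:'
    'nameid-format:emailAddress">me@mydomain.com</saml:NameID></saml:Subject>'
    "</saml:Assertion>"
)
# Same infoset, different serialization (attribute order, single quotes).
REORDERED = (
    "<saml:Assertion Version='2.0' ID='_a1b2c3' "
    "xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' "
    "IssueInstant='2011-11-08T15:55:46Z'>"
    "<saml:Issuer>mydomain.com</saml:Issuer>"
    "<saml:Subject><saml:NameID Format='urn:oasis:names:tc:SAML:1.1:"
    "nameid-format:emailAddress'>me@mydomain.com</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)
# Pretty-printed: the indentation is text content and survives c14n.
PRETTY = CANONICAL.replace("><", ">\n  <")
# The canonical assertion with a placeholder enveloped signature inside it.
SIGNED = CANONICAL.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>",
)


def enveloped_transform(xml_text: str) -> str:
    """Enveloped-signature transform: remove ds:Signature children of the
    signed element. (Element.remove also drops the element's tail text,
    which is a no-op for templates with no inter-element whitespace.)"""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DS_NS}}}Signature"):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def canonicalize(xml_text: str) -> str:
    """Canonical XML (2.0 in the stdlib); comments dropped, text kept verbatim."""
    return ET.canonicalize(xml_data=xml_text, with_comments=False)


def digest_value(xml_text: str) -> str:
    """What belongs in <DigestValue>: base64(SHA-1(c14n(transform(assertion))))."""
    canon = canonicalize(enveloped_transform(xml_text))
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode()


def naive_digest_value(xml_text: str) -> str:
    """The mistake: hashing the raw serialization without canonicalizing."""
    return base64.b64encode(hashlib.sha1(xml_text.encode("utf-8")).digest()).decode()


def is_canonical(xml_text: str) -> bool:
    """Jay's shortcut: a template is safe to sign as-is when c14n is the identity."""
    return canonicalize(xml_text) == xml_text


if __name__ == "__main__":
    ref = digest_value(CANONICAL)
    print("canonical        ", ref)
    print("reordered attrs  ", digest_value(REORDERED), "(same: c14n erases the difference)")
    print("with signature   ", digest_value(SIGNED), "(same: enveloped transform drops it)")
    print("pretty-printed   ", digest_value(PRETTY), "(different: whitespace is content)")
    print("raw reordered    ", naive_digest_value(REORDERED), "(different: no c14n)")
    print("template canonical?", is_canonical(CANONICAL), is_canonical(REORDERED))
```

Running it prints one digest for the canonical, reordered and signed variants, and different digests for the pretty-printed copy and for the un-canonicalized raw bytes. The SignatureValue is then an RSA signature over the canonicalized SignedInfo element (not shown), so the same discipline applies there: either canonicalize both the assertion and SignedInfo before hashing and signing, or, as Jay suggests, keep the templates canonical so that the bytes you sign are exactly the bytes you send.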

Ken

Nov 8, 2011, 7:33:50 PM11/8/11
to google-app...@googlegroups.com
Jay - thank you for your help.  I used your template, and although I don't send the RSAKeyValue, it now works!
 
I think you hit on 2 critical areas: 1) Issuer should be the domain name hosted by Google Apps, and 2) XML needs to be fully canonicalized.