SAML Response Error


Ryan Panning

Jul 22, 2011, 2:30:38 PM7/22/11
to google-app...@googlegroups.com
Ok, so I'm getting the wonderful "This account cannot be accessed because we could not parse the login request." error. I've tried many ways to send the SAML Response but none have worked. Attached are files with the full XML response, Base64 encoded, and URL encoded values. I'm able to decode the Base64 and URL encoded values on the SimpleSAML debug page so I know it should be ok. Does anyone see something wrong?
 
Thanks
~ Ryan
Response_XML.txt
Response_Base64.txt
Response_URLencoded.txt

Ryan Panning

Jul 22, 2011, 2:43:34 PM7/22/11
to google-app...@googlegroups.com
Does the response have to be deflated?
What is an example XML Response? (I've seen the one in the 33-post thread, but has it changed?)
I'm submitting the HTML form to the ACS URL, not the RelayState, is that correct?
Do I need to URL encode the RelayState before putting it in the hidden form field?
Can I get more details about what Google Apps doesn't like about the response?
 
Thanks
~ Ryan

Claudio Cherubino

Jul 22, 2011, 2:48:09 PM7/22/11
to google-app...@googlegroups.com
Hi Ryan,

To help us troubleshoot the issue please provide the complete capture of the HTTP traffic, starting from when you typed the url for your mail service and ending after you get the error message.
Thanks

Claudio


--
You received this message because you are subscribed to the Google Groups "SAML-based Single Sign On for Google Apps" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-saml-sso/-/Mevsv8RzuE0J.

To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-saml...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-saml-sso?hl=en.

Ryan Panning

Jul 22, 2011, 3:31:07 PM7/22/11
to google-app...@googlegroups.com
Is there a specific Firefox extension that you would use? I tried HTTP Fox but there isn't a good export option, I'd have to copy all the rows and paste into Notepad. Do you want just headers? Or Cookies, POST data, etc. too?
 
P.S. Can use Chrome too.
 
Thanks
~ Ryan

Scott Tomilson

Jul 22, 2011, 3:35:53 PM7/22/11
to google-app...@googlegroups.com
Not sure if Google would want more than this, but just an FYI for all looking for SAML debugging tools - there is an experimental Firefox add-on called SAML Tracer that I've found useful:


Cheers
Scott


Ryan Panning

Jul 22, 2011, 3:58:12 PM7/22/11
to google-app...@googlegroups.com
Claudio, Attached is a list of HTTP traffic from start to error. The other attachment is my Response specifically to the ACS URL. Any other requests you would like data on?
 
Scott, I'll check that extension out. Thanks for the tip!
 
Thanks,
~ Ryan
HTTP Traffic.txt
Response to ACS.txt

Claudio Cherubino

Jul 22, 2011, 4:08:16 PM7/22/11
to google-app...@googlegroups.com
Hi Ryan,

My suggestion would be to use the Firefox extension called LiveHTTPheaders.
Anyway, I checked your SAML request and response and the only unusual thing I found is that the request has ID="fgjenoobngjgmjcnpiloapdkgnjobdnljidannjd" and the response has InResponseTo="dmponmagkphbblbcgaappgcbjdgmkhjgkgcdkajb". The value of the latter should match that of the former.

Something may have happened between the two captures you attached, though, and I may have missed it.
If this doesn't help, please try capturing a new login attempt with LiveHTTPheaders, perhaps it will provide us with more details.
Thanks

Claudio


Ryan Panning

Jul 22, 2011, 5:07:17 PM7/22/11
to google-app...@googlegroups.com
The differences in IDs are correct as they are from two different captures. Sorry
 
Attached is a full capture from Live HTTP Headers in Firefox. I'll try to dig through them next week as my day is over. :)
 
Thanks for your help!!
~ Ryan
LiveHTTPHeaders.txt

Claudio Cherubino

Jul 22, 2011, 5:10:00 PM7/22/11
to google-app...@googlegroups.com
Thanks Ryan, I'll go through them next week as well.
Can you also tell me whether this issue only affects a single user or all users in your domain?

Claudio


Ryan Panning

Jul 22, 2011, 5:14:54 PM7/22/11
to google-app...@googlegroups.com
All users in the domain. Checked a couple others with the same result.
 
~ Ryan

Ryan Panning

Jul 25, 2011, 3:47:41 PM7/25/11
to google-app...@googlegroups.com
Well, I've dug through that capture and didn't notice anything out of place. I did fix a few things like now generating a random Response ID (which I just had one typed in before). And correctly set the Signature Reference URI. Also tried deflating the response. Still not able to get Google to accept my response, error "This account cannot be accessed because we could not parse the login request." Does anything else look incorrect?

Thanks
~ Ryan

Claudio Cherubino

Jul 25, 2011, 3:50:08 PM7/25/11
to google-app...@googlegroups.com
Ryan,

I'm still looking at it, I haven't found the issue yet.
Is this coming from an open-source or commercial SSO implementation like SimpleSAMLphp or is it your implementation?

Claudio



Ryan Panning

Jul 25, 2011, 4:29:44 PM7/25/11
to google-app...@googlegroups.com

Claudio Cherubino

Jul 25, 2011, 4:35:38 PM7/25/11
to google-app...@googlegroups.com
Ryan,

I don't know what's wrong with this code but I know that other solutions like SimpleSAMLphp or Shibboleth work with Google Apps.
Since they are both open-source solutions, you may probably want to give a look at their implementation and compare it with yours.
You may also want to install one of them and compare its SAML Response with yours.
Another thing I'd recommend you to check is that the certificate you are using is valid and is the same you uploaded to Google Apps.

Claudio


Ryan Panning

Jul 27, 2011, 4:52:41 PM7/27/11
to google-app...@googlegroups.com
(sigh) Still haven't figured it out. Unfortunately I don't have access to set up another externally accessible server with Java (Tomcat) or PHP.
 
So you don't see anything wrong with the SAML Response? Can you post an example, correct SAML Response XML? I'm sure it's something small that I'm missing. I did make a couple changes that others have made, attached is a new capture. I even re-generated the RSA keystore and certificate using Keytool on a Mac. Is there a way to verify that it's working? If I go through the E-mail Support in my dashboard will they be able to lookup more log details?
 
Thanks again.
~ Ryan
HTTP Traffic.txt

Claudio Cherubino

Jul 27, 2011, 5:46:24 PM7/27/11
to google-app...@googlegroups.com
Hi Ryan,

Try comparing your SAML Response with the one attached.
It was generated by a SimpleSAMLphp installation located at http://simplesamlphp.i for the domain mydomain.com and for the user whose username is "student".

Claudio

samlrequest.xml
samlresponse.xml

Ryan Panning

Jul 28, 2011, 5:00:48 PM7/28/11
to google-app...@googlegroups.com
Alright, I changed my response to match that of the generated SimpleSAMLphp example. Still didn't work. Taking a look at it, the opening tags don't specify saml2 like other examples do. However, the namespaces specify version 2, so it must be a hybrid of the two? Also, it looks like the whole SAML:Response is signed; is this required? If so, is it signed before or after the Assertion is signed?
 
~ Ryan

Claudio Cherubino

Jul 28, 2011, 5:15:03 PM7/28/11
to google-app...@googlegroups.com
Please sign the whole SAMLResponse and not the Assertion. If that still doesn't work, please share a new HTTP capture.
Please also check the documentation for SAML v2:


Claudio


Ryan Panning

Aug 5, 2011, 12:09:13 PM8/5/11
to google-app...@googlegroups.com
Alright, I finally had a chance to get back to this project. After reviewing everything again I get the feeling it has something to do with the signing. Since I am able to decode it with the SimpleSAMLphp debugger and view the XML response, the Base64 encoding is ok. And the actual XML response matches what you produced with SimpleSAMLphp and what the SAML documentation states. Therefore it must be the signature.

I'll try signing the whole Response as well. Do I include the Assertion when signing? How about the Assertion signature too?

Is there a good utility to verify the public key in Google Apps is able to verify the signature? The only thing I can think of is to set a SP using the same cert/keystore.

Thanks again, hope we're able to get this one last piece working, it's all that's left not working.

~ Ryan

Claudio Cherubino

Aug 5, 2011, 1:36:48 PM8/5/11
to google-app...@googlegroups.com
I agree the problem is likely to be in the signature.
As we don't recommend writing your own SAML implementation, I'm not sure I remember the nitty-gritty details of the signing algorithm and I don't want to give you the wrong advice.
My suggestion would be to check what SimpleSAMLphp does and try to do the same.

Claudio



Ryan Panning

Aug 5, 2011, 5:05:05 PM8/5/11
to google-app...@googlegroups.com
Well, after today's battle I'm no closer. I tried signing in these ways:
  1. Signed just the Assertion (what I have been doing)
  2. Signed the Assertion, then signed the Response WITH the Assertion Signature
  3. Signed Response WITHOUT the Assertion Signature, then signed the Assertion
  4. Signed the Response and Assertion SEPARATELY, then injected the signatures after
Attached is the latest LiveHTTPHeaders and the decoded SAMLResponse.

(Sigh) That's all for me today. Thanks

~ Ryan
LiveHTTPHeaders.txt
Response_XML.txt
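The thread turns on three checks that are easy to get wrong when hand-rolling an IdP: whether the POST binding payload is plain Base64 or DEFLATE-compressed, whether InResponseTo matches the request ID (Claudio's first observation), and whether the enveloped ds:Signature sits directly under samlp:Response with a Reference URI pointing at the Response's own ID (Claudio's "sign the whole SAMLResponse" advice and Ryan's four signing variants). The following Python script is an added example, not code from the thread, SimpleSAMLphp or Google; it uses only the standard library, lints the structure of a decoded response, and does not verify the cryptographic signature itself. The sample XML, the IDs (_resp123, _req456, _asn789), the issuer and the ACS URL are constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace URIs used by SAML 2.0 messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not from the thread): a minimal SAML 2.0 Response whose
# enveloped ds:Signature is a direct child of samlp:Response and references the
# Response's own ID. DigestValue/SignatureValue are placeholders; rsa-sha1 is
# the 2011-era default and modern deployments use SHA-256 variants.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp123" InResponseTo="_req456" Version="2.0"
    IssueInstant="2011-07-22T19:30:00Z"
    Destination="https://www.google.com/a/mydomain.com/acs">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp123">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asn789" Version="2.0" IssueInstant="2011-07-22T19:30:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID>student</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_message(xml_bytes: bytes, deflate: bool = False) -> str:
    """HTTP-POST binding: plain Base64. HTTP-Redirect binding: raw DEFLATE, then Base64."""
    if deflate:
        comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header/trailer
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_saml_message(encoded: str, deflated: bool = False) -> bytes:
    """Inverse of encode_saml_message; deflated=True only for the Redirect binding."""
    raw = base64.b64decode(encoded)
    return zlib.decompress(raw, -15) if deflated else raw


def lint_response(xml_bytes: bytes, expected_request_id: Optional[str] = None) -> List[str]:
    """Return a list of structural problems; an empty list means the checks passed."""
    problems: List[str] = []
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    resp_id = root.get("ID")
    if not resp_id:
        problems.append("Response has no ID attribute")
    if root.get("Version") != "2.0":
        problems.append("Response Version is not 2.0")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo %r does not match request ID %r"
                        % (root.get("InResponseTo"), expected_request_id))
    # find() with a single step only matches direct children, which is exactly
    # the placement an enveloped Response signature needs.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("no ds:Signature directly under Response (whole Response must be signed)")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        if uri != "#%s" % resp_id:
            problems.append("Response Signature Reference URI %r does not point at ID %r" % (uri, resp_id))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion in Response")
    else:
        asn_sig = assertion.find("ds:Signature", NS)
        if asn_sig is not None:
            ref = asn_sig.find("ds:SignedInfo/ds:Reference", NS)
            uri = ref.get("URI") if ref is not None else None
            if uri != "#%s" % assertion.get("ID"):
                problems.append("Assertion Signature Reference URI %r does not point at its ID" % uri)
    return problems


def assertion_only_signed_variant() -> bytes:
    """Constructed counter-example: the same message with the signature moved into the Assertion."""
    root = ET.fromstring(SAMPLE_RESPONSE_XML)
    sig = root.find("ds:Signature", NS)
    assertion = root.find("saml:Assertion", NS)
    root.remove(sig)
    assertion.append(sig)
    sig.find("ds:SignedInfo/ds:Reference", NS).set("URI", "#" + assertion.get("ID"))
    return ET.tostring(root)


if __name__ == "__main__":
    posted = encode_saml_message(SAMPLE_RESPONSE_XML)  # what the hidden SAMLResponse field carries
    print("good:", lint_response(decode_saml_message(posted), "_req456"))
    print("assertion-only:", lint_response(assertion_only_signed_variant(), "_req456"))
```

Run it against a decoded capture by replacing SAMPLE_RESPONSE_XML with the bytes from the debugger output and passing the ID of the AuthnRequest you captured; an empty list means the message is at least shaped the way a Response-level signature requires, after which a real XML-DSig verifier (SimpleSAMLphp's, or xmlsec1) is needed to confirm the digest and signature values against the certificate uploaded to Google Apps.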