Google Apps problem: This account cannot be accessed because the login credentials could not be verified


ad

Jun 14, 2011, 4:31:57 PM
to google-app...@googlegroups.com
I have followed all configuration for the SAML SSO server but I keep getting this when accessing mail 
This account cannot be accessed because the login credentials could not be verified
I have checked my certifications - private and public keys and it all seems to be ok. 
Any help would be appreciated. 

Claudio Cherubino

Jun 15, 2011, 4:47:15 AM
to google-app...@googlegroups.com
Hi,

This error might mean that your SAML response likely did not contain a viable Google Accounts username (the username of the user attempting to authenticate).
Google Apps parses the SAML Response for an XML element called a "NameID" and expects that this element either contains a Google Apps username, or a full Google Apps email address.
So, this NameID element should look something like this:

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">some_username</saml:NameID>
or:
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">some_username@customer_domain.com</saml:NameID>

This error sometimes happens when your SAML Assertion is encrypted.
If those suggestions do not solve your problem, please capture the HTTP traffic during a login session and share it with us so that we can check it.
Thanks

Claudio

--
You received this message because you are subscribed to the Google Groups "SAML-based Single Sign On for Google Apps" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-saml-sso/-/6IWvYjkPhzMJ.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-saml...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-saml-sso?hl=en.

Tom Scavo

Jun 15, 2011, 8:27:04 AM
to google-app...@googlegroups.com
On Wed, Jun 15, 2011 at 4:47 AM, Claudio Cherubino
<ccher...@google.com> wrote:
>
> <saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">some_username</saml:NameID>
> or:
> <saml:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">some_username@customer_domain.com</saml:NameID>

No, you made that up :-) The correct SAML V2.0 syntax is:

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">some_username</saml:NameID>

or

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">some_username@customer_domain.com</saml:NameID>

The Format URIs did not change in SAML V2.0.

Cheers,
Tom

ad

Jun 15, 2011, 12:26:06 PM
to google-app...@googlegroups.com
Hi Claudio, thanks so much for the email. My username is correct, according to the convention you mentioned. 
HTTP traffic captured by HTTPFox is as below:

00:00:02.547 0.119 855 1074 GET 302 Redirect to: https://demo.securekey.net/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVLLbsIwELxX6j9EvueFWlRZJIiCUJFoG0HooTfjLMTg2KnXgfbvawIIeijX8Xgeu9vrf1fS24FBoVVC4iAiHiiuC6HWCVnkY%2F%2BJ9NP7ux6yStZ00NhSzeCrAbSe%2B6mQtg8JaYyimqFAqlgFSC2n88HrlHaCiNZGW821JN5klJANqFqUW7kpalmuBK9qIZesLByy5lBLEEu52RQF8T7OsTqHWBPEBiYKLVPWQVEc%2B1HXjx%2FzuEs7D7QTfRIvOzk9C3VscCvW8khC%2BpLnmZ%2B9z%2FNWYCcKMG%2BOnZC11msJAdfVwT5jiGLn4BWTCMQbIIKxLuBQK2wqMHMwO8FhMZsmpLS2RhqG%2B%2F0%2BuMiELKyYkAECbwxs4SdQYEPGkaTthGlb0lyN9nYFdo5A0otJL7ySSk%2BbOxSajDItBf%2FxBlLq%2FdAAs66NNY0rM9amYvZ%2FtziIW0QU%2Fqql0kZhDVysBLhVhenR9e%2BJuMP5BQ%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fmail.securekey.net%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fmail.securekey.net%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2%26from%3Dlogin https://www.google.com/a/mail.securekey.net/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fmail.securekey.net%2F&bsv=llya694le36z&ltmpl=default&ltmplcache=2&from=login
00:00:02.668 0.137 1420 272 GET 302 Redirect to: https://demo.securekey.net:443/idp/AuthnEngine https://demo.securekey.net/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fVLLbsIwELxX6j9EvueFWlRZJIiCUJFoG0HooTfjLMTg2KnXgfbvawIIeijX8Xgeu9vrf1fS24FBoVVC4iAiHiiuC6HWCVnkY%2F%2BJ9NP7ux6yStZ00NhSzeCrAbSe%2B6mQtg8JaYyimqFAqlgFSC2n88HrlHaCiNZGW821JN5klJANqFqUW7kpalmuBK9qIZesLByy5lBLEEu52RQF8T7OsTqHWBPEBiYKLVPWQVEc%2B1HXjx%2FzuEs7D7QTfRIvOzk9C3VscCvW8khC%2BpLnmZ%2B9z%2FNWYCcKMG%2BOnZC11msJAdfVwT5jiGLn4BWTCMQbIIKxLuBQK2wqMHMwO8FhMZsmpLS2RhqG%2B%2F0%2BuMiELKyYkAECbwxs4SdQYEPGkaTthGlb0lyN9nYFdo5A0otJL7ySSk%2BbOxSajDItBf%2FxBlLq%2FdAAs66NNY0rM9amYvZ%2FtziIW0QU%2Fqql0kZhDVysBLhVhenR9e%2BJuMP5BQ%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fmail.securekey.net%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fmail.securekey.net%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2%26from%3Dlogin
00:00:02.827 0.054 659 239 GET 200 text/html https://demo.securekey.net/idp/profile/SAML2/Redirect/SSO
00:00:02.909 0.162 6963 1595 POST 200 text/html https://www.google.com/a/mail.securekey.net/acs
00:00:03.074 0.007 706 (1980) GET (Cache) text/css https://www.google.com/accounts/hosted/d2panel.css
00:00:03.076 0.007 709 (53) GET (Cache) text/css https://www.google.com/accounts/hosted/en/d2panel.css

I don't know the problem because while trying another username yesterday, it worked and then today that same username has stopped working. I didn't change anything.
Thanks for your help. 

Claudio Cherubino

Jun 15, 2011, 12:32:18 PM
to google-app...@googlegroups.com
Hi,

This log is incomplete as it doesn't include a SAML Response returned by your Identity Provider.
Please capture more traffic so that we can check the SAML Response and the RelayState parameter with it. If your IdP is not returning a SAML Response then we have found the problem ;)

Claudio
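An added diagnostic, not written by anyone in this thread, that does what Claudio's two replies describe by hand: it looks for the NameID that Google Apps reads from the SAML Response (using the SAML 1.1 Format URIs Tom quotes, and flagging the non-standard 2.0-prefixed ones), and reports the encrypted-assertion case and the missing-response case. The sample responses are constructed, and check_posted_saml_response is a hypothetical helper for the base64 SAMLResponse form field an ACS POST would carry.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted responses

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Format URIs Google Apps parses from <saml:NameID>: SAML 1.1 URIs, unchanged in SAML 2.0
ACCEPTED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

def check_name_id(response_xml: str) -> dict:
    """Explain whether a SAML Response carries a NameID Google Apps can map to a user."""
    root = ET.fromstring(response_xml)
    if root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        return {"ok": False, "reason": "assertion is encrypted, NameID not readable"}
    name_id = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        return {"ok": False, "reason": "no NameID element in the assertion"}
    # SAML 2.0 core: a missing Format attribute means 'unspecified'
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    value = (name_id.text or "").strip()
    if fmt not in ACCEPTED_FORMATS:
        return {"ok": False, "reason": f"non-standard NameID Format: {fmt}"}
    if not value:
        return {"ok": False, "reason": "NameID element is empty"}
    return {"ok": True, "name_id": value, "format": fmt}

def check_posted_saml_response(b64_field: str) -> dict:
    """Decode the base64 SAMLResponse form field from the ACS POST, then check it."""
    return check_name_id(base64.b64decode(b64_field).decode("utf-8"))

# Constructed samples (not captured traffic): a good response, one using the
# non-standard 2.0-prefixed Format URI, and one whose assertion is encrypted.
def _response(body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="{SAML}">{body}</samlp:Response>')

GOOD = _response('<saml:Assertion><saml:Subject><saml:NameID Format="urn:oasis:names:tc:'
                 'SAML:1.1:nameid-format:emailAddress">alice@customer_domain.com'
                 '</saml:NameID></saml:Subject></saml:Assertion>')
BAD_FORMAT = _response('<saml:Assertion><saml:Subject><saml:NameID Format="urn:oasis:names:'
                       'tc:SAML:2.0:nameid-format:unspecified">alice</saml:NameID>'
                       '</saml:Subject></saml:Assertion>')
ENCRYPTED = _response('<saml:EncryptedAssertion/>')
GOOD_B64 = base64.b64encode(GOOD.encode("utf-8")).decode("ascii")  # as it would be POSTed

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad_format", BAD_FORMAT), ("encrypted", ENCRYPTED)):
        print(label, check_name_id(xml))
    print("posted", check_posted_saml_response(GOOD_B64))
```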



ad

Jun 15, 2011, 12:43:44 PM
to google-app...@googlegroups.com
It seems to me also that the IdP is not returning a SAML response. What could be the problem? Sorry, I've only very recently started to work with Shibboleth.
The way I have it now is I have a JAR file with a LoginFilter - basically using RemoteUser - the user_name@YOURDOMAIN. Then in Shibboleth's war file, I'm editing the web.xml and adding this login filter. I know I have that working correctly as I've tested it with a different username - and it takes me to the Google Apps mail page. I've set up SAML-SSO on the domain I'm working on now - Advanced Options - and it's giving me this problem. I've checked all certificates - and re-uploaded them again - but still the same problem.
Also, is there a way to integrate Shibboleth for Google Apps for username-password authentication? Right now it's on RemoteUser.

Thanks so much

Claudio Cherubino

Jun 15, 2011, 12:45:39 PM
to google-app...@googlegroups.com
Sorry, I can't help you configure Shibboleth to work with Google Apps, perhaps there's relevant documentation on the web.
In case you want an alternative solution, I personally find SimpleSAMLphp to be a simpler and better documented one.

Claudio

