Error with ADFS "Google Apps - This account cannot be accessed because we could not parse the login request."


ashok kumar

Mar 23, 2011, 1:02:30 PM
to google-app...@googlegroups.com
I have configured ADFS on Windows 2008 Server. I am facing the "Google Apps - This account cannot be accessed because we could not parse the login request." error.

Please help me to resolve this issue.

Claudio Cherubino

Mar 24, 2011, 5:09:49 AM
to SAML-based Single Sign On for Google Apps
Hi Ashok,

I understand you need to configure ADFS to work on Google Apps,
however there's no need to open four different threads for the same
problem.
Michael answered at https://groups.google.com/group/google-apps-saml-sso?hl=en&pli=1,
please follow up there.
Thanks

Claudio

On Mar 23, 5:02 pm, ashok kumar <ashokkumar2...@gmail.com> wrote:
> I have configured ADFS on Windows 2008 Server. I am facing the "Google
> Apps - This account cannot be accessed because we could not parse the login
> request." error.
>
> Please help me to resolve this issue.

Claudio Cherubino

Mar 24, 2011, 5:11:24 AM
to SAML-based Single Sign On for Google Apps
I removed all other duplicates.

Claudio

On Mar 24, 9:09 am, Claudio Cherubino <ccherub...@google.com> wrote:
> Hi Ashok,
>
> I understand you need to configure ADFS to work on Google Apps,
> however there's no need to open four different threads for the same
> problem.
> Michael answered at https://groups.google.com/group/google-apps-saml-sso?hl=en&pli=1,

ashok kumar

Mar 24, 2011, 5:47:56 AM
to google-app...@googlegroups.com, Claudio Cherubino
Hello,
 
I have done the same settings described by Michael, but I am still facing the same error. Please help me.
 
Please see the attached files for my settings.

--
You received this message because you are subscribed to the Google Groups "SAML-based Single Sign On for Google Apps" group.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-saml...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-saml-sso?hl=en.


identifiers.JPG
endpoint-1.JPG

Claudio Cherubino

Mar 24, 2011, 5:56:54 AM
to ashok kumar, google-app...@googlegroups.com
Use the Firefox extension called LiveHTTPheaders to capture the HTTP traffic during the failed login process and share it with us so that we can check it.
Please feel free to remove any sensitive data from the captured traffic.
Thanks

Claudio

ashok kumar

Mar 24, 2011, 6:10:54 AM
to Claudio Cherubino, google-app...@googlegroups.com
Hello  Claudio,
 
Thanks for reply,
 
 
Please find the attached file with the LiveHTTPheaders logs. Please let me know how we can resolve this issue.
 
I will be greatly thankful to you.
 
Ashok

liveheadlogs

Claudio Cherubino

Mar 24, 2011, 6:20:47 AM
to ashok kumar, google-app...@googlegroups.com
The SAML response generated by your Identity Provider (ADFS) doesn't include a NameID element, which must contain the Google Apps username of the user being authenticated. 
Google Apps requires that the NameID is included in the response, please check your ADFS configuration to return that value.
Thanks

Claudio

ashok kumar

Mar 24, 2011, 6:46:57 AM
to google-app...@googlegroups.com, Claudio Cherubino
Hello Claudio,
 
 
I have checked the ADFS identifier settings. We have already added the Active Directory attribute.
 
If I am wrong, please let me know how we can add this. Please help me.

Claudio Cherubino

Mar 24, 2011, 6:49:30 AM
to ashok kumar, google-app...@googlegroups.com
Ashok,

I can't help you with the configuration of ADFS, please try asking in the product support forums.
I don't know how this specific IdP works, what you have to do is have the NameID element added to the SAML response.
Thanks

Claudio

Alistair

Mar 24, 2011, 6:53:32 AM
to google-app...@googlegroups.com, ashok kumar, Claudio Cherubino

Claudio Cherubino

Mar 24, 2011, 6:54:43 AM
to google-app...@googlegroups.com, Alistair, ashok kumar
Thanks Alistair!

Claudio

ashok kumar

Mar 24, 2011, 6:58:35 AM
to google-app...@googlegroups.com, Claudio Cherubino, Alistair
Hello friends,
 
Thanks for your support.
 
I am checking the settings; I will update you after that.

ashok kumar

Mar 24, 2011, 7:11:33 AM
to google-app...@googlegroups.com, Claudio Cherubino, Alistair
Hello Friends,
 
I have changed the settings as defined in the forums. I am sending you the new log files; please see them.
 
If it is possible, please give your contact number.
 
 
Ashok Kumar

Alistair

Mar 24, 2011, 8:06:56 AM
to google-app...@googlegroups.com, Claudio Cherubino, Alistair, ashok kumar
Probably the best thing to do, Ashok, is post your SAML Response to the forum. I've just worked through the same error and it was down to a few things:

NameID must be present and must be the Google Apps username of the user logging in, i.e.

    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">YOUR_USERNAME</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Address="some.ip.address" InResponseTo="cicgpdbkndjjopbdeeknjhgkmpinklimjmhkhamk" NotOnOrAfter="2011-03-22T14:15:21Z" Recipient="https://www.google.com/a/YOUR_DOMAIN/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>

RelayState MUST be sent back as-is - don't URL decode or encode it. Just pass it back. You only seem to get the "broken robot" page if you make a mess of RelayState though, which is a different error.

Make sure there are no empty attributes in the response. There should be no attributes at all. Google Apps only needs the Subject with a valid NameID. If you include an empty attribute statement you will see that error.

What you also need to know is Google Apps SSO will try to force passive authentication at your IdP. If you don't support this you need to return the appropriate SAML Response and Google will send a new SAML Request with passive authentication turned off.

Not sure if this applies to ADFS but I suspect it probably uses LDAP entities on the backend, so make sure you're not passing back a DN instead of a CN in the NameID.

Below is the two-step SAML exchange between the Guanxi IdP and Google Apps SSO that I know works:

<samlp:Response ID="gxesh27f5ub8drsb3jlaoav0fpq6" Version="2.0" Destination="https://www.google.com/a/YOUR_DOMAIN/acs" IssueInstant="2011-03-22T13:14:48Z" InResponseTo="iaiihpcbgjhoegnfdjdlboalkcdhgkdhjmckinii" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">YOUR_ENTITY_ID</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#gxesh27f5ub8drsb3jlaoav0fpq6">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">code ds kind rw saml samlp typens #default</ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue> ... </ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue> ... </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate> ... </ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus> ... </ds:Modulus>
          <ds:Exponent> ... </ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>

<samlp:Response ID="gxn7kg3j35r0of19371um4gkho5u" Version="2.0" Destination="https://www.google.com/a/YOUR_DOMAIN/acs" IssueInstant="2011-03-22T13:15:21Z" InResponseTo="cicgpdbkndjjopbdeeknjhgkmpinklimjmhkhamk" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">YOUR_ENTITY_ID</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#gxn7kg3j35r0of19371um4gkho5u">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">code ds kind rw saml samlp typens #default</ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue> ... </ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue> ... </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate> ... </ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus> ... </ds:Modulus>
          <ds:Exponent> ... </ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="gxmmgedtb0v8ghmhnio5j2n4mmle" IssueInstant="2011-03-22T13:15:21Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">YOUR_ENTITY_ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">YOUR_GOOGLE_USERNAME</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Address="ip.address.of.login" InResponseTo="cicgpdbkndjjopbdeeknjhgkmpinklimjmhkhamk" NotOnOrAfter="2011-03-22T14:15:21Z" Recipient="https://www.google.com/a/YOUR_DOMAIN/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-03-22T13:15:21Z" NotOnOrAfter="2011-03-22T14:15:21Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com/a/YOUR_DOMAIN</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-03-22T13:15:21.865Z" SessionIndex="860e1c78883a682e07697c494b0ff1641847b128ec28cc8b597fb">
      <saml:SubjectLocality Address="ip.address.of.login"/>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

ashok kumar

Mar 24, 2011, 8:43:50 AM
to google-app...@googlegroups.com, Claudio Cherubino, Alistair, ashok kumar, as...@ebusinesswarec.om
Hello Friends,
 
I have attached my SAML response. Please help me to resolve this issue.
C:Documents and SettingsAshokkumarDesktoplogssnewlogs

ashok kumar

Mar 24, 2011, 8:44:33 AM
to google-app...@googlegroups.com, Alistair, Claudio Cherubino
Hello friends,
 
I have attached my SAML response. Please help me with this issue.

newlogs

Claudio Cherubino

Mar 24, 2011, 8:48:15 AM
to google-app...@googlegroups.com, ashok kumar, Alistair, as...@ebusinesswarec.om
Ashok,

There's still no NameID element in your SAML response.
We can't help you if you don't fix your response.
Thanks

Claudio

On Thu, Mar 24, 2011 at 12:43 PM, ashok kumar <ashokku...@gmail.com> wrote:
> Hello Friends,
>
> I have attached my SAML response. Please help me to resolve this issue.

Alistair

Mar 24, 2011, 8:49:05 AM
to google-app...@googlegroups.com, Alistair, Claudio Cherubino, ashok kumar
You need to post your SAML Response, Ashok, not your base64-encoded HTTP log.

ashok kumar

Mar 24, 2011, 9:00:19 AM
to google-app...@googlegroups.com, Alistair, Claudio Cherubino
Hello Friend,
 
I got your point, but I have no idea how to get the SAML response from Windows ADFS.
 
I have got these logs from LiveHTTPheaders on Firefox.
 
Please try to access this URL if you want to see the error.
 
 
user = lalit.mohan
pass = India@123
 
 
Please help me, I heartily request.

On Thu, Mar 24, 2011 at 6:19 PM, Alistair <alis...@codebrane.com> wrote:
> You need to post your SAML Response, Ashok, not your base64-encoded HTTP log.

Claudio Cherubino

Mar 24, 2011, 9:02:23 AM
to ashok kumar, google-app...@googlegroups.com, Alistair
I used the SimpleSAMLphp SAML 2.0 Debugger to decode the base64-encoded SAML response from your logs:


As I said many times, the problem with your SSO implementation is that your SAML response doesn't include the NameID element.
If you want to get further help, please fix your SAML response.
Thanks

Claudio
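The checks that Alistair's post lists (NameID present and equal to the Google Apps username, no empty attribute statements, Recipient pointing at the ACS, and the Responder/NoPassive status as the legitimate first step of the two-step exchange), together with Claudio's point that the LiveHTTPheaders capture holds a base64-encoded SAMLResponse that has to be decoded before anyone can read it, can be automated. The Python script below is an added example and is not code from the thread, from Google or from ADFS: it pulls the SAMLResponse field out of a captured POST body, decodes it and reports what the Google Apps ACS would object to. The ACS URL, issuer, username and the sample responses are constructed for illustration, and the script checks structure only; it does not verify the XML signature.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# Namespaces of the SAML 2.0 messages shown in the thread.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed values for the example (hypothetical domain, not a real deployment).
ACS = "https://www.google.com/a/example.test/acs"
ISSUER = "https://idp.example.test/adfs/services/trust"


def extract_saml_response(post_body: str) -> bytes:
    """Pull the SAMLResponse field out of a captured HTTP-POST binding body
    (what LiveHTTPheaders shows) and base64-decode it to the raw XML."""
    params = urllib.parse.parse_qs(post_body, keep_blank_values=True)
    if "SAMLResponse" not in params:
        raise ValueError("no SAMLResponse field in the POST body")
    return base64.b64decode(params["SAMLResponse"][0])


def check_google_apps_response(xml_bytes: bytes, acs_url: str) -> list[str]:
    """Return the reasons this response would be rejected (empty list = looks fine).
    A NoPassive response is reported as a single informational entry.
    Structural checks only; the XML signature is not verified here."""
    # Refuse DOCTYPE/ENTITY up front: a SAML message never needs them and they
    # are the usual vehicle for entity-expansion and XXE tricks.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DOCTYPE/ENTITY declarations present; refusing to parse"]
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, expected samlp:Response"]
    problems: list[str] = []
    if root.get("Destination") not in (None, acs_url):
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    top = status.get("Value") if status is not None else None
    if top != STATUS_SUCCESS:
        nested = status.find("samlp:StatusCode", NS) if status is not None else None
        # Responder/NoPassive is the legitimate first step of the two-step exchange:
        # the IdP cannot authenticate passively, so Google re-sends the AuthnRequest
        # with passive authentication turned off.
        if top == STATUS_RESPONDER and nested is not None and nested.get("Value") == STATUS_NOPASSIVE:
            return ["NoPassive: IdP declined passive authentication; expect a second AuthnRequest"]
        return problems + [f"status is {top!r}, not Success"]

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in a Success response"]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    text = (name_id.text or "").strip() if name_id is not None else ""
    if not text:
        problems.append("NameID missing or empty; it must be the Google Apps username")
    elif "=" in text:
        problems.append(f"NameID {text!r} looks like an LDAP DN, not a username")

    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient missing or not the ACS URL")

    # Google Apps needs no attributes at all; an empty AttributeStatement or an
    # Attribute without an AttributeValue is what Alistair saw trigger the error.
    for stmt in assertion.findall("saml:AttributeStatement", NS):
        attrs = stmt.findall("saml:Attribute", NS)
        if not attrs or any(a.find("saml:AttributeValue", NS) is None for a in attrs):
            problems.append("empty AttributeStatement/Attribute present; drop it")
    return problems


def check_capture(post_body: str, acs_url: str = ACS) -> list[str]:
    """Captured POST body in, list of problems out."""
    return check_google_apps_response(extract_saml_response(post_body), acs_url)


# Constructed, unsigned, minimal sample responses used for the demo.
def _response(body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="2011-03-22T13:15:21Z" Destination="{ACS}">'
            f'<saml:Issuer>{ISSUER}</saml:Issuer>{body}</samlp:Response>')


def _assertion(subject_body: str, extra: str = "") -> str:
    return (f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-03-22T13:15:21Z">'
            f'<saml:Issuer>{ISSUER}</saml:Issuer><saml:Subject>{subject_body}'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS}" NotOnOrAfter="2011-03-22T14:15:21Z"/>'
            f'</saml:SubjectConfirmation></saml:Subject>{extra}</saml:Assertion>')


NAME_ID = ('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
           'alice</saml:NameID>')
GOOD = _response(_assertion(NAME_ID))
NO_NAMEID = _response(_assertion(""))            # the situation in this thread
EMPTY_ATTRS = _response(_assertion(NAME_ID, "<saml:AttributeStatement/>"))
DN_NAMEID = _response(_assertion(NAME_ID.replace("alice", "CN=alice,OU=Users,DC=example,DC=test")))
NO_PASSIVE = _response(f'<samlp:Status><samlp:StatusCode Value="{STATUS_RESPONDER}">'
                       f'<samlp:StatusCode Value="{STATUS_NOPASSIVE}"/></samlp:StatusCode></samlp:Status>')
# A constructed POST body as the browser would send it to the ACS.
SAMPLE_POST_BODY = "SAMLResponse=" + urllib.parse.quote(
    base64.b64encode(NO_NAMEID.encode()).decode()) + "&RelayState=%2Fmail"

if __name__ == "__main__":
    for label, xml in [("good", GOOD), ("no NameID", NO_NAMEID), ("empty attrs", EMPTY_ATTRS),
                       ("DN NameID", DN_NAMEID), ("NoPassive", NO_PASSIVE)]:
        print(f"{label}: {check_google_apps_response(xml.encode(), ACS) or 'OK'}")
    print("capture:", check_capture(SAMPLE_POST_BODY))
```

Paste the body of the POST to `/a/YOUR_DOMAIN/acs` from the LiveHTTPheaders capture into `check_capture` and it prints the same finding Claudio made by hand: the decoded response has no NameID. Signature verification is deliberately left out because the ACS, not this script, is the party that must check it; the point here is to see what the IdP actually emitted before touching the ADFS claim rules.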

ashok kumar

Mar 24, 2011, 9:08:30 AM
to Claudio Cherubino, google-app...@googlegroups.com, Alistair
Hello Claudio
 
 
I am sorry for it. Let me paste my logs into it and see.
 
I will consult with you again.
 
I am really sorry for this, but I did not find any solution for ADFS SSO.
 
Thanks a lot

Alistair

Mar 24, 2011, 9:08:50 AM
to google-app...@googlegroups.com, ashok kumar, Alistair, Claudio Cherubino
Thanks for the info, Claudio! Handy tool to have.

Ashok, I think this might help you get a NameID from your ADFS:

http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx

ashok kumar

Mar 24, 2011, 9:14:48 AM
to google-app...@googlegroups.com, Alistair, Claudio Cherubino
Thanks a lot for your prompt support.
 
If it is possible, please access my ADFS server.

ashok kumar

Mar 24, 2011, 9:24:40 AM
to google-app...@googlegroups.com, Alistair, Claudio Cherubino
If it is possible, please share your contact number.
 
 
Ashok

ashok kumar

Mar 25, 2011, 5:54:34 AM
to google-app...@googlegroups.com, Alistair, Claudio Cherubino
Hello,
 
 
Today I have checked everything. I found this error:
 
Google Apps - This account cannot be accessed because the login credentials could not be verified.

Claudio Cherubino

Mar 25, 2011, 5:57:49 AM
to ashok kumar, google-app...@googlegroups.com, Alistair
Ashok,

You posted the same message in three different threads and I've already warned you against this behavior.
Please don't do that again or we'll be forced to ban you from the group and block your messages.
Thanks

Claudio

ashok kumar

Mar 25, 2011, 5:58:55 AM
to google-app...@googlegroups.com, Claudio Cherubino, Alistair
OK, sorry.

ashok kumar

Mar 29, 2011, 1:52:03 PM
to google-app...@googlegroups.com, Claudio Cherubino, Alistair
Thanks Claudio/Alistair,


Thanks a lot for your good support.

I have configured SSO with ADFS on Windows 2008 Server R2. It is working fine with AD.

I have one query here:

I want to block the SSO page from outside except for one public IP.

Please let me know whether we can block it or not.

Ashok

Atul Sachan

Mar 30, 2011, 3:15:41 AM
to google-app...@googlegroups.com, ashok kumar, Alistair, Claudio Cherubino
Hi All,

You can resolve this error by editing your AD attribute to pass the Name ID. Go to your Active Directory and edit the AD user's attributes using the Attribute Editor: go to the mail attribute, add the Google Apps user's e-mail ID there, and exit by clicking Apply and OK.

Restart all the related services: ADFS 2.0, IIS and the default web service.

I am sure that you will not receive any error message.

Feel free to reach me in case of any other issue.

Thanks,
Atul Sachan
Google Apps Certified Deployment Specialist (Enterprise)
Mail- atul...@gmail.com

Dinesh Madan

Oct 16, 2013, 6:42:00 PM
to google-app...@googlegroups.com
Hi Ashok,

Could you tell me what changes you made to fix this issue?

Regards,
Dinesh