I am trying to integrate with the Google ACS service using Sun Access
Manager 7 with the Sun SAML2 plugin.
I am at the point where I am able to send signed SAML Responses
(HTTP-POSTs) to Google ACS, but am receiving an error message:
ACS Error Message: "This account cannot be accessed because we could
not parse the login request. We are unable to process your request at
this time, please try again later."
Has anyone seen this problem before?
Has anyone tried to integrate ACS and Sun AM 7?
I hope you can help
Best regards
Darinder
That error message typically means that the SAMLResponse you're sending
to Google is malformed. Double check your response against the schema
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd
(take a look at the Response, StatusResponseType)
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
(schema for the assertion element)
Like Ryan said, we can take a look at your response too.
Cheers,
Amanda
Thank you for your input. I'm pretty confident that the SAML Response
(a signed HTTP POST) is fully conformant with SAML2, as I am using the
Sun SAML2 plugin to generate it rather than custom code. Also, in terms of
relay state, I am using that too
(...&RelayState=https://www.google.com/a/psosamldemo.net/acs). Find
below a sample assertion:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s2c06b562e8de90437bbaf78d7b0748353b48a95b8" Version="2.0"
    IssueInstant="2006-12-18T10:53:26Z"
    Destination="https://www.google.com/a/psosamldemo.net/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://solarx10.bskyb.com</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="s2e387b281e8e1f70fdb484fa3512a56357ecfe590"
      IssueInstant="2006-12-18T10:53:26Z">
    <saml:Issuer>http://solarx10.bskyb.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <Reference URI="#s2e387b281e8e1f70fdb484fa3512a56357ecfe590">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>y2vl9dm1M4DIrNtjxmxgLcGpqrE=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>SkoEIQ749Iq1YGm6P1YHu+6yns1wb7EMJwyB83xmk2RkIw+//zYxjA==</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>
            MIIBnjCCAVwCBEWBdEgwCwYHKoZIzjgEAwUAMBkxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tMB4X
            DTA2MTIxNDE1NTY1NloXDTA3MTIxNDE1NTY1NlowGTEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5jb20w
            gfAwgagGByqGSM44BAEwgZwCQQD8poLOjhLKuibvzPcRDlJtsHiwXt7LzR60ogjzrhYXrgHzW5Gk
            fm32NBPF4S7QiZvNEyrNUNmRUb3EPuc3WS4XAhUAli7dzDacuo67Jg7mtqEm2TRuOMUCQGeEcbJ6
            nPRO6RpJxRR9samq8kTwWkNNZIaTHS0UJxueNQMLcf1z2heQabMuKTVjDhwgYjVNDaIKbEFuUL55
            TKQDQwACQFTKFf/zoe1crQW2VckjZlWXr1dW8O75icMeYR7M3kduW36KwRQNfZ5Pt3oYOkoFI1ol
            5+x7Mm3po0RbOcePlxYwCwYHKoZIzjgEAwUAAy8AMCwCFBewr972TikOACGQp/i33vwpY6/YAhRn
            Z7CSwFHNwZfjaUVP1rCpNd/caw==
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID NameQualifier="http://solarx10.bskyb.com"
          SPNameQualifier="https://www.google.com"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">cn3LJCJjU/H6ElN49ZGz0Mdov+h6</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2006-12-18T11:03:26Z"
            Recipient="https://www.google.com/a/psosamldemo.net/acs"></saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2006-12-18T10:53:26Z" NotOnOrAfter="2006-12-18T11:03:26Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://www.google.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2006-12-18T10:53:26Z"
        SessionIndex="s21aaad07400b839f351db67920ab469393591d701">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Any assistance would be most appreciated
Best regards
Darinder
On Dec 20, 8:22 pm, "Mike Jones" <drak...@gmail.com> wrote:
> Also don't forget to include the RelayState parameter in your POST operation
> to the ACS. For debugging it's best to prepare an HTML page that includes
> the full POST body (SAMLResponse and RelayState parameters), and we can
> check it out.
>
> On 12/20/06, Amanda (Google Employee) <a...@google.com> wrote:
> > Hi Darinder,
>
> > That error message typically means that the SAMLResponse you're sending
> > to Google is malformed. Double check your response against the schema
> >http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2....
> > (take a look at the Response, StatusResponseType)
>
> >http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2...
> > (schema for the assertion element)
>
> > Like Ryan said, we can take a look at your response too.
>
> > Cheers,
>
> > Amanda
The RelayState parameter needs to be a service url such as
"http://mail.google.com/a/psosamldemo.net"
Also, the reference URI needs to be <Reference URI="">
You should use your own test domain since the psosamldemo.net's
credentials will be different and you will not be able to log in.
Hope that helps,
Amanda
I've tried changing the RelayState to
http://mail.google.com/a/psosamldemo.net, but the browser just
redirected to https://www.google.com/a/psosamldemo.net/acs and the
original ACS Error Message "This account cannot be accessed because we
could not parse the login request. We are unable to process your request at
this time, please try again later" is returned.
Could someone please go through the SAML Response I posted in my last
message to see what exactly is breaking the parser? Or if somebody has
any other suggestions please let me know.
Best regards
Darinder
Your SAMLResponse needs to be successfully verified by Google's ACS
before you can be redirected to the URL in the RelayState. The steps
are detailed at
http://code.google.com/apis/apps-for-your-domain/sso/saml_reference_implementation.html
Btw, did you change the Reference URI in your SAMLResponse to
<Reference URI="">? You should be able to pass the parser once you've
done this. However, you'll probably get a different error due to your
invalid signature. If you want to sign in to psosamldemo.net (a demo
domain), you have to sign the xml using keys provided in the reference
implementation.
Hope that helps,
Amanda
Hi Amanda,
I have changed our code to set the Reference URI to <Reference URI=""> and
we still get the same parsing error.
In order to progress:
1. Does Google have an endpoint which has more debugging available as
compared to ACS?
2. If not is Google able to extract the exact parsing error from the ACS
logs?
3. I have also noticed that the SAML Response the Sun implementation
generates uses namespaces and the Google sample implementation does not. Can
you confirm whether ACS is able to parse namespaces and, if not, whether it is
possible to amend ACS to accept namespaces?
Regards
Darinder
___________________________________________
Darinder Singh Shokar | Capgemini Sale
Security Consultant | Access and Identity
Tel +44 (0) 870 906 7088
E-mail darinde...@capgemini.com
Website: www.capgemini.com
Join the Collaborative Business Experience!
___________________________________________
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Hi Darinder,
Let me try to address your questions:
1. No, we do not have another endpoint apart from the ACS.
2. When I tried the SAML response you posted after setting the <Reference
URI="">, I was able to get through the parser. However, I get "This
account cannot be accessed because the login credentials could not be
verified." As I explained earlier, this error is thrown because the
signature is wrong for psosamldemo.net. Could you double check that
you've modified the reference to <Reference URI="">?
3. Yes, the ACS is able to parse namespaces.
-Amanda
Yes, I have definitely made a code change to set <Reference URI="">. I
agree the issue seems to be around the digital signature. By default
Sun's product sets use DSA X.509 digital certificates rather than DSA
keys. Hence, we have written code to transform the DSA keys from the
Google SAML2 sample into X.509-compliant certificates. So we are using
Google's keys (in X.509 format), but still get the original error.
Is there something we are missing; does our specific domain need to be
registered, do Google need to do some kind of key/digital cert import
into ACS? Can ACS even handle X.509 certs?
I look forward to hearing from you
Darinder
You do need to send your public key to Google (they will import it for
your domain) and they cannot handle X509 certs, you have to send a raw
key. Let me know if you need a Java code snippet that will do the
extraction for you.
Marius
If we need to register our domain, why does the sample provided by Google
work? i.e. we are using the Google sample DSA keys but have not informed
Google of our domains and the Google sample still works?
Also is it possible to raise a request for improvement to allow ACS to
process X.509 certs? - many COTS products use certificates rather than keys.
And yes if you could provide code to convert certs to DSA keys that would be
great.
Best regards
Darinder
-----Original Message-----
From: apps-for-you...@googlegroups.com
[mailto:apps-for-you...@googlegroups.com] On Behalf Of Marius
Scurtescu
Sent: 15 January 2007 17:27
To: apps-for-you...@googlegroups.com
Subject: [google-apps-apis] Re: ACS Parsing Error
Not sure, maybe someone from Google can clarify.
>
> Also is it possible to raise a request for improvement to allow ACS to
> process X.509 certs? - many COTS products use certificates rather than keys.
You can certainly ask them. I did ask them a couple of times.
Requesting a raw public key does not make much sense to me either.
>
> And yes if you could provide code to convert certs to DSA keys that would be
> great.
I attached a simple Java class that will do that. Just compile it (no
dependencies):
$ javac ExportPublicKey.java
and then run it to convert your cert to a raw key (it reads from
standard in and writes to standard out):
$ java ExportPublicKey < public.crt > public.key
Marius
The sample works because the sample domain (psosamldemo.net) already
has its public key registered at Google. As long as the ACS can verify
the signature of the SAML response against the stored public key, it
would work.
So if you want to enable SSO for your domain (for example
capgemini.com), then you would need to generate a pair of keys (RSA or
DSA) and register the public key at Google.
>> Also is it possible to raise a request for improvement to allow ACS to
>> process X.509 certs? - many COTS products use certificates rather than keys.
> You can certainly ask them. I did ask them a couple of times.
> Requesting a raw public key does not make much sense to me either.
You can choose to provide Google with a cert, and we can extract the
public key out of the cert and register it.
As long as the signature can be verified against the stored public key,
the content of the KeyInfo, whether it's DSA, RSA or X509 cert is
acceptable.
Hope that helps,
Amanda
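Marius's ExportPublicKey class is attached rather than reproduced in the thread, and Amanda says Google can extract the public key from a supplied cert; the example below is an added one (not Marius's class or Google's code) that does that extraction in Python with only the standard library, on the certificate from Darinder's posted <X509Certificate> element. It walks the DER down to the SubjectPublicKeyInfo (the structure Java's PublicKey.getEncoded() returns, assumed here to be the "raw key" Google wanted) and also skips the optional version field so it handles v3 certificates, not just this v1 one; the cert bytes are copied from the thread, and the PEM "PUBLIC KEY" label is the conventional wrapper for that structure.

```python
import base64

CERT_B64 = """MIIBnjCCAVwCBEWBdEgwCwYHKoZIzjgEAwUAMBkxFzAVBgNVBAMTDnd3dy5nb29nbGUuY29tMB4X
DTA2MTIxNDE1NTY1NloXDTA3MTIxNDE1NTY1NlowGTEXMBUGA1UEAxMOd3d3Lmdvb2dsZS5jb20w
gfAwgagGByqGSM44BAEwgZwCQQD8poLOjhLKuibvzPcRDlJtsHiwXt7LzR60ogjzrhYXrgHzW5Gk
fm32NBPF4S7QiZvNEyrNUNmRUb3EPuc3WS4XAhUAli7dzDacuo67Jg7mtqEm2TRuOMUCQGeEcbJ6
nPRO6RpJxRR9samq8kTwWkNNZIaTHS0UJxueNQMLcf1z2heQabMuKTVjDhwgYjVNDaIKbEFuUL55
TKQDQwACQFTKFf/zoe1crQW2VckjZlWXr1dW8O75icMeYR7M3kduW36KwRQNfZ5Pt3oYOkoFI1ol
5+x7Mm3po0RbOcePlxYwCwYHKoZIzjgEAwUAAy8AMCwCFBewr972TikOACGQp/i33vwpY6/YAhRn
Z7CSwFHNwZfjaUVP1rCpNd/caw=="""  # constructed input: the DSA cert in Darinder's <X509Certificate>

def read_tlv(data, pos):
    """One DER element starting at pos -> (tag, value, end); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0  # collects (tag, value, raw_tlv) for every element of a SEQUENCE body
    while pos < len(body):
        tag, value, end = read_tlv(body, pos)
        out.append((tag, value, body[pos:end]))
        pos = end
    return out

def decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value (first octet packs two arcs)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def load_cert(cert_b64=CERT_B64):
    return base64.b64decode("".join(cert_b64.split()))  # tolerate any line wrapping of the base64

def subject_public_key_info(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo; returns (spki_der, algorithm OID)."""
    _, tbs_body, _ = read_tlv(read_tlv(cert_der, 0)[1], 0)
    fields = [f for f in children(tbs_body) if f[0] != 0xA0]  # drop EXPLICIT [0] version (v2/v3 certs)
    _, spki_body, spki_raw = fields[5]  # serialNumber, signature, issuer, validity, subject, then SPKI
    return spki_raw, decode_oid(children(children(spki_body)[0][1])[0][1])

def export_public_key(cert_b64=CERT_B64):
    """PEM 'PUBLIC KEY' block (the SubjectPublicKeyInfo Java's getEncoded() returns) and its OID."""
    spki, oid = subject_public_key_info(load_cert(cert_b64))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n", oid
```

Running export_public_key() on this cert reports algorithm OID 1.2.840.10040.4.1 (id-dsa), which matches the dsa-sha1 SignatureMethod in the posted response.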
1. Who can I contact to raise a request for improvement to allow ACS to
process DSA X.509 certs?
2. Who do I contact to register my domain and send my public DSA key?
Best regards
Darinder
-----Original Message-----
From: apps-for-you...@googlegroups.com
[mailto:apps-for-you...@googlegroups.com] On Behalf Of Amanda
(Google)
Sent: 18 January 2007 01:46
To: Google Apps for Your Domain APIs
Subject: [google-apps-apis] Re: ACS Parsing Error
Amanda,
The communication between our SSO and Google uses the HTTPS protocol,
which uses an RSA cert. Does this cert have any relation to the public key for the
APIs for XML signature registered in Google?
Best Regards.
Antonio Irarrázaval
Informática
Universidad de los Andes
56-2-4129419
-----Original Message-----
From: apps-for-you...@googlegroups.com
[mailto:apps-for-you...@googlegroups.com] On Behalf Of Amanda
(Google)
Sent: Wednesday, 17 January 2007 22:46
To: Google Apps for Your Domain APIs
Subject: [google-apps-apis] Re: ACS Parsing Error
Please contact your Google rep or email apps-api-support@google.
Cheers,
Amanda