SAMLResponse causing "could not parse the login request"


Mobile Team

Oct 22, 2012, 4:06:00 PM10/22/12
to google-app...@googlegroups.com
Hello.

I have been "racking my brain" trying to figure out how to get Google Apps to work with my SAMLResponse.  My SAMLResponse works just fine with a simpleSAMLphp SP but fails every time with Google.

Here is the request they are providing:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="mpbjjibncopjikaegdheinnnhljkapegmilnmbic" Version="2.0" IssueInstant="2012-10-22T19:54:58Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="google.com"
    IsPassive="false" AssertionConsumerServiceURL="https://www.google.com/a/XXX.apps-poc.com/acs">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/XXX.apps-poc.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>


And my response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.google.com/a/XXX.apps-poc.com/acs"
    ID="_48b9b368bcb048c392e14568b8fb7be7" InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
    IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
    <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="_7c3c9cf9b30e41eea419fd262e81ec10" IssueInstant="2012-10-22T19:54:58Z"
        Version="2.0">
        <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">US...@XXX.apps-poc.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData
                    InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
                    NotOnOrAfter="2012-10-22T19:59:58Z"
                    Recipient="https://www.google.com/a/XXX.apps-poc.com/acs"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2012-10-22T19:49:58Z" NotOnOrAfter="2012-10-22T19:59:58Z">
            <saml:AudienceRestriction>
                <saml:Audience>google.com/a/XXX.apps-poc.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2012-10-22T19:54:58Z"
            SessionIndex="_7c3c9cf9b30e41eea419fd262e81ec10">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="uid">
                <saml:AttributeValue>USER</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="givenName">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sn">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="displayName">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="employeeNumber">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="employeeType">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="departmentNumber">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="mail">
                <saml:AttributeValue>US...@XXX.apps-poc.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod
                Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>G7NNJ82H9NCDO/xAEvjB1SXx+TQ=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>adT7ZXk0LC8MWtpSMt5WChegDK/ShHfa/H1pd/XajUn91Bwy9hl0ZwIX8OVwO/ldno2c7GFn6J3L
            1gnBtqaHBJXHaLIOKq6mGVNo41FSQabSpFuc5LVpKpbLM2XCrJ4b3z/WumiIF2FWYkiT03U3V17Z
            hSx695ckAUWoJZX/MwwfTFrCFSwbfNXAgIyldrf/XjOdNlbvguN51IgHWH/UFvWDfGRkc6c+dQL0
            oNxbg6fi6W6MhKfgCtYEPmjHmZPoSIoHGGO64YG9t1f7l9ySJgt9U96lPGTSIsWDjA7u5vbEaC0D
            rdLw0WLJNxuJUk2v/2AmMsC2RzBZ6Oiaxouz2w==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIIDkTCCAnmgAwIBAgIEFvzmHDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzENMAsGA1UE
                    CBMET2hpbzERMA8GA1UEBxMIRmFpcmxhd24xHzAdBgNVBAoTFlN0ZXJsaW5nIEpld2VsZXJzIElu
                    Yy4xCzAJBgNVBAsTAklUMRowGAYDVQQDExFTdGVybGluZyBGZWRlcmF0ZTAeFw0xMjEwMjIxOTQ2
                    MDRaFw00MDAzMDgxOTQ2MDRaMHkxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRPaGlvMREwDwYDVQQH
                    EwhGYWlybGF3bjEfMB0GA1UEChMWU3RlcmxpbmcgSmV3ZWxlcnMgSW5jLjELMAkGA1UECxMCSVQx
                    GjAYBgNVBAMTEVN0ZXJsaW5nIEZlZGVyYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
                    AQEAo1F9Kslp8F1XkjaPperaZbVP3GAtSjPqlCCzL0uKPhYjeQJDi4oSWcQIurA8YczXzRpipwl0
                    2TvUewuSfmLCKnrXzTmXXIgoXczu9RdrQT7P4ftRnJflzoKllPlLbmHiqMoS6QDlYk4Eom9U0IXw
                    ZnDl7pmY1QvmilHe7cTteQWqz66S2AZb36vndz00nXspJXKi/y4WISU4xOQQF3sKl6H0865aFd4p
                    ifh0+Fu16uVzPzFzHX4QsrjwRkaIOfG9/DI4OZINr2bXKTJTs2d7RM1mB5Ph3vr79iewjd4CA7ev
                    1MjxrLw9/SZNrsJ6nI6rOIQYiAbMON6asMtgHboM/wIDAQABoyEwHzAdBgNVHQ4EFgQUOEbUyOdZ
                    nS6yX8O8tXaDl1ji3HcwDQYJKoZIhvcNAQELBQADggEBAGcYBOFMc8ZEvAaH8Me4eODvW03BrjqY
                    BxBEeMJ8pbBxfRIyRwwC+hAIHdzZYQJpeiYrefN/+S9jM9pIW06810Cz0aM5GoTZlCGtCfuywjFd
                    /WkChX6I3UlZDo6LZYZMFTKGcFvf3W/MOZ5BCylvUHmXQXyZcPE1PN5HQaiu7i0DGe9VByw0PkEP
                    6r3rSbRkSDNgaLziHLONURNAlsP1uTeLeIQCB0IPoXak23bh9Vv+8mtOakzbpKvfasRcVxHPRNjD
                    rJU6Ed0aULWrxDTrYuZl85okRWCrpxgfgYqOiwgHH7xHEmdpDXK40OMJuhNcRGNz4UtDfqcjIhb+
                    PZgN45Y=</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
</samlp:Response>


I have tried:
  • Generating new certificates
  • Using DSA instead of RSA
  • Changing validity days to 180
  • 1024 bits instead of 2048
  • Removing the response Issuer
  • Changing the Issuer
  • Changing the NameID Format and value
  • Setting Audience to the request Issuer
  • Setting Audience to the ACS URL
  • Removing SessionIndex
  • Adding SPNameQualifier
  • Removing all attributes
  • Removing Destination from the response
  • Using the request's IssueInstant for calculations
  • Setting Reference URI in Signature to the Assertion ID (starting with #) - this causes simpleSAMLphp to fail along with Google
  • Replacing the _ in my UUIDs with the letter 'a'
So far I have not gotten it to work even once and I've tried just about every combination of the above changes... Can anyone provide some insight into why this is not working?


Thank you!

Mobile Team

Oct 23, 2012, 9:45:00 AM10/23/12
to google-app...@googlegroups.com
Found it!  Signature must be before Status...


               
<saml:AttributeValue>USER@XXX.apps-poc.com</saml:AttributeValue>
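The fix the answer found, as an added example that is not part of the thread: a stdlib-only Python check that walks a samlp:Response and reports children sitting out of the order the SAML 2.0 core schema fixes (Issuer, Signature, Extensions, Status, Assertion). It goes a step beyond the thread by applying the same check to saml:Assertion; the sample response is constructed with placeholder values and reproduces the original's layout, so the check flags the misplaced Signature.

```python
import xml.etree.ElementTree as ET

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"   # samlp
A = "{urn:oasis:names:tc:SAML:2.0:assertion}"  # saml
D = "{http://www.w3.org/2000/09/xmldsig#}"     # ds

# Child order fixed by the SAML 2.0 core schema. Each inner list is one position; tags
# sharing a list may interleave (the Assertion statements are an unbounded choice).
# In samlp:Response the Signature sits between Issuer and Status, in saml:Assertion between Issuer and Subject.
ORDERS = {
    P + "Response": [[A + "Issuer"], [D + "Signature"], [P + "Extensions"], [P + "Status"],
                     [A + "Assertion", A + "EncryptedAssertion"]],
    A + "Assertion": [[A + "Issuer"], [D + "Signature"], [A + "Subject"], [A + "Conditions"],
                      [A + "Advice"], [A + "Statement", A + "AuthnStatement",
                                      A + "AuthzDecisionStatement", A + "AttributeStatement"]],
}

def local(t):
    return t.split("}")[-1]  # strip the {namespace} prefix for readable messages

def order_findings(xml_text):
    """Walk every Response/Assertion element and report children the schema does not
    allow there or that appear after an element the schema places later."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        groups = ORDERS.get(parent.tag)
        if groups is None:
            continue
        rank = {t: i for i, g in enumerate(groups) for t in g}
        seen = []
        for child in parent:
            if child.tag not in rank:
                findings.append("%s: unexpected child %s" % (local(parent.tag), local(child.tag)))
                continue
            earlier = [s for s in seen if rank[s] > rank[child.tag]]
            if earlier:
                findings.append("%s: %s must come before %s"
                                % (local(parent.tag), local(child.tag), local(earlier[0])))
            seen.append(child.tag)
    return findings

# Constructed sample (placeholder values) with the thread's layout: Signature after Assertion.
SAMPLE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">
  <saml:Issuer>idp.example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>user@idp.example</saml:NameID></saml:Subject></saml:Assertion>
  <Signature xmlns="%s"><SignedInfo/><SignatureValue>placeholder</SignatureValue></Signature>
</samlp:Response>""" % (P[1:-1], A[1:-1], D[1:-1])
```

Running order_findings(SAMPLE) reports "Response: Signature must come before Status"; moving the Signature element up to follow the Issuer clears the finding.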
