This account cannot be accessed because the login credentials could not be verified.


Andreas Backman
11 Oct 2011, 9:04:52
To: SAML-based Single Sign On for Google Apps
I know this topic has been up for discussion earlier, but none of the
provided solutions seem to work for me.
I've generated a response using OpenSAML and signed it with my
certificate and private key.

This is my response XML (certificate and signature omitted):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="ofgpdgbceijjmchebjchjjmlfkadlpfddaiciijf"
    IssueInstant="2011-10-11T12:54:42.521Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#ofgpdgbceijjmchebjchjjmlfkadlpfddaiciijf">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>f2jy5Qk0jkxID6tSWFsdlkL6YQA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="inhpecopcenenemgfnffekhlmnmadnibcdofnhkn"
      IssueInstant="2011-10-11T12:54:42.520Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://www.opensaml.org/IDP</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-10-11T12:49:42.520Z"
        NotOnOrAfter="2011-10-11T13:04:42.520Z"/>
    <saml2:AuthnStatement AuthnInstant="2011-10-11T12:54:42.520Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

Can anyone point me in the right direction?

T1B0
31 Oct 2011, 7:08:10
To: google-app...@googlegroups.com

There are some mistakes I can see in your samlResponse:

  • Your SAML protocol namespace prefix is wrong; it should be xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol", and the prefix is samlp: and not saml2p:
  • Same with the assertion namespace: it should be xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion", declared in both the response and assertion elements, and the prefix should be saml: and not saml2:
  • The response doc shouldn't include the XML declaration; remove the "<?xml version="1.0" encoding="UTF-8"?>" from the output
  • The assertion should be signed; the response signature is not mandatory, while the assertion's signature is
  • For Google Apps, the NameID's Format should be Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email", not "undefined"

Andreas Backman
31 Oct 2011, 9:23:44
To: google-app...@googlegroups.com
Thanks for your reply!

I've made the changes you suggested and my response XML now looks like this
(certificate and signature omitted):

<samlp:Response ID="meeggcnahjfhfihkgdnbkibjlempcgdbeempaeoe"
    IssueInstant="2011-10-31T13:19:55.373Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="eimafomffcknibiphjfgbgnicklhnfikijnojkdc"
      IssueInstant="2011-10-31T13:19:55.366Z" Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#eimafomffcknibiphjfgbgnicklhnfikijnojkdc">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>e9/52wphnzTwe3BCutDEEo3hzpQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">ad...@cloudmenu.nu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-10-31T13:14:55.312Z"
        NotOnOrAfter="2011-10-31T13:29:55.332Z"/>
    <saml:AuthnStatement AuthnInstant="2011-10-31T13:19:55.338Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

I still get the "This account cannot be accessed because the login
credentials could not be verified." message though.



T1B0
31 Oct 2011, 9:41:54
To: google-app...@googlegroups.com

As stated here: http://code.google.com/intl/fr/googleapps/faq.html, this message seems to indicate an XML signature issue. Have you tried to validate your signature with the xmlsec1 tool? You'll be good if it gives you an "OK" (along with some bitching about the self-signed cert) with this command line:

  xmlsec1 --verify --pubkey-cert-pem yourcertificate.pem --store-signatures --id-attr:ID Assertion yourXmlResponse.xml

Another thing: in your first post the NameID value was well-formed, but not in your last reply. You have to omit the "@yourdomain.com" part of the Google login name, even if this field's format is called email (don't ask me why on this one ...).

And if your XML signatures are good, you may be in the same case as me, where the authentication is not working *every time*, but just *sometimes* (a weird one!), so try it like 10 times in a row and see if *some* requests are deemed valid ...

Good luck!

Andreas Backman
1 Nov 2011, 6:42:53
To: google-app...@googlegroups.com
After some debugging I've found that if I sign it using OpenSAML's
built-in Signer.sign() method, the signature seems to be corrupted.
If I sign using xmlsec1, however, it works! I can even use my old
prefixes and keep the XML declaration!

Executing xmlsec1 from Java is not a solution for production though...
I'm currently looking at some other way to sign the response.



Andreas Backman
1 Nov 2011, 6:53:46
To: google-app...@googlegroups.com
Success!
The problem was not the Signer.signObject() method. I used
XMLHelper.prettyPrintXML() to convert the element to a string, and that
added some whitespace, which messed things up.
Now I use XMLHelper.nodeToString() and everything is working fine!

Thanks for all the help!

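Added example (not from the thread or from OpenSAML) showing why the pretty-printing step broke the signature: an enveloped XML signature's ds:DigestValue covers the canonicalised Assertion with the ds:Signature element removed, so whitespace inserted after signing changes the digest and the verifier rejects the assertion. The sample response, the idp.example issuer and the IDs are constructed; Python's ET.canonicalize (C14N 2.0) stands in for exclusive C14N, and only the digest half of signing is modelled, not the RSA signature over SignedInfo.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():          # keep the thread's prefixes on re-serialisation
    ET.register_namespace(prefix, uri)

# Constructed sample shaped like the thread's response; DigestValue is empty until "signed".
SAMPLE = (
    '<saml2p:Response ID="_r1" Version="2.0" xmlns:saml2p="{saml2p}">'
    '<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
    '<saml2:Assertion ID="_a1" Version="2.0" xmlns:saml2="{saml2}">'
    '<saml2:Issuer>https://idp.example/IDP</saml2:Issuer>'
    '<ds:Signature xmlns:ds="{ds}"><ds:SignedInfo><ds:Reference URI="#_a1">'
    '<ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>'
    '<saml2:Subject><saml2:NameID>admin</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion></saml2p:Response>').format(**NS)

def reference_digest(root, ref_id):
    """SHA-1 over the canonicalised element that ds:Reference URI="#ref_id" points at."""
    target = copy.deepcopy(next(el for el in root.iter() if el.get("ID") == ref_id))
    target.tail = None                    # text after the element is not part of it
    for sig in target.findall("ds:Signature", NS):
        target.remove(sig)                # the enveloped-signature transform
    # Assumption: ET.canonicalize (C14N 2.0) stands in for xml-exc-c14n; both keep
    # whitespace text nodes, which is what makes post-signing indentation fatal.
    c14n = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(c14n.encode()).digest()).decode()

def sign_digest(xml_text):
    """The digest half of signing: fill every ds:DigestValue from its referenced element."""
    root = ET.fromstring(xml_text)
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        ref.find("ds:DigestValue", NS).text = reference_digest(root, ref.get("URI").lstrip("#"))
    return ET.tostring(root, encoding="unicode")

def digest_matches(xml_text):
    """Verifier side: recompute each digest and compare with what the document carries."""
    root = ET.fromstring(xml_text)
    return all(ref.find("ds:DigestValue", NS).text == reference_digest(root, ref.get("URI").lstrip("#"))
               for ref in root.iter("{%s}Reference" % NS["ds"]))

def pretty_print(xml_text):
    """What XMLHelper.prettyPrintXML() did in the thread: insert indentation after signing."""
    root = ET.fromstring(xml_text)
    ET.indent(root)
    return ET.tostring(root, encoding="unicode")
```

Running digest_matches over the bytes an IdP actually sends is a quick way to confirm nothing between signing and transmission re-serialised the assertion.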

T1B0
1 Nov 2011, 17:44:56
To: google-app...@googlegroups.com

I'm glad you made it! And are you experiencing some bad responses sometimes, or does it work 100% of the time?
If your assertion is always working, could you please dump your final output here? Maybe it could help me resolve my issue ...



Andreas Backman
3 Nov 2011, 7:13:16
To: google-app...@googlegroups.com
Right now there seems to be some problem with the authentication...
However, it worked yesterday. All day.
Today I get:

"Server error
We are unable to process your request at this time, please try again later."

Anyways, here is my response:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="padalheejefgddnjljhebcelhigpnmanpcbkemik"
    IssueInstant="2011-11-03T11:09:25.556Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="apbmfkoehpinimeaemjmlelgaoceagfcddhoemne"
      IssueInstant="2011-11-03T11:09:25.548Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://www.opensaml.org/IDP</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <ds:Reference URI="#apbmfkoehpinimeaemjmlelgaoceagfcddhoemne">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>qzDIZpyU8cdRLppXkaCGqjLHAQw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>????</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>????</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">ad...@cloudmenu.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="https://www.google.com/a/cloudmenu.nu/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-11-03T11:04:25.505Z"
        NotOnOrAfter="2011-11-03T11:19:25.522Z"/>
    <saml2:AuthnStatement AuthnInstant="2011-11-03T11:09:25.526Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>


T1B0
3 Nov 2011, 10:31:09
To: google-app...@googlegroups.com

I get the same error message as you, like 9 times out of 10, and 1 time out of 10 it works, so you may actually be in the same mess as I am ...
The big message I get is "Could not parse your request" and below there is the "try again later".

If you have some time to test, try to log in like 10 times in a row; maybe you'll see the same behavior as me.

I think I'm gonna open a new thread with this error, 'cause I've been stuck here for like 10 days with no useful answer.


T1B0
3 Nov 2011, 10:51:56
To: google-app...@googlegroups.com

I forgot to tell you, I've successfully installed simpleSAMLphp (which is a real pain!) on my server to do some tests, and it works 100% of the time against Google Apps while my code gets a lot of "Could not parse/try again later" errors, so I guess the problem is not on the Google Apps end, but actually in our code.

I even made a template which outputs the exact same saml:response as simpleSAMLphp (with 2 signatures and a lot of extra XML fields/attributes), but
that doesn't change my issue at all, so I guess there is something else going on here, but I still can't find it out (I've looked into the RelayState param and the HTTP headers sent, but with no success so far).

