This account cannot be accessed because the login credentials could not be verified.


Andreas Backman

Oct 11, 2011, 9:04:52 AM
to SAML-based Single Sign On for Google Apps
I know this topic has been up for discussion earlier, but none of the
provided solutions seem to work for me.
I've generated a response using OpenSAML and signed it with my
certificate and private key.

This is my response XML (certificate and signature omitted):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="ofgpdgbceijjmchebjchjjmlfkadlpfddaiciijf"
    IssueInstant="2011-10-11T12:54:42.521Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#ofgpdgbceijjmchebjchjjmlfkadlpfddaiciijf">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>f2jy5Qk0jkxID6tSWFsdlkL6YQA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="inhpecopcenenemgfnffekhlmnmadnibcdofnhkn"
      IssueInstant="2011-10-11T12:54:42.520Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://www.opensaml.org/IDP</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-10-11T12:49:42.520Z" NotOnOrAfter="2011-10-11T13:04:42.520Z"/>
    <saml2:AuthnStatement AuthnInstant="2011-10-11T12:54:42.520Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

Can anyone point me in the right direction?

T1B0

Oct 31, 2011, 7:08:10 AM
to google-app...@googlegroups.com

There are some mistakes I can see in your samlResponse:

  • Your SAML protocol namespace prefix is wrong. It should be xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol", and the prefix is samlp: and not saml2p:
  • Idem with the assertion namespace: it should be xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" and declared both in the Response and Assertion elements, and the prefix should be saml: and not saml2:
  • The response doc shouldn't include the XML declaration; remove the "<?xml version="1.0" encoding="UTF-8"?>" from the output
  • The assertion should be signed. The response signature is not mandatory, while the assertion's signature is
  • For Google Apps, the NameID's Format should be Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email", not "undefined"

Andreas Backman

Oct 31, 2011, 9:23:44 AM
to google-app...@googlegroups.com
Thanks for your reply!

I've made the changes you suggested and my response XML now looks like this
(certificate and signature omitted):

<samlp:Response ID="meeggcnahjfhfihkgdnbkibjlempcgdbeempaeoe"
    IssueInstant="2011-10-31T13:19:55.373Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="eimafomffcknibiphjfgbgnicklhnfikijnojkdc"
      IssueInstant="2011-10-31T13:19:55.366Z" Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#eimafomffcknibiphjfgbgnicklhnfikijnojkdc">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>e9/52wphnzTwe3BCutDEEo3hzpQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">ad...@cloudmenu.nu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-10-31T13:14:55.312Z" NotOnOrAfter="2011-10-31T13:29:55.332Z"/>
    <saml:AuthnStatement AuthnInstant="2011-10-31T13:19:55.338Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

I still get the "This account cannot be accessed because the login
credentials could not be verified." message though.



T1B0

Oct 31, 2011, 9:41:54 AM
to google-app...@googlegroups.com

As stated here: http://code.google.com/intl/fr/googleapps/faq.html, this message seems to indicate an XML signature issue. Have you tried to validate your signature with the xmlsec1 tool? You'll be good if it gives you an "OK" (along with some bitching about the self-signed cert) with this command line:

  xmlsec1 --verify --pubkey-cert-pem yourcertificate.pem --store-signatures --id-attr:ID Assertion yourXmlResponse.xml

Another thing: in your first post the NameID value was well-formed, but not in your last reply. You have to omit the "@yourdomain.com" part of the Google login name, even if this field's format is called email (don't ask me why on this one ....)

And if your XML signatures are good, you may be in the same case as me, where the authentication is not working *every time*, but just *sometimes* (a weird one!), so try it like 10 times in a row and see if *some* requests are deemed valid ...

Good luck!

Andreas Backman

Nov 1, 2011, 6:42:53 AM
to google-app...@googlegroups.com
After some debugging I've found that if I sign it using OpenSAML's
built-in Signer.sign() method, the signature seems to be corrupted.
If I sign using xmlsec1 however, it works! I can even use my old
prefixes and keep the XML declaration!

Executing xmlsec1 from Java is not a solution for production though...
I'm currently looking at some other way to sign the response.



Andreas Backman

Nov 1, 2011, 6:53:46 AM
to google-app...@googlegroups.com
Success!
The problem was not the Signer.signObject() method. I used
XMLHelper.prettyPrintXML() to convert the element to a string and that
added some whitespace which messed things up.
Now I use XMLHelper.nodeToString() and everything is working fine!

Thanks for all the help!
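An added example, not code from this thread or from OpenSAML, that shows what T1B0's xmlsec1 check would catch and why Andreas's fix works: it recomputes the enveloped-signature reference digest of a constructed assertion and compares a compact re-serialization (the nodeToString path) with an indented one (the prettyPrintXML path). It uses the Python standard library's C14N 2.0 canonicalizer in place of the exclusive C14N 1.0 used in the thread; the assertion, its ID and the issuer are made up.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("ds", DS_NS)

# Constructed minimal assertion, compact (no whitespace between elements),
# i.e. the form that was canonicalized when it was signed. The ds:Signature
# body is a placeholder; only the reference digest is exercised here.
SIGNED_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-id" Version="2.0">'
    "<saml:Issuer>https://idp.example.test/IDP</saml:Issuer>"
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo/>'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
    "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

def reference_digest(assertion_xml: str) -> str:
    """What a verifier recomputes for ds:Reference: enveloped-signature
    transform (drop ds:Signature), canonicalize, SHA-1 as in the thread's
    DigestMethod, base64 like ds:DigestValue. C14N keeps whitespace text."""
    root = ET.fromstring(assertion_xml)
    for sig in root.findall(f"{{{DS_NS}}}Signature"):
        root.remove(sig)
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def serialize_compact(assertion_xml: str) -> str:
    """Re-serialize without touching whitespace (the nodeToString path)."""
    return ET.tostring(ET.fromstring(assertion_xml), encoding="unicode")

def serialize_pretty(assertion_xml: str) -> str:
    """Re-serialize with indentation (the prettyPrintXML path). This inserts
    whitespace text nodes inside the signed element. Needs Python 3.9+."""
    root = ET.fromstring(assertion_xml)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")

def digest_still_valid(signed_xml: str, transmitted_xml: str) -> bool:
    """True only if the transmitted bytes still canonicalize to the signed digest."""
    return reference_digest(signed_xml) == reference_digest(transmitted_xml)

if __name__ == "__main__":
    for label, fn in (("nodeToString", serialize_compact), ("prettyPrint", serialize_pretty)):
        print(label, "digest valid:", digest_still_valid(SIGNED_ASSERTION, fn(SIGNED_ASSERTION)))
```

The same mismatch is what makes Google's "credentials could not be verified" error a signature problem rather than a prefix problem: any whitespace added between signing and transmission changes the canonical bytes the relying party hashes.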


T1B0

Nov 1, 2011, 5:44:56 PM
to google-app...@googlegroups.com

I'm glad you made it! And are you experiencing some bad responses sometimes, or does it work 100% of the time?
If your assertion is always working, could you please dump your final output here? Maybe it could help me resolve my issue ...



Andreas Backman

Nov 3, 2011, 7:13:16 AM
to google-app...@googlegroups.com
Right now there seems to be some problem with the authentication...
However, it worked yesterday. All day.
Today I get:

"Server error
We are unable to process your request at this time, please try again later."

Anyways, here is my response:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="padalheejefgddnjljhebcelhigpnmanpcbkemik"
    IssueInstant="2011-11-03T11:09:25.556Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="apbmfkoehpinimeaemjmlelgaoceagfcddhoemne"
      IssueInstant="2011-11-03T11:09:25.548Z" Version="2.0"
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://www.opensaml.org/IDP</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <ds:Reference URI="#apbmfkoehpinimeaemjmlelgaoceagfcddhoemne">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>qzDIZpyU8cdRLppXkaCGqjLHAQw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>????</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>????</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">ad...@cloudmenu.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="https://www.google.com/a/cloudmenu.nu/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-11-03T11:04:25.505Z" NotOnOrAfter="2011-11-03T11:19:25.522Z"/>
    <saml2:AuthnStatement AuthnInstant="2011-11-03T11:09:25.526Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>


T1B0

Nov 3, 2011, 10:31:09 AM
to google-app...@googlegroups.com

I get the same error message as you like 9 times out of 10, and 1 time out of 10 it works, so you may actually be in the same mess as I am ...
The big message I get is the "Could not parse your request" and below there is the "try again later".

If you have some time to test, try to log in like 10 times in a row; maybe you'll see the same behavior as me.

I think I'm gonna open a new thread with this error, because I've been stuck here for like 10 days with no useful answer.


T1B0

Nov 3, 2011, 10:51:56 AM
to google-app...@googlegroups.com

I forgot to mention, I've successfully installed simpleSAMLphp (which is a real pain!) on my server to do some tests, and it works 100% of the time against Google Apps while my code gets a lot of "Could not parse/try again later" errors, so I guess the problem is not on the Google Apps end, but actually in our code.

I even made a template which outputs the exact same saml:Response as simpleSAMLphp (with 2 signatures and a lot of extra XML fields/attributes) but
that doesn't change my issue at all, so I guess there is something else going on here, but I still can't find it out (I've looked into the RelayState param and the HTTP headers sent, but with no success so far).

