I've made the changes you suggested and my response XML now looks like this
(certificate and signature omitted):
<samlp:Response ID="meeggcnahjfhfihkgdnbkibjlempcgdbeempaeoe"
IssueInstant="2011-10-31T13:19:55.373Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="eimafomffcknibiphjfgbgnicklhnfikijnojkdc"
IssueInstant="2011-10-31T13:19:55.366Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#eimafomffcknibiphjfgbgnicklhnfikijnojkdc">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>e9/52wphnzTwe3BCutDEEo3hzpQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">ad...@cloudmenu.nu</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml:Subject>
<saml:Conditions NotBefore="2011-10-31T13:14:55.312Z"
NotOnOrAfter="2011-10-31T13:29:55.332Z"/>
<saml:AuthnStatement AuthnInstant="2011-10-31T13:19:55.338Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
I still get the "This account cannot be accessed because the login
credentials could not be verified." message though.
2011/10/31 T1B0 <t1b...@gmail.com>:
> --
> You received this message because you are subscribed to the Google Groups
> "SAML-based Single Sign On for Google Apps" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-apps-saml-sso/-/eaDUjVVYE9UJ.
> To post to this group, send email to google-app...@googlegroups.com.
> To unsubscribe from this group, send email to
> google-apps-saml...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-apps-saml-sso?hl=en.
>
Executing xmlsec1 from Java is not a solution for production though...
I'm currently looking at some other way to sign the response.
2011/10/31 T1B0 <t1b...@gmail.com>:
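One way to sign the assertion from Java itself, using only the JDK's javax.xml.crypto.dsig API instead of shelling out to xmlsec1. This is an added example, not code from the thread: it reproduces the shape of the responses posted above (enveloped-signature then exclusive C14N transforms, ds:Signature placed directly after saml:Issuer, Reference URI equal to the Assertion ID) on a constructed skeleton response. The key pair is generated on the fly, RSA-SHA256 is used in place of the thread's SHA-1 URIs, and a KeyValue stands in for the X509Data the posted responses carry.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
public class SignSamlAssertion {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Signs the first saml:Assertion of responseXml in place and returns the serialized Response.
    static String sign(String responseXml, KeyPair kp) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                  // without this the samlp:/saml:/ds: prefixes are not resolved
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(responseXml.getBytes("UTF-8")));
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML, "Assertion").item(0);
        assertion.setIdAttribute("ID", true);         // otherwise the JDK cannot resolve URI="#<AssertionID>"
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Same Reference shape as the responses in the thread: enveloped-signature, then exclusive C14N.
        Reference ref = fac.newReference("#" + assertion.getAttribute("ID"),
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                              fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();  // the thread's responses carry X509Data; KeyValue is used here
        // Schema order: ds:Signature must directly follow saml:Issuer, so insert it before Issuer's next sibling.
        Node next = assertion.getElementsByTagNameNS(SAML, "Issuer").item(0).getNextSibling();
        DOMSignContext ctx = next == null ? new DOMSignContext(kp.getPrivate(), assertion)
                                          : new DOMSignContext(kp.getPrivate(), assertion, next);
        fac.newXMLSignature(si, kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())))).sign(ctx);
        StringWriter out = new StringWriter();        // serialize as-is: re-indenting after signing breaks the digest
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed, unsigned skeleton of the response from the thread; IDs, times and hosts are placeholders.
        String response = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\" Version=\"2.0\" IssueInstant=\"2011-11-03T11:09:25.556Z\">"
                + "<saml:Assertion xmlns:saml=\"" + SAML + "\" ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2011-11-03T11:09:25.548Z\">"
                + "<saml:Issuer>https://idp.example.test</saml:Issuer><saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>";
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        System.out.println(sign(response, kpg.generateKeyPair()));
    }
}
```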
Thanks for all the help!
2011/11/1 Andreas Backman <abac...@gmail.com>:
"Server error
We are unable to process your request at this time, please try again later."
Anyways, here is my response:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="padalheejefgddnjljhebcelhigpnmanpcbkemik"
  IssueInstant="2011-11-03T11:09:25.556Z" Version="2.0"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="apbmfkoehpinimeaemjmlelgaoceagfcddhoemne"
    IssueInstant="2011-11-03T11:09:25.548Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://www.opensaml.org/IDP</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <ds:Reference URI="#apbmfkoehpinimeaemjmlelgaoceagfcddhoemne">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>qzDIZpyU8cdRLppXkaCGqjLHAQw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>????</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>????</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">ad...@cloudmenu.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="https://www.google.com/a/cloudmenu.nu/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2011-11-03T11:04:25.505Z" NotOnOrAfter="2011-11-03T11:19:25.522Z"/>
    <saml2:AuthnStatement AuthnInstant="2011-11-03T11:09:25.526Z">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
2011/11/1 T1B0 <t1b...@gmail.com>: