how to solve "This account cannot be accessed because we could not parse the login request."


Gilgamesh Nootebos
Jun 16, 2011, 6:04:24 AM
to SAML-based Single Sign On for Google Apps
Hi,

I'm trying to authenticate against the SAML endpoint but I only get
this error message.

I have:
- browsed the forum and found that I had to verify the following.
- verified the server time, it's a few milliseconds off.
- all timestamps in UTC
- several @Formats for Assertion->Subject->NameID.
- discovered that I need the mail address instead of the UID.
- passed the RelayState on a POST form urlencoded
- passed the SAMLResponse base64 encoded and URL encoded.

This is JA-SIG CAS 3.3.1 with a customized SAML (based on its Google
Apps support) implementation, yes I know this is not best practice but
it's what we currently have.

Any thoughts on what I might be doing wrong?

The Signed SAMLResponse:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Destination="https://www.google.com/a/g-apps-test.ic.uva.nl/acs" ID="gepphdnbdpdacpcgnnoigphgoigcpalcjheljich" InResponseTo="jlbkillagindkldjnlbhjaacigoaepjbmkffhbei" IssueInstant="2011-06-16T09:31:17.284Z" Version="2.0">

    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>jzZWb/zv1unTHLkl61nvHgAtRAI=</DigestValue></Reference></SignedInfo><SignatureValue>Gwf7Kk7bSUPmPvFifjSiWEZcp2uF3n++0DFjm7sSreUz0idPxLO9scGr4hrw0ryhmd0usLx4TaFo
3YJx3WzxuMoh51VA2lu4Bs1qU3ypW55qRtio3lMKHN2GFeRStEI/5Abj9ZblMSK85XKv2aypb+sQ
GeQIvhnMrgyyvDzsUEU=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>2at87IOR42XpAahV7q6cWAyKUL0ZTNDzgmYP67Dln7moW+qaUh3R0gvkAwLYbU5rv6wXv6tKe6sb
cs5BX+Mmv6TEQE6ji4vgpYMAlI9TcYXGYQGABnpYmc8nWuKPWNMymx51eTstjdgMyoR6xNfzUhsb
AFiZkCscLTneBkCFlDk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature><samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>

    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cas1dev.ic.uva.nl/cas</saml:Issuer>

    <Assertion ID="bckdnjakloedeablehelfkdpblhehiflmpilnhgo" IssueInstant="2011-06-16T09:31:17.284Z" Version="2.0">
        <Issuer>https://cas1dev.ic.uva.nl/cas</Issuer>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">G.Noo...@g-apps-test.ic.uva.nl</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="jlbkillagindkldjnlbhjaacigoaepjbmkffhbei" NotOnOrAfter="2011-06-16T09:51:17.284Z" Recipient="https://www.google.com/a/g-apps-test.ic.uva.nl/acs" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2011-06-16T09:26:17.284Z" NotOnOrAfter="2011-06-16T09:51:17.284Z">
            <AudienceRestriction>
                <Audience>google.com</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2011-06-16T09:31:17.284Z" SessionIndex="0">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
            <Attribute Name="urn:mace:dir:attribute-def:uid">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">gnooteb2</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:sn">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Nootebos</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:givenName">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Gilgamesh</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:cn">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">G. Nootebos</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:displayName">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Gilgamesh Nootebos</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:mail">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">G.Noo...@s-res.uva.nl</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">gnoo...@s-res.uva.nl</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:dir:entitlement:common-lib-terms</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">member</AttributeValue>
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">employee</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">uva.nl</AttributeValue>
            </Attribute>
        </AttributeStatement>
    </Assertion>
</samlp:Response>


The post form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
</head>
<body onload="document.forms[0].submit()">
<noscript><p>Since your browser does not support Javascript, or support is disabled, you need to click Continue to proceed</p></noscript>
<!-- the form tag must not be self-closing, otherwise the inputs sit outside the form -->
<form method='post' action='https://www.google.com/a/g-apps-test.ic.uva.nl/acs'>
<input type='hidden' name='SAMLResponse' value='[base64-encoded SAMLResponse omitted; it decodes to the XML shown above]'/>
<input type='hidden' name='RelayState' value='https://www.google.com/a/g-apps-test.ic.uva.nl/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fa%2Fg-apps-test.ic.uva.nl%2F&bsv=llya694le36z&ss=1&ltmpl=default&ltmplcache=2&from=login'/>
<input type='submit' value='Continue'/>
</form>
</body>
</html>

Claudio Cherubino
Jun 16, 2011, 9:07:31 AM
to google-app...@googlegroups.com
Hi Gilgamesh,

Is the value of the RelayState parameter sent together with the SAMLResponse hard-coded?
Please note that it is a dynamic value and it must match exactly what has been passed together with the SAMLRequest.

According to your control panel, the user you are trying to login with has a Google Apps temporary password set.
Can you please assign the user a new password (not temporary) and try again?
Thanks

Claudio


--
You received this message because you are subscribed to the Google Groups "SAML-based Single Sign On for Google Apps" group.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-saml...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-saml-sso?hl=en.


Gilgamesh Nootebos
Jun 16, 2011, 3:09:58 PM
to google-app...@googlegroups.com
Hi Claudio,

I set the password to some pseudo-random string and retried, both with URL encoding on and off on the SAMLResponse.

The RelayState is copied from the original HTTP request. I'm not quite sure if it has to be re-encoded or not?

Unfortunately it didn't work.

Thanks

Here is the HTTP POST with URL encoding on:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    </head>
    <body onload="document.forms[0].submit()">
        <noscript><p>Since your browser does not support Javascript, or support is disabled, you need to click Continue to proceed</p></noscript>
        <!-- the form tag must not be self-closing, otherwise the inputs sit outside the form -->
        <form method='post' action='https://www.google.com/a/g-apps-test.ic.uva.nl/acs'>
            <input type='hidden' name='SAMLResponse' value='[base64-encoded and then URL-encoded SAMLResponse omitted]'/>

Claudio Cherubino
Jun 16, 2011, 3:37:29 PM
to google-app...@googlegroups.com
Hi Gilgamesh,

Google Apps requires the SAMLResponse to contain a valid X.509 certificate and I don't see the X509Data element inside KeyInfo in your decoded response.
Please update your SSO implementation accordingly and retry.
Thanks

Claudio

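The checklist that emerges from the thread (plain base64 in the hidden input, RelayState echoed back unchanged, Destination and Recipient equal to the ACS URL, NameID in emailAddress format, a validity window that includes the current time, and an X509Data element inside KeyInfo) as an added offline checker in Python; this is example code, not the poster's CAS code or anything from Google, and the ACS URL, RelayState and SAMPLE response are constructed placeholders.

```python
# Added example (not from the thread, CAS or Google); ACS and SAMPLE are constructed placeholders.
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
ACS = "https://www.google.com/a/example-domain.test/acs"  # placeholder ACS URL

SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns="{NS['saml']}" Destination="{ACS}"
  ID="_placeholder-response-id" Version="2.0" IssueInstant="2011-06-16T09:31:17.284Z">
  <Signature xmlns="{NS['ds']}"><SignedInfo/><SignatureValue>AAAA</SignatureValue><KeyInfo><KeyValue>
    <RSAKeyValue><Modulus>AAAA</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature>
  <Assertion ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2011-06-16T09:31:17.284Z">
    <Subject><NameID Format="{EMAIL_FMT}">user@example-domain.test</NameID><SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="{ACS}"
      NotOnOrAfter="2011-06-16T09:51:17.284Z"/></SubjectConfirmation></Subject>
    <Conditions NotBefore="2011-06-16T09:26:17.284Z" NotOnOrAfter="2011-06-16T09:51:17.284Z"/>
  </Assertion></samlp:Response>""".encode()

def post_fields(xml_bytes: bytes, relay_state: str) -> dict:
    """Plain base64 only: the browser percent-encodes the form body itself, so a
    pre-URL-encoded value arrives double-encoded. RelayState is echoed unchanged."""
    return {"SAMLResponse": base64.b64encode(xml_bytes).decode(), "RelayState": relay_state}

def decode_saml_response(field: str) -> bytes:
    """Undo the binding; also tolerate a field that was percent-encoded by mistake."""
    return base64.b64decode(urllib.parse.unquote_plus(field) if "%" in field else field)

def _ts(value):
    if value is None:  # SAML UTC timestamp, with or without millis -> aware datetime
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_response(xml_bytes: bytes, acs_url: str, now_iso: str) -> list:
    """Structural preconditions that must hold before signature verification (which
    this does not perform). Returns a list of findings; empty means all passed."""
    findings, root, now = [], ET.fromstring(xml_bytes), _ts(now_iso)
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("Response carries no Signature")
    elif sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        findings.append("KeyInfo lacks X509Data/X509Certificate (a bare KeyValue is rejected)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return findings + ["Response carries no Assertion"]
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:
        findings.append("NameID Format is not emailAddress")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient does not match the ACS URL")
    cond = a.find("saml:Conditions", NS)
    attrs = cond.attrib if cond is not None else {}
    nb, na = _ts(attrs.get("NotBefore")), _ts(attrs.get("NotOnOrAfter"))
    if (nb is not None and now < nb) or (na is not None and now >= na):
        findings.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    return findings
```

Run against SAMPLE at a time inside its window the only finding is the missing X509Data, which is exactly what the last reply points at; pass the IdP's real response bytes and ACS URL to get the same report for a live setup.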