Hi,
I'm trying to authenticate against the SAML endpoint but I only get
this error message.
I have:
- browsed the forum and found that I had to verify the following.
- verified the server time; it's a few milliseconds off.
- all timestamps in UTC.
- tried several @Format values for Assertion->Subject->NameID.
- discovered that I need the mail address instead of the UID.
- passed the RelayState URL-encoded in a POST form.
- passed the SAMLResponse base64-encoded and URL-encoded.
This is JA-SIG CAS 3.3.1 with a customized SAML implementation (based on its Google Apps support); yes, I know this is not best practice, but it's what we currently have.
Any thoughts on what I might be doing wrong?
The Signed SAMLResponse:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Destination="https://www.google.com/a/g-apps-test.ic.uva.nl/acs"
    ID="gepphdnbdpdacpcgnnoigphgoigcpalcjheljich"
    InResponseTo="jlbkillagindkldjnlbhjaacigoaepjbmkffhbei"
    IssueInstant="2011-06-16T09:31:17.284Z" Version="2.0">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>jzZWb/zv1unTHLkl61nvHgAtRAI=</DigestValue></Reference></SignedInfo><SignatureValue>Gwf7Kk7bSUPmPvFifjSiWEZcp2uF3n++0DFjm7sSreUz0idPxLO9scGr4hrw0ryhmd0usLx4TaFo
3YJx3WzxuMoh51VA2lu4Bs1qU3ypW55qRtio3lMKHN2GFeRStEI/5Abj9ZblMSK85XKv2aypb+sQ
GeQIvhnMrgyyvDzsUEU=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>2at87IOR42XpAahV7q6cWAyKUL0ZTNDzgmYP67Dln7moW+qaUh3R0gvkAwLYbU5rv6wXv6tKe6sb
cs5BX+Mmv6TEQE6ji4vgpYMAlI9TcYXGYQGABnpYmc8nWuKPWNMymx51eTstjdgMyoR6xNfzUhsb
AFiZkCscLTneBkCFlDk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cas1dev.ic.uva.nl/cas</saml:Issuer>
    <Assertion ID="bckdnjakloedeablehelfkdpblhehiflmpilnhgo"
        IssueInstant="2011-06-16T09:31:17.284Z" Version="2.0">
        <Issuer>https://cas1dev.ic.uva.nl/cas</Issuer>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">G.Noo...@g-apps-test.ic.uva.nl</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData
                    InResponseTo="jlbkillagindkldjnlbhjaacigoaepjbmkffhbei"
                    NotOnOrAfter="2011-06-16T09:51:17.284Z"
                    Recipient="https://www.google.com/a/g-apps-test.ic.uva.nl/acs" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2011-06-16T09:26:17.284Z"
            NotOnOrAfter="2011-06-16T09:51:17.284Z">
            <AudienceRestriction>
                <Audience>google.com</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2011-06-16T09:31:17.284Z" SessionIndex="0">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
        <AttributeStatement>
            <Attribute Name="urn:mace:dir:attribute-def:uid">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">gnooteb2</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:sn">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Nootebos</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:givenName">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Gilgamesh</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:cn">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">G. Nootebos</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:displayName">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Gilgamesh Nootebos</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:mail">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">G.Noo...@s-res.uva.nl</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">gnoo...@s-res.uva.nl</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:eduPersonEntitlement">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:mace:dir:entitlement:common-lib-terms</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">member</AttributeValue>
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">employee</AttributeValue>
            </Attribute>
            <Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
                <AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">uva.nl</AttributeValue>
            </Attribute>
        </AttributeStatement>
    </Assertion>
</samlp:Response>
The post form:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
</head>
<body onload="document.forms[0].submit()">
<noscript><p>Since your browser does not support JavaScript, or support is disabled, you need to click Continue to proceed</p></noscript>
<!-- the form tag must not be self-closing, otherwise the inputs below sit outside the form -->
<form method='post' action='https://www.google.com/a/g-apps-test.ic.uva.nl/acs'>
<input type='hidden' name='SAMLResponse'
value='PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxzYW1scDpSZXNwb25zZSB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB
4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS9hL2ctYXBwcy10ZXN0LmljLnV2YS5ubC
9hY3MiIElEPSJnZXBwaGRuYmRwZGFjcGNnbm5vaWdwaGdvaWdjcGFsY2poZWxqaWNoIiBJblJlc3BvbnNlVG89ImpsYmtpbGxhZ2luZGtsZGpubGJoamFhY2lnb2FlcGpibWtmZmhiZWkiIElzc3VlSW5zdGFudD0iMjAxMS0wNi0xNlQwOTozMToxNy4yODRaIiBWZXJza
W9uPSIyLjAiPg0KDQogICAgPFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI
+PFNpZ25lZEluZm8+PENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy9UUi8yMDAxL1JFQy14bWwt
YzE0bi0yMDAxMDMxNSNXaXRoQ29tbWVudHMiIC8+PFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIgLz48UmVmZXJlbmNlIFVSST0iIj48VHJhbnNmb3Jtcz48VHJhbnNmb3JtIEFsZ29yaXR
obT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIC8+PC9UcmFuc2Zvcm1zPjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgLz48RGlnZXN0VmFsdW
U+anpaV2IvenYxdW5USExrbDYxbnZIZ0F0UkFJPTwvRGlnZXN0VmFsdWU
+PC9SZWZlcmVuY2U
+PC9TaWduZWRJbmZvPjxTaWduYXR1cmVWYWx1ZT5Hd2Y3S2s3YlNVUG1QdkZpZmpTaVdFWmNwMnVGM24rKzBERmptN3NTcmVVejBpZFB4TE85c2NHcjRocncwcnlobWQwdXNMeDRUYUZvDQozWUp4M1d6eHVNb2g1MVZBMmx1NEJzMXFVM3lwVzU1cVJ0aW8zbE1LSE4yR0ZlUlN0RUkvNUFiajlaYmxNU0s4NVhLdjJheXBiK3NRDQpHZVFJdmhuTXJneXl2RHpzVUVVPTwvU2lnbmF0dXJlVmFsdWU
+PEtleUluZm8+PEtleVZhbHVlPjxSU0FLZXlWYWx1ZT48TW9kdWx1cz4yYXQ4N0lPUjQyWHBBYWhWN3E2Y1dBeUtVTDBaVE5EemdtWVA2N0Rsbjdtb1crcWFVaDNSMGd2a0F3TFliVTVydjZ3WHY2dEtlNnNiDQpjczVCWCtNbXY2VEVRRTZqaTR2Z3BZTUFsSTlUY1lYR1lRR0FCbnBZbWM4bld1S1BXTk15bXg1MWVUc3RqZGdNeW9SNnhOZnpVaHNiDQpBRmlaa0NzY0xUbmVCa0NGbERrPTwvTW9kdWx1cz48RXhwb25lbnQ
+QVFBQjwvRXhwb25lbnQ
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
+DQogICAgICAgIDxTdWJqZWN0Pg0KICAgICAgICAgICAgPE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI
+Ry5Ob290ZWJvc0BnLWFwcHMtdGVzdC5pYy51dmEubmw8L05hbWVJRD4NCiAgICAgICAgICAgIDxTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI
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
+DQogICAgICAgICAgICA8QXV0aG5Db250ZXh0Pg0KICAgICAgICAgICAgICAgIDxBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvQXV0aG5Db250ZXh0Q2xhc3NSZWY
+DQogICAgICAgICAgICA8L0F1dGhuQ29udGV4dD4NCiAgICAgICAgPC9BdXRoblN0YXRlbWVudD4NCiAgICAgICAgPEF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6dWlkIj4NCiAgICAgICAgICAgICAgICA8QXR0cmlidXRlVmFsdWUgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI
+Z25vb3RlYjI8L0F0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgICAgPC9BdHRyaWJ1dGU
+DQogICAgICAgICAgICA8QXR0cmlidXRlIE5hbWU9InVybjptYWNlOmRpcjphdHRyaWJ1dGUtZGVmOnNuIj4NCiAgICAgICAgICAgICAgICA8QXR0cmlidXRlVmFsdWUgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI
+Tm9vdGVib3M8L0F0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgICAgPC9BdHRyaWJ1dGU
+DQogICAgICAgICAgICA8QXR0cmlidXRlIE5hbWU9InVybjptYWNlOmRpcjphdHRyaWJ1dGUtZGVmOmdpdmVuTmFtZSI
+DQogICAgICAgICAgICAgICAgPEF0dHJpYnV0ZVZhbHVlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPkdpbGdhbWVzaDwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6Y24iPg0KICAgICAgICAgICAgICAgIDxBdHRyaWJ1dGVWYWx1ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5HLiBOb290ZWJvczwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6ZGlzcGxheU5hbWUiPg0KICAgICAgICAgICAgICAgIDxBdHRyaWJ1dGVWYWx1ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5HaWxnYW1lc2ggTm9vdGVib3M8L0F0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgICAgPC9BdHRyaWJ1dGU
+DQogICAgICAgICAgICA8QXR0cmlidXRlIE5hbWU9InVybjptYWNlOmRpcjphdHRyaWJ1dGUtZGVmOm1haWwiPg0KICAgICAgICAgICAgICAgIDxBdHRyaWJ1dGVWYWx1ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5HLk5vb3RlYm9zQHMtcmVzLnV2YS5ubDwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6ZWR1UGVyc29uUHJpbmNpcGFsTmFtZSI
+DQogICAgICAgICAgICAgICAgPEF0dHJpYnV0ZVZhbHVlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmdub290ZWIyQHMtcmVzLnV2YS5ubDwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6ZWR1UGVyc29uRW50aXRsZW1lbnQiPg0KICAgICAgICAgICAgICAgIDxBdHRyaWJ1dGVWYWx1ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj51cm46bWFjZTpkaXI6ZW50aXRsZW1lbnQ6Y29tbW9uLWxpYi10ZXJtczwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6ZGlyOmF0dHJpYnV0ZS1kZWY6ZWR1UGVyc29uQWZmaWxpYXRpb24iPg0KICAgICAgICAgICAgICAgIDxBdHRyaWJ1dGVWYWx1ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5tZW1iZXI8L0F0dHJpYnV0ZVZhbHVlPg0KICAgICAgICAgICAgICAgIDxBdHRyaWJ1dGVWYWx1ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5lbXBsb3llZTwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgICAgIDxBdHRyaWJ1dGUgTmFtZT0idXJuOm1hY2U6dGVyZW5hLm9yZzphdHRyaWJ1dGUtZGVmOnNjaGFjSG9tZU9yZ2FuaXphdGlvbiI
+DQogICAgICAgICAgICAgICAgPEF0dHJpYnV0ZVZhbHVlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPnV2YS5ubDwvQXR0cmlidXRlVmFsdWU
+DQogICAgICAgICAgICA8L0F0dHJpYnV0ZT4NCiAgICAgICAgPC9BdHRyaWJ1dGVTdGF0ZW1lbnQ
+DQogICAgPC9Bc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg0K'/>
<input type='hidden' name='RelayState' value='https://www.google.com/a/g-apps-test.ic.uva.nl/ServiceLogin?service=mail&amp;passive=true&amp;rm=false&amp;continue=https%3A%2F%2Fmail.google.com%2Fa%2Fg-apps-test.ic.uva.nl%2F&amp;bsv=llya694le36z&amp;ss=1&amp;ltmpl=default&amp;ltmplcache=2&amp;from=login'/>
<input type='submit' value='Continue'/>
</form>
</body>
</html>
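The checklist in the post (clock skew, UTC timestamps, NameID format, RelayState, the base64 SAMLResponse field) is the set of conditions a service provider enforces on an incoming Response, and an SP that fails any of them typically answers with one generic error. The Python below is an added example, not code from the original post, from CAS or from Google: it decodes a SAMLResponse form field and reports every check that fails. The sample Response, the example.org names, the request ID `_req-1`, the placeholder signature values and the fixed "now" are all constructed so that it runs offline. Signature verification is left to an XML-DSig library; the example only reports what the Signature claims to cover and flags the rsa-sha1 and sha1 algorithms the posted Response uses, which are deprecated today.

```python
"""Added example, not from the original post: SP-side checks on a SAML 2.0 Response received over the
HTTP-POST binding. Signature verification is out of scope (use an XML-DSig library such as xmlsec)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
LEGACY_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}
UTC = dt.timezone.utc

def parse_instant(value):
    """SAML xs:dateTime values must be UTC ('Z'); fractional seconds are optional. Raises ValueError otherwise."""
    if not value or not value.endswith("Z"):
        raise ValueError("timestamp %r is missing or not in UTC" % (value,))
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=UTC)

def signature_problems(parent, label):
    """Check that the enveloped Signature under `parent` claims to cover it, and flag SHA-1 algorithms."""
    sig = parent.find("ds:Signature", NS)
    if sig is None:
        return ["%s is not signed" % label]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI") if ref is not None else None  # "" covers the whole document, "#id" this element
    out = [] if uri in ("", "#" + parent.get("ID", "")) else ["%s Signature Reference URI %r does not cover it" % (label, uri)]
    out += ["%s Signature uses legacy algorithm %s" % (label, e.get("Algorithm"))
            for e in sig.iter() if e.get("Algorithm") in LEGACY_ALGS]
    return out

def check_response(b64, *, now, acs_url, audience, request_id, skew=dt.timedelta(minutes=3)):
    """Return a list of human-readable problems; an empty list means every check passed."""
    p, root = [], ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        p.append("Status is not Success")
    if root.get("Destination") != acs_url:
        p.append("Destination %r != ACS URL %r" % (root.get("Destination"), acs_url))
    if root.get("InResponseTo") != request_id:
        p.append("Response InResponseTo does not match the AuthnRequest ID")
    if abs(parse_instant(root.get("IssueInstant")) - now) > skew:
        p.append("Response IssueInstant is outside the allowed clock skew")
    p.extend(signature_problems(root, "Response"))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return p + ["Response carries no Assertion"]
    bearer = [sc.find("saml:SubjectConfirmationData", NS)
              for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS) if sc.get("Method") == BEARER]
    if not bearer:
        p.append("no bearer SubjectConfirmation")
    for d in bearer:
        if d is None:
            p.append("bearer SubjectConfirmation has no SubjectConfirmationData")
            continue
        if d.get("Recipient") != acs_url:
            p.append("bearer Recipient %r != ACS URL" % d.get("Recipient"))
        if d.get("InResponseTo") != request_id:
            p.append("bearer InResponseTo does not match the AuthnRequest ID")
        if parse_instant(d.get("NotOnOrAfter")) <= now - skew:
            p.append("bearer confirmation has expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return p + ["Assertion has no Conditions"]
    if cond.get("NotBefore") and parse_instant(cond.get("NotBefore")) > now + skew:
        p.append("Conditions NotBefore is still in the future")
    if parse_instant(cond.get("NotOnOrAfter")) <= now - skew:
        p.append("Conditions NotOnOrAfter has passed")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if audience not in audiences:
        p.append("Audience %r not in %r" % (audience, audiences))
    return p

# Constructed sample with the same shape as the Response in the post; the signature values are placeholders.
SAMPLE_ACS, SAMPLE_AUDIENCE, SAMPLE_REQ = "https://sp.example.org/acs", "sp.example.org", "_req-1"
SAMPLE_NOW = dt.datetime(2011, 6, 16, 9, 31, 20, tzinfo=UTC)
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_resp-1" Version="2.0" InResponseTo="_req-1" Destination="https://sp.example.org/acs" IssueInstant="2011-06-16T09:31:17.284Z">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>AA==</DigestValue></Reference>
</SignedInfo><SignatureValue>AA==</SignatureValue></Signature>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_a-1" Version="2.0" IssueInstant="2011-06-16T09:31:17.284Z"><Issuer>https://idp.example.org/cas</Issuer>
<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">user@example.org</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_req-1"
 NotOnOrAfter="2011-06-16T09:51:17.284Z" Recipient="https://sp.example.org/acs"/></SubjectConfirmation></Subject>
<Conditions NotBefore="2011-06-16T09:26:17.284Z" NotOnOrAfter="2011-06-16T09:51:17.284Z">
<AudienceRestriction><Audience>sp.example.org</Audience></AudienceRestriction></Conditions>
</Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def demo():  # the sample as sent, 30 minutes late, and replayed to another SP with a stale request ID
    args = dict(acs_url=SAMPLE_ACS, audience=SAMPLE_AUDIENCE, request_id=SAMPLE_REQ)
    return {"fresh": check_response(SAMPLE_B64, now=SAMPLE_NOW, **args),
            "late": check_response(SAMPLE_B64, now=SAMPLE_NOW + dt.timedelta(minutes=30), **args),
            "replayed": check_response(SAMPLE_B64, now=SAMPLE_NOW, acs_url="https://other.example.org/acs",
                                       audience="other.example.org", request_id="_req-2")}
```

`demo()` returns the three outcomes: the fresh sample passes everything except the two legacy-algorithm warnings, the late copy trips IssueInstant, the bearer NotOnOrAfter and the Conditions window, and the replayed copy is caught four separate ways (Destination, both InResponseTo values, Recipient and Audience). To run it against a real Response you need the complete base64 value of the SAMLResponse field plus the ACS URL, audience and AuthnRequest ID the SP expects; the `skew` argument is the tolerance for the "few milliseconds off" clock difference mentioned in the post.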