"The required response parameter SAMLResponse was missing" in Google Apps SSO with simpleSAMLphp


alexm

Oct 31, 2011, 10:56:34 AM
to simpleSAMLphp
I have set up simpleSAMLphp 1.8 as an IdP for use with Google Apps
following this guide: http://simplesamlphp.org/docs/1.8/simplesamlphp-googleapps.
I'm still in the testing stages, aiming to roll it out for
authenticating in a Gmail Partner Edition I'm setting up. Things seem
to have been set up fine; most of the time everything works fine, but:

The problem I'm facing is that, in around 10-20% of attempted logins
or logouts, I get a Google page (https://www.google.com/a/
[my_site_name]/acs) with a message saying:

"The required response parameter SAMLResponse was missing" and the
login/logout attempt stops there.

In my debug attempts I'm seeing that, when a failed logout occurs, the
following gets written in simplesamlphp.log (I have removed the '$date
$time simplesamlphp' from the start of all log lines for simplicity):

INFO [8484b3b3bc] SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP
endpoint init Single Logout
INFO [8484b3b3bc] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP
endpoint SSOService
DEBUG [8484b3b3bc] Received message:
DEBUG [8484b3b3bc] <samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="gfplnkjhifpfcphagfodnilhgdcjokmlolcnacpm" Version="2.0"
IssueInstant="2011-10-26T14:14:04Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="google.com" IsPassive="false"
AssertionConsumerServiceURL="https://www.google.com/a/8484b3b3bc/acs">
DEBUG [8484b3b3bc] <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:
2.0:assertion">google.com</saml:Issuer>
DEBUG [8484b3b3bc] <samlap:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
DEBUG [8484b3b3bc] </samlp:AuthnRequest>
INFO [8484b3b3bc] SAML2.0 - IdP.SSOService: Incomming Authentication
request: 'google.com'
DEBUG [8484b3b3bc] Session: Valid session found with 'example-sql'.
DEBUG [8484b3b3bc] Session: Valid session found with 'example-sql'.
DEBUG [8484b3b3bc] Session: Valid session found with 'example-sql'.
DEBUG [8484b3b3bc] Session: Valid session found with 'example-sql'.
DEBUG [8484b3b3bc] Filter config for http://login.mysite.com/sso/saml2/idp/metadata.php->google.com:
array ( 0 =>
sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr'
=> 'preferredLanguage', 'priority' => 30, )), 1 =>
sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute'
=> 'realm', 'typeTag' => 'saml20-idp-SSO', 'priority' =>
45, )), 2 =>
sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes'
=> array ( ), 'isDefault' => false, 'priority' =>
50, )), 3 =>
sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr'
=> 'preferredLanguage', 'priority' => 99, )),)
NOTICE STAT [8484b3b3bc] saml20-idp-SSO google.com
http://login.mysite.com/sso/saml2/idp/metadata.php NA
INFO [8484b3b3bc] Sending SAML 2.0 Response to 'google.com'
DEBUG [8484b3b3bc] Sending message:
DEBUG [8484b3b3bc] <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxdabf9f73-
e863-4a97-be95-5c2d65b1d1d6" Version="2.0"
IssueInstant="2011-10-26T14:14:05Z" Destination="https://
www.google.com/a/mysite.com/acs"
InResponseTo="gfplnkjhifpfcphagfodnilhgdcjokmlolcnacpm">
DEBUG [8484b3b3bc] <saml:Issuer>http://login.mysite.com/sso/saml2/
idp/metadata.php</saml:Issuer>
DEBUG [8484b3b3bc] <ds:Signature xmlns:ds="http://www.w3.org/2000/09/
xmldsig#">
DEBUG [8484b3b3bc] <ds:SignedInfo>
DEBUG [8484b3b3bc] <ds:CanonicalizationMethod Algorithm="http://
www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [8484b3b3bc] <ds:SignatureMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#rsa-sha1"/>
DEBUG [8484b3b3bc] <ds:Reference URI="#pfxdabf9f73-e863-4a97-
be95-5c2d65b1d1d6">
DEBUG [8484b3b3bc] <ds:Transforms>
DEBUG [8484b3b3bc] <ds:Transform Algorithm="http://
www.w3.org/2000/09/xmldsig#enveloped-signature"/>
DEBUG [8484b3b3bc] <ds:Transform Algorithm="http://
www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [8484b3b3bc] </ds:Transforms>
DEBUG [8484b3b3bc] <ds:DigestMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#sha1"/>
DEBUG [8484b3b3bc] <ds:DigestValue>eBLxgy1o
+UIlKer8TzzEg0T7JKo=</ds:DigestValue>
DEBUG [8484b3b3bc] </ds:Reference>
DEBUG [8484b3b3bc] </ds:SignedInfo>
DEBUG [8484b3b3bc] <ds:KeyInfo>
DEBUG [8484b3b3bc] <ds:X509Data>
DEBUG [8484b3b3bc] </ds:X509Data>
DEBUG [8484b3b3bc] </ds:KeyInfo>
DEBUG [8484b3b3bc] </ds:Signature>
DEBUG [8484b3b3bc] <samlp:Status>
DEBUG [8484b3b3bc] <samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
DEBUG [8484b3b3bc] </samlp:Status>
DEBUG [8484b3b3bc] <saml:Assertion xmlns:xsi="http://www.w3.org/2001/
XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="pfxd9fd9ade-9144-9dd4-b1e5-54376e54ff43" Version="2.0"
IssueInstant="2011-10-26T14:14:05Z">
DEBUG [8484b3b3bc] <saml:Issuer>http://login.mysite.com/sso/saml2/
idp/metadata.php</saml:Issuer>
DEBUG [8484b3b3bc] <ds:Signature xmlns:ds="http://www.w3.org/
2000/09/xmldsig#">
DEBUG [8484b3b3bc] <ds:SignedInfo>
DEBUG [8484b3b3bc] <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [8484b3b3bc] <ds:SignatureMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#rsa-sha1"/>
DEBUG [8484b3b3bc] <ds:Reference URI="#pfxd9fd9ade-9144-9dd4-
b1e5-54376e54ff43">
DEBUG [8484b3b3bc] <ds:Transforms>
DEBUG [8484b3b3bc] <ds:Transform Algorithm="http://
www.w3.org/2000/09/xmldsig#enveloped-signature"/>
DEBUG [8484b3b3bc] <ds:Transform Algorithm="http://
www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [8484b3b3bc] </ds:Transforms>
DEBUG [8484b3b3bc] <ds:DigestMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#sha1"/>
DEBUG [8484b3b3bc] <ds:DigestValue>tfzAFYaeQKqgnulpdN3cgY
+c1G4=</ds:DigestValue>
DEBUG [8484b3b3bc] </ds:Reference>
DEBUG [8484b3b3bc] </ds:SignedInfo>
DEBUG [8484b3b3bc] <ds:KeyInfo>
DEBUG [8484b3b3bc] <ds:X509Data>
DEBUG [8484b3b3bc] </ds:X509Data>
DEBUG [8484b3b3bc] </ds:KeyInfo>
DEBUG [8484b3b3bc] </ds:Signature>
DEBUG [8484b3b3bc] <saml:Subject>
DEBUG [8484b3b3bc] <saml:NameID SPNameQualifier="google.com"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">bizeli</
saml:NameID>
DEBUG [8484b3b3bc] <saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
DEBUG [8484b3b3bc] <saml:SubjectConfirmationData
NotOnOrAfter="2011-10-26T14:19:05Z" Recipient="https://www.google.com/
a/mysite.com/acs"
InResponseTo="gfplnkjhifpfcphagfodnilhgdcjokmlolcnacpm"/>
DEBUG [8484b3b3bc] </saml:SubjectConfirmation>
DEBUG [8484b3b3bc] </saml:Subject>
DEBUG [8484b3b3bc] <saml:Conditions
NotBefore="2011-10-26T14:13:35Z" NotOnOrAfter="2011-10-26T14:19:05Z">
DEBUG [8484b3b3bc] <saml:AudienceRestriction>
DEBUG [8484b3b3bc] <saml:Audience>google.com</saml:Audience>
DEBUG [8484b3b3bc] </saml:AudienceRestriction>
DEBUG [8484b3b3bc] </saml:Conditions>
DEBUG [8484b3b3bc] <saml:AuthnStatement
AuthnInstant="2011-10-26T14:12:04Z"
SessionNotOnOrAfter="2011-10-26T22:14:05Z"
SessionIndex="_a8f236e9acc634c9ff704dbc5f6980ce075781c008">
DEBUG [8484b3b3bc] <saml:AuthnContext>
DEBUG [8484b3b3bc]
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:
2.0:ac:classes:Password</saml:AuthnContextClassRef>
DEBUG [8484b3b3bc] </saml:AuthnContext>
DEBUG [8484b3b3bc] </saml:AuthnStatement>
DEBUG [8484b3b3bc] </saml:Assertion>
DEBUG [8484b3b3bc] </samlp:Response>

When I do a successful logout the following gets written:

INFO [8484b3b3bc] SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP
endpoint init Single Logout
INFO [8484b3b3bc] SAML2.0 - IdP.SingleLogoutService: Accessing SAML
2.0 IdP endpoint SingleLogoutService
DEBUG [8484b3b3bc] Saved state:
'_bb6b705caa17f9e8132602cd13979e7ff43119357c'
DEBUG [8484b3b3bc] Session: Valid session found with 'example-sql'.
DEBUG [8484b3b3bc] Session: doLogout('example-sql')
DEBUG [8484b3b3bc] Loading state:
'_bb6b705caa17f9e8132602cd13979e7ff43119357c'
DEBUG [8484b3b3bc] Saved state:
'_bb6b705caa17f9e8132602cd13979e7ff43119357c'
INFO [8484b3b3bc] Logging out of 'saml:google.com'.
INFO [8484b3b3bc] Sending SAML 2.0 LogoutRequest to: 'google.com'
WARNING [8484b3b3bc] Unable to initialize logout to 'saml:google.com'.
DEBUG [8484b3b3bc] Template: Reading [/var/simplesamlphp/dictionaries/
logout]

----

I can of course also provide the respective logs for failed and
successful logins.

I'm trying to understand what might be causing this failed logout/
login behavior in this 10-20% of attempts but have not managed to
discover anything yet. Perhaps you could deduce something from the
logs or the error description above?

Thank you very much for your time and your effort in providing all
this to the community.

Alex

Peter Schober

Oct 31, 2011, 1:50:13 PM
to simpleSAMLphp
* alexm <alex19...@gmail.com> [2011-10-31 18:00]:

> When I do a successful logout the following gets written:
[...]

> INFO [8484b3b3bc] Sending SAML 2.0 LogoutRequest to: 'google.com'
> WARNING [8484b3b3bc] Unable to initialize logout to 'saml:google.com'.
> DEBUG [8484b3b3bc] Template: Reading [/var/simplesamlphp/dictionaries/
> logout]

Interesting concept of "successful logout" when it clearly fails.
But Google does not support SAML SLO, so if there's a logout endpoint
in your metadata it's wrong (possibly this is just SSP noticing that
there's no such endpoint).

As for your problem of required request parameters missing: not sure
what causes these to be missing (user error, b0rken web browser
behaviour, misbehaving proxies?), but others probably will.
-peter

Olav Morken

Nov 1, 2011, 6:09:57 AM
to simple...@googlegroups.com
On Mon, Oct 31, 2011 at 07:56:34 -0700, alexm wrote:
> I have setup simpleSAMLphp 1.8 as an IdP for use with Google Apps
> following this guide: http://simplesamlphp.org/docs/1.8/simplesamlphp-googleapps.
> I'm still in the testing stages, aiming to roll it out for
> authenticating in a Gmail Partner Edition I'm setting up. Things seem
> to have been setup fine, most of the time everything works fine but:
>
> The problem I'm facing is that, in around 10-20% of attempted logins
> or logouts, I get a Google page (https://www.google.com/a/
> [my_site_name]/acs) with a message saying:
>
> "The required response parameter SAMLResponse was missing" and the
> login/logout attempt stops there.
>
> In my debug attempts I'm seeing that, when a failed logout occurs, the
> following gets written in simplesamlphp.log (I have removed the '$date
> $time simplesamlphp' from the start of all log lines for simplicity):
>
> INFO [8484b3b3bc] SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP
> endpoint init Single Logout
> INFO [8484b3b3bc] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP
> endpoint SSOService
[...]

For some reason a login is started during or after the logout. What is
interesting is how the browser comes from a logout to the login
request. Have you looked at what requests and responses the browser
goes through when it receives this error? I believe most browsers have
some method of inspecting requests & responses. For Firefox there is
also the SAML tracer extension[1], which is an extension we developed to
make it easier to examine SAML messages.


[1] https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

Regards,
Olav Morken
UNINETT / Feide

alexm

Nov 1, 2011, 2:26:12 PM
to simpleSAMLphp
Peter, thank you for your help - you are indeed right about the
"successful logout" - I will be analyzing what's going wrong there.

Olav, thank you for pointing me in the direction of analyzing HTTP
responses.

I've decided to analyze the login procedure further (instead of
logout). For a successful login I get the following in SAML tracer and
simplesamlphp.log:

1) SAML tracer:

-http:

POST https://www.google.com/a/mysite.com/acs HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101
Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://login.mysite.com/sso/module.php/core/loginuserpass.php?
Cookie: GoogleAccountsLocale_session=el;
PREF=ID=904195283dbeff07:FF=0:TM=1320168540:LM=1320168540:GM=1:S=5p39YuPhFd671wtY;
TZ=-120;
NID=52=EK_f60pXI20xhHrX6Zcz46tuMTbuq93HGkQ6NVCrWBvm6eOlw6GKfmxGreY2DiLeiNuPtzIVws6TGKd1xos5HJu2Io_IDiU7IXcbh_nU-
a3cdYH3b5NDa31ufr8WjAFZ
Content-Type: application/x-www-form-urlencoded
Content-Length: 9557

HTTP/?.? 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: HID=DQAAAKQAAACE2EWQWOw_bfUFCz08vCTQu2fUA637EUHCf-
dXX_MbQ2RCMKKg77DAELo31K_9LBGeLo17Adzf8eONZ1R0T55-
nf1ygjfcNMk1BOHj4Fn8Gkt2_GmUkfr-J-
iZ0DZZJrxhz1wJ2LCLIO2GHivV_le7P0mnv93aFEB9dF3Y26-6QkO0EDYN5HonYp3nG8WxSHKCehgdips87gjWZ5VzzQ9wgeJOUR3qeDH4_xfaMK7yHw;Domain=www.google.com;Path=/
a/mysite.com/;Secure
HID=EXPIRED;Domain=.google.com;Path=/a/mysite.com/;Expires=Mon, 01-
Jan-1990 00:00:00 GMT
HUSR=al...@mysite.com;Path=/a/mysite.com/;Secure
ASIDAS=TGtJNXpYd0JBQUE9LmZ2SUNjeHg1b0Q4dmJISU1KaVR4TVE9PS4vZEI0NXp4UFF6cHBjRTJUZVhaNVhBPT0=;Domain=www.google.com;Path=/
a/
X-XSS-Protection: 0
Content-Encoding: gzip
Date: Tue, 01 Nov 2011 18:04:14 GMT
Expires: Tue, 01 Nov 2011 18:04:14 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Content-Length: 451
Server: GSE

-parameters:

POST
SAMLResponse: --- removed for simplicity -----
RelayState:
https://www.google.com/a/mysite.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fmysite.com%2F&ltmpl=default&ltmplcache=2

-SAML:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
.... a properly formed SAML response - removed for simplicity
</samlp:Response>


2) simplesamlphp.log:

DEBUG [46a2abf38e] Loading state:
'_16938f47b2438fb8c780f0e5063ca9599dc06cb450:http://login.mysite.com/
sso/saml2/idp/SSOService.php?
spentityid=google.com&cookieTime=1320170538&RelayState=https%3A%2F
%2Fwww.google.com%2Fa%2Fmysite.com%2FServiceLogin%3Fservice%3Dmail
%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F
%252Fmail.google.com%252Fa%252Fmysite.com%252F%26ltmpl%3Ddefault
%26ltmplcache%3D2'
DEBUG [46a2abf38e] Loading state:
'_16938f47b2438fb8c780f0e5063ca9599dc06cb450:http://login.mysite.com/
sso/saml2/idp/SSOService.php?
spentityid=google.com&cookieTime=1320170538&RelayState=https%3A%2F
%2Fwww.google.com%2Fa%2Fmysite.com%2FServiceLogin%3Fservice%3Dmail
%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F
%252Fmail.google.com%252Fa%252Fmysite.com%252F%26ltmpl%3Ddefault
%26ltmplcache%3D2'
INFO [46a2abf38e] sqlauth:example-sql: Got 1 rows from database
INFO [46a2abf38e] sqlauth:example-sql: Attributes: username,uid
DEBUG [46a2abf38e] Deleting state:
'_16938f47b2438fb8c780f0e5063ca9599dc06cb450'
DEBUG [46a2abf38e] Session: doLogin("example-sql")
DEBUG [46a2abf38e] Session: Valid session found with 'example-sql'.
DEBUG [46a2abf38e] Session: Valid session found with 'example-sql'.
DEBUG [46a2abf38e] Filter config for http://login.mysite.com/sso/saml2/idp/metadata.php->google.com:
array ( 0 =>
sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr'
=> 'preferredLanguage', 'priority' => 30, )), 1 =>
sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute'
=> 'realm', 'typeTag' => 'saml20-idp-SSO', 'priority' =>
45, )), 2 =>
sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes'
=> array ( ), 'isDefault' => false, 'priority' =>
50, )), 3 =>
sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr'
=> 'preferredLanguage', 'priority' => 99, )),)
NOTICE STAT [46a2abf38e] saml20-idp-SSO-first google.com
http://login.mysite.com/sso/saml2/idp/metadata.php NA
NOTICE STAT [46a2abf38e] saml20-idp-SSO google.com
http://login.mysite.com/sso/saml2/idp/metadata.php NA
INFO [46a2abf38e] Sending SAML 2.0 Response to 'google.com'
DEBUG [46a2abf38e] Sending message:
DEBUG [46a2abf38e] <samlp:Response xmlns:samlp
..... the response - exactly as above - removed for simplicity .......
DEBUG [46a2abf38e] </samlp:Response>

----------------------------------------------------

For a failed login, (the user gets the usual "The required response
parameter SAMLResponse was missing" message) the logs show the
following:

1) SAML tracer:

-http:

POST https://www.google.com/a/mysite.com/acs HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101
Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://login.mysite.com/sso/module.php/core/loginuserpass.php?
Cookie: GoogleAccountsLocale_session=el;
ASIDAS=QkVRNXpYd0JBQUE9LmZ2SUNjeHg1b0Q4dmJISU1KaVR4TVE9PS5EZ2toczRsZWEwYk9kd0d4Z0hLUkNRPT0=;
PREF=ID=904195283dbeff07:U=992bb9b0e533b1b6:FF=0:TM=1320168540:LM=1320170658:GM=1:S=pZ28zmCZNETpaeQR;
TZ=-120;
NID=52=EK_f60pXI20xhHrX6Zcz46tuMTbuq93HGkQ6NVCrWBvm6eOlw6GKfmxGreY2DiLeiNuPtzIVws6TGKd1xos5HJu2Io_IDiU7IXcbh_nU-
a3cdYH3b5NDa31ufr8WjAFZ
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

HTTP/?.? 200 OK
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Date: Tue, 01 Nov 2011 18:08:28 GMT
Expires: Tue, 01 Nov 2011 18:08:28 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 1596
Server: GSE

* As you see, there is no SAML response in the POST (!); however,
interestingly, a SAML response does get recorded (!) in
simplesamlphp.log:

2) simplesamlphp.log:


DEBUG [46a2abf38e] Loading state:
'_cae62552e195e6b9849c60dfdef5f3aaccc6901de5:http://login.mail.gr/sso/
saml2/idp/SSOService.php?
spentityid=google.com&cookieTime=1320170900&RelayState=https%3A%2F
%2Fwww.google.com%2Fa%2Fmail.gr%2FServiceLogin%3Fservice%3Dmail
%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F
%252Fmail.google.com%252Fa%252Fmail.gr%252F%26ltmpl%3Ddefault
%26ltmplcache%3D2'
DEBUG [46a2abf38e] Loading state:
'_cae62552e195e6b9849c60dfdef5f3aaccc6901de5:http://login.mail.gr/sso/
saml2/idp/SSOService.php?
spentityid=google.com&cookieTime=1320170900&RelayState=https%3A%2F
%2Fwww.google.com%2Fa%2Fmail.gr%2FServiceLogin%3Fservice%3Dmail
%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F
%252Fmail.google.com%252Fa%252Fmail.gr%252F%26ltmpl%3Ddefault
%26ltmplcache%3D2'
INFO [46a2abf38e] sqlauth:example-sql: Got 1 rows from database
INFO [46a2abf38e] sqlauth:example-sql: Attributes: username,uid
DEBUG [46a2abf38e] Deleting state:
'_cae62552e195e6b9849c60dfdef5f3aaccc6901de5'
DEBUG [46a2abf38e] Session: doLogin("example-sql")
DEBUG [46a2abf38e] Session: Valid session found with 'example-sql'.
DEBUG [46a2abf38e] Session: Valid session found with 'example-sql'.
DEBUG [46a2abf38e] Filter config for http://login.mail.gr/sso/saml2/idp/metadata.php->google.com:
array ( 0 =>
sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr'
=> 'preferredLanguage', 'priority' => 30, )), 1 =>
sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute'
=> 'realm', 'typeTag' => 'saml20-idp-SSO', 'priority' =>
45, )), 2 =>
sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes'
=> array ( ), 'isDefault' => false, 'priority' =>
50, )), 3 =>
sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr'
=> 'preferredLanguage', 'priority' => 99, )),)
NOTICE STAT [46a2abf38e] saml20-idp-SSO-first google.com
http://login.mail.gr/sso/saml2/idp/metadata.php NA
NOTICE STAT [46a2abf38e] saml20-idp-SSO google.com
http://login.mail.gr/sso/saml2/idp/metadata.php NA
INFO [46a2abf38e] Sending SAML 2.0 Response to 'google.com'
DEBUG [46a2abf38e] Sending message:
DEBUG [46a2abf38e] <samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxd1452774-
a5f3-6b73-490f-d4aacd5f8d22" Version="2.0"
IssueInstant="2011-11-01T18:08:27Z" Destination="https://
www.google.com/a/mail.gr/acs"
InResponseTo="kiefpfniefcafgbeffdiepeojijfdbhjfebhaceg">
DEBUG [46a2abf38e] <saml:Issuer>http://login.mail.gr/sso/saml2/idp/
metadata.php</saml:Issuer>
DEBUG [46a2abf38e] <ds:Signature xmlns:ds="http://www.w3.org/2000/09/
xmldsig#">
DEBUG [46a2abf38e] <ds:SignedInfo>
DEBUG [46a2abf38e] <ds:CanonicalizationMethod Algorithm="http://
www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [46a2abf38e] <ds:SignatureMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#rsa-sha1"/>
DEBUG [46a2abf38e] <ds:Reference URI="#pfxd1452774-
a5f3-6b73-490f-d4aacd5f8d22">
DEBUG [46a2abf38e] <ds:Transforms>
DEBUG [46a2abf38e] <ds:Transform Algorithm="http://
www.w3.org/2000/09/xmldsig#enveloped-signature"/>
DEBUG [46a2abf38e] <ds:Transform Algorithm="http://
www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [46a2abf38e] </ds:Transforms>
DEBUG [46a2abf38e] <ds:DigestMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#sha1"/>
DEBUG [46a2abf38e] <ds:DigestValue>3xntj+W0ddLzKeTPTjwcH/
2YdAQ=</ds:DigestValue>
DEBUG [46a2abf38e] </ds:Reference>
DEBUG [46a2abf38e] </ds:SignedInfo>
DEBUG [46a2abf38e] <ds:KeyInfo>
DEBUG [46a2abf38e] <ds:X509Data>
DEBUG [46a2abf38e] </ds:X509Data>
DEBUG [46a2abf38e] </ds:KeyInfo>
DEBUG [46a2abf38e] </ds:Signature>
DEBUG [46a2abf38e] <samlp:Status>
DEBUG [46a2abf38e] <samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
DEBUG [46a2abf38e] </samlp:Status>
DEBUG [46a2abf38e] <saml:Assertion xmlns:xsi="http://www.w3.org/2001/
XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"
ID="pfxad97740c-c702-6cc9-d610-304b8789170f" Version="2.0"
IssueInstant="2011-11-01T18:08:27Z">
DEBUG [46a2abf38e] <saml:Issuer>http://login.mail.gr/sso/saml2/idp/
metadata.php</saml:Issuer>
DEBUG [46a2abf38e] <ds:Signature xmlns:ds="http://www.w3.org/
2000/09/xmldsig#">
DEBUG [46a2abf38e] <ds:SignedInfo>
DEBUG [46a2abf38e] <ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [46a2abf38e] <ds:SignatureMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#rsa-sha1"/>
DEBUG [46a2abf38e] <ds:Reference URI="#pfxad97740c-c702-6cc9-
d610-304b8789170f">
DEBUG [46a2abf38e] <ds:Transforms>
DEBUG [46a2abf38e] <ds:Transform Algorithm="http://
www.w3.org/2000/09/xmldsig#enveloped-signature"/>
DEBUG [46a2abf38e] <ds:Transform Algorithm="http://
www.w3.org/2001/10/xml-exc-c14n#"/>
DEBUG [46a2abf38e] </ds:Transforms>
DEBUG [46a2abf38e] <ds:DigestMethod Algorithm="http://
www.w3.org/2000/09/xmldsig#sha1"/>
DEBUG [46a2abf38e] <ds:DigestValue>AmkZb56C1X9P+MvOhB
+Y8VZWM7E=</ds:DigestValue>
DEBUG [46a2abf38e] </ds:Reference>
DEBUG [46a2abf38e] </ds:SignedInfo>
DEBUG [46a2abf38e] <ds:KeyInfo>
DEBUG [46a2abf38e] <ds:X509Data>
DEBUG [46a2abf38e] </ds:X509Data>
DEBUG [46a2abf38e] </ds:KeyInfo>
DEBUG [46a2abf38e] </ds:Signature>
DEBUG [46a2abf38e] <saml:Subject>
DEBUG [46a2abf38e] <saml:NameID SPNameQualifier="google.com"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">alex</
saml:NameID>
DEBUG [46a2abf38e] <saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
DEBUG [46a2abf38e] <saml:SubjectConfirmationData
NotOnOrAfter="2011-11-01T18:13:27Z" Recipient="https://www.google.com/
a/mail.gr/acs" InResponseTo="kiefpfniefcafgbeffdiepeojijfdbhjfebhaceg"/
>
DEBUG [46a2abf38e] </saml:SubjectConfirmation>
DEBUG [46a2abf38e] </saml:Subject>
DEBUG [46a2abf38e] <saml:Conditions
NotBefore="2011-11-01T18:07:57Z" NotOnOrAfter="2011-11-01T18:13:27Z">
DEBUG [46a2abf38e] <saml:AudienceRestriction>
DEBUG [46a2abf38e] <saml:Audience>google.com</saml:Audience>
DEBUG [46a2abf38e] </saml:AudienceRestriction>
DEBUG [46a2abf38e] </saml:Conditions>
DEBUG [46a2abf38e] <saml:AuthnStatement
AuthnInstant="2011-11-01T18:08:27Z"
SessionNotOnOrAfter="2011-11-02T02:08:27Z"
SessionIndex="_adda2e6613e5ac5f118cdcc638d2a85855cbc0d0d0">
DEBUG [46a2abf38e] <saml:AuthnContext>
DEBUG [46a2abf38e]
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:
2.0:ac:classes:Password</saml:AuthnContextClassRef>
DEBUG [46a2abf38e] </saml:AuthnContext>
DEBUG [46a2abf38e] </saml:AuthnStatement>
DEBUG [46a2abf38e] </saml:Assertion>
DEBUG [46a2abf38e] </samlp:Response>

----

Are we getting somewhere with this finding? What could be causing the
failed post request to be empty of SAML content in the HTTP header
analysis while seeming fine in simplesamlphp.log?

Cheers,

Alex

Olav Morken

Nov 3, 2011, 8:15:49 AM
to simple...@googlegroups.com

There should not be any differences in how the POST request to the
Google Apps AssertionConsumerService endpoint is sent for the different
requests. Is this only happening in Firefox? In that case, have you
tested it with a clean install of Firefox (without any add-ons)? The
POST data may have been blocked by an add-on, e.g. NoScript.

You can also try to disable JavaScript in your browser. That will make
the browser stop on the "POST data" page, which is the page that sends
the POST request. That will allow you to examine the page source for
that page.
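As an added illustration (not code from the thread or from simpleSAMLphp), the following Python renders the self-submitting "POST data" page of the SAML 2.0 HTTP-POST binding that Olav refers to, and checks a captured POST to the ACS the way one would read the SAML tracer output above: an empty body (Content-Length: 0) is reported before anything else, and a non-empty body has its SAMLResponse decoded and its Destination compared with the POST target. All hosts, IDs and the sample response are constructed placeholders.

```python
import base64
import html
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample values (placeholders, not the thread's real hosts or IDs).
ACS_URL = "https://www.google.com/a/example.invalid/acs"
RELAY_STATE = "https://www.google.com/a/example.invalid/ServiceLogin?service=mail"
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
    f'Version="2.0" IssueInstant="2011-11-01T18:08:27Z" Destination="{ACS_URL}" '
    'InResponseTo="_req1">'
    '<saml:Issuer>http://login.example.invalid/sso/saml2/idp/metadata.php</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def build_post_form(acs_url, response_xml, relay_state):
    """Render the self-submitting page of the SAML 2.0 HTTP-POST binding.

    This is the "POST data" page the browser stops on when JavaScript is
    disabled; the <noscript> button lets the user submit it by hand.
    """
    saml_b64 = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(acs_url)}">'
        f'<input type="hidden" name="SAMLResponse" value="{saml_b64}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


def make_acs_request(acs_url, body):
    """Constructed raw HTTP request in the shape SAML tracer displays it."""
    return (
        f"POST {acs_url} HTTP/1.1\r\n"
        "Host: www.google.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def parse_http_request(raw):
    """Split a raw request into (request line, lowercase header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_acs_post(raw_request, expected_acs):
    """Return a list of findings for a POST to the ACS; an empty list means OK.

    The thread's symptom (Content-Length: 0, so no SAMLResponse at all) is
    checked first; only a non-empty POST is decoded and inspected further.
    """
    request_line, headers, body = parse_http_request(raw_request)
    findings = []
    method, target, _ = request_line.split(" ", 2)
    if method != "POST":
        findings.append(f"expected POST, got {method}")
    if target != expected_acs:
        findings.append(f"request target {target} is not the ACS {expected_acs}")
    if int(headers.get("content-length", "0")) == 0 or not body:
        findings.append("empty POST body: no SAMLResponse parameter was sent to the ACS")
        return findings
    params = parse_qs(body)
    if "SAMLResponse" not in params:
        findings.append("SAMLResponse parameter missing from POST body")
        return findings
    root = ET.fromstring(base64.b64decode(params["SAMLResponse"][0]))
    if root.tag != f"{{{SAMLP}}}Response":
        findings.append(f"unexpected root element {root.tag}")
    if root.get("Destination") != target:
        findings.append(f"Destination {root.get('Destination')!r} differs from POST target {target!r}")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("StatusCode is not Success")
    return findings


# Two constructed captures: the good one carries the form's parameters,
# the bad one mirrors the thread's failed login (an empty POST body).
GOOD_REQUEST = make_acs_request(ACS_URL, urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_RESPONSE.encode()).decode(),
    "RelayState": RELAY_STATE,
}))
EMPTY_REQUEST = make_acs_request(ACS_URL, "")
```

Running `check_acs_post` over a real SAML tracer capture only needs the wrapped header lines rejoined first; the empty-body finding is exactly what the failed-login capture above would produce.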
