Hi Ed, Thanks for the pointer, but it doesn't look related to my problem. In my case, a response is being sent to Google, but it's not being accepted at their end. I'm also running CAS 3.5.1, in which that bug should already be fixed.
David On Feb 7, 2013, at 1:37 PM, Ed Hillis <[email protected]> wrote: > It may not apply to your CAS version, and it may not be related, but did you > see https://issues.jasig.org/browse/CAS-868? > > Ed > > > On Thu, Feb 7, 2013 at 2:05 PM, Lynxlogic <[email protected]> wrote: > Hi, > > I'm getting started with CAS and my first chore is to setup SSO with Google > apps. I followed the directions here: > https://wiki.jasig.org/pages/viewpage.action?pageId=6063484 > > When I try to sign in Google redirects to my CAS server, I sign in, then CAS > posts back to Google, but Google apparently has a problem with the SAML > response. I get an error page saying "This account cannot be accessed because > the login credentials could not be verified." > > According to Google's SSO FAQ, this is usually due to the private key used to > sign the response not matching the uploaded certificate. I verified the cert > matches the private key (https://kb.wisc.edu/middleware/page.php?id=4064). > > I've also tried sending the username in the NameID element as just "username" > as well as "username@domain", with no change in result. > > I've even tried customizing the response template in the > GoogleAccountsService class and tried changing the NameID format to email > instead of emailAddress as well as other tweaks, such as setting the Issuer > to a host matching the CN on the certificate. > > I've also run cas in a debugger and could see it loading the private key via > the classpath, so I'm fairly confident the right private key is being used. > > At this point I'm stumped. Does anyone have any pointers? > > P.S. I built CAS using the maven overlay approach. > > Thanks, > David > > -- > You are currently subscribed to [email protected] as: > [email protected] > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > > -- > Ed Hillis, Web Programmer > Southwestern University > 1001 East University Avenue, Georgetown, TX 78626 > 512.863.1066 [email protected] > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
