Good day everyone,

I have spent the last few days configuring SSO for my domain,
i-Learn.uitm.edu.my, but kept getting the following error:

"This service cannot be accessed because your login credentials could
not be verified. Please log in and try again."

I read in the forum that this is probably due to the public/private key,
but I have regenerated the keys and uploaded the cert multiple times and
still get the same error.

I hope someone can tell me where my mistake is. Here are the steps that
I have taken:

1. Generate the public/private key and cert by running the following
commands:

openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -out dsaprivkey.pem dsaparam.pem
openssl dsa -in dsaprivkey.pem -outform DER -pubout -out dsapubkey.der
openssl pkcs8 -topk8 -inform PEM -outform DER -in dsaprivkey.pem -out dsaprivkey.der -nocrypt
openssl req -new -x509 -key dsaprivkey.pem -out dsacert.pem

2. upload dsacert.pem on Google Apps control panel

3. modify process_response.php to use dsapubkey.der and dsaprivkey.pem

4. Create two forms: one to get the SAMLRequest and the other to process
the response. Here are the two forms:

Form 1:

<form action='process_response.php' method='POST' name='frm'>
<input type="hidden" name="SAMLRequest" value="fZJNT+MwEIbvK+1/
sHzPV0ErZDVBXRCiEh8RDXvYm+tMUhd7nPXYLfz7TVMQcIDr+J1532c88/Nna9gOPGmHJS/
SnDNA5VqNfckfm6vkjJ9XP3/
MSVoziEUMG3yAfxEosLETSUwPJY8ehZOkSaC0QCIosVrc3ohZmovBu+CUM5wtL0u
+6dC0btNuW7Pu0Pb9BvTTkzZ22OJ6u96i7hVaO3D25y3W7BBrSRRhiRQkhrGU52dJXiT5SVOcipNfIp/
95ax
+dfqt8UjwXaz1UUTiumnqpL5fNdOAnW7B343qkvfO9QZS5SxnCyLwYYxz4ZCiBb8Cv9MKHh9uRqYQBhJZtt/
v0/emTGY6MSA9plEHm0IbU/
uSSUUHmloS6d3o0klDwKtpxWKi9B92+z2DfEvFq3ffefZhVPX6dQei5WXtjFYvbGGM2194kGH0Dz4CZ1fOWxm
+divSYqroNukmqYhIAyjdaWg5y6qj6+cbGS/nPw==">
<input type="hidden" name="RelayState" value="https://www.google.com/a/i-learn.uitm.edu.my/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fi-learn.uitm.edu.my%2F&ltmpl=default&ltmplcache=2">
<input type="hidden" name="returnPage" value="i-learn.uitm.edu.my">
<input type="hidden" name="samlAction" value="Generate SAML Response">
</form>

<script language="javascript">
document.frm.submit();
</script>

Form 2:

<form name="acsForm" action="https://www.google.com/a/i-learn.uitm.edu.my/acs" method="post" target="_self">
<div style="display: none">
<textarea rows=10 cols=80 name="SAMLResponse">
<?xml version="1.0"?>
<samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
ID="hfofapgneehcblkdmbaeadfhckbbfnkmcjcdjjan"
IssueInstant="2008-01-04T05:51:31Z" Version="2.0"
Destination="https://www.google.com/a/i-learn.uitm.edu.my/acs"
InResponseTo="hfnldohdjdlbfnmggheikkilmpjnbjbjnigcnmmp">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>pu03mI1TpbIYOfoL5gBUI7IkcpA=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>YtY0Jbcha7J5aGdOEtN2JtqfEf00SBgEn6vQNwTOfL3/Sok6+Ervgw==</SignatureValue>
        <KeyInfo>
            <KeyValue>
<DSAKeyValue>
<P>
8YxPfiWogufP/ozlubtJGyE4BYArgyRzURstYtCQ3zBflYR09dG87Zqjq8vp1eYr
CFx1baBGB9K5Ag1WS7r/RamCPU0btLFZUG6e7LjtXtVErf33iiG02U07W9YSrs4A
RLAhoO2GOMSc4qStcCwTzCiXJSffRNmDRHnjXy4pI2s=
</P>
<Q>
kXhcmhDedyVqOq9UgQ1PfYILYlM=
</Q>
<G>
6d1OPwYCUy8zkK/n8ygrHr+MVkC6zhXXinbnBZcsFr+0nt7NF/lzlXpgXTzx2zCR
uQtIOPkUAO3/i39S+zoyllMKtsm2M/FNt2V+X+UhUTVjFGB44f7DcdY7sWR+rIkX
Lvo+MRxHKU24nWfypShAh7dq4GDbkuvnzfxoBAv3XP0=
</G>
<Y>
xq0zzBGN5DbmPkM4ALKB4i3fb/CJJXJp7cRgUtuAU4lrIAHRTgwWuCJ4DLzq5AVF
KUdZhoyyhwxw2TSpvg5O9pgu+Pbp89C2mbSZ4TembLbJBTt54nUH6ZFwdoVH+TkZ
AK22s1B6U0n1U0tMl+ZOLQFJZ3gsovW6K7paUbD8/sA=
</Y>
</DSAKeyValue>
</KeyValue>
        </KeyInfo>
    </Signature>
        <samlp:Status>
                <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ohapckcomddmgjeidfkjcfgepjhichfapfpbacam"
IssueInstant="2008-01-04T05:51:31Z" Version="2.0">
                <Issuer>i-learn.uitm.edu.my</Issuer>
                <Subject>
                        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
                                tengkorak
                        </NameID>
                        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
                </Subject>
                <Conditions NotBefore="2008-01-04T05:46:31Z"
NotOnOrAfter="2008-01-04T06:01:31Z">
                </Conditions>
                <AuthnStatement AuthnInstant="2008-01-04T05:51:31Z">
                        <AuthnContext>
                                <AuthnContextClassRef>
                                        
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                </AuthnContextClassRef>
                        </AuthnContext>
                </AuthnStatement>
        </Assertion>
</samlp:Response>
</textarea>

<input type="text" name="RelayState" value="http://mail.google.com/a/i-learn.uitm.edu.my" >
</div>
</form>

From what I understand, when a user goes to
http://mail.google.com/a/i-learn.uitm.edu.my
they will be redirected to form 1, then form 1 will submit the request
to form 2, form 2 will then generate the response and send it to
https://www.google.com/a/i-learn.uitm.edu.my/acs and the user should
be logged in to their Gmail account.

The problem is that I keep getting this error:

"This service cannot be accessed because your login credentials could
not be verified. Please log in and try again."

Please help, thanks ...

Ali
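
A consistency check for the kind of request/response pair shown in the post, as an added example that is not part of the original message: it inflates a SAMLRequest (base64 over raw DEFLATE) and compares its ID and ACS URL with the response's InResponseTo and Destination, then checks the Conditions window and the NameID text. The sample request and response, the example.edu domain and all function names are constructed for illustration; the checks follow general SAML 2.0 processing rules, are not Google's documented validation, and do not verify the XML signature.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "https://www.google.com/a/example.edu/acs"  # constructed placeholder domain

def encode_sample(xml):
    """Build a constructed SAMLRequest value: raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

SAMPLE_REQUEST = encode_sample(
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="req-1" Version="2.0" IssueInstant="2008-01-04T05:51:00Z" '
    'AssertionConsumerServiceURL="%s"/>' % ACS)

def sample_response(in_response_to, name_id):
    """Constructed, unsigned response with only the fields checked below."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'InResponseTo="%s" Destination="%s">'
            '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<Subject><NameID>%s</NameID></Subject>'
            '<Conditions NotBefore="2008-01-04T05:46:31Z" '
            'NotOnOrAfter="2008-01-04T06:01:31Z"/></Assertion></samlp:Response>'
            % (in_response_to, ACS, name_id))

def decode_saml_request(b64):
    raw = base64.b64decode("".join(b64.split()))     # tolerate line-wrapped values
    return ET.fromstring(zlib.decompress(raw, -15))  # -15: raw DEFLATE, no header

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(request_b64, response_xml, now):
    """Return the mismatches found between a request and the response to it."""
    req, resp = decode_saml_request(request_b64), ET.fromstring(response_xml)
    problems = []
    if resp.get("InResponseTo") != req.get("ID"):
        problems.append("InResponseTo does not match request ID")
    if resp.get("Destination") != req.get("AssertionConsumerServiceURL"):
        problems.append("Destination does not match ACS URL")
    cond = resp.find(".//saml:Conditions", NS)
    if cond is None or not (
            parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("outside Conditions validity window")
    name_id = resp.find(".//saml:NameID", NS)
    if name_id is None or name_id.text != (name_id.text or "").strip():
        problems.append("NameID missing or padded with whitespace")
    return problems
```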
