Hi Ali,

Actually the error message you mentioned:

"This service cannot be accessed because your login credentials could
not be verified. Please log in and try again."

indicates that the Assertion time is not valid, e.g. the current time
is before the NotBefore time.

<Conditions NotBefore="2008-01-04T05:46:31Z"
NotOnOrAfter="2008-01-04T06:01:31Z">

Can you double-check your system clock?  Make sure the system time is
accurate.

-alex
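
The validity-window check described above, as an added example (not part of the original thread and not Google's code). The function names and the `skew` tolerance are assumptions; the constructed sample reuses only the timestamps from the quoted assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the timestamps come from the thread's assertion.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2008-01-04T05:51:31Z" Version="2.0">
  <Conditions NotBefore="2008-01-04T05:46:31Z"
              NotOnOrAfter="2008-01-04T06:01:31Z"/>
</Assertion>"""

def parse_utc(value):
    """Parse the second-resolution UTC timestamps used in the thread."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return (verdict, seconds) for the assertion's validity window.

    verdict is 'valid', 'not_yet_valid' or 'expired'; seconds is how far
    `now` (the receiver's clock) lies past the failing bound. `skew` is a
    hypothetical tolerance applied to both bounds.
    """
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("no <Conditions> element found")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_utc(not_before) - skew:
        return "not_yet_valid", int((parse_utc(not_before) - now).total_seconds())
    # NotOnOrAfter is exclusive: the assertion is expired at that instant.
    if not_on_or_after and now >= parse_utc(not_on_or_after) + skew:
        return "expired", int((now - parse_utc(not_on_or_after)).total_seconds())
    return "valid", 0

if __name__ == "__main__":
    issued = parse_utc("2008-01-04T05:51:31Z")
    # Receiver clock relative to the issuing server's clock, in minutes.
    for offset in (0, -6, 11):
        verdict, secs = check_conditions(SAMPLE, issued + timedelta(minutes=offset))
        print(f"receiver clock {offset:+d} min vs issuer: {verdict} ({secs}s)")
```

With this 15-minute window, an issuing server whose clock runs more than 5 minutes fast or more than 10 minutes slow produces assertions the receiver rejects.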

On Jan 8, 12:30 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> Hi Ali,
>
> This is puzzling, since the steps you've listed seem correct.  The
> RelayState in form 2 should be the same as the RelayState in form 1,
> however that would not cause the error message you are seeing.  Can
> you delete (or move) the keys which came with the sample, just to make
> sure they are not being used?
>
> If you still get this error message, would you mind submitting a
> support request so someone can work on this further?  Instructions on
> how to submit a support request are in the control panel.
>
> -alex
>
> On Jan 3, 7:00 am, tengkorak <[EMAIL PROTECTED]> wrote:
>
> > Good day everyone,
>
> > I have spent the last few days configuring SSO for my domain, i-
> > Learn.uitm.edu.my but kept getting the following error:
>
> > "This service cannot be accessed because your login credentials could
> > not be verified. Please log in and try again."
>
> > I read in the forum that this is probably due to the public/private key,
> > but I have regenerated the keys and uploaded the cert multiple times and
> > still get the same error.
>
> > I hope someone can tell me where my mistake is. Here are the steps that
> > I have taken:
>
> > 1. generate public/private key and cert by running the following
> > command
>
> > openssl dsaparam -out dsaparam.pem 1024
> > openssl gendsa -out dsaprivkey.pem dsaparam.pem
> > openssl dsa -in dsaprivkey.pem -outform DER -pubout -out dsapubkey.der
> > openssl pkcs8 -topk8 -inform PEM -outform DER -in dsaprivkey.pem -out dsaprivkey.der -nocrypt
> > openssl req -new -x509 -key dsaprivkey.pem -out dsacert.pem
>
> > 2. upload dsacert.pem on Google Apps control panel
>
> > 3. modify process_response.php to use dsapubkey.der and dsaprivkey.pem
>
> > 4. create two forms: one to get the SAMLRequest and the other to process
> > the response. Here are the two forms:
>
> > Form 1:
>
> > <form action='process_response.php' method='POST' name='frm'>
> > <input type="hidden" name="SAMLRequest" value="fZJNT+MwEIbvK+1/
> > sHzPV0ErZDVBXRCiEh8RDXvYm+tMUhd7nPXYLfz7TVMQcIDr+J1532c88/Nna9gOPGmHJS/
> > SnDNA5VqNfckfm6vkjJ9XP3/
> > MSVoziEUMG3yAfxEosLETSUwPJY8ehZOkSaC0QCIosVrc3ohZmovBu+CUM5wtL0u
> > +6dC0btNuW7Pu0Pb9BvTTkzZ22OJ6u96i7hVaO3D25y3W7BBrSRRhiRQkhrGU52dJXiT5SVOcipNfIp/
> > 95ax
> > +dfqt8UjwXaz1UUTiumnqpL5fNdOAnW7B343qkvfO9QZS5SxnCyLwYYxz4ZCiBb8Cv9MKHh9uRqYQBhJZtt/
> > v0/emTGY6MSA9plEHm0IbU/
> > uSSUUHmloS6d3o0klDwKtpxWKi9B92+z2DfEvFq3ffefZhVPX6dQei5WXtjFYvbGGM2194kGH0Dz4CZ1fOWxm
> > +divSYqroNukmqYhIAyjdaWg5y6qj6+cbGS/nPw==">
> > <input type="hidden" name="RelayState" value="https://www.google.com/a/
> > i-learn.uitm.edu.my/ServiceLogin?
> > service=mail&passive=true&rm=false&continue=http%3A%2F
> > %2Fmail.google.com%2Fa%2Fi-learn.uitm.edu.my
> > %2F&ltmpl=default&ltmplcache=2">
> > <input type="hidden" name="returnPage" value="i-learn.uitm.edu.my">
> > <input type="hidden" name="samlAction" value="Generate SAML Response">
> > </form>
>
> > <script language="javascript">
> > document.frm.submit();
> > </script>
>
> > Form 2:
>
> > <form name="acsForm" action="https://www.google.com/a/i-
> > learn.uitm.edu.my/acs" method="post" target="_self">
> > <div style="display: none">
> > <textarea rows=10 cols=80 name="SAMLResponse">
> > <?xml version="1.0"?>
> > <samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> > ID="hfofapgneehcblkdmbaeadfhckbbfnkmcjcdjjan"
> > IssueInstant="2008-01-04T05:51:31Z" Version="2.0"
> > Destination="https://www.google.com/a/i-learn.uitm.edu.my/acs"
> > InResponseTo="hfnldohdjdlbfnmggheikkilmpjnbjbjnigcnmmp">
> >     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> >         <SignedInfo>
> >             <CanonicalizationMethod Algorithm="http://www.w3.org/TR/
> > 2001/REC-xml-c14n-20010315#WithComments"/>
> >             <SignatureMethod Algorithm="http://www.w3.org/2000/09/
> > xmldsig#dsa-sha1"/>
> >             <Reference URI="">
> >                 <Transforms>
> >                     <Transform Algorithm="http://www.w3.org/2000/09/
> > xmldsig#enveloped-signature"/>
> >                 </Transforms>
> >                 <DigestMethod Algorithm="http://www.w3.org/2000/09/
> > xmldsig#sha1"/>
> >                 <DigestValue>pu03mI1TpbIYOfoL5gBUI7IkcpA=</
> > DigestValue>
> >             </Reference>
> >         </SignedInfo>
> >         <SignatureValue>YtY0Jbcha7J5aGdOEtN2JtqfEf00SBgEn6vQNwTOfL3/
> > Sok6+Ervgw==</SignatureValue>
> >         <KeyInfo>
> >             <KeyValue>
> > <DSAKeyValue>
> > <P>
> > 8YxPfiWogufP/ozlubtJGyE4BYArgyRzURstYtCQ3zBflYR09dG87Zqjq8vp1eYr
> > CFx1baBGB9K5Ag1WS7r/RamCPU0btLFZUG6e7LjtXtVErf33iiG02U07W9YSrs4A
> > RLAhoO2GOMSc4qStcCwTzCiXJSffRNmDRHnjXy4pI2s=
> > </P>
> > <Q>
> > kXhcmhDedyVqOq9UgQ1PfYILYlM=
> > </Q>
> > <G>
> > 6d1OPwYCUy8zkK/n8ygrHr+MVkC6zhXXinbnBZcsFr+0nt7NF/lzlXpgXTzx2zCR
> > uQtIOPkUAO3/i39S+zoyllMKtsm2M/FNt2V+X+UhUTVjFGB44f7DcdY7sWR+rIkX
> > Lvo+MRxHKU24nWfypShAh7dq4GDbkuvnzfxoBAv3XP0=
> > </G>
> > <Y>
> > xq0zzBGN5DbmPkM4ALKB4i3fb/CJJXJp7cRgUtuAU4lrIAHRTgwWuCJ4DLzq5AVF
> > KUdZhoyyhwxw2TSpvg5O9pgu+Pbp89C2mbSZ4TembLbJBTt54nUH6ZFwdoVH+TkZ
> > AK22s1B6U0n1U0tMl+ZOLQFJZ3gsovW6K7paUbD8/sA=
> > </Y>
> > </DSAKeyValue>
> > </KeyValue>
> >         </KeyInfo>
> >     </Signature>
> >         <samlp:Status>
> >                 <samlp:StatusCode
> > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>
> >         </samlp:Status>
> >         <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > ID="ohapckcomddmgjeidfkjcfgepjhichfapfpbacam"
> > IssueInstant="2008-01-04T05:51:31Z" Version="2.0">
> >                 <Issuer>i-learn.uitm.edu.my</Issuer>
> >                 <Subject>
> >                         <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-
> > format:emailAddress">
> >                                 tengkorak
> >                         </NameID>
> >                         <SubjectConfirmation
> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
>
> >                 </Subject>
> >                 <Conditions NotBefore="2008-01-04T05:46:31Z"
> > NotOnOrAfter="2008-01-04T06:01:31Z">
> >                 </Conditions>
> >                 <AuthnStatement AuthnInstant="2008-01-04T05:51:31Z">
> >                         <AuthnContext>
> >                                 <AuthnContextClassRef>
> >                                         
> > urn:oasis:names:tc:SAML:2.0:ac:classes:Password
> >                                 </AuthnContextClassRef>
> >                         </AuthnContext>
> >                 </AuthnStatement>
> >         </Assertion>
> > </samlp:Response>
> > </textarea>
>
> > <input type="text" name="RelayState" value="http://mail.google.com/a/i-
> > learn.uitm.edu.my" >
> > </div>
> > </form>
>
> > From what I understand, when a user goes to
> > http://mail.google.com/a/i-learn.uitm.edu.my
> > it will be redirected to form 1, then form 1 will submit the request
> > to form 2, form 2 will then generate the response and then send it to
> > https://www.google.com/a/i-learn.uitm.edu.my/acs and the user should
> > be logged in to their gmail account.
>
> > Problem is I kept getting an error about:
>
> > "This service cannot be accessed because your login credentials could
> > not be verified. Please log in and try again."
>
> > Please help, thanks ...
>
> > Ali
You received this message because you are subscribed to the Google Groups 
"Google Apps APIs" group.