Hi Wes,

A few things are missing.  The SAMLResponse needs to be digitally
signed.  The Assertion is missing Issuer, and the AuthnStatement is
missing an AuthnContext.

Also, the Google Apps ACS handler looks for a time interval Condition
in the Assertion.

You might want to check with ComponentSpace to see if they offer
support for their product.

For reference:

http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

-alex

On Apr 1, 1:39 pm, "Wes Plybon" <[EMAIL PROTECTED]> wrote:
> I've gotten everything in my SSO connection worked out except for my
> response.  When I POST the response back to Google, it tells me:
>
> "This account cannot be accessed because we could not parse the login
> request."
>
> Everything looks good to me, but I figured I'd let someone here take a
> look.  I'm using a SAML 2.0 .NET component developed by ComponentSpace.
> Here's my response:
>
> <samlp:Response
>     ID="_b3edfeaa-d8b9-48a0-9492-331ab6f53020"
>     Version="2.0"
>     IssueInstant="2008-04-01T20:19:24Z"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://beta.whipplehill.com/sso/saml2.0/</saml:Issuer>
>     <samlp:Status>
>         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>     </samlp:Status>
>     <saml:Assertion
>         Version="2.0"
>         ID="_19b86b5a-db51-45ea-a576-606e13e1d540"
>         IssueInstant="2008-04-01T20:19:24Z"
>         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
>         <saml:Subject>
>             <saml:NameID>wh_user</saml:NameID>
>         </saml:Subject>
>         <saml:AuthnStatement AuthnInstant="2008-04-01T20:19:24Z" />
>     </saml:Assertion>
> </samlp:Response>
>
> Wes Plybon
>
> Application Programmer
>
> Whipplehill Communications
>
> (603) 669-5979 x3252
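
An added example, not part of either message and not ComponentSpace code: a Python structural check for the four gaps the reply lists, run against the response from the quoted message (whitespace condensed, namespace declarations moved to the root element). The function name and message strings are assumptions of this example, and it tests element presence only; it does not verify a signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The response from the quoted message; xmlns declarations hoisted to the root.
WES_RESPONSE = """<samlp:Response ID="_b3edfeaa-d8b9-48a0-9492-331ab6f53020" Version="2.0"
    IssueInstant="2008-04-01T20:19:24Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://beta.whipplehill.com/sso/saml2.0/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_19b86b5a-db51-45ea-a576-606e13e1d540"
      IssueInstant="2008-04-01T20:19:24Z">
    <saml:Subject><saml:NameID>wh_user</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2008-04-01T20:19:24Z"/>
  </saml:Assertion>
</samlp:Response>"""


def lint_response(xml_text):
    """Return the structural gaps named in the reply (presence checks only)."""
    root = ET.fromstring(xml_text)
    problems = []
    # The reply asks for a signature on the Response element itself.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response: no ds:Signature")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("Response: no Assertion")
    for a in assertions:
        if a.find("saml:Issuer", NS) is None:
            problems.append("Assertion: no Issuer")
        # The time interval is carried by NotBefore / NotOnOrAfter on Conditions.
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
            problems.append("Assertion: no Conditions time interval")
        stmts = a.findall("saml:AuthnStatement", NS)
        if not stmts:
            problems.append("Assertion: no AuthnStatement")
        for s in stmts:
            if s.find("saml:AuthnContext", NS) is None:
                problems.append("AuthnStatement: no AuthnContext")
    return problems
```

Calling `lint_response(WES_RESPONSE)` reports one finding for each item in the reply; a response that passes still needs its signature validated by the receiving side.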