Morning all, Can anyone see anything obviously wrong with this SAML 2.0 AuthnResponse? I'm getting the error 'This account cannot be accessed because the login credentials could not be verified'. Assuming the signatures are right (is there an easy way to check?), it seems likely to be a problem with the SPNameQualifier attribute or the Audience element.
Kind regards, Sam
<?xml version="1.0"?>
<!-- SAML 2.0 Response from the IdP at mini.samj.net to the Google Apps ACS for samj.net.
     Re-wrapped one element per line for reading; text content and attribute values are unchanged.
     NOTE(review): several URI attribute values below begin with a space (xmlns:xs, xmlns:xsi,
     Destination, Recipient, every ds Algorithm). This is possibly an artefact of the mail archive;
     confirm against the bytes actually sent. If the spaces are on the wire, exact-match checks of
     Destination/Recipient and the algorithm identifiers would be expected to fail. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xs=" http://www.w3.org/2001/XMLSchema"
                xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"
                ID="_2bd4e1fc104ce39eb5d6fad1bf89a24b52ebe3e8ee"
                InResponseTo="nbbeecomabmohbpbokgaejdcnpjhjlplpcdhphjj"
                Version="2.0"
                IssueInstant="2008-06-27T00:38:52Z"
                Destination=" https://www.google.com/a/samj.net/acs">
  <!-- The Response element itself carries no ds:Signature; only the Assertion below is signed.
       Status, Destination and InResponseTo at this level are therefore not integrity-protected. -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> https://mini.samj.net/~samj/simplesamlphp/www/saml2/idp/metadata.php </saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="pfxd2bb20db-24ef-58ae-aa2c-3b493c57736f" IssueInstant="2008-06-27T00:38:52Z">
    <saml:Issuer> https://mini.samj.net/~samj/simplesamlphp/www/saml2/idp/metadata.php </saml:Issuer>
    <!-- Enveloped signature over the Assertion: the Reference URI equals the Assertion ID above.
         To check it offline, run an XML-DSig verifier (xmlsec1 in verify mode is one option) over the
         exact bytes the IdP emitted, with ID registered as the id attribute of saml:Assertion and the
         trusted certificate supplied from configuration rather than taken from KeyInfo. A re-wrapped
         or archive-mangled copy such as this one will not verify, because canonicalization keeps
         whitespace text nodes.
         The consumer should use only the element the Reference resolves to, not any other Assertion
         that may appear in the document. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm=" http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <!-- RSA with SHA-1 for the signature and SHA-1 for the digest: both are deprecated for new
             deployments; prefer the SHA-256 variants where the SP accepts them. -->
        <ds:SignatureMethod Algorithm=" http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfxd2bb20db-24ef-58ae-aa2c-3b493c57736f">
          <ds:Transforms>
            <ds:Transform Algorithm=" http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm=" http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm=" http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>18eZJl9xVNGSuPYLh/Mt0Ue18ro=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>KXbRATmwE+So4WXdiWntEXpWrDF7Jd1k0UBdxoLdFx1Sk/sC0Dp20NnRjjcfblfrHcj4YKwYOQkOupug5zrzI2jvpAy1wWSQunyOsh5vpNR0ubTwKmOlv2ufp1JxfgyDZFXm/u9kRpFUzdLFVqlmf/v07UupSfesDMO0lU2wYQM=</ds:SignatureValue>
      <!-- KeyInfo is a hint only: trust must come from the certificate registered with the SP.
           The base64 below decodes to a self-signed certificate for CN=feide.erlang.no, O=UNINETT,
           valid 2007-06-15 to 2007-08-14, which ended well before the 2008-06-27 IssueInstant, and
           the key appears to be 1024-bit RSA.
           NOTE(review): the subject does not name mini.samj.net, so this looks like a sample
           certificate shipped with the IdP software rather than one generated for this IdP; confirm.
           If its private key is publicly distributed, assertions that verify against it can be
           produced by anyone, so generate a fresh key pair and register that certificate with the
           SP. Also confirm that the certificate uploaded to the SP is the one matching the signing
           key; a mismatch would be consistent with the "could not be verified" error. -->
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <!-- Format declares an e-mail address, but the value "samj" has no domain part.
           NOTE(review): confirm which NameID form the SP expects (bare user name or full address)
           and make Format and value agree. -->
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" SPNameQualifier="google.com/a/samj.net">samj</saml:NameID>
      <!-- Bearer confirmation: whoever presents the assertion is accepted, so the SP relies on
           Recipient, InResponseTo and the NotOnOrAfter limit to restrict where and when it can be
           used. InResponseTo here matches the value on the Response element. -->
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2008-06-27T00:43:52Z" InResponseTo="nbbeecomabmohbpbokgaejdcnpjhjlplpcdhphjj" Recipient=" https://www.google.com/a/samj.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Validity window of about five and a half minutes (00:38:22Z to 00:43:52Z). IdP and SP
         clocks must agree within that margin, and a captured copy re-submitted later is expected
         to be rejected on time alone. -->
    <saml:Conditions NotBefore="2008-06-27T00:38:22Z" NotOnOrAfter="2008-06-27T00:43:52Z">
      <saml:AudienceRestriction>
        <!-- Audience holds the ACS endpoint URL followed by a trailing space, and it differs from
             the SPNameQualifier value "google.com/a/samj.net".
             NOTE(review): Audience is usually the SP's entity identifier rather than its endpoint
             URL; confirm the identifier the SP documents and emit it without surrounding
             whitespace. -->
        <saml:Audience>https://www.google.com/a/samj.net/acs </saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <!-- Records a password-based login at the IdP at the same instant the assertion was issued. -->
    <saml:AuthnStatement AuthnInstant="2008-06-27T00:38:52Z" SessionIndex="_e395fe58c997d9ad5f0b913ea68fd7f31e3797faeb">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
--~--~---------~--~----~------------~-------~--~----~ You 
