Hi Sam,

This error message usually indicates that there is a mismatch between
the public key certificate Google Apps has on file and the private key
used to sign the SAML Response.  Can you try uploading the public key
certificate to the control panel again?

-alex

On Jun 26, 5:45 pm, "Sam Johnston" <[EMAIL PROTECTED]> wrote:
> Morning all,
>
> Can anyone see anything obviously wrong with this SAML 2.0 AuthnResponse as
> I'm getting the error 'This account cannot be accessed because the login
> credentials could not be verified'. Assuming the sigs are right (any easy
> way to check?) it seems likely to be a problem with the SPNameQualifier or
> Audience attributes.
>
> Kind regards,
>
> Sam
>
> <?xml version="1.0"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="_2bd4e1fc104ce39eb5d6fad1bf89a24b52ebe3e8ee"
> InResponseTo="nbbeecomabmohbpbokgaejdcnpjhjlplpcdhphjj" Version="2.0"
> IssueInstant="2008-06-27T00:38:52Z" 
> Destination="https://www.google.com/a/samj.net/acs">
>     <saml:Issuer 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://mini.samj.net/~samj/simplesamlphp/www/saml2/idp/metadata.php
> </saml:Issuer>
>     <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>         <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     </samlp:Status>
>     <saml:Assertion Version="2.0"
> ID="pfxd2bb20db-24ef-58ae-aa2c-3b493c57736f"
> IssueInstant="2008-06-27T00:38:52Z">
>         
> <saml:Issuer>https://mini.samj.net/~samj/simplesamlphp/www/saml2/idp/metadata.php
> </saml:Issuer>
>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>                 <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                 <ds:Reference
> URI="#pfxd2bb20db-24ef-58ae-aa2c-3b493c57736f">
>                     <ds:Transforms>
>                         <ds:Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                         <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                     </ds:Transforms>
>                     <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>18eZJl9xVNGSuPYLh/Mt0Ue18ro=</ds:DigestValue>
>                 </ds:Reference>
>             </ds:SignedInfo>
>
> <ds:SignatureValue>KXbRATmwE+So4WXdiWntEXpWrDF7Jd1k0UBdxoLdFx1Sk/sC0Dp20NnRjjcfblfrHcj4YKwYOQkOupug5zrzI2jvpAy1wWSQunyOsh5vpNR0ubTwKmOlv2ufp1JxfgyDZFXm/u9kRpFUzdLFVqlmf/v07UupSfesDMO0lU2wYQM=</ds:SignatureValue>
>             <ds:KeyInfo>
>                 <ds:X509Data>
>
> <ds:X509Certificate>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</ds:X509Certificate>
>                 </ds:X509Data>
>             </ds:KeyInfo>
>         </ds:Signature>
>         <saml:Subject>
>             <saml:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> SPNameQualifier="google.com/a/samj.net">samj</saml:NameID>
>             <saml:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml:SubjectConfirmationData
> NotOnOrAfter="2008-06-27T00:43:52Z"
> InResponseTo="nbbeecomabmohbpbokgaejdcnpjhjlplpcdhphjj" 
> Recipient="https://www.google.com/a/samj.net/acs"/>
>             </saml:SubjectConfirmation>
>         </saml:Subject>
>         <saml:Conditions NotBefore="2008-06-27T00:38:22Z"
> NotOnOrAfter="2008-06-27T00:43:52Z">
>             <saml:AudienceRestriction>
>                 <saml:Audience>https://www.google.com/a/samj.net/acs
> </saml:Audience>
>             </saml:AudienceRestriction>
>         </saml:Conditions>
>         <saml:AuthnStatement AuthnInstant="2008-06-27T00:38:52Z"
> SessionIndex="_e395fe58c997d9ad5f0b913ea68fd7f31e3797faeb">
>             <saml:AuthnContext>
>
> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
>             </saml:AuthnContext>
>         </saml:AuthnStatement>
>     </saml:Assertion>
> </samlp:Response>
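
The mismatch described in the reply above can be checked locally by confirming that the certificate uploaded to the control panel, the IdP's signing key and the certificate embedded in the response all carry the same public key. This is an added example, not part of the thread: the function names and file names are assumptions, and the key material is generated on the spot as constructed test data.

```shell
#!/bin/sh
# Added example: compare the public key in the uploaded certificate, the IdP
# signing key and the certificate embedded in a SAML response.

cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }  # PEM cert -> public key
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }         # PEM private key -> public key

# Public key of the certificate carried in <ds:X509Certificate> (base64 DER).
response_pub() {
  tr -d ' \t\r\n' < "$1" |
    sed -n 's|.*<ds:X509Certificate>\([^<]*\)</ds:X509Certificate>.*|\1|p' |
    base64 -d 2>/dev/null | openssl x509 -inform DER -noout -pubkey 2>/dev/null
}

# usage: check_idp uploaded.crt idp.key response.xml
check_idp() {
  up=$(cert_pub "$1"); key=$(key_pub "$2"); resp=$(response_pub "$3")
  if [ -z "$up" ] || [ -z "$key" ] || [ -z "$resp" ]; then
    echo "ERROR: could not read one of the inputs"; return 2
  fi
  [ "$up" = "$key" ] || { echo "MISMATCH: uploaded certificate vs signing key"; return 1; }
  [ "$up" = "$resp" ] || { echo "MISMATCH: uploaded certificate vs response KeyInfo"; return 1; }
  echo "OK: certificate, key and response agree"
}

# Constructed test material: two unrelated key pairs and a response stub
# that embeds the first certificate. Written under directory $1.
make_demo() {
  for n in idp other; do
    openssl genrsa -out "$1/$n.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/$n.key" -subj "/CN=$n.example" \
      -days 1 -out "$1/$n.crt" 2>/dev/null
  done
  b64=$(openssl x509 -in "$1/idp.crt" -outform DER | base64 | tr -d '\n')
  printf '<ds:X509Data>\n<ds:X509Certificate>%s</ds:X509Certificate>\n</ds:X509Data>\n' \
    "$b64" > "$1/response.xml"
}

tmp=$(mktemp -d)
make_demo "$tmp"
check_idp "$tmp/idp.crt" "$tmp/idp.key" "$tmp/response.xml"           # matching set
check_idp "$tmp/other.crt" "$tmp/idp.key" "$tmp/response.xml" || true # wrong cert uploaded
rm -rf "$tmp"
```

A match shows only that the same key pair is configured on both sides; it does not validate the signature over the assertion.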