Hi Chris, I'm glad you figured it out. It's buried in the XML schema, but the ID needs to start with a letter. If you have an XML validator, you can validate the SAML Response with these:
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd

Thanks for your suggestion about having a test for this. You're right, it would make it a lot easier.

-alex

On Jul 15, 9:57 pm, chriskl <[EMAIL PROTECTED]> wrote:
> Forget it - turns out that the IDs need to be all-letters. Sigh. Why
> isn't there a test service that will just tell you these things?
>
> Chris
>
> On Jul 16, 12:40 pm, chriskl <[EMAIL PROTECTED]> wrote:
>
> > Hi,
>
> > I'm having a problem with Google saying that the SAML response is
> > malformed. However, there is literally zero information given as to
> > the exact problem.
>
> > Here is my webpage:
>
> > <form name="acsForm" action="https://www.google.com/a/navitas.edu.au/
> > acs" method="post">
> > <textarea rows=10 cols=80 name="SAMLResponse"><?xml
> > version="1.0"?>
> > <samlp:Response xmlns="urn:oasis:names:tc:SAML:
> > 2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:
> > 2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/
> > xmlenc#" ID="e9957140-07c8-e410-27a6-c034d5a1bccb"
> > IssueInstant="2008-07-16T04:35:36Z" Version="2.0"
> > Destination="https://www.google.com/a/navitas.edu.au/acs"
> > InResponseTo="eahdbofnaodknppfbopgnbpbboplpmiknjpcbldh">
> > <Signature xmlns="http://www.w3.org/2000/09/
> > xmldsig#">
> > <SignedInfo>
> > <CanonicalizationMethod
> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
> > <SignatureMethod Algorithm="http://www.w3.org/
> > 2000/09/xmldsig#dsa-sha1"/>
> > <Reference URI="">
> > <Transforms>
> > <Transform Algorithm="http://www.w3.org/
> > 2000/09/xmldsig#enveloped-signature"/>
> > </Transforms>
> > <DigestMethod Algorithm="http://www.w3.org/
> > 2000/09/xmldsig#sha1"/>
> > <DigestValue>+V68HaThO31DMBvUHNVMlgtQtww=</
> > DigestValue>
> > </Reference>
> > </SignedInfo>
> > <SignatureValue>Ah53NcCb9LM+4rD0rRZGIo
> > +UV7WBH1ZQllwK6QF0NqUk+3tVa3wsfA==</SignatureValue>
> > <KeyInfo>
> > <KeyValue>
> > <DSAKeyValue>
> > <P>
> > /KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0Imb
> > zRMqzVDZkVG9xD7nN1kuFw==
> > </P>
> > <Q>
> > li7dzDacuo67Jg7mtqEm2TRuOMU=
> > </Q>
> > <G>
> > Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMO
> > HCBiNU0NogpsQW5QvnlMpA==
> > </G>
> > <Y>
> > VMoV//Oh7VytBbZVySNmVZevV1bw7vmJwx5hHszeR25bforBFA19nk+3ehg6SgUj
> > WiXn7HsybemjRFs5x4+XFg==
> > </Y>
> > </DSAKeyValue>
> > </KeyValue>
> > </KeyInfo>
> > </Signature>
> > <samlp:Status>
> > <samlp:StatusCode
> > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> > </samlp:Status>
> > <Assertion xmlns="urn:oasis:names:tc:SAML:
> > 2.0:assertion" ID="70e553f0-0d6c-79f5-bf7d-
> > aeda5303e3a6" IssueInstant="2008-07-16T04:35:36Z"
> > Version="2.0">
> > <Issuer>portal2.dev.local</Issuer>
> > <Subject>
> > <NameID
> > Format="urn:oasis:names:tc:SAML:1.1:nameid-
> > format:emailAddress">_rsh</NameID>
> > <SubjectConfirmation
> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> > <SubjectConfirmationData
> > Recipient="https://www.google.com/a/navitas.edu.au/acs"
> > NotOnOrAfter="2008-07-16T04:45:36Z"
> > InResponseTo="eahdbofnaodknppfbopgnbpbboplpmiknjpcbldh"/>
> > </SubjectConfirmation>
> > </Subject>
> > <Conditions NotBefore="
> > 2008-07-16T04:30:36Z" NotOnOrAfter="
> > 2008-07-16T04:45:36Z">
> > <AudienceRestriction>
> > <Audience>https://www.google.com/
> > a/navitas.edu.au/acs</Audience>
> > </AudienceRestriction>
> > </Conditions>
> > <AuthnStatement AuthnInstant="
> > 2008-07-16T04:35:36Z">
> > <AuthnContext>
> > <AuthnContextClassRef>
> > urn:oasis:names:tc:SAML:
> > 2.0:ac:classes:Password
> > </AuthnContextClassRef>
> > </AuthnContext>
> > </AuthnStatement>
> > </Assertion>
> > </samlp:Response>
>
> > </textarea>
> > <textarea rows=10 cols=80 name="RelayState">https://www.google.com/
> > a/navitas.edu.au/ServiceLogin?continue=http%3A%2F
> > %2Fpartnerpage.google.com%2Fnavitas.edu.au%2Fdefault%2Fpostlogin%3Fpid
> > %3Dnavitas.edu.au%26url%3Dhttp%3A%2F%2Fpartnerpage.google.com
> > %2Fnavitas.edu.au&followup=http%3A%2F%2Fpartnerpage.google.com
> > %2Fnavitas.edu.au%2Fdefault%2Fpostlogin%3Fpid%3Dnavitas.edu.au%26url
> > %3Dhttp%3A%2F%2Fpartnerpage.google.com
> > %2Fnavitas.edu.au&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true
> > </textarea>
> > <input type="submit">
> > </form>
>
> > For the benefit of humans who find it hard to read html and url
> > escaped stuff, here are the two variables:
>
> > SAMLResponse:
> > <?xml version="1.0"?>
> > <samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> > ID="925b3a8a-d556-0737-6683-f1d4691f79ee"
> > IssueInstant="2008-07-16T04:39:19Z" Version="2.0"
> > Destination="https://www.google.com/a/navitas.edu.au/acs"
> > InResponseTo="eahdbofnaodknppfbopgnbpbboplpmiknjpcbldh">
> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> > <SignedInfo>
> > <CanonicalizationMethod Algorithm="http://www.w3.org/TR/
> > 2001/REC-xml-c14n-20010315#WithComments"/>
> > <SignatureMethod Algorithm="http://www.w3.org/2000/09/
> > xmldsig#dsa-sha1"/>
> > <Reference URI="">
> > <Transforms>
> > <Transform Algorithm="http://www.w3.org/2000/09/
> > xmldsig#enveloped-signature"/>
> > </Transforms>
> > <DigestMethod Algorithm="http://www.w3.org/2000/09/
> > xmldsig#sha1"/>
> > <DigestValue>GLMg4/6hX2ykTYDYiYkoRfV/XWM=</
> > DigestValue>
> > </Reference>
> > </SignedInfo>
> > <SignatureValue>kE4kR/
> > Cvn6pRT6cqFd5yuxpJmRxM892pBwGQ2DmYedk169KPRzWjeQ==</SignatureValue>
> > <KeyInfo>
> > <KeyValue>
> > <DSAKeyValue>
> > <P>
> > /KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0Imb
> > zRMqzVDZkVG9xD7nN1kuFw==
> > </P>
> > <Q>
> > li7dzDacuo67Jg7mtqEm2TRuOMU=
> > </Q>
> > <G>
> > Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMO
> > HCBiNU0NogpsQW5QvnlMpA==
> > </G>
> > <Y>
> > VMoV//Oh7VytBbZVySNmVZevV1bw7vmJwx5hHszeR25bforBFA19nk+3ehg6SgUj
> > WiXn7HsybemjRFs5x4+XFg==
> > </Y>
> > </DSAKeyValue>
> > </KeyValue>
> > </KeyInfo>
> > </Signature>
> > <samlp:Status>
> > <samlp:StatusCode Value="urn:oasis:names:tc:SAML:
> > 2.0:status:Success"/>
> > </samlp:Status>
> > <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > ID="260825ab-637c-41f1-1b3c-eb4607940c18"
> > IssueInstant="2008-07-16T04:39:19Z" Version="2.0">
> > <Issuer>portal2.dev.local</Issuer>
> > <Subject>
> > <NameID Format="urn:oasis:names:tc:SAML:
> > 1.1:nameid-format:emailAddress">_rsh</NameID>
> > <SubjectConfirmation
> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> > <SubjectConfirmationData
> > Recipient="https://www.google.com/a/navitas.edu.au/acs"
> > NotOnOrAfter="2008-07-16T04:49:19Z"
> > InResponseTo="eahdbofnaodknppfbopgnbpbboplpmiknjpcbldh"/>
> > </SubjectConfirmation>
> > </Subject>
> > <Conditions NotBefore="2008-07-16T04:34:19Z"
> > NotOnOrAfter="2008-07-16T04:49:19Z">
> > <AudienceRestriction>
> > <Audience>https://www.google.com/a/
> > navitas.edu.au/acs</Audience>
> > </AudienceRestriction>
> > </Conditions>
> > <AuthnStatement AuthnInstant="2008-07-16T04:39:19Z">
> > <AuthnContext>
> > <AuthnContextClassRef>
> > urn:oasis:names:tc:SAML:
> > 2.0:ac:classes:Password
> > </AuthnContextClassRef>
> > </AuthnContext>
> > </AuthnStatement>
> > </Assertion>
> > </samlp:Response>
>
> > RelayState:
> >https://www.google.com/a/navitas.edu.au/ServiceLogin?continue=http%3A...
>
> > Any help would be appreciated, as well as if it's possible to see logs
> > of what's going wrong somewhere, and if there is in fact a SAML test
> > service available from Google. I actually find it rather surprising
> > that there isn't!
>
> > Cheers,
>
> > Chris

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
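The thread's root cause is the XML Schema type of the `ID` attribute on `samlp:Response` and `Assertion`: the assertion and protocol schemas declare it as `xs:ID`, whose lexical space is an NCName, so the first character must be a letter or an underscore, never a digit, and every `xs:ID` value must be unique within the document. The IDs in Chris's posts that begin with a digit (`70e553f0-…`, `925b3a8a-…`, `260825ab-…`) fail that rule, while `e9957140-…` happens to pass. The following pre-flight check is an added example written for this page; it is not code from the thread, from Google, or from any SAML library. It assumes nothing beyond the Python standard library, and the sample Response is constructed from the skeleton in the post with the Signature, Subject and Conditions omitted, since only the ID attributes matter here. For full validation against the XSDs Alex lists, `lxml.etree.XMLSchema` will consume them, but that needs the schema files and their imports fetched first; this check runs offline and catches the specific mistake the thread ran into.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# xs:ID is an NCName: first character a letter or underscore, then letters,
# digits, '.', '-' or '_'. This pattern covers the ASCII subset only; the full
# XML production also admits non-ASCII letters, which SAML IDs rarely use.
NCNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")

SAML2_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the Response/Assertion skeleton from the thread with the
# Signature, Subject and Conditions left out, since only the ID attributes matter.
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<samlp:Response xmlns="{SAML2_ASSERTION}" xmlns:samlp="{SAML2_PROTOCOL}"
    ID="e9957140-07c8-e410-27a6-c034d5a1bccb"
    IssueInstant="2008-07-16T04:35:36Z" Version="2.0"
    Destination="https://www.google.com/a/navitas.edu.au/acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="70e553f0-0d6c-79f5-bf7d-aeda5303e3a6"
      IssueInstant="2008-07-16T04:35:36Z" Version="2.0">
    <Issuer>portal2.dev.local</Issuer>
  </Assertion>
</samlp:Response>
"""


def is_ncname(value):
    """True if value satisfies the (ASCII) NCName production used by xs:ID."""
    return NCNAME_RE.fullmatch(value) is not None


def check_ids(xml_text):
    """Return (local tag, ID value, reason) for every ID attribute that a schema
    validator would reject: not an NCName, or reused within the same document."""
    root = ET.fromstring(xml_text)
    problems = []
    seen = set()
    for elem in root.iter():
        value = elem.get("ID")
        if value is None:
            continue
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
        if not is_ncname(value):
            problems.append((tag, value, "not an NCName (must start with a letter or '_')"))
        elif value in seen:
            problems.append((tag, value, "duplicate xs:ID in document"))
        seen.add(value)
    return problems


def new_saml_id():
    """An ID that always satisfies xs:ID: an underscore prefix on random hex,
    so it can never start with a digit whatever the random generator yields."""
    return "_" + uuid.uuid4().hex


if __name__ == "__main__":
    for tag, value, reason in check_ids(SAMPLE_RESPONSE):
        print(f"{tag} ID={value!r}: {reason}")
    print("example of a schema-safe ID:", new_saml_id())
```

Run against the constructed sample, the Response ID passes and the Assertion ID is reported as "not an NCName"; a UUID-style generator will produce a digit-initial value roughly 10 of every 16 times, which is why the underscore prefix in `new_saml_id` is the usual fix rather than retrying. On the receiving side the same NCName check is worth keeping: a relying party that accepts an `ID` it cannot validate also cannot reliably use it for replay tracking of `InResponseTo`.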
