Hello.

I have been "racking my brain" trying to figure out how to get Google Apps 
to work with my SAMLResponse.  My SAMLResponse works just fine with a 
simpleSAMLphp SP but fails every time with Google.

Here is the request they are providing:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="mpbjjibncopjikaegdheinnnhljkapegmilnmbic" Version="2.0"
    IssueInstant="2012-10-22T19:54:58Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com" IsPassive="false"
    AssertionConsumerServiceURL="https://www.google.com/a/XXX.apps-poc.com/acs">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/XXX.apps-poc.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

And my response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.google.com/a/XXX.apps-poc.com/acs"
    ID="_48b9b368bcb048c392e14568b8fb7be7"
    InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
    IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
    <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="_7c3c9cf9b30e41eea419fd262e81ec10"
        IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
        <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[email protected]</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData
                    InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
                    NotOnOrAfter="2012-10-22T19:59:58Z"
                    Recipient="https://www.google.com/a/XXX.apps-poc.com/acs"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2012-10-22T19:49:58Z" NotOnOrAfter="2012-10-22T19:59:58Z">
            <saml:AudienceRestriction>
                <saml:Audience>google.com/a/XXX.apps-poc.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2012-10-22T19:54:58Z"
            SessionIndex="_7c3c9cf9b30e41eea419fd262e81ec10">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="uid">
                <saml:AttributeValue>USER</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="givenName">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="sn">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="displayName">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="employeeNumber">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="employeeType">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="departmentNumber">
                <saml:AttributeValue>XXX</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="mail">
                <saml:AttributeValue>[email protected]</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod
                Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>G7NNJ82H9NCDO/xAEvjB1SXx+TQ=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
adT7ZXk0LC8MWtpSMt5WChegDK/ShHfa/H1pd/XajUn91Bwy9hl0ZwIX8OVwO/ldno2c7GFn6J3L
1gnBtqaHBJXHaLIOKq6mGVNo41FSQabSpFuc5LVpKpbLM2XCrJ4b3z/WumiIF2FWYkiT03U3V17Z
hSx695ckAUWoJZX/MwwfTFrCFSwbfNXAgIyldrf/XjOdNlbvguN51IgHWH/UFvWDfGRkc6c+dQL0
oNxbg6fi6W6MhKfgCtYEPmjHmZPoSIoHGGO64YG9t1f7l9ySJgt9U96lPGTSIsWDjA7u5vbEaC0D
rdLw0WLJNxuJUk2v/2AmMsC2RzBZ6Oiaxouz2w==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
MIIDkTCCAnmgAwIBAgIEFvzmHDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzENMAsGA1UE
CBMET2hpbzERMA8GA1UEBxMIRmFpcmxhd24xHzAdBgNVBAoTFlN0ZXJsaW5nIEpld2VsZXJzIElu
Yy4xCzAJBgNVBAsTAklUMRowGAYDVQQDExFTdGVybGluZyBGZWRlcmF0ZTAeFw0xMjEwMjIxOTQ2
MDRaFw00MDAzMDgxOTQ2MDRaMHkxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRPaGlvMREwDwYDVQQH
EwhGYWlybGF3bjEfMB0GA1UEChMWU3RlcmxpbmcgSmV3ZWxlcnMgSW5jLjELMAkGA1UECxMCSVQx
GjAYBgNVBAMTEVN0ZXJsaW5nIEZlZGVyYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAo1F9Kslp8F1XkjaPperaZbVP3GAtSjPqlCCzL0uKPhYjeQJDi4oSWcQIurA8YczXzRpipwl0
2TvUewuSfmLCKnrXzTmXXIgoXczu9RdrQT7P4ftRnJflzoKllPlLbmHiqMoS6QDlYk4Eom9U0IXw
ZnDl7pmY1QvmilHe7cTteQWqz66S2AZb36vndz00nXspJXKi/y4WISU4xOQQF3sKl6H0865aFd4p
ifh0+Fu16uVzPzFzHX4QsrjwRkaIOfG9/DI4OZINr2bXKTJTs2d7RM1mB5Ph3vr79iewjd4CA7ev
1MjxrLw9/SZNrsJ6nI6rOIQYiAbMON6asMtgHboM/wIDAQABoyEwHzAdBgNVHQ4EFgQUOEbUyOdZ
nS6yX8O8tXaDl1ji3HcwDQYJKoZIhvcNAQELBQADggEBAGcYBOFMc8ZEvAaH8Me4eODvW03BrjqY
BxBEeMJ8pbBxfRIyRwwC+hAIHdzZYQJpeiYrefN/+S9jM9pIW06810Cz0aM5GoTZlCGtCfuywjFd
/WkChX6I3UlZDo6LZYZMFTKGcFvf3W/MOZ5BCylvUHmXQXyZcPE1PN5HQaiu7i0DGe9VByw0PkEP
6r3rSbRkSDNgaLziHLONURNAlsP1uTeLeIQCB0IPoXak23bh9Vv+8mtOakzbpKvfasRcVxHPRNjD
rJU6Ed0aULWrxDTrYuZl85okRWCrpxgfgYqOiwgHH7xHEmdpDXK40OMJuhNcRGNz4UtDfqcjIhb+
PZgN45Y=</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
</samlp:Response>

I have tried:

   - Generating new certificates
   - Using DSA instead of RSA
   - Changing validity days to 180
   - 1024 bits instead of 2048
   - Removing the response Issuer
   - Changing the Issuer
   - Changing the NameID Format and value
   - Setting Audience to the request Issuer
   - Setting Audience to the ACS URL
   - Removing SessionIndex
   - Adding SPNameQualifier
   - Removing all attributes
   - Removing Destination from the response
   - Using the request's IssueInstant for calculations
   - Setting Reference URI in Signature to the Assertion ID (starting with #) - this causes simpleSAMLphp to fail along with Google
   - Replacing the _ in my UUIDs with the letter 'a'

So far I have not gotten it to work even once, and I've tried just about 
every combination of the above changes...  Can anyone provide some insight 
into why this is not working?

For reference, I created the cert by following 
https://developers.google.com/google-apps/help/articles/sso-keygen#JavaKeyTool

Thank you!

-- 
You received this message because you are subscribed to the Google Groups 
"Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-apps-mgmt-apis/-/eD6xt3-w-YUJ.
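As an added example (not code from the original post, from simpleSAMLphp or from Google), the following Python script runs the plain-text consistency checks a SAML 2.0 service provider performs on a Response against the AuthnRequest that triggered it: InResponseTo on the Response and on SubjectConfirmationData, Destination and Recipient against the AssertionConsumerServiceURL, Audience against the SP's Issuer, the NotBefore/NotOnOrAfter window with a clock-skew allowance, the element named by the signature's Reference URI, and the position of a Response-level ds:Signature, which the SAML 2.0 protocol schema places directly after Issuer and before Status. It deliberately does not verify the XML signature itself; that needs an XML-DSig library with canonicalization support. The embedded AuthnRequest and the trimmed Response are taken from the post with the AttributeStatement and base64 blobs removed and a constructed placeholder e-mail address; the 60-second skew, the function names and the wording of the findings are my own.

```python
"""Plain-text consistency checks an SP applies to a SAML 2.0 Response.

Added example, not code from the original post. It does NOT verify the
XML signature; that needs an XML-DSig library with C14N support.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed inputs: the AuthnRequest from the post, and its Response with the
# AttributeStatement and base64 blobs dropped and a placeholder e-mail address.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="mpbjjibncopjikaegdheinnnhljkapegmilnmbic" Version="2.0" IssueInstant="2012-10-22T19:54:58Z"
  AssertionConsumerServiceURL="https://www.google.com/a/XXX.apps-poc.com/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/XXX.apps-poc.com</saml:Issuer>
</samlp:AuthnRequest>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://www.google.com/a/XXX.apps-poc.com/acs" ID="_48b9b368bcb048c392e14568b8fb7be7"
  InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic" IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
  <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_7c3c9cf9b30e41eea419fd262e81ec10" IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
    <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">user@XXX.apps-poc.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
          NotOnOrAfter="2012-10-22T19:59:58Z" Recipient="https://www.google.com/a/XXX.apps-poc.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-10-22T19:49:58Z" NotOnOrAfter="2012-10-22T19:59:58Z">
      <saml:AudienceRestriction><saml:Audience>google.com/a/XXX.apps-poc.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:Reference URI=""/></ds:SignedInfo></ds:Signature>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2012-10-22T19:54:58Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(response_xml, request_xml, now, skew=timedelta(seconds=60)):
    """Return a list of findings; empty means every check passed. `skew` is an assumed tolerance."""
    req, resp = ET.fromstring(request_xml), ET.fromstring(response_xml)
    req_id, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
    sp_entity = req.findtext("saml:Issuer", namespaces=NS)
    findings = []

    if resp.get("InResponseTo") != req_id:
        findings.append("Response/InResponseTo does not match the request ID")
    if resp.get("Destination") not in (None, acs):
        findings.append(f"Destination {resp.get('Destination')!r} is not the ACS URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")

    # Schema order for a Response-level signature: Issuer, Signature, Status, then Assertion.
    tags = [child.tag.split("}")[-1] for child in resp]
    if "Signature" in tags and "Status" in tags and tags.index("Signature") > tags.index("Status"):
        findings.append("Response-level Signature appears after Status; schema order is Issuer, Signature, Status")

    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion in Response"]

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("InResponseTo") != req_id:
            findings.append("SubjectConfirmationData/InResponseTo does not match the request ID")
        if scd.get("Recipient") != acs:
            findings.append(f"Recipient {scd.get('Recipient')!r} is not the ACS URL")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + skew:
            findings.append("SubjectConfirmationData has expired")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - skew:
            findings.append("assertion is not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + skew:
            findings.append("assertion has expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity not in audiences:
            findings.append(f"Audience {audiences} does not name the SP entity {sp_entity!r}")

    # URI="" covers the document root; "#<ID>" must name the Response or the Assertion.
    signed_ids = {resp.get("ID"), assertion.get("ID")}
    for ref in resp.iter(f"{{{NS['ds']}}}Reference"):
        uri = ref.get("URI", "")
        if uri and uri.lstrip("#") not in signed_ids:
            findings.append(f"signature Reference URI {uri!r} names neither the Response nor the Assertion")
    if resp.find(".//ds:Signature", NS) is None:
        findings.append("no XML signature present")
    return findings


if __name__ == "__main__":
    for finding in check_response(RESPONSE, AUTHN_REQUEST, _ts("2012-10-22T19:54:58Z")):
        print("FINDING:", finding)
```

Run against the sample at the Response's own IssueInstant, every cross-reference check passes and the only finding is the signature position: the posted Response carries its Signature after the Assertion, whereas the protocol schema puts it directly after the Issuer and before Status. Whether a given SP enforces schema order is implementation-specific, so treat that as a thing to verify against the SP's documentation rather than a diagnosis. Mutating the sample (an expired clock, a foreign Recipient, a Reference URI that names neither element) shows how each check reports independently, which is how an SP-side validator should behave so that a single failing rule is visible in its logs.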