One thing that I noticed is that the namespace for some of the items was 
not prefixed properly, so I changed those to saml: (and updated the prefix 
declaration).  However, this still does not work with Google.  I can run it 
against an OpenSSO SP and the assertion is accepted properly, plus the 
email address is extracted correctly.  Can anyone at Google help?  What 
does the issuer need to be (for Google Apps) - anything?  The domain name?
 
Thanks!
 
Here is the latest example (which works successfully with OpenSSO):
 
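<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!--
  Review notes. They sit outside the signed Assertion so that nothing is
  added to the element the signature covers.

  Layout: attribute values that the mail archive wrapped onto a second line
  have been rejoined, and the stray ";" after two namespace declarations has
  been removed (with it the document was not well-formed). DigestValue and
  SignatureValue are reproduced as posted; the NameID is redacted by the
  archive and whitespace has been re-flowed, so they cannot be checked
  against this listing.

  Issuer: the value is placeholder text. Per SAML 2.0 Core, an Issuer with
  no Format attribute is an entity identifier, i.e. a URI. A service
  provider normally compares it with the identity provider it has been
  configured to trust; confirm the expected value in the SP documentation.

  Canonicalization: SignedInfo uses inclusive C14N with comments, and the
  Reference carries only the enveloped-signature transform. SAML 2.0 Core
  recommends Exclusive C14N (http://www.w3.org/2001/10/xml-exc-c14n#) so the
  digest does not depend on namespace declarations inherited from the
  enclosing Response (samlp, saml and xenc here). A verifier that processes
  the Assertion in a different namespace context can compute a different
  digest and reject the signature.

  Algorithms: rsa-sha1 and sha1 are deprecated for signatures. Where the SP
  supports them, prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  and http://www.w3.org/2001/04/xmlenc#sha256.

  Signature scope: only the Assertion is signed; the Response-level Issuer
  and Status are not. A consumer should take identity data only from the
  element that Reference URI resolves to, and verify with a certificate it
  was configured with in advance (no KeyInfo is present here).

  Text values: NameID and AuthnContextClassRef are padded with line breaks
  and indentation. That whitespace is part of the element content; a
  consumer that does not trim it sees a different identifier.

  Response attributes: the Response has no Destination or InResponseTo;
  only SubjectConfirmationData carries InResponseTo and Recipient. Audience
  repeats the ACS URL; check which audience value the SP expects.
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                ID="cfd2e57a-4aa6-4e99-b373-ccb196c96861"
                IssueInstant="2011-11-08T15:55:46Z"
                Version="2.0">
  <saml:Issuer>Does this matter as long as it's consistent?</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="24d61f6f-361e-4ee9-a3f9-c69f5dca4209"
                  IssueInstant="2011-11-08T15:55:46Z"
                  Version="2.0">
    <saml:Issuer>Does this matter as long as it's consistent?</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#24d61f6f-361e-4ee9-a3f9-c69f5dca4209">
          <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>BofV+xJ/B7rVIla0hk3l2NLR5v4=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>PZv+rVLy7Gh2HSKQVtuddzZBYmgIHAjHQJR+v/cV27h2bJcL853xfYoXrumyJr3KRxU+ABrr1mtV
C9qdIckbQZ8JSmCV/DnE8WuldxyqetZ7EG3UwMJp5VaqE0V5RSxBzLr8lxlbNNPzgQGQy4PJbJ2t
ZtsCR5/Cpo/s79K2kJxlJbOTvpHFiLWbDQf+EJ0uSUoo67ErkElhApyiuMJU4mHvdcUgqu7LwOhS
Fuc+zWYigYs18RVZUalR3DKSzsE3qAWB9D18GBt0xxIyEvPHd3BEdQTb9oTpr6X2nTJsaVwmVvSn
oTEyGC2QiRnYsbhXnT1N4CTtbmaz5EZi//OjiQ==</SignatureValue>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        [email protected]
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="pekgifbbgabindmplnnkmiklaellcdppmmgingfn"
                                      NotOnOrAfter="2011-11-08T16:00:46Z"
                                      Recipient="https://www.google.com/a/mydomain.com/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-11-08T15:50:46Z"
                     NotOnOrAfter="2011-11-08T16:00:46Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://www.google.com/a/mydomain.com/acs</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-11-08T15:55:46Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>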
