I see a few potential issues here:

   - You don't have an RSAKeyValue listed. See my attachment example for what 
   that should look like.
   - Issuer should be your Google Apps domain.
   - Your XML doesn't seem to be fully canonicalized. If you're signing a 
   non-canonicalized version of the XML, the signature won't match what Google 
   thinks it should be. See http://www.w3.org/TR/xml-c14n for details on 
   canonical XML. I found it easiest to just make sure my templates were 
   canonical instead of trying to convert in and out of canonical format.
   - The NameID can be just the username if you're not using multiple 
   domains in Google Apps. If you are using multiple domains or think you ever 
   might, use the email address.

Attached is a SAMLResponse I generated with my working SAML implementation 
for Google Apps. I made no modifications to the format but did make changes 
to the modulus, signature and anywhere the domain was listed for 
privacy/security reasons. It should still give you plenty to go on though.

You might also be interested in my open source implementation of Google 
Apps SAML, Google Apps Improved Login 
(GAIL) <http://code.google.com/p/google-apps-improved-login>. 
I don't really support GAIL much anymore but the SAML portion of the code 
(take a look at the templates in particular) should be of some use to you.

Jay

-- 
You received this message because you are subscribed to the Google Groups 
"Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-apps-mgmt-apis/-/B8VO0TcN0zMJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-apps-mgmt-apis?hl=en.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="pgljgiknbpomnoeldckfbgmlmlfcahpdiffiohp"
    IssueInstant="2011-11-08T16:41:09Z" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
        <DigestValue>nTq8aaQzyKsrZVD2GnQw4IeRi3g=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>oLTqJBmbZwJVDM3RtZTJwdnDpIh6tvqsgoxCRPqQGKNX8NwHwQM0ZWlBQurhUFg2IuuC92CQb4m43ZBmBkMKfFV7x76le7mUjmMFZXAV1+/tShfloV6CRfDpQXu33I6idQwjNcGKRPFAfp0drA9RSNrDhJmQRZuXe9cuKJK90PIJCtpcx3sPD3VeWwfui6VAqkH8mcm1xwYPv/nwplC4FQT1UjI/iNsNnB5NAd5+XeGpIIZ7HpH+8swbgKShFUz+gKbaKgebV4tszgsDz8F6DwQ4rcyPDWV6EFpvAH1QN+ZbhcCJ0pXFBvQ7bO9C+rKj4W6sPlauWFwEJ2wc5RFoGg==</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>8oLgQSroN501gMgkBj+F/YFf2Ks3jFzQ8LHTAla93QibklqcjGpzXE4wTuzJW2pc33yQ7l2jyOeXAPjj9rYvRIcTHknNcvCAExLiX96ez3bqPufU3Tb8HStPlAIpdVgisrElnojjavtaBTyN70vbwQjl6kJfe9E4I+JZIbFKoS5Vcom45G0CKtRZy0AdR+R0b5FdXysr17gc8LIpA8w8trI7p/zo9cUVfGVInHSLDIWljZYvUBpN6oeJMg9tT+7gzlGEEifAMCnX4Cv4fJbaLz49KmsAKlvcjBaz3Wpb0xQhlbi6I5BFexZnuLVwpBTxnEGDFG5VlTubmn/yICxIUw==</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>
  </samlp:Status>
  <Assertion ID="ofphljedmkcamifllngidddkiehdkeggnfhkldf" IssueInstant="2011-11-08T16:41:09Z" Version="2.0">
    <Issuer>xxxxx.myb.com</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">jl710</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData Recipient="https://www.google.com/a/xxxxx.myb.com/acs"></SubjectConfirmationData>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2011-11-08T16:36:09Z" NotOnOrAfter="2011-11-08T16:51:09Z"></Conditions>
    <AuthnStatement AuthnInstant="2011-11-08T16:41:09Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
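The canonicalization point in the post above, as an added example that is not from the post or from GAIL: it computes the <Reference URI=""> digest the way an XML-DSig verifier does (enveloped-signature transform, canonicalize, SHA-1, base64) and shows that two serializations of the same response only agree on the digest after canonicalization, while extra whitespace still changes it. It assumes Python 3.8+ and uses ElementTree's C14N 2.0 as a stand-in for the 2001 C14N 1.0 the response declares; the responses, IDs and signature values in it are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Subtree removed by the enveloped-signature transform listed in <Transforms>.
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def canonical_form(xml_text: str) -> str:
    """Drop ds:Signature (enveloped-signature transform), then canonicalize.
    Assumption: ElementTree's C14N 2.0 stands in for the 2001 C14N 1.0 the
    response declares; a real verifier should use xmlsec or signxml."""
    return ET.canonicalize(xml_data=xml_text, exclude_tags=[DSIG_SIGNATURE])

def reference_digest(xml_text: str) -> str:
    """Base64 SHA-1 of the canonical form: the value <DigestValue> carries."""
    digest = hashlib.sha1(canonical_form(xml_text).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def raw_digest(xml_text: str) -> str:
    """SHA-1 of the bytes as written: what a signer gets by skipping C14N."""
    return base64.b64encode(hashlib.sha1(xml_text.encode()).digest()).decode()

# Constructed responses shaped like the attachment (placeholder IDs and
# signature values). A and B carry identical information but differ in
# attribute order, quote style, empty-element form and signature bytes.
RESPONSE_A = (
    '<samlp:Response xmlns="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed-id"'
    ' IssueInstant="2011-11-08T16:41:09Z" Version="2.0">'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignatureValue>'
    'PLACEHOLDER_A</SignatureValue></Signature><samlp:Status><samlp:StatusCode'
    ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode>'
    '</samlp:Status><Assertion ID="_constructed-a" Version="2.0">'
    '<Issuer>example.myb.com</Issuer></Assertion></samlp:Response>'
)
RESPONSE_B = (
    "<samlp:Response xmlns='urn:oasis:names:tc:SAML:2.0:assertion'"
    " xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' Version='2.0'"
    " IssueInstant='2011-11-08T16:41:09Z' ID='_constructed-id'>"
    "<Signature xmlns='http://www.w3.org/2000/09/xmldsig#'><SignatureValue>"
    "PLACEHOLDER_B</SignatureValue></Signature><samlp:Status><samlp:StatusCode"
    " Value='urn:oasis:names:tc:SAML:2.0:status:Success'/>"
    "</samlp:Status><Assertion Version='2.0' ID='_constructed-a'>"
    "<Issuer>example.myb.com</Issuer></Assertion></samlp:Response>"
)
# C14N leaves whitespace text nodes alone, so a re-indented template hashes
# differently: keep the template itself canonical, as the post suggests.
RESPONSE_C = RESPONSE_A.replace("<Assertion", "\n  <Assertion")
```

Comparing reference_digest(RESPONSE_A) with reference_digest(RESPONSE_B) and RESPONSE_C reproduces the mismatch the post describes: A and B agree, C does not, and the raw (uncanonicalized) hashes of A and B never agree.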
