Found it!  Signature must be before Status...

On Monday, October 22, 2012 4:06:01 PM UTC-4, Mobile Team wrote:
>
> Hello.
>
> I have been "racking my brain" trying to figure out how to get Google Apps 
> to work with my SAMLResponse.  My SAMLResponse works just fine with a 
> simpleSAMLphp SP but fails every time with Google.
>
> Here is the request they are providing:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     ID="mpbjjibncopjikaegdheinnnhljkapegmilnmbic" Version="2.0"
>     IssueInstant="2012-10-22T19:54:58Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     ProviderName="google.com"
>     IsPassive="false"
>     AssertionConsumerServiceURL="https://www.google.com/a/XXX.apps-poc.com/acs">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/XXX.apps-poc.com</saml:Issuer>
>     <samlp:NameIDPolicy AllowCreate="true"
>         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
> </samlp:AuthnRequest>
>
> And my response:
>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     Destination="https://www.google.com/a/XXX.apps-poc.com/acs"
>     ID="_48b9b368bcb048c392e14568b8fb7be7"
>     InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
>     IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
>     <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
>     <samlp:Status>
>         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>     </samlp:Status>
>     <saml:Assertion ID="_7c3c9cf9b30e41eea419fd262e81ec10"
>         IssueInstant="2012-10-22T19:54:58Z" Version="2.0">
>         <saml:Issuer>XXX.apps-poc.com</saml:Issuer>
>         <saml:Subject>
>             <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[email protected]</saml:NameID>
>             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml:SubjectConfirmationData
>                     InResponseTo="mpbjjibncopjikaegdheinnnhljkapegmilnmbic"
>                     NotOnOrAfter="2012-10-22T19:59:58Z"
>                     Recipient="https://www.google.com/a/XXX.apps-poc.com/acs"/>
>             </saml:SubjectConfirmation>
>         </saml:Subject>
>         <saml:Conditions NotBefore="2012-10-22T19:49:58Z" NotOnOrAfter="2012-10-22T19:59:58Z">
>             <saml:AudienceRestriction>
>                 <saml:Audience>google.com/a/XXX.apps-poc.com</saml:Audience>
>             </saml:AudienceRestriction>
>         </saml:Conditions>
>         <saml:AuthnStatement AuthnInstant="2012-10-22T19:54:58Z"
>             SessionIndex="_7c3c9cf9b30e41eea419fd262e81ec10">
>             <saml:AuthnContext>
>                 <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
>             </saml:AuthnContext>
>         </saml:AuthnStatement>
>         <saml:AttributeStatement>
>             <saml:Attribute Name="uid">
>                 <saml:AttributeValue>USER</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="givenName">
>                 <saml:AttributeValue>XXX</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="sn">
>                 <saml:AttributeValue>XXX</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="displayName">
>                 <saml:AttributeValue>XXX</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="employeeNumber">
>                 <saml:AttributeValue>XXX</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="employeeType">
>                 <saml:AttributeValue>XXX</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="departmentNumber">
>                 <saml:AttributeValue>XXX</saml:AttributeValue>
>             </saml:Attribute>
>             <saml:Attribute Name="mail">
>                 <saml:AttributeValue>[email protected]</saml:AttributeValue>
>             </saml:Attribute>
>         </saml:AttributeStatement>
>     </saml:Assertion>
>     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <SignedInfo>
>             <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
>             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             <Reference URI="">
>                 <Transforms>
>                     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                 </Transforms>
>                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <DigestValue>G7NNJ82H9NCDO/xAEvjB1SXx+TQ=</DigestValue>
>             </Reference>
>         </SignedInfo>
>         <SignatureValue>
> adT7ZXk0LC8MWtpSMt5WChegDK/ShHfa/H1pd/XajUn91Bwy9hl0ZwIX8OVwO/ldno2c7GFn6J3L
> 1gnBtqaHBJXHaLIOKq6mGVNo41FSQabSpFuc5LVpKpbLM2XCrJ4b3z/WumiIF2FWYkiT03U3V17Z
> hSx695ckAUWoJZX/MwwfTFrCFSwbfNXAgIyldrf/XjOdNlbvguN51IgHWH/UFvWDfGRkc6c+dQL0
> oNxbg6fi6W6MhKfgCtYEPmjHmZPoSIoHGGO64YG9t1f7l9ySJgt9U96lPGTSIsWDjA7u5vbEaC0D
> rdLw0WLJNxuJUk2v/2AmMsC2RzBZ6Oiaxouz2w==</SignatureValue>
>         <KeyInfo>
>             <X509Data>
>                 <X509Certificate>
> MIIDkTCCAnmgAwIBAgIEFvzmHDANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzENMAsGA1UE
> CBMET2hpbzERMA8GA1UEBxMIRmFpcmxhd24xHzAdBgNVBAoTFlN0ZXJsaW5nIEpld2VsZXJzIElu
> Yy4xCzAJBgNVBAsTAklUMRowGAYDVQQDExFTdGVybGluZyBGZWRlcmF0ZTAeFw0xMjEwMjIxOTQ2
> MDRaFw00MDAzMDgxOTQ2MDRaMHkxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRPaGlvMREwDwYDVQQH
> EwhGYWlybGF3bjEfMB0GA1UEChMWU3RlcmxpbmcgSmV3ZWxlcnMgSW5jLjELMAkGA1UECxMCSVQx
> GjAYBgNVBAMTEVN0ZXJsaW5nIEZlZGVyYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
> AQEAo1F9Kslp8F1XkjaPperaZbVP3GAtSjPqlCCzL0uKPhYjeQJDi4oSWcQIurA8YczXzRpipwl0
> 2TvUewuSfmLCKnrXzTmXXIgoXczu9RdrQT7P4ftRnJflzoKllPlLbmHiqMoS6QDlYk4Eom9U0IXw
> ZnDl7pmY1QvmilHe7cTteQWqz66S2AZb36vndz00nXspJXKi/y4WISU4xOQQF3sKl6H0865aFd4p
> ifh0+Fu16uVzPzFzHX4QsrjwRkaIOfG9/DI4OZINr2bXKTJTs2d7RM1mB5Ph3vr79iewjd4CA7ev
> 1MjxrLw9/SZNrsJ6nI6rOIQYiAbMON6asMtgHboM/wIDAQABoyEwHzAdBgNVHQ4EFgQUOEbUyOdZ
> nS6yX8O8tXaDl1ji3HcwDQYJKoZIhvcNAQELBQADggEBAGcYBOFMc8ZEvAaH8Me4eODvW03BrjqY
> BxBEeMJ8pbBxfRIyRwwC+hAIHdzZYQJpeiYrefN/+S9jM9pIW06810Cz0aM5GoTZlCGtCfuywjFd
> /WkChX6I3UlZDo6LZYZMFTKGcFvf3W/MOZ5BCylvUHmXQXyZcPE1PN5HQaiu7i0DGe9VByw0PkEP
> 6r3rSbRkSDNgaLziHLONURNAlsP1uTeLeIQCB0IPoXak23bh9Vv+8mtOakzbpKvfasRcVxHPRNjD
> rJU6Ed0aULWrxDTrYuZl85okRWCrpxgfgYqOiwgHH7xHEmdpDXK40OMJuhNcRGNz4UtDfqcjIhb+
> PZgN45Y=</X509Certificate>
>             </X509Data>
>         </KeyInfo>
>     </Signature>
> </samlp:Response>
>
> I have tried:
>
>    - Generating new certificates
>    - Using DSA instead of RSA
>    - Changing validity days to 180
>    - 1024 bits instead of 2048
>    - Removing the response Issuer
>    - Changing the Issuer
>    - Changing the NameID Format and value
>    - Setting Audience to the request Issuer
>    - Setting Audience to the ACS URL
>    - Removing SessionIndex
>    - Adding SPNameQualifier
>    - Removing all attributes
>    - Removing Destination from the response
>    - Using the request's IssueInstant for calculations
>    - Setting Reference URI in Signature to the Assertion ID (starting 
>    with #) - this causes simpleSAMLphp to fail along with Google
>    - Replacing the _ in my UUIDs with the letter 'a'
>
> So far I have not gotten it to work even once and I've tried just about 
> every combination of the above changes...  Can anyone provide some insight 
> to why this is not working?
>
> For reference, I created the cert by following 
> https://developers.google.com/google-apps/help/articles/sso-keygen#JavaKeyTool
>
> Thank you!
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-apps-mgmt-apis/-/1J5Fj7oyj50J.
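The fix the reply points at is a schema-ordering rule: the SAML 2.0 protocol schema defines samlp:Response as the sequence Issuer, ds:Signature, Extensions, Status, then Assertion/EncryptedAssertion, and the response above puts the Signature last. The checker below is an added example written for this thread (not the poster's code and not anything from Google or simpleSAMLphp); it flags the misplaced child and reorders an unsigned response, using a constructed minimal response that copies the poster's element order.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, ns in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, ns)  # keep readable prefixes when re-serialising

# Rank of each permitted child of samlp:Response in SAML 2.0 schema order
# (EncryptedAssertion shares the Assertion rank).
RESPONSE_ORDER = {
    f"{{{SAML}}}Issuer": 0,
    f"{{{DS}}}Signature": 1,
    f"{{{SAMLP}}}Extensions": 2,
    f"{{{SAMLP}}}Status": 3,
    f"{{{SAML}}}Assertion": 4,
    f"{{{SAML}}}EncryptedAssertion": 4,
}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix ElementTree adds

def check_response_order(xml_text):
    """Return ordering problems as strings; an empty list means the order is schema-valid."""
    root = ET.fromstring(xml_text)
    problems, seen = [], []  # seen: (rank, tag) of the children visited so far
    for child in root:
        rank = RESPONSE_ORDER.get(child.tag)
        if rank is None:
            problems.append(f"unexpected child <{local(child.tag)}>")
            continue
        earlier = [tag for r, tag in seen if r > rank]  # siblings that should follow this one
        if earlier:
            problems.append(f"<{local(child.tag)}> must appear before <{local(earlier[0])}>")
        seen.append((rank, child.tag))
    return problems

def reorder_response(xml_text):
    """Return the response with children in schema order. Apply this to the UNSIGNED
    document: an enveloped signature covers the whitespace around the moved element,
    so reordering after signing invalidates the digest."""
    root = ET.fromstring(xml_text)
    children = list(root)
    for child in children:
        root.remove(child)
    for child in sorted(children, key=lambda c: RESPONSE_ORDER.get(c.tag, 99)):  # stable
        root.append(child)
    return ET.tostring(root, encoding="unicode")

# Constructed sample mirroring the poster's layout: Signature placed after the Assertion.
BAD = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
       '<saml:Issuer>idp.example.com</saml:Issuer>'
       '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
       '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>idp.example.com</saml:Issuer></saml:Assertion>'
       f'<Signature xmlns="{DS}"><SignedInfo/><SignatureValue>AAAA</SignatureValue></Signature>'
       '</samlp:Response>')
```

Running `check_response_order(BAD)` reports that Signature must appear before Status; `reorder_response(BAD)` yields a document the checker accepts, which is the shape to hand to the signing step.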