Google Apps + v3 Idp (again)
Andrew Morgan
morgan at orst.edu
Thu Apr 14 12:10:14 EDT 2016
On Thu, 14 Apr 2016, Dave Perry wrote:
> That (with the odd change) has got me to the same point I reached
> yesterday - I have a SAML response which has my email address in the
> NameID, in the right format according to DEBUG. But google is still
> rejecting it. No attribute beyond the nameID being released.
>
> Would you be willing to share a response, with your certificate element
> snipped, for me to compare to?
Here is a complete assertion:
<saml2p:Response Destination="https://www.google.com/a/oregonstate.edu/acs"
ID="_2ebca78d34426e121093b5ebaf186c86"
InResponseTo="oamfblagmnmgedckhinmcmdpdfddpjinkmicdeal"
IssueInstant="2016-04-14T16:03:49.708Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://login.oregonstate.edu/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_2ebca78d34426e121093b5ebaf186c86">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>biEJ9Jrp264dNAeZdRb1vJMZvZt5aBq5tET21YbhXa4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
KzNIKjKa9QX168fDIulSdVym0EYHi5dEqMMh1H6FPAf9u8UL/11JkAeMdxEUqJvd0Q+NndS1BGQM
BlFRb2rxnDYL4ZObyyz7lmcu4ZPFXotA+QuxtIkf6YyUq3qtFWFWkh04OJD1v2mu5qnUoA12kBMK
6ko33WXDSE+4ypmeePpinYzIY+FJhHtE0HTIESjMLp6D/xmQ8AkgT/UIGPOyLWb72wdnt8IXwhDz
OfgJ4/MOHQcxiWWv26wxk+aTmr//8OlCF3SqevJjAzgCRIwbnM5wZEsFhwsCGOIUcXST6KSTiAwi
7Y0jaKXAt5wMniNdPrFJVdSDAV6TteW5Cza4PQ==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDPzCCAiegAwIBAgIUEfvjo0YbOpCuYoilEkORPgg2kOEwDQYJKoZIhvcNAQEFBQAwIDEeMBwG...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="_8c4a38d16c0dd4d30184ba6bc85cb24b"
IssueInstant="2016-04-14T16:03:49.708Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:Issuer>https://login.oregonstate.edu/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NameQualifier="https://login.oregonstate.edu/idp/shibboleth"
SPNameQualifier="google.com/a/oregonstate.edu"
>morgana at oregonstate.edu</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.214.121.42"
InResponseTo="oamfblagmnmgedckhinmcmdpdfddpjinkmicdeal"
NotOnOrAfter="2016-04-14T16:08:49.715Z"
Recipient="https://www.google.com/a/oregonstate.edu/acs"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-04-14T16:03:49.708Z"
NotOnOrAfter="2016-04-14T16:08:49.708Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>google.com/a/oregonstate.edu</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2016-04-14T16:03:49.647Z"
SessionIndex="_e79b9d2af5dfd6ac754bd9bcc81705a4"
>
<saml2:SubjectLocality Address="10.214.121.42" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Kind of an obvious question, but have you compared the assertions between
your IDPv2 and IDPv3 attempts?
Andy
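Andy's suggestion of comparing the IdPv2 and IdPv3 assertions is easier to act on if both responses are flattened to the handful of fields a Google Apps ACS actually checks (status, NameID and its format, Destination/Recipient, Audience, InResponseTo, validity window, released attributes, presence of a signature). The script below is an added example, not code from the thread or from Shibboleth; it parses a constructed sample response modelled on the one above (a hypothetical example.edu tenant with a placeholder signature value), prints a summary, flags what an ACS would reject, and diffs two summaries. It only checks that a ds:Signature element exists; cryptographic verification needs an xmlsec library and is out of scope here.

```python
"""Added example (not from the mailing-list post): flatten a SAML 2.0 Response into
the fields a Google Apps ACS relies on, sanity-check them, and diff two such
summaries (e.g. IdPv2 output vs IdPv3 output). Signature presence only; no
cryptographic verification."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response in the post: hypothetical example.edu
# tenant, placeholder signature. Not a real capture.
SAMPLE = """<saml2p:Response Destination="https://www.google.com/a/example.edu/acs"
  ID="_resp1" InResponseTo="_req1" IssueInstant="2016-04-14T16:03:49.708Z" Version="2.0"
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Issuer>https://login.example.edu/idp/shibboleth</saml2:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" IssueInstant="2016-04-14T16:03:49.708Z" Version="2.0">
    <saml2:Issuer>https://login.example.edu/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        SPNameQualifier="google.com/a/example.edu">jdoe@example.edu</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2016-04-14T16:08:49.715Z"
          Recipient="https://www.google.com/a/example.edu/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2016-04-14T16:03:49.708Z" NotOnOrAfter="2016-04-14T16:08:49.708Z">
      <saml2:AudienceRestriction><saml2:Audience>google.com/a/example.edu</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_instant(s):
    """SAML UTC dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("bad SAML timestamp: %r" % s)


def summarize(xml_text):
    """Flatten the fields worth diffing between two IdP builds into a dict."""
    resp = ET.fromstring(xml_text)
    asrt = resp.find("saml2:Assertion", NS)
    nameid = asrt.find("saml2:Subject/saml2:NameID", NS)
    scd = asrt.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    cond = asrt.find("saml2:Conditions", NS)
    return {
        "status": resp.find("saml2p:Status/saml2p:StatusCode", NS).get("Value"),
        "destination": resp.get("Destination"),
        "in_response_to": resp.get("InResponseTo"),
        "issuer": (asrt.findtext("saml2:Issuer", namespaces=NS) or "").strip(),
        "nameid": (nameid.text or "").strip(),
        "nameid_format": nameid.get("Format"),
        "sp_name_qualifier": nameid.get("SPNameQualifier"),
        "recipient": scd.get("Recipient"),
        "scd_in_response_to": scd.get("InResponseTo"),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "audience": (cond.findtext("saml2:AudienceRestriction/saml2:Audience", namespaces=NS) or "").strip(),
        # Attribute names released alongside the NameID (empty in the post's response)
        "attributes": [a.get("Name") for a in asrt.findall("saml2:AttributeStatement/saml2:Attribute", NS)],
        # Presence only: the Response or the Assertion carries an enveloped signature
        "signed": resp.find("ds:Signature", NS) is not None or asrt.find("ds:Signature", NS) is not None,
    }


def check(summary, expected_acs, expected_audience, now):
    """Return the list of reasons an ACS would reject this response (empty if none)."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append("status is not Success")
    if summary["nameid_format"] != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    if "@" not in summary["nameid"]:
        problems.append("NameID is not an email address")
    if summary["destination"] != expected_acs:
        problems.append("Destination != ACS URL")
    if summary["recipient"] != expected_acs:
        problems.append("Recipient != ACS URL")
    if summary["audience"] != expected_audience:
        problems.append("Audience != SP entity ID")
    if summary["in_response_to"] != summary["scd_in_response_to"]:
        problems.append("InResponseTo mismatch between Response and SubjectConfirmationData")
    if not (parse_instant(summary["not_before"]) <= now < parse_instant(summary["not_on_or_after"])):
        problems.append("outside Conditions validity window")
    if not summary["signed"]:
        problems.append("no ds:Signature present")
    return problems


def diff(left, right):
    """Keys whose values differ between two summaries, e.g. IdPv2 vs IdPv3 output."""
    return sorted(k for k in left if left[k] != right.get(k))


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for k, v in s.items():
        print("%-20s %s" % (k, v))
    print(check(s, "https://www.google.com/a/example.edu/acs", "google.com/a/example.edu",
                parse_instant("2016-04-14T16:05:00Z")))
```

To compare two IdP builds, feed each captured response (from the IdP's DEBUG log or a browser SAML tracer) to summarize() and run diff() on the two dicts; the keys it returns are where the v2 and v3 configurations disagree. The "attributes" entry makes the "no attribute beyond the NameID" situation visible at a glance.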