Google SAML Response XML


I am trying to set up Google as SP and my own database as IdP. I have configured my G Suite account with my login and logout URL, and Google is redirecting to them perfectly. But after the SAML request from Google, when I try to generate the SAML response, I get "G Suite - This account cannot be accessed because the login credentials could not be verified."

Below is my SAML Response XML:

<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
    <!ATTLIST samlp:Response ID ID #IMPLIED>
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="n7dff0678252c667b24cae2be1925746166d0906c"
    Version="2.0"
    IssueInstant="2017-01-12T12:05:23Z"
    Destination="https://www.google.com/a/demo.mediaagility.com/acs">
  <saml:Issuer>google.com/a/demo.mediaagility.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#n7dff0678252c667b24cae2be1925746166d0906c">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>bcUzuWbYSccmvCXN25mXaW7u1qw=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>6L7UmVK/76MeVupEUKSLySrLEntcDrI0CPad3TQEN3D7BDKgoRpfWXWiQElsk64i
H0c1iCfrDEApoAFe17iORowmJlghumTJzzCXfPhcvpecj2UmikivULyM87eKNVGa
kEG4ZXS/1OqWwZ3HpVtHK3VPYPQY1FnvAnAEeZNj3zRgv3hyuAHXaUcAEHVYbLGa
uvkbQrOSlVafHMPEj++go3AS6B6QFxonVGYbf5FE+txkKocyudLBf94IJl6Gd3o0
VCMj7UewcXm1MweXOZyh+M6AXTt125QQGZFPJWiTMDTjFWIKzGXdh/Rau/B1S1KU
BG4VbE0C8goQfGwbKhQ3jg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
<ds:X509Certificate>MIIEBzCCAu+gAwIBAgIJANPE0ekUwoLyMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD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</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="gf860726b83c8386cdd3d89131223f535cb51f615" IssueInstant="2017-01-12T12:05:23Z">
    <saml:Issuer>google.com/a/demo.mediaagility.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="nhchacfajpmpbahlbbdoneoncpicjheamlgooigp" Recipient="https://www.google.com/a/demo.mediaagility.com/acs" NotOnOrAfter="2017-01-13T12:05:23Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-01-12T12:05:23Z" NotOnOrAfter="2017-01-13T12:05:23Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com/a/demo.mediaagility.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-01-12T12:05:23Z" SessionIndex="gf860726b83c8386cdd3d89131223f535cb51f615">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

I used the python-saml package to sign my SAML response:

import os
from onelogin.saml2.utils import OneLogin_Saml2_Utils

def sign_response(samlXML):
    # keys/ directory three levels above this file holds cert.pem and private_key.pem
    bPath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))), "keys")
    with open(os.path.join(bPath, "cert.pem")) as f:
        cert = f.read()
    with open(os.path.join(bPath, "private_key.pem")) as f:
        key = f.read()
    # add_sign inserts an enveloped ds:Signature into the XML and returns the signed document
    signedData = OneLogin_Saml2_Utils.add_sign(samlXML, key, cert)
    return signedData

Any help will be much appreciated. I am using Python.

Below is my Google SSO configuration.


1 answer

Thuan On

You need to base64 your response. One way to test your code is to test it against another SP that can give you a better error message, such as SimpleSamlPhp. Anyway, below is a response for Google Apps that works for me. Two things I noticed: your response doesn't have an Issuer, and the audience restriction is different.

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
       ID="_e8d051da91c78463aab61868a575a99bbba1266a2b"
       Version="2.0"
       IssueInstant="2017-01-09T04:43:37Z"
       Destination="https://www.google.com/a/mydomain.com/acs"
       InResponseTo="dcbcmhemepohapphnloohdmmmimbmanljcnmkabp">
  <saml:Issuer>myissuer</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_e8d051da91c78463aab61868a575a99bbba1266a2b">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>G5fRiUNgyak14pNsjas8UCWfzUQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Sz8Aa9oEnOiWW4MscHdgTjJxtstzYo2IGdVBZC3jlIIBYUYS1HPdva5M9pfdL+wJohnZ4id+xfeW+xDVQmL0/ivgFR7PRBWQicGmcbPxMhynPkS3JUbUIDKuqwcKWqKJ2aOdyxr2MBOQjRrGwOG/Q1b55j6q4mBJKqW0JmKgeYZOW6Af9R3D/oyLKvG/IHNiptSsPbwuz+QLPtglbwjYocRpXyV4oW267CJleqtlXt9gprVERXtaKEAx1LVNLFiy8YYwuBVjUMljxvqfkvu9ygsaOTDyUE6X8u1U6wXhEALvX+bL9aqOtj3OS7XAHyzlHDyxuqAybqHsFkUWO66d7g==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
blah blah
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        ID="_03d8531d7a6344272153841942e3a4c3aa298ff0ce"
        Version="2.0"
        IssueInstant="2017-01-09T04:43:37Z">
    <saml:Issuer>myissuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="google.com/a/mydomain.com"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[email protected]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-01-09T04:48:37Z"
              Recipient="https://www.google.com/a/mydomain.com/acs"
              InResponseTo="dcbcmhemepohapphnloohdmmmimbmanljcnmkabp" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-01-09T04:43:07Z"
          NotOnOrAfter="2017-01-09T04:48:37Z">
      <saml:AudienceRestriction>
        <saml:Audience>google.com/a/mydomain.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-01-09T04:43:37Z"
          SessionNotOnOrAfter="2017-01-09T12:43:37Z"
          SessionIndex="_f2e2722e24cb27743c12de9ca41765554aa3186214">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
RelayState
https://www.google.com/a/mydomain.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
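As an added example (not code from the question, the answer, or the python-saml project): a stdlib-only Python pre-flight checker that covers the points the answer raises before a response is POSTed to Google. It checks that both the Response and the Assertion carry an Issuer, that the Audience equals the SP entity ID, that Destination, Recipient and InResponseTo are tied to the ACS URL and the AuthnRequest ID, that the validity window is open, that the enveloped signature's Reference points at the Response ID, and it base64-encodes the result for the SAMLResponse form field (HTTP-POST binding). It also flags a DOCTYPE declaration, which SAML processors (python-saml's own validator included) reject because DTD processing opens the door to XXE. The domain example.com, the IDs _resp1 and _req1, the timestamps and the signature contents are constructed placeholders; the checker does not verify the XML signature itself (that is what python-saml/xmlsec is for).

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 / XML-DSig namespace URIs
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-01-09T04:48:37Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, audience, acs_url, request_id, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if "<!DOCTYPE" in xml_text:  # DTDs are rejected by SAML processors (XXE risk)
        problems.append("DOCTYPE present: SAML processors reject DTDs")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return problems + ["root element is not samlp:Response"]
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo missing or not the AuthnRequest ID")
    if root.find("saml:Issuer", NS) is None:
        problems.append("Response has no Issuer")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        problems.append("enveloped signature missing or Reference URI is not the Response ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    if assertion.find("saml:Issuer", NS) is None:
        problems.append("Assertion has no Issuer")
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("Assertion has no Subject/NameID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient does not match the ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData InResponseTo is not the AuthnRequest ID")
        if "NotOnOrAfter" not in scd.attrib or now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter missing or already passed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter already passed")
        aud = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in aud:
            problems.append("Audience %r not in AudienceRestriction %r" % (audience, aud))
    return problems

def encode_for_post(xml_text):
    """Base64 the signed XML for the SAMLResponse form field (HTTP-POST binding)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def decode_from_post(field_value):
    return base64.b64decode(field_value).decode("utf-8")

# Constructed sample shaped like the working response in the answer; signature
# contents are placeholders because this checker does not verify the signature.
ACS = "https://www.google.com/a/example.com/acs"
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2017-01-09T04:43:37Z" Destination="%s" InResponseTo="_req1">
  <saml:Issuer>myissuer</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-09T04:43:37Z">
    <saml:Issuer>myissuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-01-09T04:48:37Z" Recipient="%s" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-01-09T04:43:07Z" NotOnOrAfter="2017-01-09T04:48:37Z">
      <saml:AudienceRestriction><saml:Audience>google.com/a/example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (ACS, SUCCESS, ACS)
NOW = datetime(2017, 1, 9, 4, 44, 0, tzinfo=timezone.utc)  # inside the sample's window

if __name__ == "__main__":
    print(check_response(SAMPLE, "google.com/a/example.com", ACS, "_req1", NOW))  # []
    print(check_response(SAMPLE, "google.com/a/other.com", ACS, "_req1", NOW))    # audience mismatch
    print(encode_for_post(SAMPLE)[:40], "...")
```

Run the checker on the XML returned by add_sign before base64-encoding it; every message it prints corresponds to a field Google verifies silently, which is why the only feedback on the Google side is "login credentials could not be verified".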