Google SAML SSO:无法访问此帐户,因为无法验证登录凭据

时间:2015-12-28 05:23:04

标签: single-sign-on google-apps saml saml-2.0

我一直在尝试使用 SAML 为我们公司对 Google 应用进行身份验证,但总是得到"无法访问此帐户,因为无法验证登录凭据。"签名本身看来没有问题,因为我已在 https://www.samltool.com/validate_response.php 上测试过它。

响应:

<?xml 
version="1.0" 
encoding="UTF-8"?>
<!-- Reviewer annotations. The CanonicalizationMethod and Transform below use
     exclusive C14N without the WithComments variant, so XML comments are dropped
     during canonicalization and these notes do not change the signed digest. -->
<samlp:Response 
    ID="_fc7fc038e01043acd7d4" 
    IssueInstant="2015-12-28T04:57:37.087Z" 
    Version="2.0" 
    Destination="https://www.google.com/a/sellyx.com/acs" 
    InResponseTo="inkglhhncmbkicmioiiinchbbhepenfoemkcpiej" 
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <!-- No Issuer element at Response level; only the Assertion carries one.
         SAML Core makes it optional here, but an SP that selects the signing
         key by the Response issuer has nothing to look up. TODO confirm what
         the SP requires. The xenc prefix is declared but unused. -->
    <ds:Signature 
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod 
                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <!-- rsa-sha1 (here) and sha1 (DigestMethod below) are deprecated;
                 SHA-1 collisions are practical and most SPs now reject SHA-1
                 signatures. Prefer
                 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 with
                 http://www.w3.org/2001/04/xmlenc#sha256. -->
            <ds:SignatureMethod 
                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference 
                URI="#_fc7fc038e01043acd7d4">
                <!-- The Reference points at the Response element that contains
                     this very Signature, but Transforms lists only exc-c14n.
                     Without http://www.w3.org/2000/09/xmldsig#enveloped-signature
                     the digested bytes include the ds:Signature element itself,
                     so a strict verifier cannot reproduce the digest; a lenient
                     standalone validator may still accept it. The accepted
                     answer adds exactly that transform. -->
                <ds:Transforms>
                    <ds:Transform 
                        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod 
                    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <!-- Whitespace around the base64 value is normally tolerated by
                     verifiers, but emitting it on one line avoids relying on that. -->
                <ds:DigestValue>
                    m0Lhn42KcGeOXuTdzMRY93MsPNY=
                </ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>I7nlVY44KWeURB35YjOZ2Rt3kkN8zj1rzF66789U7diOaR4WJazv/i+38RkqlCc1DvSxy3uVsXCq11BmdA3k0r9vnhuKMsZUktrpIAhW93H1cs37PfuYoiu7FFaEgbCcg+OcyjyJ18JcvbgXqKbvv/i8ltRM7JUOr6V+OT/
            U6l8=
        </ds:SignatureValue>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <!-- The Assertion itself is unsigned; only the enclosing Response is signed,
         so the Assertion is protected only while it stays inside this Response.
         Its IssueInstant (2003-04-17) does not match the Response IssueInstant
         (2015-12-28) and looks like a stale template value; an SP that checks
         assertion freshness may reject it. -->
    <Assertion 
        ID="_bba47c30283081e8468c" 
        IssueInstant="2003-04-17T00:46:02Z" 
        Version="2.0" 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://auth.sellyx.com/IDP</Issuer>
        <Subject>
            <!-- The NameID text ends with a line break and indentation before the
                 closing tag; an SP that does not trim compares that padded
                 string against the account identifier. TODO confirm the SP trims. -->
            <NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc@sellyx.com
            </NameID>
            <!-- Bearer confirmation: Recipient equals the Response Destination,
                 InResponseTo equals the Response InResponseTo, and NotOnOrAfter
                 equals the Conditions NotOnOrAfter. These are the values an SP
                 compares before accepting a bearer assertion. -->
            <SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData 
                    Recipient="https://www.google.com/a/sellyx.com/acs" 
                    NotOnOrAfter="2015-12-28T05:00:57.087Z" 
                    InResponseTo="inkglhhncmbkicmioiiinchbbhepenfoemkcpiej"/>
            </SubjectConfirmation>
        </Subject>
        <!-- Validity window of about 6.5 minutes (roughly 3 minutes either side
             of the Response IssueInstant), which bounds replay exposure and
             tolerates modest clock skew. -->
        <Conditions 
            NotBefore="2015-12-28T04:54:17.087Z" 
            NotOnOrAfter="2015-12-28T05:00:57.087Z">
            <!-- Audience is set to the ACS URL. An Audience is normally the SP
                 entityID rather than its ACS endpoint; if the SP expects a
                 different value it rejects the assertion. TODO confirm the
                 audience value the SP publishes. -->
            <AudienceRestriction>
                <Audience>https://www.google.com/a/sellyx.com/acs</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement 
            AuthnInstant="2015-12-28T04:57:37.087Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

1 个答案:

答案 0 :(得分:0)

添加另一个封装签名变换后,问题就解决了。