Discussion:
Issue parsing SAML Response - This account cannot be accessed because we could not parse the login request.
Yogs
2007-10-11 11:24:37 UTC
Permalink
Hi,

Whenever I am trying to access ACS URL, I am getting error -
"Google Apps - This account cannot be accessed because we could not
parse the login request. "

I've compared the SAML response with a site which is already using
Google Apps and is LIVE.

Can you please check the following SAML Response & RelayState Value
and suggest me if anything wrong with this SAML response?

========================

<html>
<head>
<META HTTP-EQUIV="content-type" CONTENT="text/html;
charset=iso-8859-1">
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
</head>
<body onload="document.redir.submit()">
<form name="redir" action="https://www.google.com/a/myairtelmail.com/
acs" method="post">
<div style="display:none">
<textarea rows="10" cols="80" name="SAMLResponse">
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://www.google.com/a/myairtelmail.com/acs"
ID="lhmdkmihnppigfbomacneglainhnnpheamhacfin"
InResponseTo="kbeochpnenchndfdelcfckagnkkefhilcdfabdpe"
IssueInstant="2007-10-11T16:44:07Z" Version="2.0">
<samlp:Issuer xmlns:saml="urn:oasis:names:tc:SAML:
2.0:assertion">https://myairtelmail.com</samlp:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:
2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/
</samlp:StatusCode>
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>

</textarea>
<input type="hidden" name="RelayState" value=https://www.google.com/
a/myairtelmail.com/ServiceLogin?
service=ig&passive=true&continue=http://partnerpage.google.com/
myairtelmail.com/default/postlogin?pid=myairtelmail.com&url=http://
partnerpage.google.com/myairtelmail.com&followup=http://
partnerpage.google.com/myairtelmail.com/default/postlogin?
pid=myairtelmail.com&url=http://partnerpage.google.com/
myairtelmail.com&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true /
</div>
</form>
</body>
</html>


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
To post to this group, send email to google-apps-***@googlegroups.com
To unsubscribe from this group, send email to google-apps-apis-***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
kinetek
2007-10-11 20:05:58 UTC
Permalink
You don't have a closing >
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:
2.0:status:NoPassive"/


and try removing...
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
Post by Yogs
Hi,
Whenever I am trying to access ACS URL, I am getting error -
"Google Apps - This account cannot be accessed because we could not
parse the login request. "
I've compared the SAML response with a site which is already using
Google Apps and is LIVE.
Can you please check the following SAML Response & RelayState Value
and suggest me if anything wrong with this SAML response?
========================
<html>
<head>
<META HTTP-EQUIV="content-type" CONTENT="text/html;
charset=iso-8859-1">
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
</head>
<body onload="document.redir.submit()">
<form name="redir" action="https://www.google.com/a/myairtelmail.com/
acs" method="post">
<div style="display:none">
<textarea rows="10" cols="80" name="SAMLResponse">
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://www.google.com/a/myairtelmail.com/acs"
ID="lhmdkmihnppigfbomacneglainhnnpheamhacfin"
InResponseTo="kbeochpnenchndfdelcfckagnkkefhilcdfabdpe"
IssueInstant="2007-10-11T16:44:07Z" Version="2.0">
2.0:assertion">https://myairtelmail.com</samlp:Issuer>
<samlp:Status>
2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/
</samlp:StatusCode>
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>
</textarea>
<input type="hidden" name="RelayState" value=https://www.google.com/
a/myairtelmail.com/ServiceLogin?
service=ig&passive=true&continue=http://partnerpage.google.com/
myairtelmail.com/default/postlogin?pid=myairtelmail.com&url=http://
partnerpage.google.com/myairtelmail.com&followup=http://
partnerpage.google.com/myairtelmail.com/default/postlogin?
pid=myairtelmail.com&url=http://partnerpage.google.com/
myairtelmail.com&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true /
</div>
</form>
</body>
</html>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
To post to this group, send email to google-apps-***@googlegroups.com
To unsubscribe from this group, send email to google-apps-apis-***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
Yogs
2007-10-12 07:19:07 UTC
Permalink
It was a typo-error. When I checked the SAML response again, I found
that the ending ">" exists there.

I also tried removing "samlp:StatusMessage" but it didnot work.

Can we get the logs from Google end to check what error they are
getting while parsing my SAML response? I think it should paste or
mail the error details which occurs while parsing SAML Response.

Regards
Yogesh
Post by kinetek
You don't have a closing >
2.0:status:NoPassive"/
and try removing...
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
Post by Yogs
Hi,
Whenever I am trying to access ACS URL, I am getting error -
"Google Apps - This account cannot be accessed because we could not
parse the login request. "
I've compared the SAML response with a site which is already using
Google Apps and is LIVE.
Can you please check the following SAML Response & RelayState Value
and suggest me if anything wrong with this SAML response?
========================
<html>
<head>
<META HTTP-EQUIV="content-type" CONTENT="text/html;
charset=iso-8859-1">
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
</head>
<body onload="document.redir.submit()">
<form name="redir" action="https://www.google.com/a/myairtelmail.com/
acs" method="post">
<div style="display:none">
<textarea rows="10" cols="80" name="SAMLResponse">
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://www.google.com/a/myairtelmail.com/acs"
ID="lhmdkmihnppigfbomacneglainhnnpheamhacfin"
InResponseTo="kbeochpnenchndfdelcfckagnkkefhilcdfabdpe"
IssueInstant="2007-10-11T16:44:07Z" Version="2.0">
2.0:assertion">https://myairtelmail.com</samlp:Issuer>
<samlp:Status>
2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/
</samlp:StatusCode>
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>
</textarea>
<input type="hidden" name="RelayState" value=https://www.google.com/
a/myairtelmail.com/ServiceLogin?
service=ig&passive=true&continue=http://partnerpage.google.com/
myairtelmail.com/default/postlogin?pid=myairtelmail.com&url=http://
partnerpage.google.com/myairtelmail.com&followup=http://
partnerpage.google.com/myairtelmail.com/default/postlogin?
pid=myairtelmail.com&url=http://partnerpage.google.com/
myairtelmail.com&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true /
</div>
</form>
</body>
</html>- Hide quoted text -
- Show quoted text -
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
To post to this group, send email to google-apps-***@googlegroups.com
To unsubscribe from this group, send email to google-apps-apis-***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
Alex (Google)
2007-10-12 17:10:59 UTC
Permalink
Hi Yogesh,

There are a few things.

- Make sure there is no space before <?xml

- <samlp:Issuer should be <saml:Issuer

- In the RelayState, make sure & is escaped as &amp;, otherwise you'll
have trouble with Internet Explorer since it interprets &ltmptlas <mpl

Let us know if it still gives a parse error after these adjustments.

-alex
Post by Yogs
It was a typo-error. When I checked the SAML response again, I found
that the ending ">" exists there.
I also tried removing "samlp:StatusMessage" but it didnot work.
Can we get the logs from Google end to check what error they are
getting while parsing my SAML response? I think it should paste or
mail the error details which occurs while parsing SAML Response.
Regards
Yogesh
Post by kinetek
You don't have a closing >
2.0:status:NoPassive"/
and try removing...
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
Post by Yogs
Hi,
Whenever I am trying to access ACS URL, I am getting error -
"Google Apps - This account cannot be accessed because we could not
parse the login request. "
I've compared the SAML response with a site which is already using
Google Apps and is LIVE.
Can you please check the following SAML Response & RelayState Value
and suggest me if anything wrong with this SAML response?
========================
<html>
<head>
<META HTTP-EQUIV="content-type" CONTENT="text/html;
charset=iso-8859-1">
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
</head>
<body onload="document.redir.submit()">
<form name="redir" action="https://www.google.com/a/myairtelmail.com/
acs" method="post">
<div style="display:none">
<textarea rows="10" cols="80" name="SAMLResponse">
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://www.google.com/a/myairtelmail.com/acs"
ID="lhmdkmihnppigfbomacneglainhnnpheamhacfin"
InResponseTo="kbeochpnenchndfdelcfckagnkkefhilcdfabdpe"
IssueInstant="2007-10-11T16:44:07Z" Version="2.0">
2.0:assertion">https://myairtelmail.com</samlp:Issuer>
<samlp:Status>
2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/
</samlp:StatusCode>
<samlp:StatusMessage>no session, user interaction forbidden by
isPassive.</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>
</textarea>
<input type="hidden" name="RelayState" value=https://www.google.com/
a/myairtelmail.com/ServiceLogin?
service=ig&passive=true&continue=http://partnerpage.google.com/
myairtelmail.com/default/postlogin?pid=myairtelmail.com&url=http://
partnerpage.google.com/myairtelmail.com&followup=http://
partnerpage.google.com/myairtelmail.com/default/postlogin?
pid=myairtelmail.com&url=http://partnerpage.google.com/
myairtelmail.com&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true /
</div>
</form>
</body>
</html>- Hide quoted text -
- Show quoted text -
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
To post to this group, send email to google-apps-***@googlegroups.com
To unsubscribe from this group, send email to google-apps-apis-***@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---

Loading...