SAML Response for Google apps?

Just taking a quick glance, I do not believe Google supports signatures on both the Response & Assertion. I would simplify the setup by removing the signature from the Assertion and leave the Response signed as a first step. You may also want to double check the Audience value and see whether "google.Com" or "google.com/a/sparxlabs.com" is the expected value.

I took this response from Shibboleth, then I actually mimicked it. Shibboleth response does work and has both signatures – daniel Aug 12 at 18:51.

I see some points that may be a problem: the two Reference IDs in your signatures are empty. There is an ambiguity, as implicitly this means that both signatures cover the complete XML document, which is wrong. The SAML specification says that you should explicitly point to the ID of the signed element.

The code you post seems to suggest that this is a custom-made response. Generating an enveloped XML Digital Signature is not that simple, as it needs to be embedded at the exact moment you sign the document. You only apply the canonicalization.

You should also apply the two transforms specified in the signature. As stated there, the Audience element should point to the EntityID of your ACS, like Ian suggested. It's also possible that "google.Com" is accepted, but this is a violation of the SAML 2.0 specs.

Your NameID attribute seems strange; it should be an email address. The previous link gives an example of a valid NameID element. If you want to generate a custom-made response, you should start from an unsigned template, and then apply the XML DSIG with the ad-hoc library, like XML::Sig.

It should be sufficient to sign the Assertion or the Response. Hope this helps.

All things sk_ pointed out are right, but also:

- NEVER include the xml declaration in the samlResponse message
- Your digest value is wrong, it should be the base64 of the BINARY digest, not the HEX form
- I don't know ruby, but the signature is the same as the digest, b64(BINARY-RSA-SHA1(elem))
- It's the canonical form of the whole you have to sign, not just the digest
- don't forget to base64 encode the whole samlResponse before sending it over a post-binding
- and don't touch a BIT from the relaystate param, just post it as is
- Also you may verify yourself the xmldsig signature with the (cool-and-life-saver) xmlsec1 tool
- And never forget: Xml Sucks, c14n/xmldsig is MORONIC!

GooD Luck!
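The Reference-ID, enveloped-transform and binary-vs-hex digest points raised in the two answers above, as an added Python example that is not from the question or from any answer. The Assertion template, the element ID `_a1` and the use of the stdlib C14N 2.0 canonicalizer in place of exclusive C14N 1.0 are assumptions of this demo; the RSA SignatureValue step is left out.

```python
import base64
import copy
import hashlib
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)
# Constructed Assertion template (not from the question) carrying an enveloped, digest-only
# Signature; the RSA SignatureValue step is left out. Its ID is what the Reference points at.
TEMPLATE = ('<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0">'
            '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="{uri}">'
            '<ds:DigestValue>{dv}</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>'
            '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
            '</saml:Assertion>') % (SAML, DS)

def enveloped_c14n(elem):
    # Enveloped-signature transform (drop the ds:Signature inside the signed element), then
    # canonicalize. Stdlib C14N 2.0 stands in for exclusive C14N 1.0 here (demo assumption).
    clone = copy.deepcopy(elem)
    for sig in clone.findall("{%s}Signature" % DS):
        clone.remove(sig)
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True)

def digest_value(elem):
    # Correct DigestValue: base64 of the BINARY SHA-1 digest of the canonical form, not hex.
    return base64.b64encode(hashlib.sha1(enveloped_c14n(elem).encode()).digest()).decode()

def sign_assertion(uri="#_a1"):
    # The digest does not depend on the placeholder Signature, since the transform removes it.
    return TEMPLATE.format(uri=uri, dv=digest_value(ET.fromstring(TEMPLATE.format(uri=uri, dv=""))))

def lint(signed_xml):
    """Report the problems the answers above warn about, for one signed element or Response."""
    problems = []
    if signed_xml.lstrip().startswith("<?xml"):
        problems.append("xml declaration present in samlResponse")
    root = ET.fromstring(signed_xml)
    by_id = {e.get("ID"): e for e in root.iter() if e.get("ID")}
    for ref in root.iter("{%s}Reference" % DS):
        uri, dv = ref.get("URI", ""), ref.findtext("{%s}DigestValue" % DS, "")
        if not uri.startswith("#") or uri[1:] not in by_id:
            problems.append("Reference URI %r does not point to a signed element ID" % uri)
        elif re.fullmatch(r"[0-9a-f]{40}", dv, re.I):
            problems.append("DigestValue is the hex digest, not base64 of the binary digest")
        elif dv != digest_value(by_id[uri[1:]]):
            problems.append("DigestValue for %s does not match the canonical element" % uri)
    return problems
```

Running `lint` over the output of `sign_assertion()` reports nothing, while an empty Reference URI, a 40-character hex DigestValue, a leading XML declaration or a tampered NameID each produce the matching complaint.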

