SAML IDP does not work with Google Apps and Lasso 2.3.5
I have an error with Google Apps, and I think (I am really not sure) that it happens after an upgrade to Lasso 2.3.5. I cannot apt-get a previous version, so I cannot test with Lasso 2.3.3, for example.
Here is the SAML request from Google Apps:
{code:type=xml}
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="ebphihcoeeboinkidokjahofhdoijkbabcljnokp" Version="2.0"
IssueInstant="2011-06-09T09:57:36Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="google.com" IsPassive="false"
AssertionConsumerServiceURL="https://www.google.com/a/linid.org/acs"><saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer><samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
/></samlp:AuthnRequest>
{code}
And my SAML response :
{code:type=xml}
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_BC879894F2C57802616D7906BF6D3D8E"
InResponseTo="ebphihcoeeboinkidokjahofhdoijkbabcljnokp" Version="2.0"
IssueInstant="2011-06-09T09:58:45Z"
Destination="https://www.google.com/a/linid.org/acs"><saml:Issuer>https://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_BC879894F2C57802616D7906BF6D3D8E">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>Dz2FFhUCxyrIEe2frnSV1Ky+lik=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
</Signature><samlp:Status><samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion
Version="2.0" ID="_4D06B95DA2882A90FE455A45219C33D4"
IssueInstant="2011-06-09T09:58:45Z"><saml:Issuer>https://auth.vm2.lemonsaml.linagora.com/saml/metadata</saml:Issuer><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_4D06B95DA2882A90FE455A45219C33D4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>IBQUiylgZMBBO0Ja+nPe32epM/I=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
</Signature><saml:Subject><saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">lemonsaml@linid.org</saml:NameID><saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
NotOnOrAfter="2011-06-10T05:13:00Z"
Recipient="https://www.google.com/a/linid.org/acs"
InResponseTo="ebphihcoeeboinkidokjahofhdoijkbabcljnokp"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement
AuthnInstant="2011-06-09T09:13:00Z"
SessionIndex="fcVWQrAw+z2m+kruAnSFpIWDNPQIALDIepbAaD9xU+o7Q2Ofg8O+sfoTn4/g2T1G"
SessionNotOnOrAfter="2011-06-10T05:13:00Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
{code}
The error on Google Apps is: "This service cannot be accessed because
your login credentials have expired. Please log in and try again."
The answer from the Lasso devel list:
{panel}
The conditions->notBefore/notOnOrAfter initialization was removed because
it is not mandatory by the specification, and some SPs broke because of
it, but it seems that Google wants it, as in the example given on
http://code.google.com/intl/fr-FR/googleapps/domain/sso/saml_reference_implementation_web.html.
To restore it you can do:
$login->assertion->setBasicConditions(60, 86400, False)
or something like that (I'm never sure of the Perl syntax from memory)
near your call to $login->buildAssertion.
{panel}
So we just need to add this code in IssuerDBSAML.pm, before creating the attribute statement:
{code}
# Re-add NotBefore/NotOnOrAfter on the assertion's Conditions: Lasso 2.3.5 no
# longer sets them, and Google Apps rejects the assertion without them
$response_assertions[0]->set_basic_conditions(60, 86400, 0);
{code}
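To see why Google rejects the response above and what the one-line fix changes, here is an added example (not code from the report, LemonLDAP::NG or Lasso), written in Python rather than Perl: it runs the SP-side Conditions check over a trimmed copy of the Response, then adds the attributes the way set_basic_conditions(60, 86400, 0) is assumed to (NotBefore = now - tolerance, NotOnOrAfter = now + length). The Response text, IDs and audience are constructed from the report.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():      # keep samlp:/saml: prefixes when re-serialising
    ET.register_namespace(prefix, uri)
FMT = "%Y-%m-%dT%H:%M:%SZ"          # SAML xs:dateTime, always UTC

# Constructed, trimmed copy of the Response in the report: signatures and
# statements dropped, <Conditions> left exactly as Lasso 2.3.5 emitted it.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2011-06-09T09:58:45Z"><saml:Assertion Version="2.0" ID="_a1"
 IssueInstant="2011-06-09T09:58:45Z"><saml:Conditions><saml:AudienceRestriction>
 <saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""

def parse_instant(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def check_conditions(xml, now, audience):
    """SP-side check: return the reasons a strict SP would reject the assertion."""
    cond = ET.fromstring(xml).find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    errors = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None:
        errors.append("Conditions lacks NotBefore/NotOnOrAfter")
    else:
        if now < parse_instant(nb):
            errors.append("assertion not yet valid")
        if now >= parse_instant(noa):
            errors.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        errors.append("audience mismatch")
    return errors

def set_basic_conditions(xml, now, tolerance=60, length=86400):
    """IdP-side fix, mirroring what set_basic_conditions(60, 86400, 0) is assumed
    to add: NotBefore = now - tolerance, NotOnOrAfter = now + length."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    cond.set("NotBefore", (now - timedelta(seconds=tolerance)).strftime(FMT))
    cond.set("NotOnOrAfter", (now + timedelta(seconds=length)).strftime(FMT))
    return ET.tostring(root, encoding="unicode")
```

The check deliberately covers only the Conditions element; signature and SubjectConfirmationData validation happen elsewhere in an SP.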