Python Google SAML Response XML

Tags: python, single-sign-on, saml-2.0, google-sso

I am trying to set up Google as the SP and my own database as the IdP. I have configured my GSuite account with my login and logout URLs, and Google redirects to them perfectly. But after receiving Google's SAML request, when I try to generate the SAML response I get: "G Suite - This account cannot be accessed because the login credentials could not be verified."

Below is my SAML Response XML:

    <?xml version="1.0"?>
    <!DOCTYPE samlp:Response [
    <!ATTLIST samlp:Response ID ID #IMPLIED>
    ]>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="n7dff0678252c667b24cae2be1925746166d0906c"
                    Version="2.0"
                    IssueInstant="2017-01-12T12:05:23Z"
                    Destination="https://www.google.com/a/demo.mediaagility.com/acs">
      <saml:Issuer>google.com/a/demo.mediaagility.com</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#n7dff0678252c667b24cae2be1925746166d0906c">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>bcUzuWbYSccmvCXN25mXaW7u1qw=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>6L7UmVK/76MeVupEUKSLySrLEntcDrI0CPad3TQEN3D7BDKgoRpfWXWiQElsk64i
    H0c1iCfrDEApoAFe17iORowmJlghumTJzzCXfPhcvpecj2UmikivULyM87eKNVGa
    kEG4ZXS/1OqWwZ3HpVtHK3VPYPQY1FnvAnAEeZNj3zRgv3hyuAHXaUcAEHVYbLGa
    uvkbQrOSlVafHMPEj++go3AS6B6QFxonVGYbf5FE+txkKocyudLBf94IJl6Gd3o0
    VCMj7UewcXm1MweXOZyh+M6AXTt125QQGZFPJWiTMDTjFWIKzGXdh/Rau/B1S1KU
    BG4VbE0C8goQfGwbKhQ3jg==</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>MIIEBzCCAu+gAwIBAgIJANPE0ekUwoLyMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion Version="2.0" ID="gf860726b83c8386cdd3d89131223f535cb51f615" IssueInstant="2017-01-12T12:05:23Z">
        <saml:Issuer>google.com/a/demo.mediaagility.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">admin@demo.mediaagility.com</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="nhchacfajpmpbahlbbdoneoncpicjheamlgooigp"
                                          Recipient="https://www.google.com/a/demo.mediaagility.com/acs"
                                          NotOnOrAfter="2017-01-13T12:05:23Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-01-12T12:05:23Z" NotOnOrAfter="2017-01-13T12:05:23Z">
          <saml:AudienceRestriction>
            <saml:Audience>google.com/a/demo.mediaagility.com</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-01-12T12:05:23Z" SessionIndex="gf860726b83c8386cdd3d89131223f535cb51f615">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </samlp:Response>
Any help would be appreciated. I am using the Python language.

Below is my Google SSO configuration

You need an InResponseTo on your Response. One way to test your code is to test it against another SP that gives you better error messages, e.g. SimpleSamlPhp. Anyway, below is a response to Google Apps that works for me. I noticed two things: your Response has no InResponseTo, and the AudienceRestriction is different.

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_e8d051da91c78463aab61868a575a99bbba1266a2b"
                    Version="2.0"
                    IssueInstant="2017-01-09T04:43:37Z"
                    Destination="https://www.google.com/a/mydomain.com/acs"
                    InResponseTo="dcbcmhemepohapphnloohdmmmimbmanljcnmkabp">
      <saml:Issuer>myissuer</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_e8d051da91c78463aab61868a575a99bbba1266a2b">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>G5fRiUNgyak14pNsjas8UCWfzUQ=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Sz8Aa9oEnOiWW4MscHdgTjJxtstzYo2IGdVBZC3jlIIBYUYS1HPdva5M9pfdL+wJohnZ4id+xfeW+xDVQmL0/ivgFR7PRBWQicGmcbPxMhynPkS3JUbUIDKuqwcKWqKJ2aOdyxr2MBOQjRrGwOG/Q1b55j6q4mBJKqW0JmKgeYZOW6Af9R3D/oyLKvG/IHNiptSsPbwuz+QLPtglbwjYocRpXyV4oW267CJleqtlXt9gprVERXtaKEAx1LVNLFiy8YYwuBVjUMljxvqfkvu9ygsaOTDyUE6X8u1U6wXhEALvX+bL9aqOtj3OS7XAHyzlHDyxuqAybqHsFkUWO66d7g==</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data>
    blah blah
          </ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xs="http://www.w3.org/2001/XMLSchema"
                      ID="_03d8531d7a6344272153841942e3a4c3aa298ff0ce"
                      Version="2.0"
                      IssueInstant="2017-01-09T04:43:37Z">
        <saml:Issuer>myissuer</saml:Issuer>
        <saml:Subject>
          <saml:NameID SPNameQualifier="google.com/a/mydomain.com"
                       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">info@mydomain.com</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2017-01-09T04:48:37Z"
                                          Recipient="https://www.google.com/a/mydomain.com/acs"
                                          InResponseTo="dcbcmhemepohapphnloohdmmmimbmanljcnmkabp" />
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-01-09T04:43:07Z"
                         NotOnOrAfter="2017-01-09T04:48:37Z">
          <saml:AudienceRestriction>
            <saml:Audience>google.com/a/mydomain.com</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-01-09T04:43:37Z"
                             SessionNotOnOrAfter="2017-01-09T12:43:37Z"
                             SessionIndex="_f2e2722e24cb27743c12de9ca41765554aa3186214">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
          <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">info@mydomain.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>

RelayState:

    https://www.google.com/a/mydomain.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1


I have run into this message before. What happened in my case was that I was returning the Response to Google Suite's login request endpoint, in other words the endpoint that receives the AuthnRequest when Google Suite plays the IdP role. I don't have an environment here to check which endpoint I used, but I post with the form below, where SAML_RESPONSE is the complete XML:

@Thuan, is something wrong with my form? I can send and create a valid SAML response, but now I get "G Suite - This account cannot be accessed because the login credentials could not be verified." Can you help? I am updating my question with the valid SAML response.

That's good progress :) This might help.

I still can't figure out what is wrong with my SAML response, and I still get the login credentials error. I am updating the question with the details. Is it because I configured Google SSO with a localhost URL instead of my domain demo.mediaagility.com?

I suggest you remove the DOCTYPE and ATTLIST elements from the response, add InResponseTo to the Response element, and check that you uploaded the correct certificate to the GSuite admin console. Finally, check that you are returning the correct email account, one that has access to GSuite. Beyond that I have no other ideas :)

I am using the GSuite admin account for the SSO login. This is how I do it: I send a request to google.com/a/demo.mediaagilty.com/acs, then Google redirects to my localhost with the SAMLRequest and RelayState keys, where I show the login page; I log in with the GSuite admin account, verify the user against OpenLDAP, and return the SAML response above. Can we log in via SAML this way with the admin email, or do we need a generic user account?
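As an added example (not code from the question, the answer, or any Google documentation), here is a Python pre-flight checker for the points raised in the answer and the comments: InResponseTo on both the Response and the SubjectConfirmationData, Destination and Recipient equal to the ACS URL, Audience equal to the SP entity ID, the validity window, and the absence of a DOCTYPE/ATTLIST. The ten-minute validity limit, the Response template used for the constructed samples, and the names check_response, sample and parse_time are this example's own assumptions; the request ID and ACS URL reuse the placeholder values from the answer.

```python
"""Pre-flight checks on a SAML 2.0 Response before it is posted to Google's ACS.
Added example, not the question's or the answer's code; it parses and compares
fields only and does not sign or verify signatures."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Policy choice (an assumption, not a documented Google requirement): a bearer
# assertion should be valid for minutes, not the 24 hours in the question.
MAX_VALIDITY = dt.timedelta(minutes=10)


def parse_time(value):
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2017-01-09T04:43:37Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_text, request_id, acs_url, audience, now):
    """Return the list of problems found; an empty list means all checks passed."""
    if "<!DOCTYPE" in xml_text:
        # Hardened SAML processors refuse DTDs outright (entity expansion, XXE),
        # so a Response carrying one is rejected before anything else is looked at.
        return ["DOCTYPE/ATTLIST present: remove the DTD before anything else"]
    problems = []
    root = ET.fromstring(xml_text)  # stdlib expat does not fetch external entities
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("InResponseTo") != request_id:
        problems.append("Response/@InResponseTo missing or not equal to the AuthnRequest ID")
    if root.get("Destination") != acs_url:
        problems.append("Response/@Destination is not the ACS URL")
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
        problems.append("Signature Reference URI does not point at Response/@ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in the Response"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData (bearer confirmation needs one)")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData/@Recipient is not the ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData/@InResponseTo does not match the AuthnRequest ID")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or parse_time(expiry) <= now:
            problems.append("SubjectConfirmationData/@NotOnOrAfter missing or already passed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no saml:Conditions"]
    start, end = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if start is None or end is None:
        problems.append("Conditions must carry both NotBefore and NotOnOrAfter")
    elif not parse_time(start) <= now < parse_time(end):
        problems.append("current time is outside Conditions NotBefore/NotOnOrAfter")
    elif parse_time(end) - parse_time(start) > MAX_VALIDITY:
        problems.append("validity window %s exceeds policy maximum %s"
                        % (parse_time(end) - parse_time(start), MAX_VALIDITY))
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != audience:
        problems.append("Audience missing or not equal to the SP entity ID %r" % audience)
    return problems


# Constructed sample shaped like the Responses on this page (placeholder signature).
TEMPLATE = """{doctype}<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0"
    IssueInstant="2017-01-09T04:43:37Z"
    Destination="https://www.google.com/a/mydomain.com/acs"{in_response_to}>
  <saml:Issuer>myissuer</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-09T04:43:37Z">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/mydomain.com/acs"
          NotOnOrAfter="{expires}"{in_response_to}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-01-09T04:43:07Z" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sample(in_response_to, expires, doctype=False, audience="google.com/a/mydomain.com"):
    """Build a constructed Response; in_response_to=None omits the attribute entirely."""
    return TEMPLATE.format(
        doctype="<!DOCTYPE samlp:Response [<!ATTLIST samlp:Response ID ID #IMPLIED>]>\n" if doctype else "",
        in_response_to=' InResponseTo="%s"' % in_response_to if in_response_to else "",
        expires=expires, audience=audience)


if __name__ == "__main__":
    now = parse_time("2017-01-09T04:44:00Z")  # clock frozen to the sample's timestamps
    acs, aud = "https://www.google.com/a/mydomain.com/acs", "google.com/a/mydomain.com"
    req = "dcbcmhemepohapphnloohdmmmimbmanljcnmkabp"
    for name, xml in [("answer-style", sample(req, "2017-01-09T04:48:37Z")),
                      ("no-InResponseTo-24h", sample(None, "2017-01-10T04:43:37Z")),
                      ("with-DOCTYPE", sample(req, "2017-01-09T04:48:37Z", doctype=True))]:
        print(name, check_response(xml, req, acs, aud, now) or "OK")
```

Run it against the Response your IdP produces after signing, with the request ID taken from the AuthnRequest Google sent and the ACS URL and entity ID from your GSuite SSO configuration. It does not replace signature verification; it only catches the structural mistakes behind Google's unspecific "login credentials could not be verified" error.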