I'm trying to read a security token from a SAMLP 2.0 response with unencrypted assertions, but where the attributes are encrypted using EncryptedID.
I'm using the Saml2SecurityTokenHandler to get a security token via the ReadToken method. This eventually calls ReadSubject, which throws the exception: 'Element' is an invalid XmlNodeType.
According to the source of Saml2SecurityTokenHandler.cs, EncryptedID is not supported. So I have to write my own implementation. Does anyone have experience with this, or can point me to good code examples?
<saml:Subject>
<!-- NOTE(review): this Subject carries both a (transient) NameID and an EncryptedID. The SAML 2.0 core schema defines the subject identifier as a choice of one element, so confirm with the IdP which of the two the SP is expected to treat as authoritative. -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">d1fd410b-d485-4956-a9d3-eef9291045c8</saml:NameID>
<saml2:EncryptedID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- Identifier encrypted with AES-256-CBC; Type=Element means the plaintext is a whole element (presumably a NameID, verify after decryption). CBC provides no integrity protection by itself, so trust in the decrypted value has to come from the signature over the enclosing assertion, not from the fact that decryption succeeded. -->
<xenc:EncryptedData Id="_29dbab2c7ef41026f9ae573703ad233b" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
<!-- The content-encryption key is not inline: RetrievalMethod points by fragment Id ("#_06c497ce...") at the sibling EncryptedKey below. A decryptor should resolve this reference within the same document only. -->
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_06c497ce9c9142a1f2d425011ddcda17" />
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>EmXVT1jw+uVQWTaAmYBYONRvoHkUDH+zTAJPg0a/AWT9XNjB+weF+NKDa5l9Tm1dNJd9OE8GyOGCrLLAcxCHvJwg9gk5WMUeBhtWltHJutsd94PioWoLFnaRRZUmF/wAJ4YK1AcOgK2cPZ0PH4lt18qkjcf/otmDUePQOSb8qox4JIINAgzlItJ5j4un16jh2tooIoRpklxglhISycv/RI2lTKmhSL4zpSrlTBwJWyBKPq0SEm29USrbVhrQK/z3RfZIO5DPghveT/fiJiuUrA==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<!-- Content-encryption key wrapped with RSA-OAEP (MGF1, SHA-1 digest) for the entity named in Recipient. KeyName identifies which SP key to unwrap with (it looks like a certificate thumbprint in hex; confirm against the SP's own key store and reject the assertion if it is unknown). -->
<xenc:EncryptedKey Id="_06c497ce9c9142a1f2d425011ddcda17" Recipient="urn:etoegang:DV:00000003544415870000:entities:0001" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
</xenc:EncryptionMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>B9DC06853C0435DA253F23816E3665BEAE9C4A8E</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>iVTdD2P4k14PgQ6I3YR3M2rw1DmrsgAa2mKLvOD4Jhhwl8W7UDAIX5vc/tAFwyu1tF72WU4h9Oa8EapqaHazBw8c7VedDBwZTm6cIzTndbVDNXTP6iJTbvB2M4HIjo3y5lE4cbWk5fGaAtJ2jnQXoxTGxrC5B0Tllgf+L4oAFxxwKDueAEc9v736l/CoPteZhPp+Je4SYZlDZqq1isNSk40EQikrD9GubAdDuGUG3X22McuaQWi5FGWZLFoRfTOxZgls1TOsjtFiFToZ77/3+HlZYQ+6/25o1Nqvfci+MVR1feerkra1NzVwoScjJS+1BCYd0OyKBF4PvSx7io3R6Q==</xenc:CipherValue>
</xenc:CipherData>
<!-- Back-reference to the EncryptedData this key unwraps; it matches the EncryptedData Id ("_29dbab2c...") above, and a decryptor should check that it does before using the key. -->
<xenc:ReferenceList>
<xenc:DataReference URI="#_29dbab2c7ef41026f9ae573703ad233b" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
</saml2:EncryptedID>
<!-- Bearer confirmation: the SP must check InResponseTo against its own outstanding request, NotOnOrAfter against the current time, and Recipient against its own ACS URL. -->
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_3d9c46ba251c38d74901355011391aa4b7712a1c" NotOnOrAfter="2018-07-27T08:47:20.653Z" Recipient="https://eid.digidentity-preproduction.eu/hm/eh111/eb_hm" />
</saml:SubjectConfirmation>
</saml:Subject>
Thanks
I've configured Databricks SSO 2.0 to work with Google as IdP
When I try to test it I receive this error: "Single Sign-On authentication failed."
Tracking the SAML messages everything looks correct:
SAML REQUEST:
<!-- SP-initiated AuthnRequest from Databricks to the Google IdP (identifiers masked by the author). The request carries no ds:Signature, and the NameIDPolicy asks for a SAML 1.1 "unspecified" identifier with AllowCreate. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_956****d-44fe-**80-654e-b9ae3c8974e1"
Version="2.0"
IssueInstant="2021-10-19T12:38:10Z"
Destination="https://accounts.google.com/o/saml2/idp?idpid=*****sha*****"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://dbc-***990a9-*****.cloud.databricks.com/saml/consume"
>
<saml:Issuer>https://dbc-****990a9-*****.cloud.databricks.com/saml/consume</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
</samlp:AuthnRequest>
SAML RESPONSE:
<!-- Response from the Google IdP (values masked by the author). Only the Assertion carries a ds:Signature; there is no Signature directly under the Response element, which is the case the answer below says Databricks rejects. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://dbc-*****990a9-*****.cloud.databricks.com/saml/consume"
ID="_d32****e5002e8760******d431c69"
InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_cb5ee***08cb7***********bd194"
IssueInstant="2021-10-19T12:38:21.957Z"
Version="2.0"
>
<saml2:Issuer>https://accounts.google.com/o/saml2?idpid=****sha*****</saml2:Issuer>
<!-- Enveloped signature over the Assertion: exclusive C14N, RSA-SHA256, SHA-256 digest. The Reference URI is masked; presumably it is the Assertion ID ("_cb5ee...") above - verify, since a Reference that does not point at the Assertion leaves it effectively unsigned. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_cb5ee92*******0652**2145*******4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>i45E******dCx*********zXr7AC2RX38=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>PeQTj**********************E8O46BoalK+7sblRLA5hCk/xuGRADeuGyGERwdEDdeY5tJK
uDhr+W4oML75eDYMSwYW6ZcDyFXFmQucia7HLD0pI************************************************iYZr8opwuzFkzOnnwulgTwlk9
137uW2/abZFV2M***************==</ds:SignatureValue>
<!-- The inline certificate is informational only; the SP should verify against the IdP certificate configured out of band, not against whatever KeyInfo supplies. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>*****************IBAgIGAVr9E/j7MA0GCSqGSIb3DQEBCwU***********************************qQIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQBSOUJWpyF3PEpiFHednZqU9U8yJ+fakv9CZrx0tvuAKLKfD7f8cZpH4FORCVg82stN3mOd
BlZ+3PyVr/tGz4Lf1vbXULC256HvmKBFI8jc/N*******************************</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<!-- Bearer subject: InResponseTo must match the AuthnRequest ID, NotOnOrAfter must be in the future, and Recipient must equal the SP's ACS URL. -->
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">danilo.ca*****#********.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ONELOGIN_95*****2d-44fe-****-942e-b9ae3***9e1"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
Recipient="https://dbc-*******990a9-******.cloud.databricks.com/saml/consume"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Ten-minute validity window (12:33 to 12:43) and an audience restricted to the SP's ACS URL. -->
<saml2:Conditions NotBefore="2021-10-19T12:33:21.957Z"
NotOnOrAfter="2021-10-19T12:43:21.957Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>https://dbc-*******990a9-******.cloud.databricks.com/saml/consume</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-10-19T12:38:21.000Z"
SessionIndex="_**ee**********7c40*****cddbbd194"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
All the information in the SAML looks correct (my email, Google ID, Databricks URL), but it still keeps failing.
This is the doc for Google workspace SSO:
v1: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite.html
v2: https://docs.databricks.com/administration-guide/users-groups/single-sign-on/gsuite20.html
Troubleshooting docs:
https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#troubleshooting
If you are using Google Workspace (formerly G Suite) single sign-on (SSO v2.0), double-check Step 7: (Required) Select Signed response. The response also has to be signed.
The solution is to enable the signed response, so that the signature will come before the assertion tag:
<!-- Response-level signature as emitted once "Signed response" is enabled in the Google app. The author trimmed the snippet after </ds:Signature>, so the Status and Assertion that follow are not shown and the Response element is left unclosed here. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://*************.cloud.databricks.com/saml/consume"
ID="******************d3952e02"
InResponseTo="ONELOGIN_bc2cb9***************7-bb86-0***********fc4"
IssueInstant="2021-10-28T12:48:45.663Z"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=************</saml2:Issuer>
<!-- Signature placed directly after the Response Issuer. Its Reference URI is masked but ends in "52e02" like the Response ID above, so it presumably covers the whole Response - verify. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_****************46dd50562**************52e02">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>***********2kA0VqohW***************OeeTyCnKuvVlGI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>*****************************JmIrnaHPRjm87OXyqnvOhNBjKD24BfBxnodbUmx9IeWKT4mBS13huje99DBl9S9
USPnKD3zwb1htVBWbT1TxSeD6EUZbl8**********************************3ODow==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
<ds:X509Certificate>MIIDd**************************************UgwwH4Y/yQZx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
I am generating an unsigned SAML response with a signed assertion for my IdP. When I validate it using samltool.com, it fails with the following errors:
Issuer of the Assertion not found or multiple.
A valid SubjectConfirmation was not found on this Response Found an invalid Signed Element. SAML Response rejected.
But when I generate a signed response with an unsigned assertion, it passes without any error. I checked that the overall XML is valid. I checked other posts but could not find any answer.
Any thoughts on this issue would help.
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2658c71-1361-48c6-b733-c95858146230" Version="2.0" IssueInstant="2019-02-10T04:19:45.482Z" Destination="XXXXXXX" InResponseTo="samlrequest_25369109d2af475ebe51e0e94a95967a">
<!-- Unsigned Response wrapper (no ds:Signature at this level); the author has placed the only signature inside the Assertion below. -->
<saml:Issuer>XXXXXXX</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3c6a8bfd-292a-473f-91b5-fac5352de06a" Version="2.0" IssueInstant="2019-02-10T04:19:45.482Z">
<saml:Issuer>XXXXXXX</saml:Issuer>
<!-- This Signature is nested inside the Assertion, but its Reference URI ("#_c2658c71-...") is the Response ID rather than the Assertion ID ("_3c6a8bfd-..."). A validator therefore finds no signature covering the Assertion, which matches the "invalid Signed Element" error reported above. -->
<!-- RSA-SHA1 with a SHA-1 digest is deprecated in current XML-DSig practice; the other responses on this page use rsa-sha256 / sha256. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_c2658c71-1361-48c6-b733-c95858146230">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>AYG+ZKBzsXPfpq94EcgFsvRgFLg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">XXXXX#XXXXXXXX.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2019-02-10T04:24:45.482Z" Recipient="XXXXXXX" InResponseTo="samlrequest_25369109d2af475ebe51e0e94a95967a"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-02-10T04:19:45.482Z" NotOnOrAfter="2019-02-10T04:24:45.482Z">
<saml:AudienceRestriction>
<saml:Audience>XXXXXXX</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2019-02-10T04:19:45.482Z" SessionNotOnOrAfter="2019-02-10T04:24:45.482Z" SessionIndex="9cb0eb45-3a0c-4fcf-90b7-3fab83a855ac">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<!-- Attributes are only trustworthy once the Assertion signature actually covers this element; with the Reference above they are currently unprotected. -->
<saml:AttributeStatement>
<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">XXXXXXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Gender" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">XXXXXXXXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">XXXXXX</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">XXXXXXX</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
The Reference of your signature refers to the Response element, whose ID is _c2658c71-1361-48c6-b733-c95858146230 (search for ds:Reference URI="#_c2658c71-1361-48c6-b733-c95858146230"). You need to generate a signature for the Assertion element, whose ID is _3c6a8bfd-292a-473f-91b5-fac5352de06a.
I've been trying to use SAML to authenticate Google Apps for our company, but I always get "This account cannot be accessed because the login credentials could not be verified." It seems my signature is good, because I have tested it on https://www.samltool.com/validate_response.php
Response:
<?xml
version="1.0"
encoding="UTF-8"?>
<samlp:Response
ID="_fc7fc038e01043acd7d4"
IssueInstant="2015-12-28T04:57:37.087Z"
Version="2.0"
Destination="https://www.google.com/a/sellyx.com/acs"
InResponseTo="inkglhhncmbkicmioiiinchbbhepenfoemkcpiej"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<!-- Response-level signature (RSA-SHA1, SHA-1 digest). The Transforms list below contains only exclusive C14N: because this Signature sits inside the element it signs, an enveloped-signature transform is also required, otherwise the digest input includes the Signature itself and can never verify. -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference
URI="#_fc7fc038e01043acd7d4">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
m0Lhn42KcGeOXuTdzMRY93MsPNY=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<!-- No KeyInfo is supplied, so the verifier must use the IdP certificate it was configured with. -->
<ds:SignatureValue>I7nlVY44KWeURB35YjOZ2Rt3kkN8zj1rzF66789U7diOaR4WJazv/i+38RkqlCc1DvSxy3uVsXCq11BmdA3k0r9vnhuKMsZUktrpIAhW93H1cs37PfuYoiu7FFaEgbCcg+OcyjyJ18JcvbgXqKbvv/i8ltRM7JUOr6V+OT/
U6l8=
</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<!-- The Assertion is not signed itself; it is protected only by the Response signature above. NOTE(review): its IssueInstant (2003-04-17) is years before the Conditions window (2015-12-28) and looks like a leftover sample value - verify. -->
<Assertion
ID="_bba47c30283081e8468c"
IssueInstant="2003-04-17T00:46:02Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://auth.sellyx.com/IDP</Issuer>
<Subject>
<!-- The NameID text runs onto the next line, so the value carries trailing whitespace; not every consumer trims it before comparing against the account email. -->
<NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc#sellyx.com
</NameID>
<SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
Recipient="https://www.google.com/a/sellyx.com/acs"
NotOnOrAfter="2015-12-28T05:00:57.087Z"
InResponseTo="inkglhhncmbkicmioiiinchbbhepenfoemkcpiej"/>
</SubjectConfirmation>
</Subject>
<Conditions
NotBefore="2015-12-28T04:54:17.087Z"
NotOnOrAfter="2015-12-28T05:00:57.087Z">
<AudienceRestriction>
<Audience>https://www.google.com/a/sellyx.com/acs</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement
AuthnInstant="2015-12-28T04:57:37.087Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
Add an enveloped-signature transform as well; that solves the problem.
I have a web application on my local computer: https://test.staging.me
It is a PHP (CakePHP) application.
I installed SimpleSamlPHP and configured it as the Service Provider(SP).
I created some tests from instruction: https://simplesamlphp.org/docs/stable/simplesamlphp-sp
My tests with openidp.feide.no were successful.
But I have a problem with Okta. I created "Test App Cakephp", assigned people, and configured SimpleSamlPHP for it.
But after login I get this SAML response (without user attributes):
<!-- Okta Response, signed at both Response and Assertion level with RSA-SHA1. There is no InResponseTo on the Response or on the SubjectConfirmationData, i.e. this is an unsolicited (IdP-initiated) response, which an SP should only accept if explicitly configured to. The author trimmed SignatureValue/X509Certificate and the closing </saml2p:Response>. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" ID="id12087736095048056708868080" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<!-- Response signature; Reference URI matches the Response ID above. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id12087736095048056708868080">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>pU2jLhg9A4w97r8NVnBKl3IQZLE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>VPDveGXR0s0aL87FHcwlgox2jpF8Ka68+35u5sAwtNPu6YGLeHBZXMM0VJBGubXaP43p7U/bOCEDN28Unvdu+r7nsPayg7KRJtEBG5IPS0aHAsAVvFWCNKwbj/F3V+mNfjj6tyCYxfUv0VzGYFx74sR4jyatwMWM0C8Tn5/
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id120877360951785121155512781" IssueInstant="2015-04-07T15:49:27.571Z" Version="2.0" >
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >http://www.okta.com/exk3ov34irLCZc7Ti0h7</saml2:Issuer>
<!-- Assertion signature; Reference URI matches the Assertion ID above. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id120877360951785121155512781">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>lob8Do3NlCm0YApUEdGks7Lvj5g=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cxCVxow1zv7/C9fyG3n8FqXLNUCx6J3WMzZSB7oOQhBCWt1x+EmkB/Hh3l1AajeCRe50uCZlSfy5eN1kpLQPy1oqyTH/i08cdnzeb94eMh06JRpljSrGFBRyNz7RfoHSs13v8R3PEweDsM0XIUhfX3oL2JpGm7yxwcm/+UZpI2eq
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAUx+YiPyMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJv
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test1#my_domain.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2015-04-07T15:54:27.571Z" Recipient="https://test.staging.me/simplesamlphp/module.php/saml/sp/saml2-acs.php/okta-sp" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Audience is the SP metadata URL (entity ID), while Recipient/Destination are the ACS URL; the SP must be configured with exactly this entity ID for the audience check to pass. -->
<saml2:Conditions NotBefore="2015-04-07T15:44:27.571Z" NotOnOrAfter="2015-04-07T15:54:27.571Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AudienceRestriction>
<saml2:Audience>https://test.staging.me/simplesamlphp/module.php/saml/sp/metadata.php/okta-sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2015-04-07T15:49:27.571Z" SessionIndex="id1428421767571.740119289" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<!-- No saml2:AttributeStatement is present: the assertion carries only Subject, Conditions and AuthnStatement. -->
</saml2:Assertion>
I cut off the "ds:SignatureValue" and "ds:X509Certificate" fields for convenience.
My question: why don't I receive the user's attributes?
Thanks )
Okta, by default, doesn't send any attributes in the <saml2:AttributeStatement>. To configure the optional Attribute Statement take a look at Configuring the Okta Template SAML 2.0 App. The five standard Okta profile attributes you can send are First Name, Last Name, Email, and Okta Username.
For the user's first and last name to be included in the SAMLResponse from Okta:
<!-- Example AttributeStatement emitted once FirstName/LastName are mapped in the Okta app. The "xs" prefix used in xsi:type is not declared in this excerpt; presumably it is bound on an ancestor element of the full assertion. -->
<saml2:AttributeStatement>
<saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Thomas</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kirk</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
You must configure your Okta SAML 2.0 app to include the following Attribute Statement:
FirstName|${user.firstName},LastName|${user.lastName}
In addition to the standard Okta profile attributes (First Name, Last Name, Email, and Okta Username), you can use additional attributes that have been pulled into Okta from Workday, Active Directory, and other LDAP directories.
I want to do SSO through a SAMLResponse, which is generated after receiving the AuthnRequest from Google. But with Outlook I get this error:
Google Apps - This account cannot be accessed because we could not parse the login request.
The email address and certificate are hidden for security reasons.
The SAML response is given below:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Destination="https://www.google.com/a/dev.authen2cate.com/acs"
ID="gahbmmoclhngahdkmgijdmfnjoajnonpfhojkdii"
InResponseTo="eopmnjkanijnhaooojjipjcfiapacicmgfnkmhmj"
IssueInstant="2014-01-09T07:43:26Z"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://debug-ad.authen2cate.com</saml:Issuer>
<!-- Response-level signature with an empty Reference URI (""), i.e. "the whole document". Only an enveloped-signature transform is listed, with no C14N transform, and the algorithms are RSA-SHA1 / SHA-1. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>XmexZKht13MLScVBPcrd+Dp1+jw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Z5u23PrImHZndHYkMbJtj4+n1F7bW3G3GLwogR6wYDLi2vFwt1EzKWSd5ATJjRlTnQT11W8+Wf8P
mlVthcvuQeZY9/jijoOT88y/Li4+B9hgmpnZI6WmgZWtOdRmAUvTvUGF3fR13iUxuttmWCNG+0Bf
bwxj5pnkQOsXVdnDgY0rkN9qe2XxFx3VFuFcoEE3dQVTxLT4xZBsjX+N/ao9b/+tEwQHvdwHsAr7
hDaQWxkSXT5/T8+0Lljtv1NZ4GZHkI59i3f2j8UQ3LR19LfY0EykEvWCHP3x5EdVSarkzYyQOddB
R3480a6KQjJOOw+Hhsu/tL+bWrw2sJ7HpUXVkw==</SignatureValue>
<!-- KeyInfo supplies both an X509Certificate and a bare RSAKeyValue. A verifier should validate against the IdP key it has configured out of band and ignore whichever inline key material it did not expect. -->
<KeyInfo>
<X509Data>
<X509Certificate>MIIEzzCCA7egAwIBAgI............</X509Certificate>
</X509Data>
<KeyValue>
<RSAKeyValue>
<Modulus>wB4Uiws31Hjx0folWTMCJDrGFniKajRUgTgcVjNo8r/MUoWQEEh7lH7fOBPbdcREUQFllBMNLiFX
uSpKIsQPZVzPOwaWkWkBjTTISmG+nz9FCgOsyZnkWc0HFprC8Eg7x6I2TfPWZ1lKJhIiBWOI35m5
z9Xcr/LhleOPrDq66yTeCHABej4xs5kxFRGdgYtm9fdTQ78psHJseJm7hP6DbVCtVlBkesq7AAd6
r7B9Rj8nEQk4ZVtQWoo/4soF+nFwW6u4UyaLKswystI+B40XTizv4pNYQM6U6XZ+eoYJxTGlW2sU
gkeMWvYgM6BbNu5ex2i2DzTq3/lS8VnTpZEMWQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- The Assertion ID below is identical to the Response ID ("gahbmmoclh..."). ID values must be unique within a document, so a parser can legitimately reject this; it may be the reason for the "could not parse the login request" error. Give the Assertion its own unique ID. -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="gahbmmoclhngahdkmgijdmfnjoajnonpfhojkdii"
IssueInstant="2014-01-09T07:43:26Z"
Version="2.0"
>
<saml:Issuer>http://debug-ad.authen2cate.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">email_address</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="eopmnjkanijnhaooojjipjcfiapacicmgfnkmhmj"
NotOnOrAfter="2014-01-10T07:43:26Z"
Recipient="https://www.google.com/a/dev.authen2cate.com/acs"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- NOTE(review): the validity window is a full 24 hours (NotOnOrAfter is one day after IssueInstant); bearer assertions are usually kept to a few minutes to limit replay exposure. -->
<saml:Conditions NotBefore="2014-01-09T07:38:25Z"
NotOnOrAfter="2014-01-10T07:43:26Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://www.google.com/a/dev.authen2cate.com/acs</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-01-09T07:43:26Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>