We are encountering an issue where the browser gets redirected back
and forth between the acs URL and our IdP site when logging in a user
for the first time using the SSO API on our domain (upr.edu).  We have
verified proper operation of the IdP site for the same scenario on our
test domain (ws.uprm.edu).  The site also works fine with the upr.edu
domain when the user has logged in previously.  The expected behavior
is for the user to see the initial page where the terms of use are
accepted and the account is "created".  Instead, the browser
alternates through the following three pages in order and then starts
over with the first.  This continues indefinitely.  I'm using a
heavily modified version of the SAML library provided by Google,
although the pages look alike.  The first two pages are part of our
IdP and it works pretty much like the Google SSO library, with changes
made to increase security and robustness.  The third page is what we
get from the acs when our IdP sends the SAMLResponse.

I suspect the acs is not redirecting the user correctly to the "Terms
Acceptance" page, and as such has not finished granting her access to
the account, but it redirects her to the start page, which will in
turn send a SAMLRequest back to the IdP.  And the cycle goes on...  Of
course, I might be missing something too.


*************  
https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...

<title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
Rico</title>
<meta content="noindex,nofollow" name="robots">
<style type="text/css"><!--
body {background-color: #ffffff}
body,td,div,p,a,font,span {font-family: arial,sans-serif}
body {margin-top:2}

.c {width: 4; height: 4}

.bubble {background-color:#C3D9FF}

.tl {padding: 0; width: 4; text-align: left; vertical-align: top}
.tr {padding: 0; width: 4; text-align: right; vertical-align: top}
.bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
.br {padding: 0; width: 4; text-align: right; vertical-align: bottom}


.x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
15px; margin: 0 15px 0 0; text-align: center;}
.x, .x td {font-size: 80%}
.x table {margin: 0px; text-align: left;}
.x p {text-align: left;}
.x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}


.errormsg {color: #cc0000}
--> </style> </head>

   <body onload="document.ValidSessionForm.submit();">

      <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> -->


      <form name="ValidSessionForm" action="SAMLResponseServlet"
method="post">
        <input type="hidden" name="SAMLRequest" value="fVLJTsMwEL0j8Q
+W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/
D3pCkVcKDX8VvHM519qI5swaI0OqVJGFMCWphK6ialL
+VdcE1n2fnZFLnqepZ7t9FLePeAjgxMjWx8SKm3mhmOEpnmCpA5wVb54wObhDHrrXFGmI6SxW1KW1EJ0ai11m3bbuoO1gOj0UZLxXuoVNvzpuZqQ8nrMdZkH2uB6GGh0XHthlEcXwVJEiQXZXzFkgt2Gb9RUnw73Uh9aHAq1voAQnZflkVQPK/
KUWArK7BPAzqljTFNB6EwipIcEawb4syNRq/
ArsBupYCX5UNKN871yKJot9uFP6SIR763IVQ
+4gL3DQqOKLeDsrMeaDZulY3F7K91no7Nj0Fo9mM1jX5JZd+/tS
+xuC1MJ8UnybvO7OYWuDvakztjFXf/
uyVhMk5kFdQjlHmNPQhZS6goibKD69+zGI7lCw=="/>
        <input type="hidden" name="RelayState" value="http://
inicio.upr.edu"/>
        <input type="hidden" name="returnPage"
value="identity_provider.jsp"/>
        <input type="hidden" name="samlAction" value="Generate SAML
Response"/>
       <input type="hidden" name="username" value="usuario.deprueba4"/
>
      </form>
</body>

</html>

****************  https://gaemail.upr.edu/GAESSO/SAMLResponseServlet

<!--
Copyright (C) 2006 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing,
software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
     See the License for the specific language governing permissions
and
     limitations under the License.
-->





<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
Rico</title>
<meta content="noindex,nofollow" name="robots">
<style type="text/css"><!--
body {background-color: #ffffff}
body,td,div,p,a,font,span {font-family: arial,sans-serif}
body {margin-top:2}

.c {width: 4; height: 4}

.bubble {background-color:#C3D9FF}

.tl {padding: 0; width: 4; text-align: left; vertical-align: top}
.tr {padding: 0; width: 4; text-align: right; vertical-align: top}
.bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
.br {padding: 0; width: 4; text-align: right; vertical-align: bottom}


.x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
15px; margin: 0 15px 0 0; text-align: center;}
.x, .x td {font-size: 80%}
.x table {margin: 0px; text-align: left;}
.x p {text-align: left;}
.x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}


.errormsg {color: #cc0000}
--> </style> </head>

 <body  onload="document.acsForm.submit();">


     <form name="acsForm" action="https://www.google.com/a/upr.edu/
acs" method="post" > <!-- target="_blank"> -->
         <div style="display: none">
             <textarea rows=10 cols=80 name="SAMLResponse"><?xml
version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://
www.w3.org/2001/04/xmlenc#"
ID="cnmgjabfkgohhpglmnlidfhghhobccfgjehfkeid"
IssueInstant="2007-11-13T03:11:13Z" Version="2.0">      <Signature
xmlns="http://www.w3.org/2000/09/
xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://
www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" /
><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-
sha1" /><Reference URI=""><Transforms><Transform Algorithm="http://
www.w3.org/2000/09/xmldsig#enveloped-signature" /></
Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/
xmldsig#sha1" /><DigestValue>jYEMJxhv//WsosloT2Fw1romdAM=</
DigestValue></Reference></SignedInfo><SignatureValue>eAnvq46Mf
+DBxfnSzibiqZVX78gGQ3kEL8aOAS8DhV9fyGbohcI+0g==</
SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro
+5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC
9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw
+FKXraAgzjV7RXCn
OU14Uun5Ac9R7QSPIls=</P><Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</
Q><G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v
+8aFnh6Ny6w9rveOSXjYYAAL
oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/
LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8
rgawabXh6AvzvOa4/Z8=</G><Y>UTQsust9OOU26ypSLU9/
sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2
D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY
65fD6fbwPtGoN0pTeYw=</Y></DSAKeyValue></KeyValue></KeyInfo></
Signature><samlp:Status>                <samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" />   </samlp:Status>
<Assertion ID="cllkbjpgcloebgnlfgofbiimaaifblmpaolenkki"
IssueInstant="2003-04-17T00:46:02Z" Version="2.0">              <Issuer>https://
www.opensaml.org/IDP            </Issuer>               <Subject>               
        <NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
usuario.deprueba4                       </NameID>                       
<SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />               </Subject>
<Conditions NotBefore="2003-04-17T00:46:02Z"
NotOnOrAfter="2008-04-17T00:51:02Z">            </Conditions>           
<AuthnStatement
AuthnInstant="2007-11-13T03:11:13Z">                    <AuthnContext>
<AuthnContextClassRef>                                  urn:oasis:names:tc:SAML:
2.0:ac:classes:Password                         </AuthnContextClassRef>         
        </AuthnContext>
</AuthnStatement>       </Assertion></samlp:Response>
 </textarea>
             <textarea rows=10 cols=80 name="RelayState">http://
inicio.upr.edu</textarea>
         </div>
     </form>
 </body>


</html>

************  https://www.google.com/a/upr.edu/acs

<html><body><script>
var url = 'http://inicio.upr.edu';
var parts = (window.location+'').split('#');
if (parts.length == 2 && parts[1].length > 0) {
  url += '#' + parts[1];
}
window.setTimeout(function() {
  window.location = url;
}, 0);
</script></body></html>

********* End of included pages ***********
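
Added example, not part of the original post or of Google's SAML library: a Python lint for the SAMLResponse an IdP emits, run here on a constructed reduction of the response shown above. The finding codes and the 10-minute tolerance are assumptions of this example; the checks flag fields a service provider may reject and do not by themselves identify the cause of the loop.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

# Constructed sample: the response from the post reduced to the fields checked
# below (Signature, Status, Issuer and AuthnStatement omitted, IDs shortened).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1"
  IssueInstant="2007-11-13T03:11:13Z" Version="2.0">
 <Assertion ID="a1" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
  <Subject>
   <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
     usuario.deprueba4 </NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
  </Subject>
  <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2008-04-17T00:51:02Z"/>
 </Assertion>
</samlp:Response>"""

def ts(value):
    """Parse the UTC xs:dateTime form used in the post (no fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def lint_response(xml_text, max_window=timedelta(minutes=10)):
    """Return finding codes (hypothetical names) for a Response from your own IdP."""
    root = ET.fromstring(xml_text)  # own IdP output only; not for untrusted XML
    found = []
    if root.get("InResponseTo") is None:
        found.append("no-inresponseto")          # not tied to an AuthnRequest ID
    for a in root.findall("a:Assertion", NS):
        # Assertion timestamp should track the Response, not a fixed template value.
        if abs(ts(root.get("IssueInstant")) - ts(a.get("IssueInstant"))) > max_window:
            found.append("stale-assertion-instant")
        c = a.find("a:Conditions", NS)
        nb, na = (c.get("NotBefore"), c.get("NotOnOrAfter")) if c is not None else (None, None)
        if not (nb and na) or ts(na) - ts(nb) > max_window:
            found.append("wide-validity-window")  # long-lived bearer assertion
        n = a.find("a:Subject/a:NameID", NS)
        if n is not None and n.get("Format") == EMAIL and "@" not in (n.text or ""):
            found.append("nameid-not-an-email")   # Format claims an address
        d = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
        if d is None or d.get("Recipient") is None:
            found.append("bearer-without-recipient")
    return found

if __name__ == "__main__":
    print(lint_response(SAMPLE))
```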

