I can see the RelayState parameter in the second form as:
<textarea rows=10 cols=80 name="RelayState">http://inicio.upr.edu</textarea>
Do you mean it should appear in a different way?
I wonder why it would happen for one domain and not for the other. If
this was the cause of the problem I would expect to see the behavior
with both domains. Anyways, I can make any change you suggest and try
it out.
Thanks,
Carlos
On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks for including the HTML pages. It really helps to illustrate
> where the potential problems are.
>
> It looks like the RelayState parameter, which is part of the first
> URL:
>
> https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&......
>
> is not being included in the subsequent requests.
>
> The RelayState which accompanies the SAMLRequest should ultimately be
> submitted back to the ACS URL along with the SAMLResponse.
>
> The sample code doesn't do a good job of showing this, but that's how
> the RelayState parameter is meant to be used.
>
> Can you make that change and retry?
>
> -alex
>
> On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > We are encountering an issue where the browser gets redirected back
> > and forth between the acs URL and our IdP site when logging-in a user
> > for the first time using the SSO API on our domain (upr.edu). We have
> > verified proper operation of the IdP site for the same scenario on our
> > test domain (ws.uprm.edu). The site also works fine with the upr.edu
> > domain when the user has logged in previously. The expected behavior
> > is for the user to see the initial page where the terms of use are
> > accepted and the account is "created". Instead, the browser
> > alternates through the following three pages in order and then starts
> > over with the first. This continues indefinitely. I'm using a
> > heavily modified version of the SAML library provided by Google,
> > although the pages look alike. The first two pages are part of our
> > IdP and it works pretty much like the Google SSO library, with changes
> > made to increase security and robustness. The third page is what we
> > get from the acs when our IdP sends the SAMLResponse.
>
> > I suspect the acs is not redirecting the user correctly to the "Terms
> > Acceptance" page, and as such has not finished granting her access to
> > the account, but it redirects her to the start page, which will in
> > turn send a SAMLRequest back to the IdP. And the cycle goes on... Of
> > course, I might be missing something too.
>
> > *************
> > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
>
> > <title>Portal de Servicios Electrónicos - Universidad de Puerto
> > Rico</title>
> > <meta content="noindex,nofollow" name="robots">
> > <style type="text/css"><!--
> > body {background-color: #ffffff}
> > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > body {margin-top:2}
>
> > .c {width: 4; height: 4}
>
> > .bubble {background-color:#C3D9FF}
>
> > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> > 15px; margin: 0 15px 0 0; text-align: center;}
> > .x, .x td {font-size: 80%}
> > .x table {margin: 0px; text-align: left;}
> > .x p {text-align: left;}
> > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > .errormsg {color: #cc0000}
> > --> </style> </head>
>
> > <body onload="document.ValidSessionForm.submit();">
>
> > <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> -->
>
> > <form name="ValidSessionForm" action="SAMLResponseServlet"
> > method="post">
> > <input type="hidden" name="SAMLRequest" value="fVLJTsMwEL0j8Q
> > +W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/
> > D3pCkVcKDX8VvHM519qI5swaI0OqVJGFMCWphK6ialL
> > +VdcE1n2fnZFLnqepZ7t9FLePeAjgxMjWx8SKm3mhmOEpnmCpA5wVb54wObhDHrrXFGmI6SxW1KW1EJ0ai11m3bbuoO1gOj0UZLxXuoVNvzpuZqQ8nrMdZkH2uB6GGh0XHthlEcXwVJEiQXZXzFkgt2Gb9RUnw73Uh9aHAq1voAQnZflkVQPK/
> > KUWArK7BPAzqljTFNB6EwipIcEawb4syNRq/
> > ArsBupYCX5UNKN871yKJot9uFP6SIR763IVQ
> > +4gL3DQqOKLeDsrMeaDZulY3F7K91no7Nj0Fo9mM1jX5JZd+/tS
> > +xuC1MJ8UnybvO7OYWuDvakztjFXf/
> > uyVhMk5kFdQjlHmNPQhZS6goibKD69+zGI7lCw=="/>
> > <input type="hidden" name="RelayState" value="http://inicio.upr.edu"/>
> > <input type="hidden" name="returnPage"
> > value="identity_provider.jsp"/>
> > <input type="hidden" name="samlAction" value="Generate SAML
> > Response"/>
> > <input type="hidden" name="username" value="usuario.deprueba4"/>
>
> > </form>
> > </body>
>
> > </html>
>
> > **************** https://gaemail.upr.edu/GAESSO/SAMLResponseServlet
>
> > <!--
> > Copyright (C) 2006 Google Inc.
>
> > Licensed under the Apache License, Version 2.0 (the "License");
> > you may not use this file except in compliance with the License.
> > You may obtain a copy of the License at
>
> > http://www.apache.org/licenses/LICENSE-2.0
>
> > Unless required by applicable law or agreed to in writing,
> > software
> > distributed under the License is distributed on an "AS IS" BASIS,
> > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > implied.
> > See the License for the specific language governing permissions
> > and
> > limitations under the License.
> > -->
>
> > <html>
> > <head>
> > <meta http-equiv="Content-Type" content="text/html;
> > charset=iso-8859-1">
> > <title>Portal de Servicios Electrónicos - Universidad de Puerto
> > Rico</title>
> > <meta content="noindex,nofollow" name="robots">
> > <style type="text/css"><!--
> > body {background-color: #ffffff}
> > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > body {margin-top:2}
>
> > .c {width: 4; height: 4}
>
> > .bubble {background-color:#C3D9FF}
>
> > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> > 15px; margin: 0 15px 0 0; text-align: center;}
> > .x, .x td {font-size: 80%}
> > .x table {margin: 0px; text-align: left;}
> > .x p {text-align: left;}
> > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > .errormsg {color: #cc0000}
> > --> </style> </head>
>
> > <body onload="document.acsForm.submit();">
>
> > <form name="acsForm" action="https://www.google.com/a/upr.edu/
> > acs" method="post" > <!-- target="_blank"> -->
> > <div style="display: none">
> > <textarea rows=10 cols=80 name="SAMLResponse"><?xml
> > version="1.0" encoding="UTF-8"?>
> > <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> > ID="cnmgjabfkgohhpglmnlidfhghhobccfgjehfkeid"
> > IssueInstant="2007-11-13T03:11:13Z" Version="2.0"> <Signature
> > xmlns="http://www.w3.org/2000/09/
> > xmldsig#"><SignedInfo><CanonicalizationMethod
> > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
> > /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-
>
> > sha1" /><Reference URI=""><Transforms><Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></
> > Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/
> > xmldsig#sha1" /><DigestValue>jYEMJxhv//WsosloT2Fw1romdAM=</
> > DigestValue></Reference></SignedInfo><SignatureValue>eAnvq46Mf
> > +DBxfnSzibiqZVX78gGQ3kEL8aOAS8DhV9fyGbohcI+0g==</
> > SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro
> > +5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC
> > 9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw
> > +FKXraAgzjV7RXCn
> > OU14Uun5Ac9R7QSPIls=</P><Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</
> > Q><G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v
> > +8aFnh6Ny6w9rveOSXjYYAAL
> > oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/
> > LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8
> > rgawabXh6AvzvOa4/Z8=</G><Y>UTQsust9OOU26ypSLU9/
> > sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2
> > D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY
> > 65fD6fbwPtGoN0pTeYw=</Y></DSAKeyValue></KeyValue></KeyInfo></
> > Signature><samlp:Status> <samlp:StatusCode
> > Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
> > <Assertion ID="cllkbjpgcloebgnlfgofbiimaaifblmpaolenkki"
> > IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
> > <Issuer>https://www.opensaml.org/IDP </Issuer> <Subject>
> > <NameID
> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
> > usuario.deprueba4 </NameID>
> > <SubjectConfirmation
> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /> </Subject>
> > <Conditions NotBefore="2003-04-17T00:46:02Z"
> > NotOnOrAfter="2008-04-17T00:51:02Z"> </Conditions>
> > <AuthnStatement
> > AuthnInstant="2007-11-13T03:11:13Z"> <AuthnContext>
> > <AuthnContextClassRef>
> > urn:oasis:names:tc:SAML:
> > 2.0:ac:classes:Password </AuthnContextClassRef>
> > </AuthnContext>
> > </AuthnStatement> </Assertion></samlp:Response>
> > </textarea>
> > <textarea rows=10 cols=80 name="RelayState">http://inicio.upr.edu</textarea>
> > </div>
> > </form>
> > </body>
>
> > </html>
>
> > ************ https://www.google.com/a/upr.edu/acs
>
> > <html><body><script>
> > var url = 'http://inicio.upr.edu';
> > var parts = (window.location+'').split('#');
> > if (parts.length == 2 && parts[1].length > 0) {
> > url += '#' + parts[1];}
>
> > window.setTimeout(function() {
> > window.location = url;}, 0);
>
> > </script></body></html>
>
> > ********* End of included pages ***********
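
A check for the RelayState handling discussed in this thread, as an added example that is not part of the original messages or of Google's sample code: it reads the form fields of each auto-submitting page in the login chain and reports whether RelayState still matches the value that arrived on the SAMLRequest URL. The URL, host names and page snippets are constructed placeholders, not the pages quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class FormFields(HTMLParser):
    """Collect name -> value for <input> and <textarea> fields of a page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields, self._area = {}, None  # _area: textarea being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""
        elif tag == "textarea" and "name" in a:
            self._area = a["name"]
            self.fields[self._area] = ""

    def handle_data(self, data):
        if self._area is not None:
            self.fields[self._area] += data

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._area = None

def relay_state_report(request_url, hop_pages):
    """Return [(hop, 'ok' | 'changed' | 'missing')] for each page in the chain.
    RelayState is opaque to the IdP, so the comparison is exact."""
    expected = parse_qs(urlsplit(request_url).query).get("RelayState", [None])[0]
    report = []
    for name, page in hop_pages:
        parser = FormFields()
        parser.feed(page)
        parser.close()
        got = parser.fields.get("RelayState")
        status = "missing" if got is None else "ok" if got == expected else "changed"
        report.append((name, status))
    return report

# Constructed sample data (not the pages from the thread); SAML values are placeholders.
REQUEST_URL = ("https://idp.example.edu/identity_provider.jsp?SAMLRequest=PLACEHOLDER"
               "&RelayState=https%3A%2F%2Fsp.example.com%2Fstart%3Fcontinue%3Dinbox")
HOPS = [
    ("session form", '<form><input type="hidden" name="SAMLRequest" value="PLACEHOLDER"/>'
     '<input type="hidden" name="RelayState" value="https://sp.example.com/start?continue=inbox"/></form>'),
    ("acs form", '<form><textarea name="SAMLResponse">PLACEHOLDER</textarea>'
     '<textarea name="RelayState">http://portal.example.edu</textarea></form>'),
    ("acs form, field dropped", '<form><textarea name="SAMLResponse">PLACEHOLDER</textarea></form>'),
]
```

Calling `relay_state_report(REQUEST_URL, HOPS)` on saved copies of each hop shows the first page at which the value is replaced or lost.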