Just in case, I'm waiting on the clarification for the inclusion of
the RelayState parameter in the request.  Do you mean it needs to be
placed differently?

Thanks,
Carlos

On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote:
> I can see the RelayState parameter in the second form as:
>
>              <textarea rows=10 cols=80 name="RelayState">http://
> inicio.upr.edu</textarea>
>
> Do you mean it should appear in a different way?
>
> I wonder why it would happen for one domain and not for the other.  If
> this was the cause of the problem I would expect to see the behavior
> with both domains.  Anyways, I can make any change you suggest and try
> it out.
>
> Thanks,
> Carlos
> On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > Hi,
>
> > Thanks for including the HTML pages.  It really helps to illustrate
> > where the potential problems are.
>
> > It looks like the RelayState parameter, which is part of the first
> > URL:
>
> > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&......
>
> > is not being included in the subsequent requests.
>
> > The RelayState which accompanies the SAMLRequest should ultimately be
> > submitted back to the ACS URL along with the SAMLResponse.
>
> > The sample code doesn't do a good job of showing this, but that's how
> > the RelayState parameter is meant to be used.
>
> > Can you make that change and retry?
>
> > -alex
>
> > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > We are encountering an issue where the browser gets redirected back
> > > and forth between the acs URL and our IdP site when logging-in a user
> > > for the first time using the SSO API on our domain (upr.edu).  We have
> > > verified proper operation of the IdP site for the same scenario on our
> > > test domain (ws.uprm.edu).  The site also works fine with the upr.edu
> > > domain when the user has logged in previously.  The expected behavior
> > > is for the user to see the initial page where the terms of use are
> > > accepted and the account is "created".  Instead, the browser
> > > alternates through the following three pages in order and then starts
> > > over with the first.  This continues indefinitely.  I'm using a
> > > heavily modified version of the SAML library provided by Google,
> > > although the pages look alike.  The first two pages are part of our
> > > > IdP and it works pretty much like the Google SSO library, with changes
> > > made to increase security and robustness.  The third page is what we
> > > get from the acs when our IdP sends the SAMLResponse.
>
> > > I suspect the acs is not redirecting the user correctly to the "Terms
> > > Acceptance" page, and as such has not finished granting her access to
> > > the account, but it redirects her to the start page, which will in
> > > turn send a SAMLRequest back to the IdP.  And the cycle goes on...  Of
> > > course, I might be missing something too.
>
> > > *************  
> > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
>
> > > <title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
> > > Rico</title>
> > > <meta content="noindex,nofollow" name="robots">
> > > <style type="text/css"><!--
> > > body {background-color: #ffffff}
> > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > body {margin-top:2}
>
> > > .c {width: 4; height: 4}
>
> > > .bubble {background-color:#C3D9FF}
>
> > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> > > 15px; margin: 0 15px 0 0; text-align: center;}
> > > .x, .x td {font-size: 80%}
> > > .x table {margin: 0px; text-align: left;}
> > > .x p {text-align: left;}
> > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > > .errormsg {color: #cc0000}
> > > --> </style> </head>
>
> > >    <body onload="document.ValidSessionForm.submit();">
>
> > >       <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> -->
>
> > >       <form name="ValidSessionForm" action="SAMLResponseServlet"
> > > method="post">
> > >         <input type="hidden" name="SAMLRequest" value="fVLJTsMwEL0j8Q
> > > +W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/
> > > D3pCkVcKDX8VvHM519qI5swaI0OqVJGFMCWphK6ialL
> > > +VdcE1n2fnZFLnqepZ7t9FLePeAjgxMjWx8SKm3mhmOEpnmCpA5wVb54wObhDHrrXFGmI6SxW1KW1EJ0ai11m3bbuoO1gOj0UZLxXuoVNvzpuZqQ8nrMdZkH2uB6GGh0XHthlEcXwVJEiQXZXzFkgt2Gb9RUnw73Uh9aHAq1voAQnZflkVQPK/
> > > KUWArK7BPAzqljTFNB6EwipIcEawb4syNRq/
> > > ArsBupYCX5UNKN871yKJot9uFP6SIR763IVQ
> > > +4gL3DQqOKLeDsrMeaDZulY3F7K91no7Nj0Fo9mM1jX5JZd+/tS
> > > +xuC1MJ8UnybvO7OYWuDvakztjFXf/
> > > uyVhMk5kFdQjlHmNPQhZS6goibKD69+zGI7lCw=="/>
> > >         <input type="hidden" name="RelayState" value="http://
> > > inicio.upr.edu"/>
> > >         <input type="hidden" name="returnPage"
> > > value="identity_provider.jsp"/>
> > >         <input type="hidden" name="samlAction" value="Generate SAML
> > > Response"/>
> > >        <input type="hidden" name="username" value="usuario.deprueba4"/
>
> > >       </form>
> > > </body>
>
> > > </html>
>
> > > ****************  https://gaemail.upr.edu/GAESSO/SAMLResponseServlet
>
> > > <!--
> > > Copyright (C) 2006 Google Inc.
>
> > > Licensed under the Apache License, Version 2.0 (the "License");
> > > you may not use this file except in compliance with the License.
> > > You may obtain a copy of the License at
>
> > >      http://www.apache.org/licenses/LICENSE-2.0
>
> > >      Unless required by applicable law or agreed to in writing,
> > > software
> > >      distributed under the License is distributed on an "AS IS" BASIS,
> > >      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > implied.
> > >      See the License for the specific language governing permissions
> > > and
> > >      limitations under the License.
> > > -->
>
> > > <html>
> > > <head>
> > > <meta http-equiv="Content-Type" content="text/html;
> > > charset=iso-8859-1">
> > > <title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
> > > Rico</title>
> > > <meta content="noindex,nofollow" name="robots">
> > > <style type="text/css"><!--
> > > body {background-color: #ffffff}
> > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > body {margin-top:2}
>
> > > .c {width: 4; height: 4}
>
> > > .bubble {background-color:#C3D9FF}
>
> > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> > > 15px; margin: 0 15px 0 0; text-align: center;}
> > > .x, .x td {font-size: 80%}
> > > .x table {margin: 0px; text-align: left;}
> > > .x p {text-align: left;}
> > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > > .errormsg {color: #cc0000}
> > > --> </style> </head>
>
> > >  <body  onload="document.acsForm.submit();">
>
> > >      <form name="acsForm" action="https://www.google.com/a/upr.edu/
> > > acs" method="post" > <!-- target="_blank"> -->
> > >          <div style="display: none">
> > >              <textarea rows=10 cols=80 name="SAMLResponse"><?xml
> > > version="1.0" encoding="UTF-8"?>
> > > <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
> > > > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> > > ID="cnmgjabfkgohhpglmnlidfhghhobccfgjehfkeid"
> > > IssueInstant="2007-11-13T03:11:13Z" Version="2.0">       <Signature
> > > xmlns="http://www.w3.org/2000/09/
> > > xmldsig#"><SignedInfo><CanonicalizationMethod 
> > > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
> > > /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-
>
> > > sha1" /><Reference URI=""><Transforms><Transform 
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></
> > > Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/
> > > xmldsig#sha1" /><DigestValue>jYEMJxhv//WsosloT2Fw1romdAM=</
> > > DigestValue></Reference></SignedInfo><SignatureValue>eAnvq46Mf
> > > +DBxfnSzibiqZVX78gGQ3kEL8aOAS8DhV9fyGbohcI+0g==</
> > > SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro
> > > +5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC
> > > 9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw
> > > +FKXraAgzjV7RXCn
> > > OU14Uun5Ac9R7QSPIls=</P><Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</
> > > Q><G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v
> > > +8aFnh6Ny6w9rveOSXjYYAAL
> > > oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/
> > > LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8
> > > rgawabXh6AvzvOa4/Z8=</G><Y>UTQsust9OOU26ypSLU9/
> > > sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2
> > > D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY
> > > 65fD6fbwPtGoN0pTeYw=</Y></DSAKeyValue></KeyValue></KeyInfo></
> > > Signature><samlp:Status>               <samlp:StatusCode
> > > Value="urn:oasis:names:tc:SAML:2.0:status:Success" />      </samlp:Status>
> > > <Assertion ID="cllkbjpgcloebgnlfgofbiimaaifblmpaolenkki"
> > > IssueInstant="2003-04-17T00:46:02Z" Version="2.0">               
> > > <Issuer>https://www.opensaml.org/IDP          </Issuer>         <Subject> 
> > >                 <NameID
> > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
> > > usuario.deprueba4                       </NameID>                 
> > > <SubjectConfirmation
> > > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />          </Subject>
> > > <Conditions NotBefore="2003-04-17T00:46:02Z"
> > > NotOnOrAfter="2008-04-17T00:51:02Z">               </Conditions>          
> > >    <AuthnStatement
> > > AuthnInstant="2007-11-13T03:11:13Z">                       <AuthnContext>
> > > <AuthnContextClassRef>                                    
> > > urn:oasis:names:tc:SAML:
> > > 2.0:ac:classes:Password                         </AuthnContextClassRef>   
> > >                 </AuthnContext>
> > > </AuthnStatement> </Assertion></samlp:Response>
> > >  </textarea>
>
> ...
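
The check Alex describes, as an added example that is not part of any message in this thread: a Python sketch that compares the RelayState an IdP received on its request URL with the one carried by the auto-submitted form it sends to the ACS. The hosts, the placeholder values and the names `FormFields` and `check_relay_state` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class FormFields(HTMLParser):
    """Collect name -> value for the <input> and <textarea> fields of a page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = {}
        self._open_textarea = None  # name of the <textarea> currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""
        elif tag == "textarea" and a.get("name"):
            self._open_textarea = a["name"]
            self.fields[a["name"]] = ""

    def handle_data(self, data):
        if self._open_textarea is not None:
            self.fields[self._open_textarea] += data

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._open_textarea = None

def check_relay_state(idp_request_url, acs_form_html):
    """Compare the RelayState the IdP received with the one posted to the ACS."""
    sent = parse_qs(urlsplit(idp_request_url).query).get("RelayState", [None])[0]
    form = FormFields()
    form.feed(acs_form_html)
    form.close()
    if sent is None:
        return "not-in-request"   # the request URL carried no RelayState
    if "SAMLResponse" not in form.fields:
        return "no-samlresponse"  # this page is not the ACS post form
    echoed = form.fields.get("RelayState")
    if echoed is None:
        return "missing"          # RelayState dropped between request and response
    return "ok" if echoed == sent else "altered"  # must match exactly

# Constructed sample input (placeholder hosts and values, not taken from the thread).
REQUEST_URL = ("https://idp.example.edu/sso?SAMLRequest=PLACEHOLDER"
               "&RelayState=http%3A%2F%2Fstart.example.edu")
ACS_FORM = """<form action="https://acs.example.com/acs" method="post">
<textarea name="SAMLResponse">PLACEHOLDER</textarea>
<textarea name="RelayState">http://start.example.edu</textarea></form>"""
if __name__ == "__main__":
    print(check_relay_state(REQUEST_URL, ACS_FORM))
```
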