Hi Carlos,

Right now it looks like RelayState is hard-coded as http://inicio.upr.edu

But instead, it should be taken from the RelayState parameter which you get from Google and included in the HTML forms, taking care to escape special XML characters, e.g.:

https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp?SAMLRequest=...&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin%3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui%3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue

First form:

<input type="hidden" name="RelayState" value="https://www.google.com/a/upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true"/>

Second form:

<textarea rows=10 cols=80 name="RelayState">https://www.google.com/a/upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true</textarea>

-alex

On Nov 17, 10:39 am, Cuso <[EMAIL PROTECTED]> wrote:
> Just in case, I'm waiting on the clarification for the inclusion of
> the RelayState parameter in the request. Do you mean it needs to be
> placed differently?
>
> Thanks,
> Carlos
>
> On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote:
> > I can see the RelayState parameter in the second form as:
> >
> > <textarea rows=10 cols=80 name="RelayState">http://inicio.upr.edu</textarea>
> >
> > Do you mean it should appear in a different way?
> >
> > I wonder why it would happen for one domain and not for the other. If
> > this was the cause of the problem I would expect to see the behavior
> > with both domains. Anyways, I can make any change you suggest and try
> > it out.
> >
> > Thanks,
> > Carlos
> >
> > On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > Thanks for including the HTML pages. It really helps to illustrate
> > > where the potential problems are.
> > >
> > > It looks like the RelayState parameter, which is part of the first
> > > URL:
> > >
> > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&......
> > >
> > > is not being included in the subsequent requests.
> > >
> > > The RelayState which accompanies the SAMLRequest should ultimately be
> > > submitted back to the ACS URL along with the SAMLResponse.
> > >
> > > The sample code doesn't do a good job of showing this, but that's how
> > > the RelayState parameter is meant to be used.
> > >
> > > Can you make that change and retry?
> > >
> > > -alex
> > >
> > > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
> > > > We are encountering an issue where the browser gets redirected back
> > > > and forth between the acs URL and our IdP site when logging-in a user
> > > > for the first time using the SSO API on our domain (upr.edu). We have
> > > > verified proper operation of the IdP site for the same scenario on our
> > > > test domain (ws.uprm.edu). The site also works fine with the upr.edu
> > > > domain when the user has logged in previously. The expected behavior
> > > > is for the user to see the initial page where the terms of use are
> > > > accepted and the account is "created". Instead, the browser
> > > > alternates through the following three pages in order and then starts
> > > > over with the first. This continues indefinitely. I'm using a
> > > > heavily modified version of the SAML library provided by Google,
> > > > although the pages look alike. The first two pages are part of our
> > > > IdP and it works pretty much like the Google SSO library, with changes
> > > > made to increase security and robustness. The third page is what we
> > > > get from the acs when our IdP sends the SAMLResponse.
> > > >
> > > > I suspect the acs is not redirecting the user correctly to the "Terms
> > > > Acceptance" page, and as such has not finished granting her access to
> > > > the account, but it redirects her to the start page, which will in
> > > > turn send a SAMLRequest back to the IdP. And the cycle goes on... Of
> > > > course, I might be missing something too.
> > > >
> > > > *************
> > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
> > > >
> > > > <title>Portal de Servicios Electrónicos - Universidad de Puerto Rico</title>
> > > > <meta content="noindex,nofollow" name="robots">
> > > > <style type="text/css"><!--
> > > > body {background-color: #ffffff}
> > > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > > body {margin-top:2}
> > > >
> > > > .c {width: 4; height: 4}
> > > >
> > > > .bubble {background-color:#C3D9FF}
> > > >
> > > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
> > > >
> > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding: 15px; margin: 0 15px 0 0; text-align: center;}
> > > > .x, .x td {font-size: 80%}
> > > > .x table {margin: 0px; text-align: left;}
> > > > .x p {text-align: left;}
> > > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
> > > >
> > > > .errormsg {color: #cc0000}
> > > > --> </style> </head>
> > > >
> > > > <body onload="document.ValidSessionForm.submit();">
> > > >
> > > > <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> -->
> > > >
> > > > <form name="ValidSessionForm" action="SAMLResponseServlet" method="post">
> > > > <input type="hidden" name="SAMLRequest" value="fVLJTsMwEL0j8Q
> > > > +W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/
> > > > D3pCkVcKDX8VvHM519qI5swaI0OqVJGFMCWphK6ialL
> > > > +VdcE1n2fnZFLnqepZ7t9FLePeAjgxMjWx8SKm3mhmOEpnmCpA5wVb54wObhDHrrXFGmI6SxW1KW1EJ0ai11m3bbuoO1gOj0UZLxXuoVNvzpuZqQ8nrMdZkH2uB6GGh0XHthlEcXwVJEiQXZXzFkgt2Gb9RUnw73Uh9aHAq1voAQnZflkVQPK/
> > > > KUWArK7BPAzqljTFNB6EwipIcEawb4syNRq/
> > > > ArsBupYCX5UNKN871yKJot9uFP6SIR763IVQ
> > > > +4gL3DQqOKLeDsrMeaDZulY3F7K91no7Nj0Fo9mM1jX5JZd+/tS
> > > > +xuC1MJ8UnybvO7OYWuDvakztjFXf/
> > > > uyVhMk5kFdQjlHmNPQhZS6goibKD69+zGI7lCw=="/>
> > > > <input type="hidden" name="RelayState" value="http://inicio.upr.edu"/>
> > > > <input type="hidden" name="returnPage" value="identity_provider.jsp"/>
> > > > <input type="hidden" name="samlAction" value="Generate SAML Response"/>
> > > > <input type="hidden" name="username" value="usuario.deprueba4"/>
> > > > </form>
> > > > </body>
> > > > </html>
> > > >
> > > > ****************
> > > > https://gaemail.upr.edu/GAESSO/SAMLResponseServlet
> > > >
> > > > <!--
> > > > Copyright (C) 2006 Google Inc.
> > > >
> > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > you may not use this file except in compliance with the License.
> > > > You may obtain a copy of the License at
> > > >
> > > > http://www.apache.org/licenses/LICENSE-2.0
> > > >
> > > > Unless required by applicable law or agreed to in writing, software
> > > > distributed under the License is distributed on an "AS IS" BASIS,
> > > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> > > > See the License for the specific language governing permissions and
> > > > limitations under the License.
> > > > -->
> > > >
> > > > <html>
> > > > <head>
> > > > <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
> > > > <title>Portal de Servicios Electrónicos - Universidad de Puerto Rico</title>
> > > > <meta content="noindex,nofollow" name="robots">
> > > > <style type="text/css"><!--
> > > > body {background-color: #ffffff}
> > > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > > body {margin-top:2}
> > > >
> > > > .c {width: 4; height: 4}
> > > >
> > > > .bubble {background-color:#C3D9FF}
> > > >
> > > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
> > > >
> > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding: 15px; margin: 0 15px 0 0; text-align: center;}
> > > > .x, .x td {font-size: 80%}
> > > > .x table {margin: 0px; text-align: left;}
> > > > .x p {text-align: left;}
> > > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
> > > >
> > > > .errormsg {color: #cc0000}
> > > > --> </style> </head>
> > > >
> > > > <body onload="document.acsForm.submit();">
> > > >
> > > > <form name="acsForm" action="https://www.google.com/a/upr.edu/acs" method="post" > <!-- target="_blank"> -->
> > > > <div style="display: none">
> > > > <textarea rows=10 cols=80 name="SAMLResponse"><?xml version="1.0" encoding="UTF-8"?>
> > > > <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> > > > ID="cnmgjabfkgohhpglmnlidfhghhobccfgjehfkeid"
> > > > IssueInstant="2007-11-13T03:11:13Z" Version="2.0"> <Signature
> > > > xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod
> > > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
> > > > /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
> > > > /><Reference URI=""><Transforms><Transform
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod
> > > > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>jYEMJxhv//WsosloT2Fw1romdAM=</DigestValue></Reference></SignedInfo><SignatureValue>eAnvq46Mf
> > > > +DBxfnSzibiqZVX78gGQ3kEL8aOAS8DhV9fyGbohcI+0g==</SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro
> > > > +5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC
> > > > 9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw
> > > > +FKXraAgzjV7RXCn
> > > > OU14Uun5Ac9R7QSPIls=</P><Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</Q><G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v
> > > > +8aFnh6Ny6w9rveOSXjYYAAL
> > > > oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/
> > > > LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8
> > > > rgawabXh6AvzvOa4/Z8=</G><Y>UTQsust9OOU26ypSLU9/
> > > > sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2
> > > > D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY
> > > > 65fD6fbwPtGoN0pTeYw=</Y></DSAKeyValue></KeyValue></KeyInfo></Signature><samlp:Status> <samlp:StatusCode
> > > > Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
> > > > </samlp:Status>
> > > > <Assertion ID="cllkbjpgcloebgnlfgofbiimaaifblmpaolenkki"
> > > > IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
> > > > <Issuer>https://www.opensaml.org/IDP </Issuer>
> > > > <Subject> <NameID
> > > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
> > > > usuario.deprueba4 </NameID>
> > > > <SubjectConfirmation
> > ...
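The pass-through Alex describes at the top of this thread (take RelayState from the request, escape it for the two forms, post it back to the ACS next to the SAMLResponse), as an added Python example that is not code from this thread or from Google's sample library; Python is used instead of the IdP's JSP so it can run stand-alone. The URL is a constructed, shortened sample modelled on the one Alex quotes, with a placeholder SAMLRequest, and the field names are those used in the forms above.

```python
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlsplit

# Constructed sample, shortened from the request URL quoted in Alex's reply;
# the SAMLRequest value is a placeholder, not a real authn request.
SAMPLE_AUTHN_URL = (
    "https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp"
    "?SAMLRequest=PLACEHOLDER"
    "&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin"
    "%3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F%2F"
    "partnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid%253Dupr.edu"
)

def relay_state_from_request(url):
    """Percent-decoded RelayState from the SP's request URL, or None if absent.
    The IdP treats it as an opaque token: never hard-code it, never follow it."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("RelayState")
    return values[0] if values else None

def hidden_input(name, value):
    """Hidden <input>; the value is escaped for an attribute (&, <, >, ", ')."""
    return '<input type="hidden" name="%s" value="%s"/>' % (
        escape(name, quote=True), escape(value, quote=True))

def textarea_field(name, value):
    """<textarea> field as in the library's second form; element content needs
    &, <, > escaped (a raw &ltmpl=... would otherwise be read as a < character)."""
    return '<textarea rows="10" cols="80" name="%s">%s</textarea>' % (
        escape(name, quote=True), escape(value))

def acs_post_fields(saml_response_xml, relay_state):
    """Fields of the final auto-submitting POST to the ACS: the SAMLResponse plus,
    unchanged, whatever RelayState arrived with the SAMLRequest."""
    fields = [textarea_field("SAMLResponse", saml_response_xml)]
    if relay_state is not None:
        fields.append(textarea_field("RelayState", relay_state))
    return "\n".join(fields)

_ATTR = re.compile(r'name="RelayState" value="([^"]*)"')
_TEXT = re.compile(r'name="RelayState">(.*?)</textarea>', re.S)

def relay_state_round_trips(url):
    """True if the value survives request -> form 1 -> form 2 -> ACS POST intact."""
    incoming = relay_state_from_request(url)
    if incoming is None:
        return False
    posted1 = unescape(_ATTR.search(hidden_input("RelayState", incoming)).group(1))
    form2 = acs_post_fields("<samlp:Response/>", posted1)
    posted2 = unescape(_TEXT.search(form2).group(1))
    return posted2 == incoming
```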
