Thank you!  This solved the issue.

On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> Hi Carlos,
>
> Right now it looks like RelayState is hard-coded as http://inicio.upr.edu
>
> But instead, it should be taken from the RelayState parameter which
> you get from Google and included in the HTML forms, taking care to
> escape special XML characters, e.g.:
>
> https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp
> ?SAMLRequest=...
> &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin
> %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F
> %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid
> %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu
> %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault
> %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F
> %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui
> %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue
>
> First form:
>
> <input type="hidden" name="RelayState" value="https://www.google.com/a/upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true"/>
>
>
>
> Second form:
>
> <textarea rows=10 cols=80 name="RelayState">https://www.google.com/a/upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url%3Dhttp://partnerpage.google.com/upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true</textarea>
>
> -alex
>
> On Nov 17, 10:39 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > Just in case, I'm waiting on the clarification for the inclusion of
> > the RelayState parameter in the request.  Do you mean it needs to be
> > placed differently?
>
> > Thanks,
> > Carlos
>
> > On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > I can see the RelayState parameter in the second form as:
>
> > >              <textarea rows=10 cols=80 name="RelayState">http://inicio.upr.edu</textarea>
>
> > > Do you mean it should appear in a different way?
>
> > > I wonder why it would happen for one domain and not for the other.  If
> > > this was the cause of the problem I would expect to see the behavior
> > > with both domains.  Anyways, I can make any change you suggest and try
> > > it out.
>
> > > Thanks,
> > > Carlos
> > > On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > Hi,
>
> > > > Thanks for including the HTML pages.  It really helps to illustrate
> > > > where the potential problems are.
>
> > > > It looks like the RelayState parameter, which is part of the first
> > > > URL:
>
> > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&;......
>
> > > > is not being included in the subsequent requests.
>
> > > > The RelayState which accompanies the SAMLRequest should ultimately be
> > > > submitted back to the ACS URL along with the SAMLResponse.
>
> > > > The sample code doesn't do a good job of showing this, but that's how
> > > > the RelayState parameter is meant to be used.
>
> > > > Can you make that change and retry?
>
> > > > -alex
>
> > > > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > We are encountering an issue where the browser gets redirected back
> > > > > and forth between the acs URL and our IdP site when logging-in a user
> > > > > for the first time using the SSO API on our domain (upr.edu).  We have
> > > > > verified proper operation of the IdP site for the same scenario on our
> > > > > test domain (ws.uprm.edu).  The site also works fine with the upr.edu
> > > > > domain when the user has logged in previously.  The expected behavior
> > > > > is for the user to see the initial page where the terms of use are
> > > > > accepted and the account is "created".  Instead, the browser
> > > > > alternates through the following three pages in order and then starts
> > > > > over with the first.  This continues indefinitely.  I'm using a
> > > > > heavily modified version of the SAML library provided by Google,
> > > > > although the pages look alike.  The first two pages are part of our
> > > > > > IdP and it works pretty much like the Google SSO library, with changes
> > > > > made to increase security and robustness.  The third page is what we
> > > > > get from the acs when our IdP sends the SAMLResponse.
>
> > > > > I suspect the acs is not redirecting the user correctly to the "Terms
> > > > > Acceptance" page, and as such has not finished granting her access to
> > > > > the account, but it redirects her to the start page, which will in
> > > > > turn send a SAMLRequest back to the IdP.  And the cycle goes on...  Of
> > > > > course, I might be missing something too.
>
> > > > > *************  
> > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
>
> > > > > <title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
> > > > > Rico</title>
> > > > > <meta content="noindex,nofollow" name="robots">
> > > > > <style type="text/css"><!--
> > > > > body {background-color: #ffffff}
> > > > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > > > body {margin-top:2}
>
> > > > > .c {width: 4; height: 4}
>
> > > > > .bubble {background-color:#C3D9FF}
>
> > > > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > > > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > > > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > > > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> > > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> > > > > 15px; margin: 0 15px 0 0; text-align: center;}
> > > > > .x, .x td {font-size: 80%}
> > > > > .x table {margin: 0px; text-align: left;}
> > > > > .x p {text-align: left;}
> > > > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > > > > .errormsg {color: #cc0000}
> > > > > --> </style> </head>
>
> > > > >    <body onload="document.ValidSessionForm.submit();">
>
> > > > >       <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> -->
>
> > > > >       <form name="ValidSessionForm" action="SAMLResponseServlet"
> > > > > method="post">
> > > > >         <input type="hidden" name="SAMLRequest" value="fVLJTsMwEL0j8Q
> > > > > +W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/
> > > > > D3pCkVcKDX8VvHM519qI5swaI0OqVJGFMCWphK6ialL
> > > > > +VdcE1n2fnZFLnqepZ7t9FLePeAjgxMjWx8SKm3mhmOEpnmCpA5wVb54wObhDHrrXFGmI6SxW1KW1EJ0ai11m3bbuoO1gOj0UZLxXuoVNvzpuZqQ8nrMdZkH2uB6GGh0XHthlEcXwVJEiQXZXzFkgt2Gb9RUnw73Uh9aHAq1voAQnZflkVQPK/
> > > > > KUWArK7BPAzqljTFNB6EwipIcEawb4syNRq/
> > > > > ArsBupYCX5UNKN871yKJot9uFP6SIR763IVQ
> > > > > +4gL3DQqOKLeDsrMeaDZulY3F7K91no7Nj0Fo9mM1jX5JZd+/tS
> > > > > +xuC1MJ8UnybvO7OYWuDvakztjFXf/
> > > > > uyVhMk5kFdQjlHmNPQhZS6goibKD69+zGI7lCw=="/>
> > > > >         <input type="hidden" name="RelayState" value="http://
> > > > > inicio.upr.edu"/>
> > > > >         <input type="hidden" name="returnPage"
> > > > > value="identity_provider.jsp"/>
> > > > >         <input type="hidden" name="samlAction" value="Generate SAML
> > > > > Response"/>
> > > > >        <input type="hidden" name="username" value="usuario.deprueba4"/
>
> > > > >       </form>
> > > > > </body>
>
> > > > > </html>
>
> > > > > ****************  https://gaemail.upr.edu/GAESSO/SAMLResponseServlet
>
> > > > > <!--
> > > > > Copyright (C) 2006 Google Inc.
>
> > > > > Licensed under the Apache License, Version 2.0 (the "License");
> > > > > you may not use this file except in compliance with the License.
> > > > > You may obtain a copy of the License at
>
> > > > >      http://www.apache.org/licenses/LICENSE-2.0
>
> > > > >      Unless required by applicable law or agreed to in writing,
> > > > > software
> > > > >      distributed under the License is distributed on an "AS IS" BASIS,
> > > > >      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> > > > > implied.
> > > > >      See the License for the specific language governing permissions
> > > > > and
> > > > >      limitations under the License.
> > > > > -->
>
> > > > > <html>
> > > > > <head>
> > > > > <meta http-equiv="Content-Type" content="text/html;
> > > > > charset=iso-8859-1">
> > > > > <title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
> > > > > Rico</title>
> > > > > <meta content="noindex,nofollow" name="robots">
> > > > > <style type="text/css"><!--
> > > > > body {background-color: #ffffff}
> > > > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > > > body {margin-top:2}
>
> > > > > .c {width: 4; height: 4}
>
> > > > > .bubble {background-color:#C3D9FF}
>
> > > > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> > > > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> > > > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> > > > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> > > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> > > > > 15px; margin: 0 15px 0 0; text-align: center;}
> > > > > .x, .x td {font-size: 80%}
> > > > > .x table {margin: 0px; text-align: left;}
> > > > > .x p {text-align: left;}
> > > > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > > > > .errormsg {color: #cc0000}
> > > > > --> </style> </head>
>
> > > > >  <body  onload="document.acsForm.submit();">
>
> > > > >      <form name="acsForm" action="https://www.google.com/a/upr.edu/
> > > > > acs" method="post" > <!-- target="_blank"> -->
> > > > >          <div style="display: none">
> > > > >              <textarea rows=10 cols=80 name="SAMLResponse"><?xml
> > > > > version="1.0" encoding="UTF-8"?>
> > > > > <samlp:Response
>
> ...
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Apps APIs" group.
-~----------~----~----~----~------~----~------~--~---
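
The fix discussed in this thread, as an added example (Python for brevity; it is not the JSP from the thread and not Google's sample code): read RelayState from the incoming request instead of hard-coding it, escape it when writing it into either form, and post it to the ACS together with the SAMLResponse. The function names and the shortened, constructed request URL are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request, modelled on the URL quoted above; SAMLRequest is a placeholder.
REQUEST_URL = (
    "https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp"
    "?SAMLRequest=PLACEHOLDER"
    "&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin"
    "%3Fservice%3Dig%26passive%3Dtrue%26ltmpl%3Ddefault%26go%3Dtrue"
)
ACS_URL = "https://www.google.com/a/upr.edu/acs"


def relay_state_from_request(url):
    """Return the URL-decoded RelayState the SP sent, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("RelayState")
    if not values:
        return None
    if len(values) != 1:
        raise ValueError("RelayState supplied more than once")
    return values[0]


def hidden_field(name, value):
    """First form: hidden input, value escaped for a quoted attribute."""
    return '<input type="hidden" name="%s" value="%s"/>' % (
        name, html.escape(value, quote=True))


def acs_form(saml_response_xml, relay_state):
    """Second form: SAMLResponse and RelayState posted together to the ACS."""
    return (
        '<form name="acsForm" action="%s" method="post">\n'
        '<textarea name="SAMLResponse">%s</textarea>\n'
        '<textarea name="RelayState">%s</textarea>\n'
        "</form>"
    ) % (html.escape(ACS_URL, quote=True),
         html.escape(saml_response_xml, quote=False),
         html.escape(relay_state, quote=False))


def decode_character_references(text):
    """What an HTML parser hands back for text content (html.unescape)."""
    return html.unescape(text)
```

Written unescaped, the `&ltmpl=default` in this RelayState decodes as `<mpl=default`, so the value posted back would no longer match what was received; escaped, it round-trips unchanged.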
