Alex,
Some extra information on this issue:
The user gets logged on, actually. If I stop the cycle (by
clicking on the browser stop button) and then try
http://www.google.com/a/upr.edu
I get the dashboard as the user I was trying to log on if it is an
administrator, otherwise I get the Google apps logon page telling me I
need to be an admin to get to the dashboard. So the acs is creating
the session, but is not redirecting the browser correctly or the start
page is not recognizing the session.
Thought it might help you...
Thanks,
Carlos
On Nov 26, 9:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
> Hello Alex,
>
> We get the cycle by accessinghttp://inicio.upr.edu, which is our
> start page fqdn. Your SP code redirects the user to the IdP without
> showing the start page. The three pages in the cycle show up just
> after the submit button is pressed on our IdP sign-in page.
>
> Thanks,
> Carlos
>
> Alex (Google) wrote:
> > Hi Carlos,
>
> > Did you get the infinite loop using the Gmail gadget Sign in link?
> > That Sign in link is broken (we're working on a fix).
>
> > Can you try the Sign in link in the upper right corner of the start
> > page?
>
> > -alex
>
> > On Nov 20, 5:59 am, Cuso <[EMAIL PROTECTED]> wrote:
> > > Well, I thought it was solved, but I'm still getting the cycle...
> > > Here is the acs page:
>
> > > <html><body><script>
> > > var url = 'https://www.google.com/a/upr.edu/ServiceLogin?service\075ig
> > > \046passive\075false\046continue\075http://partnerpage.google.com/
> > > upr.edu\046followup\075http://partnerpage.google.com/upr.edu\046cd
> > > \075US\046hl\075en\046nui\0751\046ltmpl\075default';
> > > var parts = (window.location+'').split('#');
> > > if (parts.length == 2 && parts[1].length > 0) {
> > > url += '#' + parts[1];}
>
> > > window.setTimeout(function() {
> > > window.location = url;}, 0);
>
> > > </script></body></html>
>
> > > I had not tested the fix correctly before. Any ideas?
>
> > > Thanks,
> > > Carlos
> > > On Nov 18, 6:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > Thank you! This solved the issue.
>
> > > > On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > > Hi Carlos,
>
> > > > > Right now it looks like RelayState is hard-coded
> > > > > ashttp://inicio.upr.edu
>
> > > > > But instead, it should be taken from the RelayState parameter which
> > > > > you get from Google and included in the HTML forms, taking care to
> > > > > escape special XML characters, e.g.:
>
> > > > >https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp
> > > > > ?SAMLRequest=...
> > > > > &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin
> > > > > %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F
> > > > > %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid
> > > > > %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu
> > > > > %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault
> > > > > %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F
> > > > > %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui
> > > > > %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue
>
> > > > > First form:
>
> > > > > <input type="hidden" name="RelayState"
> > > > > value="https://www.google.com/a/
> > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http://
> > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > %3Dhttp://partnerpage.google.com/upr.edu&followup=http://
> > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > %3Dhttp://partnerpage.google.com/
> > > > > upr.edu&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true"/
>
> > > > > Second form:
>
> > > > > <textarea rows=10 cols=80 name="RelayState">https://www.google.com/a/
> > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http://
> > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > %3Dhttp://partnerpage.google.com/upr.edu&followup=http://
> > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > %3Dhttp://partnerpage.google.com/
> > > > > upr.edu&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true</
> > > > > textarea>
>
> > > > > -alex
>
> > > > > On Nov 17, 10:39 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > Just in case, I'm waiting on the clarification for the inclusion of
> > > > > > the RelayState parameter in the request. Do you mean it needs to be
> > > > > > placed differently?
>
> > > > > > Thanks,
> > > > > > Carlos
>
> > > > > > On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > I can see the RelayState parameter in the second form as:
>
> > > > > > > <textarea rows=10 cols=80 name="RelayState">http://
> > > > > > > inicio.upr.edu</textarea>
>
> > > > > > > Do you mean it should appear in a different way?
>
> > > > > > > I wonder why it would happen for one domain and not for the
> > > > > > > other. If
> > > > > > > this was the cause of the problem I would expect to see the
> > > > > > > behavior
> > > > > > > with both domains. Anyways, I can make any change you suggest
> > > > > > > and try
> > > > > > > it out.
>
> > > > > > > Thanks,
> > > > > > > Carlos
> > > > > > > On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > Hi,
>
> > > > > > > > Thanks for including the HTML pages. It really helps to
> > > > > > > > illustrate
> > > > > > > > where the potential problems are.
>
> > > > > > > > It looks like the RelayState parameter, which is part of the
> > > > > > > > first
> > > > > > > > URL:
>
> > > > > > > >https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&;......
>
> > > > > > > > is not being included in the subsequent requests.
>
> > > > > > > > The RelayState which accompanies the SAMLRequest should
> > > > > > > > ultimately be
> > > > > > > > submitted back to the ACS URL along with the SAMLResponse.
>
> > > > > > > > The sample code doesn't do a good job of showing this, but
> > > > > > > > that's how
> > > > > > > > the RelayState parameter is meant to be used.
>
> > > > > > > > Can you make that change and retry?
>
> > > > > > > > -alex
>
> > > > > > > > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > We are encountering an issue where the browser gets
> > > > > > > > > redirected back
> > > > > > > > > and forth between the acs URL and our IdP site when
> > > > > > > > > logging-in a user
> > > > > > > > > for the first time using the SSO API on our domain (upr.edu).
> > > > > > > > > We have
> > > > > > > > > verified proper operation of the IdP site for the same
> > > > > > > > > scenario on our
> > > > > > > > > test domain (ws.uprm.edu). The site also works fine with the
> > > > > > > > > upr.edu
> > > > > > > > > domain when the user has logged in previously. The expected
> > > > > > > > > behavior
> > > > > > > > > is for the user to see the initial page where the terms of
> > > > > > > > > use are
> > > > > > > > > accepted and the account is "created". Instead, the browser
> > > > > > > > > alternates through the following three pages in order and
> > > > > > > > > then starts
> > > > > > > > > over with the first. This continues indefinitely. I'm using
> > > > > > > > > a
> > > > > > > > > heavily modified version of the SAML library provided by
> > > > > > > > > Google,
> > > > > > > > > although the pages look alike. The first two pages are part
> > > > > > > > > of our
> > > > > > > > > IdP and it works pretty much like the Gogle SSO library, with
> > > > > > > > > changes
> > > > > > > > > made to increase security and robustness. The third page is
> > > > > > > > > what we
> > > > > > > > > get from the acs when our IdP sends the SAMLResponse.
>
> > > > > > > > > I suspect the acs is not redirecting the user correctly to
> > > > > > > > > the "Terms
> > > > > > > > > Acceptance" page, and as such has not finished granting her
> > > > > > > > > access to
> > > > > > > > > the account, but it redirects her to the start page, which
> > > > > > > > > will in
> > > > > > > > > turn send a SAMLRequest back to the IdP. And the cycle goes
> > > > > > > > > on... Of
> > > > > > > > > course, I might be missing something too.
>
> > > > > > > > > *************
> > > > > > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
>
> > > > > > > > > <title>Portal de Servicios Electrónicos - Universidad
> > > > > > > > > de Puerto
> > > > > > > > > Rico</title>
> > > > > > > > > <meta content="noindex,nofollow" name="robots">
> > > > > > > > > <style type="text/css"><!--
> > > > > > > > > body {background-color: #ffffff}
> > > > > > > > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > > > > > > > body {margin-top:2}
>
> > > > > > > > > .c {width: 4; height: 4}
>
> > > > > > > > > .bubble {background-color:#C3D9FF}
>
> > > > > > > > > .tl {padding: 0; width: 4; text-align: left; vertical-align:
> > > > > > > > > top}
> > > > > > > > > .tr {padding: 0; width: 4; text-align: right; vertical-align:
> > > > > > > > > top}
> > > > > > > > > .bl {padding: 0; width: 4; text-align: left; vertical-align:
> > > > > > > > > bottom}
> > > > > > > > > .br {padding: 0; width: 4; text-align: right; vertical-align:
> > > > > > > > > bottom}
>
> > > > > > > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a;
> > > > > > > > > padding:
> > > > > > > > > 15px; margin: 0 15px 0 0; text-align: center;}
> > > > > > > > > .x, .x td {font-size: 80%}
> > > > > > > > > .x table {margin: 0px; text-align: left;}
> > > > > > > > > .x p {text-align: left;}
> > > > > > > > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> > > > > > > > > .errormsg {color: #cc0000}
> > > > > > > > > --> </style> </head>
>
> > > > > > > > > <body onload="document.ValidSessionForm.submit();">
>
> > > > > > > > > <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> -->
>
> > > > > > > > > <form name="ValidSessionForm"
> > > > > > > > > action="SAMLResponseServlet"
> > > > > > > > > method="post">
> > > > > > > > > <input type="hidden" name="SAMLRequest"
> > > > > > > > > value="fVLJTsMwEL0j8Q
> > > > > > > > > +W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/
> > > > > > > > > D3pCkVcKDX8VvHM519qI5swaI0OqVJGFMCWphK6ialL
> > > > > > > > > +VdcE1n2fnZFLnqepZ7t9FLePeAjgxMjWx8SKm3mhmOEpnmCpA5wVb54wObhDHrrXFGmI6SxW1KW1EJ0ai11m3bbuoO1gOj0UZLxXuoVNvzpuZqQ8nrMdZkH2uB6GGh0XHthlEcXwVJEiQXZXzFkgt2Gb9RUnw73Uh9aHAq1voAQnZflkVQPK/
> > > > > > > > > KUWArK7BPAzqljTFNB6EwipIcEawb4syNRq/
> > > > > > > > > ArsBupYCX5UNKN871yKJot9uFP6SIR763IVQ
> > > > > > > > > +4gL3DQqOKLeDsrMeaDZulY3F7K91no7Nj0Fo9mM1jX5JZd+/tS
> > > > > > > > > +xuC1MJ8UnybvO7OYWuDvakztjFXf/
> > > > > > > > > uyVhMk5kFdQjlHmNPQhZS6goibKD69+zGI7lCw=="/>
> > > > > > > > > <input type="hidden" name="RelayState" value="http://
> > > > > > > > > inicio.upr.edu"/>
> > > > > > > > > <input type="hidden" name="returnPage"
> > > > > > > > > value="identity_provider.jsp"/>
> > > > > > > > > <input type="hidden"
>
> ...
>
> read more >>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
