Hi Carlos, Does this happen on Internet Explorer only? It might be an issue with the RelayState not having XML special characters escaped:
& -> & < -> < > -> > ' -> ' " -> " -alex On Nov 26, 5:51 pm, Cuso <[EMAIL PROTECTED]> wrote: > Alex, > > Some extra information on this issue: > > The user gets logged on, actually. If I stop the cycle (by > clicking on the browser stop button) and then > tryhttp://www.google.com/a/upr.edu > I get the dashboard as the user I was trying to log on if it is an > administrator, otherwise I get the Google apps logon page telling me I > need to be an admin to get to the dashboard. So the acs is creating > the session, but is not redirecting the browser correctly or the start > page is not recognizing the session. > > Thought it might help you... > > Thanks, > Carlos > On Nov 26, 9:37 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > Hello Alex, > > > We get the cycle by accessinghttp://inicio.upr.edu, which is our > > start page fqdn. Your SP code redirects the user to the IdP without > > showing the start page. The three pages in the cycle show up just > > after the submit button is pressed on our IdP sign-in page. > > > Thanks, > > Carlos > > > Alex (Google) wrote: > > > Hi Carlos, > > > > Did you get the infinite loop using the Gmail gadget Sign in link? > > > That Sign in link is broken (we're working on a fix). > > > > Can you try the Sign in link in the upper right corner of the start > > > page? > > > > -alex > > > > On Nov 20, 5:59 am, Cuso <[EMAIL PROTECTED]> wrote: > > > > Well, I thought it was solved, but I'm still getting the cycle... > > > > Here is the acs page: > > > > > <html><body><script> > > > > var url = 'https://www.google.com/a/upr.edu/ServiceLogin?service\075ig > > > > \046passive\075false\046continue\075http://partnerpage.google.com/ > > > > upr.edu\046followup\075http://partnerpage.google.com/upr.edu\046cd > > > > \075US\046hl\075en\046nui\0751\046ltmpl\075default'; > > > > var parts = (window.location+'').split('#'); > > > > if (parts.length == 2 && parts[1].length > 0) { > > > > url += '#' + parts[1];} > > > > > window.setTimeout(function() { > > > > window.location = url;}, 0); > > > > > </script></body></html> > > > > > I had not tested the fix correctly before. Any ideas? > > > > > Thanks, > > > > Carlos > > > > On Nov 18, 6:37 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > Thank you! This solved the issue. > > > > > > On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote: > > > > > > > Hi Carlos, > > > > > > > Right now it looks like RelayState is hard-coded > > > > > > ashttp://inicio.upr.edu > > > > > > > But instead, it should be taken from the RelayState parameter which > > > > > > you get from Google and included in the HTML forms, taking care to > > > > > > escape special XML characters, e.g.: > > > > > > >https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp > > > > > > ?SAMLRequest=... > > > > > > &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin > > > > > > %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid > > > > > > %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu > > > > > > %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault > > > > > > %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui > > > > > > %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue > > > > > > > First form: > > > > > > > <input type="hidden" name="RelayState" > > > > > > value="https://www.google.com/a/ > > > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http:// > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&followup=http:// > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url > > > > > > %3Dhttp://partnerpage.google.com/ > > > > > > upr.edu&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true"/ > > > > > > > Second form: > > > > > > > <textarea rows=10 cols=80 > > > > > > name="RelayState">https://www.google.com/a/ > > > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http:// > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&followup=http:// > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url > > > > > > %3Dhttp://partnerpage.google.com/ > > > > > > upr.edu&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true</ > > > > > > textarea> > > > > > > > -alex > > > > > > > On Nov 17, 10:39 am, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > > > Just in case, I'm waiting on the clarification for the inclusion > > > > > > > of > > > > > > > the RelayState parameter in the request. Do you mean it needs to > > > > > > > be > > > > > > > placed differently? > > > > > > > > Thanks, > > > > > > > Carlos > > > > > > > > On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > > > > I can see the RelayState parameter in the second form as: > > > > > > > > > <textarea rows=10 cols=80 name="RelayState">http:// > > > > > > > > inicio.upr.edu</textarea> > > > > > > > > > Do you mean it should appear in a different way? > > > > > > > > > I wonder why it would happen for one domain and not for the > > > > > > > > other. If > > > > > > > > this was the cause of the problem I would expect to see the > > > > > > > > behavior > > > > > > > > with both domains. Anyways, I can make any change you suggest > > > > > > > > and try > > > > > > > > it out. > > > > > > > > > Thanks, > > > > > > > > Carlos > > > > > > > > On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote: > > > > > > > > > > Hi, > > > > > > > > > > Thanks for including the HTML pages. It really helps to > > > > > > > > > illustrate > > > > > > > > > where the potential problems are. > > > > > > > > > > It looks like the RelayState parameter, which is part of the > > > > > > > > > first > > > > > > > > > URL: > > > > > > > > > >https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&;...... > > > > > > > > > > is not being included in the subsequent requests. > > > > > > > > > > The RelayState which accompanies the SAMLRequest should > > > > > > > > > ultimately be > > > > > > > > > submitted back to the ACS URL along with the SAMLResponse. > > > > > > > > > > The sample code doesn't do a good job of showing this, but > > > > > > > > > that's how > > > > > > > > > the RelayState parameter is meant to be used. > > > > > > > > > > Can you make that change and retry? > > > > > > > > > > -alex > > > > > > > > > > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > We are encountering an issue where the browser gets > > > > > > > > > > redirected back > > > > > > > > > > and forth between the acs URL and our IdP site when > > > > > > > > > > logging-in a user > > > > > > > > > > for the first time using the SSO API on our domain > > > > > > > > > > (upr.edu). We have > > > > > > > > > > verified proper operation of the IdP site for the same > > > > > > > > > > scenario on our > > > > > > > > > > test domain (ws.uprm.edu). The site also works fine with > > > > > > > > > > the upr.edu > > > > > > > > > > domain when the user has logged in previously. The > > > > > > > > > > expected behavior > > > > > > > > > > is for the user to see the initial page where the terms of > > > > > > > > > > use are > > > > > > > > > > accepted and the account is "created". Instead, the browser > > > > > > > > > > alternates through the following three pages in order and > > > > > > > > > > then starts > > > > > > > > > > over with the first. This continues indefinitely. I'm > > > > > > > > > > using a > > > > > > > > > > heavily modified version of the SAML library provided by > > > > > > > > > > Google, > > > > > > > > > > although the pages look alike. The first two pages are > > > > > > > > > > part of our > > > > > > > > > > IdP and it works pretty much like the Gogle SSO library, > > > > > > > > > > with changes > > > > > > > > > > made to increase security and robustness. The third page > > > > > > > > > > is what we > > > > > > > > > > get from the acs when our IdP sends the SAMLResponse. > > > > > > > > > > > I suspect the acs is not redirecting the user correctly to > > > > > > > > > > the "Terms > > > > > > > > > > Acceptance" page, and as such has not finished granting her > > > > > > > > > > access to > > > > > > > > > > the account, but it redirects her to the start page, which > > > > > > > > > > will in > > > > > > > > > > turn send a SAMLRequest back to the IdP. And the cycle > > > > > > > > > > goes on... Of > > > > > > > > > > course, I might be missing something too. > > > > > > > > > > > ************* > > > > > > > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=... > > > > > > > > > > > <title>Portal de Servicios Electrónicos - > > > > > > > > > > Universidad de Puerto > > > > > > > > > > Rico</title> > > > > > > > > > > <meta content="noindex,nofollow" name="robots"> > > > > > > > > > > <style type="text/css"><!-- > > > > > > > > > > body {background-color: #ffffff} > > > > > > > > > > body,td,div,p,a,font,span {font-family: arial,sans-serif} > > > > > > > > > > body {margin-top:2} > > > > > > > > > > > .c {width: 4; height: 4} > > > > > > > > > > > .bubble {background-color:#C3D9FF} > > > > > > > > > > > .tl {padding: 0; width: 4; text-align: left; > > > > > > > > > > vertical-align: top} > > > > > > > > > > .tr {padding: 0; width: 4; text-align: right; > > > > > > > > > > vertical-align: top} > > > > > > > > > > .bl {padding: 0; width: 4; text-align: left; > > > > > > > > > > vertical-align: bottom} > > > > > > > > > > .br {padding: 0; width: 4; text-align: right; > > > > > > > > > > vertical-align: bottom} > > > > > > > > > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; > > > > > > > > > > padding: > > > > > > > > > > 15px; margin: 0 15px 0 0; text-align: center;} > > > > > > > > > > .x, .x td {font-size: 80%} > > > > > > > > > > .x table {margin: 0px; text-align: left;} > > > > > > > > > > .x p {text-align: left;} > > > > > > > > > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;} > > > > > > > > > > > .errormsg {color: #cc0000} > > > > > > > > > > --> </style> </head> > > > > > > > > > > > <body onload="document.ValidSessionForm.submit();"> > > > > > > > > > > > <!-- <h1> 119262075F459A384D6C1AC55735DFAC </h1> --> > > > > > > > > > > > <form name="ValidSessionForm" > > > > > > > > > > action="SAMLResponseServlet" > > > > > > > > > > method="post"> > > > > > > > > > > <input type="hidden" name="SAMLRequest" > > > > > > > > > > value="fVLJTsMwEL0j8Q > > > > > > > > > > +W79mKEMhqUoUiRCWWqA0cuLnOJLUS28Fjt/ > > ... > > read more >> --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en -~----------~----~----~----~------~----~------~--~---
