I am using Firefox to test, but I'll check....
On Nov 26, 9:56 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> Hi Carlos,
>
> Does this happen on Internet Explorer only? It might be an issue with
> the RelayState not having XML special characters escaped:
>
> & -> &amp;
> < -> &lt;
> > -> &gt;
>
> ' -> &apos;
> " -> &quot;
>
> -alex
>
> On Nov 26, 5:51 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > Alex,
>
> > Some extra information on this issue:
>
> > The user gets logged on, actually. If I stop the cycle (by
> > clicking on the browser stop button) and then
> > try http://www.google.com/a/upr.edu
> > I get the dashboard as the user I was trying to log on if it is an
> > administrator, otherwise I get the Google apps logon page telling me I
> > need to be an admin to get to the dashboard. So the acs is creating
> > the session, but is not redirecting the browser correctly or the start
> > page is not recognizing the session.
>
> > Thought it might help you...
>
> > Thanks,
> > Carlos
> > On Nov 26, 9:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > Hello Alex,
>
> > > We get the cycle by accessing http://inicio.upr.edu, which is our
> > > start page fqdn. Your SP code redirects the user to the IdP without
> > > showing the start page. The three pages in the cycle show up just
> > > after the submit button is pressed on our IdP sign-in page.
>
> > > Thanks,
> > > Carlos
>
> > > Alex (Google) wrote:
> > > > Hi Carlos,
>
> > > > Did you get the infinite loop using the Gmail gadget Sign in link?
> > > > That Sign in link is broken (we're working on a fix).
>
> > > > Can you try the Sign in link in the upper right corner of the start
> > > > page?
>
> > > > -alex
>
> > > > On Nov 20, 5:59 am, Cuso <[EMAIL PROTECTED]> wrote:
> > > > > Well, I thought it was solved, but I'm still getting the cycle...
> > > > > Here is the acs page:
>
> > > > > <html><body><script>
> > > > > var url = 'https://www.google.com/a/upr.edu/ServiceLogin?service\075ig
> > > > > \046passive\075false\046continue\075http://partnerpage.google.com/
> > > > > upr.edu\046followup\075http://partnerpage.google.com/upr.edu\046cd
> > > > > \075US\046hl\075en\046nui\0751\046ltmpl\075default';
> > > > > var parts = (window.location+'').split('#');
> > > > > if (parts.length == 2 && parts[1].length > 0) {
> > > > > url += '#' + parts[1];}
>
> > > > > window.setTimeout(function() {
> > > > > window.location = url;}, 0);
>
> > > > > </script></body></html>
>
> > > > > I had not tested the fix correctly before. Any ideas?
>
> > > > > Thanks,
> > > > > Carlos
> > > > > On Nov 18, 6:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > Thank you! This solved the issue.
>
> > > > > > On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > > > > Hi Carlos,
>
> > > > > > > Right now it looks like RelayState is hard-coded
> > > > > > > > as http://inicio.upr.edu
>
> > > > > > > But instead, it should be taken from the RelayState parameter
> > > > > > > which
> > > > > > > you get from Google and included in the HTML forms, taking care to
> > > > > > > escape special XML characters, e.g.:
>
> > > > > > > > https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp
> > > > > > > ?SAMLRequest=...
> > > > > > > &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin
> > > > > > > %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F
> > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid
> > > > > > > %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu
> > > > > > > %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault
> > > > > > > %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F
> > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui
> > > > > > > %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue
>
> > > > > > > First form:
>
> > > > > > > > <input type="hidden" name="RelayState"
> > > > > > > > value="https://www.google.com/a/
> > > > > > > > upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/
> > > > > > > > upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true"/>
>
> > > > > > > Second form:
>
> > > > > > > > <textarea rows=10 cols=80
> > > > > > > > name="RelayState">https://www.google.com/a/
> > > > > > > > upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/
> > > > > > > > upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true</
> > > > > > > > textarea>
>
> > > > > > > -alex
>
> > > > > > > On Nov 17, 10:39 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > Just in case, I'm waiting on the clarification for the
> > > > > > > > inclusion of
> > > > > > > > the RelayState parameter in the request. Do you mean it needs
> > > > > > > > to be
> > > > > > > > placed differently?
>
> > > > > > > > Thanks,
> > > > > > > > Carlos
>
> > > > > > > > On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > I can see the RelayState parameter in the second form as:
>
> > > > > > > > > <textarea rows=10 cols=80
> > > > > > > > > name="RelayState">http://
> > > > > > > > > inicio.upr.edu</textarea>
>
> > > > > > > > > Do you mean it should appear in a different way?
>
> > > > > > > > > I wonder why it would happen for one domain and not for the
> > > > > > > > > other. If
> > > > > > > > > this was the cause of the problem I would expect to see the
> > > > > > > > > behavior
> > > > > > > > > with both domains. Anyways, I can make any change you
> > > > > > > > > suggest and try
> > > > > > > > > it out.
>
> > > > > > > > > Thanks,
> > > > > > > > > Carlos
> > > > > > > > > On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > > Hi,
>
> > > > > > > > > > Thanks for including the HTML pages. It really helps to
> > > > > > > > > > illustrate
> > > > > > > > > > where the potential problems are.
>
> > > > > > > > > > It looks like the RelayState parameter, which is part of
> > > > > > > > > > the first
> > > > > > > > > > URL:
>
> > > > > > > > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&......
>
> > > > > > > > > > is not being included in the subsequent requests.
>
> > > > > > > > > > The RelayState which accompanies the SAMLRequest should
> > > > > > > > > > ultimately be
> > > > > > > > > > submitted back to the ACS URL along with the SAMLResponse.
>
> > > > > > > > > > The sample code doesn't do a good job of showing this, but
> > > > > > > > > > that's how
> > > > > > > > > > the RelayState parameter is meant to be used.
>
> > > > > > > > > > Can you make that change and retry?
>
> > > > > > > > > > -alex
>
> > > > > > > > > > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > > > We are encountering an issue where the browser gets
> > > > > > > > > > > redirected back
> > > > > > > > > > > and forth between the acs URL and our IdP site when
> > > > > > > > > > > logging-in a user
> > > > > > > > > > > for the first time using the SSO API on our domain
> > > > > > > > > > > (upr.edu). We have
> > > > > > > > > > > verified proper operation of the IdP site for the same
> > > > > > > > > > > scenario on our
> > > > > > > > > > > test domain (ws.uprm.edu). The site also works fine with
> > > > > > > > > > > the upr.edu
> > > > > > > > > > > domain when the user has logged in previously. The
> > > > > > > > > > > expected behavior
> > > > > > > > > > > is for the user to see the initial page where the terms
> > > > > > > > > > > of use are
> > > > > > > > > > > accepted and the account is "created". Instead, the
> > > > > > > > > > > browser
> > > > > > > > > > > alternates through the following three pages in order and
> > > > > > > > > > > then starts
> > > > > > > > > > > over with the first. This continues indefinitely. I'm
> > > > > > > > > > > using a
> > > > > > > > > > > heavily modified version of the SAML library provided by
> > > > > > > > > > > Google,
> > > > > > > > > > > although the pages look alike. The first two pages are
> > > > > > > > > > > part of our
> > > > > > > > > > > > IdP and it works pretty much like the Google SSO library,
> > > > > > > > > > > with changes
> > > > > > > > > > > made to increase security and robustness. The third page
> > > > > > > > > > > is what we
> > > > > > > > > > > get from the acs when our IdP sends the SAMLResponse.
>
> > > > > > > > > > > I suspect the acs is not redirecting the user correctly
> > > > > > > > > > > to the "Terms
> > > > > > > > > > > Acceptance" page, and as such has not finished granting
> > > > > > > > > > > her access to
> > > > > > > > > > > the account, but it redirects her to the start page,
> > > > > > > > > > > which will in
> > > > > > > > > > > turn send a SAMLRequest back to the IdP. And the cycle
> > > > > > > > > > > goes on... Of
> > > > > > > > > > > course, I might be missing something too.
>
> > > > > > > > > > > *************
> > > > > > > > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
>
> > > > > > > > > > > <title>Portal de Servicios Electrónicos -
> > > > > > > > > > > Universidad de Puerto
> > > > > > > > > > > Rico</title>
> > > > > > > > > > > <meta content="noindex,nofollow" name="robots">
> > > > > > > > > > > <style type="text/css"><!--
> > > > > > > > > > > body {background-color: #ffffff}
> > > > > > > > > > > body,td,div,p,a,font,span {font-family: arial,sans-serif}
> > > > > > > > > > > body {margin-top:2}
>
> > > > > > > > > > > .c {width: 4; height: 4}
>
> > > > > > > > > > > .bubble {background-color:#C3D9FF}
>
> > > > > > > > > > > .tl {padding: 0; width: 4; text-align: left;
> > > > > > > > > > > vertical-align: top}
> > > > > > > > > > > .tr {padding: 0; width: 4; text-align: right;
> > > > > > > > > > > vertical-align: top}
> > > > > > > > > > > .bl {padding: 0; width: 4; text-align: left;
> > > > > > > > > > > vertical-align: bottom}
> > > > > > > > > > > .br {padding: 0; width: 4; text-align: right;
> > > > > > > > > > > vertical-align: bottom}
>
> > > > > > > > > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a;
> > > > > > > > > > > padding:
> > > > > > > > > > > 15px; margin: 0 15px 0 0; text-align: center;}
> > > > > > > > > > > .x, .x td {font-size: 80%}
> > > > > > > > > > > .x table {margin: 0px; text-align: left;}
> > > > > > > > > > > .x p {text-align: left;}
>
> ...
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Apps APIs" group.
For more options, visit this group at
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
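
The RelayState handling discussed in the thread, as an added example (not code from the thread or from Google's SAML sample): the IdP reads RelayState from the incoming request, escapes it into the form, and the value the browser submits is compared with and without escaping. The host `idp.example.edu`, the shortened RelayState and all function names are constructed for illustration, and `html.unescape` stands in for the browser's decoding of the textarea body.

```python
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample: a shortened RelayState in the shape quoted in the thread.
RELAY_STATE = ("https://www.google.com/a/upr.edu/ServiceLogin?service=ig"
               "&passive=true&continue=http://partnerpage.google.com/upr.edu"
               "&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true")

# Constructed IdP request as the SP would send it; SAMLRequest is a placeholder.
IDP_REQUEST = ("https://idp.example.edu/identity_provider?"
               + urlencode({"SAMLRequest": "PLACEHOLDER",
                            "RelayState": RELAY_STATE}))


def relay_state_from_request(url):
    """Read RelayState from the incoming request instead of hard-coding it."""
    values = parse_qs(urlsplit(url).query).get("RelayState", [])
    if len(values) != 1:
        raise ValueError("expected exactly one RelayState parameter")
    return values[0]


def render_textarea(relay_state, escape=True):
    """Build the RelayState form field; escape=False reproduces the bug."""
    body = html.escape(relay_state, quote=True) if escape else relay_state
    return '<textarea name="RelayState">' + body + "</textarea>"


def value_browser_submits(field_html):
    """Approximate the browser: decode character references in the body."""
    start = field_html.index(">") + 1
    end = field_html.rindex("</textarea>")
    return html.unescape(field_html[start:end])


def round_trip(url, escape=True):
    """RelayState as it would reach the ACS after passing through the form."""
    relay_state = relay_state_from_request(url)
    return value_browser_submits(render_textarea(relay_state, escape))


if __name__ == "__main__":
    print("escaped round trip intact:", round_trip(IDP_REQUEST) == RELAY_STATE)
    print("unescaped value submitted:", round_trip(IDP_REQUEST, escape=False))
```

Without escaping, the `&ltmpl=default` parameter is read as the `&lt` character reference and arrives as `<mpl=default`, so the RelayState posted to the ACS no longer matches the one the SP sent.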