Sorry about the delay.... I was fighting some fires...
I tried your suggestion and it didn't work. Here is the form submitted
to the acs after the change:
********* SAMLResponseServlet *********
<!--
Copyright (C) 2006 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Portal de Servicios Electrónicos - Universidad de Puerto Rico</title>
<meta content="noindex,nofollow" name="robots">
<style type="text/css"><!--
body {background-color: #ffffff}
body,td,div,p,a,font,span {font-family: arial,sans-serif}
body {margin-top:2}
.c {width: 4; height: 4}
.bubble {background-color:#C3D9FF}
.tl {padding: 0; width: 4; text-align: left; vertical-align: top}
.tr {padding: 0; width: 4; text-align: right; vertical-align: top}
.bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
.br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
.x {background-color: #ddf8cc; border: solid 1px #80c65a; padding: 15px; margin: 0 15px 0 0; text-align: center;}
.x, .x td {font-size: 80%}
.x table {margin: 0px; text-align: left;}
.x p {text-align: left;}
.x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
.errormsg {color: #cc0000}
--> </style> </head>
<body onload="document.acsForm.submit();">
<form name="acsForm" action="https://www.google.com/a/upr.edu/acs" method="post" > <!-- target="_blank"> -->
<div style="display: none">
<textarea rows=10 cols=80 name="SAMLResponse"><?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="miejagpgfkfkfaalngfhcldineplaggifakimbfo" IssueInstant="2007-12-18T12:22:17Z" Version="2.0">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>jtECoVUTnvwf1TqVBsu8o6tOdtY=</DigestValue></Reference></SignedInfo>
<SignatureValue>BMT0itItryVF0FqlGi3MMzVwAu2YVm0Y294m27M1tE03CQWx0IdOrA==</SignatureValue>
<KeyInfo><KeyValue><DSAKeyValue>
<P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro+5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC
9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw+FKXraAgzjV7RXCn
OU14Uun5Ac9R7QSPIls=</P>
<Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</Q>
<G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v+8aFnh6Ny6w9rveOSXjYYAAL
oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8
rgawabXh6AvzvOa4/Z8=</G>
<Y>UTQsust9OOU26ypSLU9/sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2
D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY
65fD6fbwPtGoN0pTeYw=</Y>
</DSAKeyValue></KeyValue></KeyInfo></Signature>
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
<Assertion ID="ehknpfnbhhcmjabjnlokajjinhobcangjgpiiili" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
<Issuer>https://www.opensaml.org/IDP </Issuer>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"> cuenta.depruebasso3 </NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2008-04-17T00:51:02Z"> </Conditions>
<AuthnStatement AuthnInstant="2007-12-18T12:22:17Z">
<AuthnContext> <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </AuthnContextClassRef> </AuthnContext>
</AuthnStatement>
</Assertion></samlp:Response>
</textarea>
<textarea rows=10 cols=80 name="RelayState">https://www.google.com/a/upr.edu/ServiceLogin?service=ig&passive=false&continue=http://partnerpage.google.com/upr.edu&followup=http://partnerpage.google.com/upr.edu&cd=US&hl=en&nui=1&ltmpl=default</textarea>
</div>
</form>
</body>
</html>
On Nov 29, 12:07 pm, Cuso <[EMAIL PROTECTED]> wrote:
> I am using FireFox to test, but I'll check....
>
> On Nov 26, 9:56 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > Hi Carlos,
>
> > Does this happen on Internet Explorer only? It might be an issue with
> > the RelayState not having XML special characters escaped:
>
> > & -> &amp;
> > < -> &lt;
> > > -> &gt;
> > ' -> &apos;
> > " -> &quot;
>
> > -alex
>
> > On Nov 26, 5:51 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > Alex,
>
> > > Some extra information on this issue:
>
> > > The user gets logged on, actually. If I stop the cycle (by
> > > clicking on the browser stop button) and then
> > > > try http://www.google.com/a/upr.edu
> > > I get the dashboard as the user I was trying to log on if it is an
> > > administrator, otherwise I get the Google apps logon page telling me I
> > > need to be an admin to get to the dashboard. So the acs is creating
> > > the session, but is not redirecting the browser correctly or the start
> > > page is not recognizing the session.
>
> > > Thought it might help you...
>
> > > Thanks,
> > > Carlos
> > > On Nov 26, 9:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > Hello Alex,
>
> > > > > We get the cycle by accessing http://inicio.upr.edu, which is our
> > > > start page fqdn. Your SP code redirects the user to the IdP without
> > > > showing the start page. The three pages in the cycle show up just
> > > > after the submit button is pressed on our IdP sign-in page.
>
> > > > Thanks,
> > > > Carlos
>
> > > > Alex (Google) wrote:
> > > > > Hi Carlos,
>
> > > > > > Did you get the infinite loop using the Gmail gadget Sign in link?
> > > > > That Sign in link is broken (we're working on a fix).
>
> > > > > Can you try the Sign in link in the upper right corner of the start
> > > > > page?
>
> > > > > -alex
>
> > > > > On Nov 20, 5:59 am, Cuso <[EMAIL PROTECTED]> wrote:
> > > > > > Well, I thought it was solved, but I'm still getting the cycle...
> > > > > > Here is the acs page:
>
> > > > > > <html><body><script>
> > > > > > var url =
> > > > > > 'https://www.google.com/a/upr.edu/ServiceLogin?service\075ig
> > > > > > \046passive\075false\046continue\075http://partnerpage.google.com/
> > > > > > upr.edu\046followup\075http://partnerpage.google.com/upr.edu\046cd
> > > > > > \075US\046hl\075en\046nui\0751\046ltmpl\075default';
> > > > > > var parts = (window.location+'').split('#');
> > > > > > if (parts.length == 2 && parts[1].length > 0) {
> > > > > > url += '#' + parts[1];}
>
> > > > > > window.setTimeout(function() {
> > > > > > window.location = url;}, 0);
>
> > > > > > </script></body></html>
>
> > > > > > I had not tested the fix correctly before. Any ideas?
>
> > > > > > Thanks,
> > > > > > Carlos
> > > > > > On Nov 18, 6:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > Thank you! This solved the issue.
>
> > > > > > > On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > Hi Carlos,
>
> > > > > > > > Right now it looks like RelayState is hard-coded
> > > > > > > > > as http://inicio.upr.edu
>
> > > > > > > > But instead, it should be taken from the RelayState parameter
> > > > > > > > which
> > > > > > > > you get from Google and included in the HTML forms, taking care
> > > > > > > > to
> > > > > > > > escape special XML characters, e.g.:
>
> > > > > > > > > https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp
> > > > > > > > ?SAMLRequest=...
> > > > > > > > &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin
> > > > > > > > %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F
> > > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid
> > > > > > > > %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu
> > > > > > > > %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault
> > > > > > > > %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F
> > > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui
> > > > > > > > %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue
>
> > > > > > > > First form:
>
> > > > > > > > <input type="hidden" name="RelayState"
> > > > > > > > value="https://www.google.com/a/
> > > > > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&followup=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/
> > > > > > > > > upr.edu&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true"/>
>
> > > > > > > > Second form:
>
> > > > > > > > <textarea rows=10 cols=80
> > > > > > > > name="RelayState">https://www.google.com/a/
> > > > > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&followup=http://
> > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > %3Dhttp://partnerpage.google.com/
> > > > > > > > upr.edu&cd=US&hl=en&nui=1&ltmpl=default&go=true&passive_sso=true</
> > > > > > > > textarea>
>
> > > > > > > > -alex
>
> > > > > > > > On Nov 17, 10:39 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > Just in case, I'm waiting on the clarification for the
> > > > > > > > > inclusion of
> > > > > > > > > the RelayState parameter in the request. Do you mean it
> > > > > > > > > needs to be
> > > > > > > > > placed differently?
>
> > > > > > > > > Thanks,
> > > > > > > > > Carlos
>
> > > > > > > > > On Nov 15, 10:32 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > > I can see the RelayState parameter in the second form as:
>
> > > > > > > > > > <textarea rows=10 cols=80
> > > > > > > > > > name="RelayState">http://
> > > > > > > > > > inicio.upr.edu</textarea>
>
> > > > > > > > > > Do you mean it should appear in a different way?
>
> > > > > > > > > > I wonder why it would happen for one domain and not for the
> > > > > > > > > > other. If
> > > > > > > > > > this was the cause of the problem I would expect to see the
> > > > > > > > > > behavior
> > > > > > > > > > with both domains. Anyways, I can make any change you
> > > > > > > > > > suggest and try
> > > > > > > > > > it out.
>
> > > > > > > > > > Thanks,
> > > > > > > > > > Carlos
> > > > > > > > > > On Nov 15, 5:35 am, "Alex (Google)" <[EMAIL PROTECTED]>
> > > > > > > > > > wrote:
>
> > > > > > > > > > > Hi,
>
> > > > > > > > > > > Thanks for including the HTML pages. It really helps to
> > > > > > > > > > > illustrate
> > > > > > > > > > > where the potential problems are.
>
> > > > > > > > > > > It looks like the RelayState parameter, which is part of
> > > > > > > > > > > the first
> > > > > > > > > > > URL:
>
> > > > > > > > > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...&......
>
> > > > > > > > > > > is not being included in the subsequent requests.
>
> > > > > > > > > > > The RelayState which accompanies the SAMLRequest should
> > > > > > > > > > > ultimately be
> > > > > > > > > > > submitted back to the ACS URL along with the SAMLResponse.
>
> > > > > > > > > > > The sample code doesn't do a good job of showing this,
> > > > > > > > > > > but that's how
> > > > > > > > > > > the RelayState parameter is meant to be used.
>
> > > > > > > > > > > Can you make that change and retry?
>
> > > > > > > > > > > -alex
>
> > > > > > > > > > > On Nov 13, 11:22 am, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > > > > We are encountering an issue where the browser gets
> > > > > > > > > > > > redirected back
> > > > > > > > > > > > and forth between the acs URL and our IdP site when
> > > > > > > > > > > > logging-in a user
> > > > > > > > > > > > for the first time using the SSO API on our domain
> > > > > > > > > > > > (upr.edu). We have
> > > > > > > > > > > > verified proper operation of the IdP site for the same
> > > > > > > > > > > > scenario on our
> > > > > > > > > > > > test domain (ws.uprm.edu). The site also works fine
> > > > > > > > > > > > with the upr.edu
> > > > > > > > > > > > domain when the user has logged in previously. The
> > > > > > > > > > > > expected behavior
> > > > > > > > > > > > is for the user to see the initial page where the terms
> > > > > > > > > > > > of use are
> > > > > > > > > > > > accepted and the account is "created". Instead, the
> > > > > > > > > > > > browser
> > > > > > > > > > > > alternates through the following three pages in order
> > > > > > > > > > > > and then starts
> > > > > > > > > > > > over with the first. This continues indefinitely. I'm
> > > > > > > > > > > > using a
> > > > > > > > > > > > heavily modified version of the SAML library provided
> > > > > > > > > > > > by Google,
> > > > > > > > > > > > although the pages look alike. The first two pages are
> > > > > > > > > > > > part of our
> > > > > > > > > > > > > IdP and it works pretty much like the Google SSO
> > > > > > > > > > > > library, with changes
> > > > > > > > > > > > made to increase security and robustness. The third
> > > > > > > > > > > > page is what we
> > > > > > > > > > > > get from the acs when our IdP sends the SAMLResponse.
>
> > > > > > > > > > > > I suspect the acs is not redirecting the user correctly
> > > > > > > > > > > > to the "Terms
> > > > > > > > > > > > Acceptance" page, and as such has not finished granting
> > > > > > > > > > > > her access to
> > > > > > > > > > > > the account, but it redirects her to the start page,
> > > > > > > > > > > > which will in
> > > > > > > > > > > > turn send a SAMLRequest back to the IdP. And the cycle
> > > > > > > > > > > > goes on... Of
> > > > > > > > > > > > course, I might be missing something too.
>
> > > > > > > > > > > > *************
> > > > > > > > > > > > https://gaemail.upr.edu/GAESSO/identity_provider.jsp?SAMLRequest=...
>
> > > > > > > > > > > > <title>Portal de Servicios Electrónicos -
> > > > > > > > > > > > Universidad de Puerto
> > > > > > > > > > > > Rico</title>
> > > > > > > > > > > > <meta content="noindex,nofollow" name="robots">
> > > > > > > > > > > > <style type="text/css"><!--
> > > > > > > > > > > > body {background-color: #ffffff}
> > > > > > > > > > > > body,td,div,p,a,font,span {font-family:
> > > > > > > > > > > > arial,sans-serif}
> > > > > > > > > > > > body {margin-top:2}
>
> > > > > > > > > > > > .c {width: 4; height: 4}
>
> > > > > > > > > > > > .bubble {background-color:#C3D9FF}
>
> > > > > > > > > > > > .tl {padding: 0; width: 4; text-align: left;
> > > > > > > > > > > > vertical-align: top}
> > > > > > > > > > > > .tr {padding: 0; width: 4; text-align: right;
> > > > > > > > > > > > vertical-align: top}
> > > > > > > > > > > > .bl {padding: 0; width: 4; text-align: left;
>
> ...
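Alex's point about RelayState, carried through both IdP forms as an added Python example (not code from this thread or from Google's SAML library): the value is read off the SAMLRequest redirect, passed through the sign-in form as an HTML-escaped hidden input, and POSTed back to the ACS beside the SAMLResponse, then parsed back out to confirm it survives the round trip unchanged. The example.edu URLs, the function names and the SP-side query helper are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample RelayState, modelled on the Google ServiceLogin URL in the thread.
RELAY_STATE = ("https://www.google.com/a/example.edu/ServiceLogin?service=ig&passive=false"
               "&continue=http://partnerpage.google.com/example.edu&cd=US&hl=en&ltmpl=default")

def sp_redirect_query(saml_request, relay_state):
    """Query string the SP puts on its redirect to the IdP (hypothetical SP side)."""
    return urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})

def relay_state_from_request(query_string):
    """Read RelayState off the incoming redirect; None when the SP sent none.
    The IdP only carries it through; it is never used as a redirect target here."""
    values = parse_qs(query_string, keep_blank_values=True).get("RelayState")
    return values[0] if values else None

def hidden_field(name, value):
    """Hidden input with the value escaped so '&', '<', '>' and quotes cannot break the markup."""
    return '<input type="hidden" name="%s" value="%s">' % (name, html.escape(value, quote=True))

def signin_form(saml_request, relay_state, action="/signin"):
    """First form: the IdP sign-in page (credential inputs omitted), RelayState riding along."""
    relay = "" if relay_state is None else hidden_field("RelayState", relay_state)
    return '<form action="%s" method="post">%s%s<input type="submit"></form>' % (
        html.escape(action, quote=True), hidden_field("SAMLRequest", saml_request), relay)

def acs_form(saml_response_xml, relay_state, acs_url):
    """Second form: auto-POSTs the SAMLResponse and the unchanged RelayState back to the ACS."""
    relay = "" if relay_state is None else (
        '<textarea name="RelayState">%s</textarea>' % html.escape(relay_state, quote=True))
    return ('<html><body onload="document.acsForm.submit();"><form name="acsForm" action="%s" '
            'method="post"><textarea name="SAMLResponse">%s</textarea>%s</form></body></html>'
            % (html.escape(acs_url, quote=True), html.escape(saml_response_xml, quote=True), relay))

def submitted_fields(form_html):
    """Field name -> value as a browser would POST them (entities decoded); checks the round trip."""
    fields = {m.group(1): html.unescape(m.group(2))
              for m in re.finditer(r'name="([^"]+)" value="([^"]*)"', form_html)}
    fields.update({m.group(1): html.unescape(m.group(2))
                   for m in re.finditer(r'<textarea name="([^"]+)">(.*?)</textarea>', form_html, re.S)})
    return fields
```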
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---