Hi Carlos,

Can you try using the "Sign In" link on the top right corner of
your start page?
The "Sign In" link on the Email Gadget has the issue which results in
cycles that you described.

Thanks,
Megha

On Dec 18, 8:33 am, Cuso <[EMAIL PROTECTED]> wrote:
> Sorry about the delay.... I was fighting some fires...
>
> I tried your suggestion and it didn't work. Here is the form submitted
> to the acs after the change:
>
> ********* SAMLResponseServlet *********
>
> <!--
> Copyright (C) 2006 Google Inc.
>
> Licensed under the Apache License, Version 2.0 (the "License");
> you may not use this file except in compliance with the License.
> You may obtain a copy of the License at
>
>      http://www.apache.org/licenses/LICENSE-2.0
>
>      Unless required by applicable law or agreed to in writing,
> software
>      distributed under the License is distributed on an "AS IS" BASIS,
>      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
> implied.
>      See the License for the specific language governing permissions
> and
>      limitations under the License.
> -->
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;
> charset=iso-8859-1">
> <title>Portal de Servicios Electr&oacute;nicos - Universidad de Puerto
> Rico</title>
> <meta content="noindex,nofollow" name="robots">
> <style type="text/css"><!--
> body {background-color: #ffffff}
> body,td,div,p,a,font,span {font-family: arial,sans-serif}
> body {margin-top:2}
>
> .c {width: 4; height: 4}
>
> .bubble {background-color:#C3D9FF}
>
> .tl {padding: 0; width: 4; text-align: left; vertical-align: top}
> .tr {padding: 0; width: 4; text-align: right; vertical-align: top}
> .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
> .br {padding: 0; width: 4; text-align: right; vertical-align: bottom}
>
> .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding:
> 15px; margin: 0 15px 0 0; text-align: center;}
> .x, .x td {font-size: 80%}
> .x table {margin: 0px; text-align: left;}
> .x p {text-align: left;}
> .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;}
>
> .errormsg {color: #cc0000}
> --> </style> </head>
>
>  <body  onload="document.acsForm.submit();">
>
>      <form name="acsForm" action="https://www.google.com/a/upr.edu/
> acs" method="post" > <!-- target="_blank"> -->
>          <div style="display: none">
>              <textarea rows=10 cols=80 name="SAMLResponse"><?xml
> version="1.0" encoding="UTF-8"?>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> ID="miejagpgfkfkfaalngfhcldineplaggifakimbfo"
> IssueInstant="2007-12-18T12:22:17Z" Version="2.0">       <Signature
> xmlns="http://www.w3.org/2000/09/
> xmldsig#"><SignedInfo><CanonicalizationMethod 
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
> /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-
>
> sha1" /><Reference URI=""><Transforms><Transform 
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></
> Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/
> xmldsig#sha1" /><DigestValue>jtECoVUTnvwf1TqVBsu8o6tOdtY=</
> DigestValue></Reference></
> SignedInfo><SignatureValue>BMT0itItryVF0FqlGi3MMzVwAu2YVm0Y294m27M1tE03CQWx0IdOrA==</
> SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro
> +5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC
> 9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw
> +FKXraAgzjV7RXCn
> OU14Uun5Ac9R7QSPIls=</P><Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</
> Q><G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v
> +8aFnh6Ny6w9rveOSXjYYAAL
> oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/
> LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8
> rgawabXh6AvzvOa4/Z8=</G><Y>UTQsust9OOU26ypSLU9/
> sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2
> D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY
> 65fD6fbwPtGoN0pTeYw=</Y></DSAKeyValue></KeyValue></KeyInfo></
> Signature><samlp:Status>               <samlp:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />      </samlp:Status>
> <Assertion ID="ehknpfnbhhcmjabjnlokajjinhobcangjgpiiili"
> IssueInstant="2003-04-17T00:46:02Z" Version="2.0">               
> <Issuer>https://www.opensaml.org/IDP            </Issuer>         <Subject>   
>               <NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
> cuenta.depruebasso3                     </NameID>                 
> <SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />          </Subject>
> <Conditions NotBefore="2003-04-17T00:46:02Z"
> NotOnOrAfter="2008-04-17T00:51:02Z">               </Conditions>             
> <AuthnStatement
> AuthnInstant="2007-12-18T12:22:17Z">                       <AuthnContext>
> <AuthnContextClassRef>                                    
> urn:oasis:names:tc:SAML:
> 2.0:ac:classes:Password                         </AuthnContextClassRef>       
>             </AuthnContext>
> </AuthnStatement> </Assertion></samlp:Response>
>  </textarea>
>              <textarea rows=10 cols=80 
> name="RelayState">https://www.google.com/a/upr.edu/ServiceLogin?service=ig&passive=false&am...</textarea>
>          </div>
>      </form>
>  </body>
>
> </html>
>
> On Nov 29, 12:07 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > I am using FireFox to test, but I'll check....
>
> > On Nov 26, 9:56 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > Hi Carlos,
>
> > > Does this happen on Internet Explorer only?  It might be an issue with
> > > the RelayState not having XML special characters escaped:
>
> > > & -> &amp;
> > > < -> &lt;
> > > > -> &gt;
>
> > > ' -> &apos;
> > > " -> &quot;
>
> > > -alex
>
> > > On Nov 26, 5:51 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > Alex,
>
> > > >     Some extra information on this issue:
>
> > > >     The user gets logged on, actually.  If I stop the cycle (by
> > > > clicking on the browser stop button) and then try
> > > > http://www.google.com/a/upr.edu
> > > > I get the dashboard as the user I was trying to log on if it is an
> > > > administrator, otherwise I get the Google apps logon page telling me I
> > > > need to be an admin to get to the dashboard.  So the acs is creating
> > > > the session, but is not redirecting the browser correctly or the start
> > > > page is not recognizing the session.
>
> > > > Thought it might help you...
>
> > > > Thanks,
> > > > Carlos
> > > > On Nov 26, 9:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > Hello Alex,
>
> > > > >     We get the cycle by accessing http://inicio.upr.edu, which is our
> > > > > start page fqdn.  Your SP code redirects the user to the IdP without
> > > > > showing the start page.  The three pages in the cycle show up just
> > > > > after the submit button is pressed on our IdP sign-in page.
>
> > > > > Thanks,
> > > > > Carlos
>
> > > > > Alex (Google) wrote:
> > > > > > Hi Carlos,
>
> > > > > > Did you get the infinite loop using the Gmail gadget Sign in link?
> > > > > > That Sign in link is broken (we're working on a fix).
>
> > > > > > Can you try the Sign in link in the upper right corner of the start
> > > > > > page?
>
> > > > > > -alex
>
> > > > > > On Nov 20, 5:59 am, Cuso <[EMAIL PROTECTED]> wrote:
> > > > > > > Well,  I thought it was solved, but I'm still getting the cycle...
> > > > > > > Here is the acs page:
>
> > > > > > > <html><body><script>
> > > > > > > var url = 
> > > > > > > 'https://www.google.com/a/upr.edu/ServiceLogin?service\075ig
> > > > > > > \046passive\075false\046continue\075http://partnerpage.google.com/
> > > > > > > upr.edu\046followup\075http://partnerpage.google.com/upr.edu\046cd
> > > > > > > \075US\046hl\075en\046nui\0751\046ltmpl\075default';
> > > > > > > var parts = (window.location+'').split('#');
> > > > > > > if (parts.length == 2 && parts[1].length > 0) {
> > > > > > >   url += '#' + parts[1];}
>
> > > > > > > window.setTimeout(function() {
> > > > > > >   window.location = url;}, 0);
>
> > > > > > > </script></body></html>
>
> > > > > > > I had not tested the fix correctly before.  Any ideas?
>
> > > > > > > Thanks,
> > > > > > > Carlos
> > > > > > > On Nov 18, 6:37 pm, Cuso <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > Thank you!  This solved the issue.
>
> > > > > > > > On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > > > > > > > Hi Carlos,
>
> > > > > > > > > Right now it looks like RelayState is hard-coded as
> > > > > > > > > http://inicio.upr.edu
>
> > > > > > > > > But instead, it should be taken from the RelayState parameter 
> > > > > > > > > which
> > > > > > > > > you get from Google and included in the HTML forms, taking 
> > > > > > > > > care to
> > > > > > > > > escape special XML characters, e.g.:
>
> > > > > > > > > https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp
> > > > > > > > > ?SAMLRequest=...
> > > > > > > > > &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin
> > > > > > > > > %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F
> > > > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid
> > > > > > > > > %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu
> > > > > > > > > %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault
> > > > > > > > > %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F
> > > > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui
> > > > > > > > > %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue
>
> > > > > > > > > First form:
>
> > > > > > > > > <input type="hidden" name="RelayState" 
> > > > > > > > > value="https://www.google.com/a/
> > > > > > > > > upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://
> > > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > > %3Dhttp://partnerpage.google.com/upr.edu&amp;followup=http://
> > > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
> > > > > > > > > %3Dhttp://partnerpage.google.com/
> > > > > > > > > upr.edu&amp;cd=US&amp;hl=en&amp;nui=1&amp;ltmpl=default&amp;go=true&amp;passive_sso=true"/>
>
> > > > > > > > > Second form:
>
> > > > > > > > > <textarea rows=10 cols=80 
> > > > > > > > > name="RelayState">https://www.google.com/a/
> > > > > > > > > upr.edu/ServiceLogin?service=ig&amp;passive=true&amp;continue=http://
> > > > > > > > > partnerpage.google.com/upr.edu/default/postlogin%3Fpid%3Dupr.edu%26url
>
> ...
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
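
An added example, not part of the original thread or of Google's sample code: one way to do what the quoted advice describes, writing the received RelayState into both HTML forms with the five XML special characters escaped. The class and method names are hypothetical, and the sample values are constructed stand-ins for the URL-decoded RelayState request parameter.

```java
class RelayStateForms {
    // Escape the five XML special characters listed in the thread.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '\'': out.append("&apos;"); break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // "First form": hidden field on the IdP sign-in page that carries RelayState along.
    static String hiddenInput(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeXml(name)
             + "\" value=\"" + escapeXml(value) + "\"/>";
    }

    // "Second form": textarea in the auto-submitted form that is posted to the ACS.
    static String textArea(String name, String value) {
        return "<textarea rows=10 cols=80 name=\"" + escapeXml(name) + "\">"
             + escapeXml(value) + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed samples; in a servlet or JSP the value would come from the
        // RelayState request parameter instead of being hard-coded.
        String[] samples = {
            "https://www.google.com/a/example.edu/ServiceLogin?service=ig&passive=true&hl=en",
            // A value containing quotes and markup must still come out as plain text.
            "https://sp.example/login?a=1&b=\"2\"</textarea><b>not markup</b>"
        };
        for (String relayState : samples) {
            System.out.println(hiddenInput("RelayState", relayState));
            System.out.println(textArea("RelayState", relayState));
        }
    }
}
```

Because the browser decodes the entities when it submits either form, the service provider receives the RelayState byte for byte as it was sent, while markup inside the value cannot close the attribute or the textarea.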
