When do you estimate a fix for this issue being released? We are planning on publishing credentials for about 40,000 users in the coming weeks. This means we are expecting a whole bunch of new users logging in during this period and SSO is a requirement for some of the campuses to buy-in to the idea of Google-hosted services. Can you tell me something I can tell my boss about the expectations for this to be resolved soon?
Regards, Carlos On Dec 19, 2:20 am, "Megha (Google)" <[EMAIL PROTECTED]> wrote: > Hi Carlos, > > Can you try using on the "Sign In" link on the top right corner of the > your start page? > The "Sign In" link on the Email Gadget has the issue which results in > cycles that you described. > > Thanks, > Megha > > On Dec 18, 8:33 am, Cuso <[EMAIL PROTECTED]> wrote: > > > Sorry about the delay.... I was fighting some fires... > > > I tried your suggestion and it didn't work. Here is the form submitted > > to the acs after the change: > > > ********* SAMLResponseServlet ********* > > > <!-- > > Copyright (C) 2006 Google Inc. > > > Licensed under the Apache License, Version 2.0 (the "License"); > > you may not use this file except in compliance with the License. > > You may obtain a copy of the License at > > > http://www.apache.org/licenses/LICENSE-2.0 > > > Unless required by applicable law or agreed to in writing, > > software > > distributed under the License is distributed on an "AS IS" BASIS, > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or > > implied. > > See the License for the specific language governing permissions > > and > > limitations under the License. > > --> > > > <html> > > <head> > > <meta http-equiv="Content-Type" content="text/html; > > charset=iso-8859-1"> > > <title>Portal de Servicios Electrónicos - Universidad de Puerto > > Rico</title> > > <meta content="noindex,nofollow" name="robots"> > > <style type="text/css"><!-- > > body {background-color: #ffffff} > > body,td,div,p,a,font,span {font-family: arial,sans-serif} > > body {margin-top:2} > > > .c {width: 4; height: 4} > > > .bubble {background-color:#C3D9FF} > > > .tl {padding: 0; width: 4; text-align: left; vertical-align: top} > > .tr {padding: 0; width: 4; text-align: right; vertical-align: top} > > .bl {padding: 0; width: 4; text-align: left; vertical-align: bottom} > > .br {padding: 0; width: 4; text-align: right; vertical-align: bottom} > > > .x {background-color: #ddf8cc; border: solid 1px #80c65a; padding: > > 15px; margin: 0 15px 0 0; text-align: center;} > > .x, .x td {font-size: 80%} > > .x table {margin: 0px; text-align: left;} > > .x p {text-align: left;} > > .x h2 {margin:0 0 0 0;font-weight: bold; font-size: 120%;} > > > .errormsg {color: #cc0000} > > --> </style> </head> > > > <body onload="document.acsForm.submit();"> > > > <form name="acsForm" action="https://www.google.com/a/upr.edu/ > > acs" method="post" > <!-- target="_blank"> --> > > <div style="display: none"> > > <textarea rows=10 cols=80 name="SAMLResponse"><?xml > > version="1.0" encoding="UTF-8"?> > > <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" > > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; > > ID="miejagpgfkfkfaalngfhcldineplaggifakimbfo" > > IssueInstant="2007-12-18T12:22:17Z" Version="2.0"> <Signature > > xmlns="http://www.w3.org/2000/09/ > > xmldsig#"><SignedInfo><CanonicalizationMethod > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"; > > /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa- > > > sha1" /><Reference URI=""><Transforms><Transform > > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /></ > > Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/ > > xmldsig#sha1" /><DigestValue>jtECoVUTnvwf1TqVBsu8o6tOdtY=</ > > DigestValue></Reference></ > > SignedInfo><SignatureValue>BMT0itItryVF0FqlGi3MMzVwAu2YVm0Y294m27M1tE03CQWx0IdOrA==</ > > SignatureValue><KeyInfo><KeyValue><DSAKeyValue><P>r5Swl0VTgqkZSKUQoeILhNyEZs9Ot8hQgiNuJeI6cFro > > +5/jBP8KDCByq5MkIzqZZxqGZPKc1GZC > > 9QTxMqPYOXiShREalv45a4kb6sRGTluh8YpSfskPRMWT77yp7KqGKZbSqHlw > > +FKXraAgzjV7RXCn > > OU14Uun5Ac9R7QSPIls=</P><Q>p3nhx7XegMkLDaySZ3VhakAsEqk=</ > > Q><G>QFJ1EaupSqYDMPz4vzknUFZziiYGGZN7+R2ZqTsooVmNxVf+A39v > > +8aFnh6Ny6w9rveOSXjYYAAL > > oejZTqDCPRtnHnW7g4Rp2DktGA47T8ou/ > > LOt7MOhtFJSjYUrejxaQLFK35A35sv9pbjF5tCWICe8 > > rgawabXh6AvzvOa4/Z8=</G><Y>UTQsust9OOU26ypSLU9/ > > sljpyZ9IBrJXVrfgfDMICpxf4hAFVt5CswvJ/CBgy91YjhXMOCdcveJ2 > > D2NnevIBRxlU6zLwQB035ec0M2Ctnm9llyVK7Gea3KdYwtgfLyMVFMwXIg6fxjAoimUA4OlOfFpY > > 65fD6fbwPtGoN0pTeYw=</Y></DSAKeyValue></KeyValue></KeyInfo></ > > Signature><samlp:Status> <samlp:StatusCode > > Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> > > <Assertion ID="ehknpfnbhhcmjabjnlokajjinhobcangjgpiiili" > > IssueInstant="2003-04-17T00:46:02Z" Version="2.0"> > > <Issuer>https://www.opensaml.org/IDP </Issuer> <Subject> > > <NameID > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"> > > cuenta.depruebasso3 </NameID> > > <SubjectConfirmation > > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /> </Subject> > > <Conditions NotBefore="2003-04-17T00:46:02Z" > > NotOnOrAfter="2008-04-17T00:51:02Z"> </Conditions> > > <AuthnStatement > > AuthnInstant="2007-12-18T12:22:17Z"> <AuthnContext> > > <AuthnContextClassRef> > > urn:oasis:names:tc:SAML: > > 2.0:ac:classes:Password </AuthnContextClassRef> > > </AuthnContext> > > </AuthnStatement> </Assertion></samlp:Response> > > </textarea> > > <textarea rows=10 cols=80 > > name="RelayState">https://www.google.com/a/upr.edu/ServiceLogin?service=ig&passive=fals......</textarea> > > </div> > > </form> > > </body> > > > </html> > > > On Nov 29, 12:07 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > > I am using FireFox to test, but I'll check.... > > > > On Nov 26, 9:56 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote: > > > > > Hi Carlos, > > > > > Does this happen on Internet Explorer only? It might be an issue with > > > > the RelayState not having XML special characters escaped: > > > > > & -> & > > > > < -> <> -> > > > > > > ' -> ' > > > > " -> " > > > > > -alex > > > > > On Nov 26, 5:51 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > Alex, > > > > > > Some extra information on this issue: > > > > > > The user gets logged on, actually. If I stop the cycle (by > > > > > clicking on the browser stop button) and then > > > > > tryhttp://www.google.com/a/upr.edu > > > > > I get the dashboard as the user I was trying to log on if it is an > > > > > administrator, otherwise I get the Google apps logon page telling me I > > > > > need to be an admin to get to the dashboard. So the acs is creating > > > > > the session, but is not redirecting the browser correctly or the start > > > > > page is not recognizing the session. > > > > > > Thought it might help you... > > > > > > Thanks, > > > > > Carlos > > > > > On Nov 26, 9:37 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > > Hello Alex, > > > > > > > We get the cycle by accessinghttp://inicio.upr.edu, which is our > > > > > > start page fqdn. Your SP code redirects the user to the IdP without > > > > > > showing the start page. The three pages in the cycle show up just > > > > > > after the submit button is pressed on our IdP sign-in page. > > > > > > > Thanks, > > > > > > Carlos > > > > > > > Alex (Google) wrote: > > > > > > > Hi Carlos, > > > > > > > > Did you get theinfiniteloop using the Gmail gadget Sign in link? > > > > > > > That Sign in link is broken (we're working on a fix). > > > > > > > > Can you try the Sign in link in the upper right corner of the > > > > > > > start > > > > > > > page? > > > > > > > > -alex > > > > > > > > On Nov 20, 5:59 am, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > > > Well, I thought it was solved, but I'm still getting the > > > > > > > > cycle... > > > > > > > > Here is the acs page: > > > > > > > > > <html><body><script> > > > > > > > > var url = > > > > > > > > 'https://www.google.com/a/upr.edu/ServiceLogin?service\075ig > > > > > > > > \046passive\075false\046continue\075http://partnerpage.google.com/ > > > > > > > > upr.edu\046followup\075http://partnerpage.google.com/upr.edu\046cd > > > > > > > > \075US\046hl\075en\046nui\0751\046ltmpl\075default'; > > > > > > > > var parts = (window.location+'').split('#'); > > > > > > > > if (parts.length == 2 && parts[1].length > 0) { > > > > > > > > url += '#' + parts[1];} > > > > > > > > > window.setTimeout(function() { > > > > > > > > window.location = url;}, 0); > > > > > > > > > </script></body></html> > > > > > > > > > I had not tested the fix correctly before. Any ideas? > > > > > > > > > Thanks, > > > > > > > > Carlos > > > > > > > > On Nov 18, 6:37 pm, Cuso <[EMAIL PROTECTED]> wrote: > > > > > > > > > > Thank you! This solved the issue. > > > > > > > > > > On Nov 18, 2:36 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > Hi Carlos, > > > > > > > > > > > Right now it looks like RelayState is hard-coded > > > > > > > > > > ashttp://inicio.upr.edu > > > > > > > > > > > But instead, it should be taken from the RelayState > > > > > > > > > > parameter which > > > > > > > > > > you get from Google and included in the HTML forms, taking > > > > > > > > > > care to > > > > > > > > > > escape special XML characters, e.g.: > > > > > > > > > > >https://gaemail.upr.edu/GAESSOWS/identity_provider.jsp > > > > > > > > > > ?SAMLRequest=... > > > > > > > > > > &RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fupr.edu%2FServiceLogin > > > > > > > > > > %3Fservice%3Dig%26passive%3Dtrue%26continue%3Dhttp%3A%2F > > > > > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%2Fdefault%2Fpostlogin%253Fpid > > > > > > > > > > %253Dupr.edu%2526url%253Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu > > > > > > > > > > %26followup%3Dhttp%3A%2F%2Fpartnerpage.google.com%2Fupr.edu%2Fdefault > > > > > > > > > > %2Fpostlogin%253Fpid%253Dupr.edu%2526url%253Dhttp%3A%2F > > > > > > > > > > %2Fpartnerpage.google.com%2Fupr.edu%26cd%3DUS%26hl%3Den%26nui > > > > > > > > > > %3D1%26ltmpl%3Ddefault%26go%3Dtrue%26passive_sso%3Dtrue > > > > > > > > > > > First form: > > > > > > > > > > > <input type="hidden" name="RelayState" > > > > > > > > > > value="https://www.google.com/a/ > > > > > > > > > > upr.edu/ServiceLogin?service=ig&passive=true&continue=http:// > > ... > > read more >> --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en -~----------~----~----~----~------~----~------~--~---
