Hi Carlos, Thanks for the detailed description. The problem is most likely due to too many authentication attempts from your server IP address. Both unsuccessful attempts and successful attempts can contribute to the likelihood of triggering a CAPTCHA challenge, which requires that someone answer the challenge from the same IP address in order to regain access to the authentication service (UserService uses ClientLogin). ClientLogin was not designed for the scenario you described. The CAPTCHA logic safeguards against abuse of the ClientLogin service for guessing user passwords.
In order to avoid CAPTCHA errors, you would need to modify your application so that it does not authenticate so frequently. As a short term solution perhaps you could meter the ClientLogin requests so that the frequency does not trigger CAPTCHA errors. The longer term solution might be to have your SSO site re-establish a user's identity through secondary means (e.g. something only the user would know) in order to set the SSO password. This is just an idea, and not necessarily a good suggestion, depending on what your business and security requirements are. Transitioning from Google Apps sign in to SSO sign in is not a common use case that I have seen. Maybe someone else in the group has gone through it before and can share their ideas. For more about CAPTCHA errors, see the Provisioning API FAQ: http://code.google.com/support/bin/topic.py?topic=11282 -alex On Mar 22, 8:46 am, Cuso <[EMAIL PROTECTED]> wrote: > Hello: > > We are getting an AuthenticationException thrown by the > setUserCredentials method of the UserService object when attempting to > login a user to Google from the SSO site. This only happens for some > users. We think it might be related to having multiple users login to > the system from the same computers, which might cause the server to > generate a captcha challenge or something similar. We double-checked > that we are using the right credentials. When we try to log the user > in throughhttps://www.google.com/a/upr.eduwe get a captcha and after > responding to it the user gets presented with the agreement pagefrom > Google. We have searched the groups for some clue as to how to > respond to this exception, but have had no luck so far. We need help > with this pretty soon, since students are being required by the > institution to use the account to look at their finantial aid records > and some of them are not being able to log in. > > The reason we need to have this operation working in our SSO site > is so that we can do credentials migration from Google to the LDAP > directory which the SSO site refers to when authenticating users. > Since passwords were managed by Google from the start, and we didn't > want to force users to reset their passwords when the SSO system came > on-line, we deviced a strategy to migrate the same credentials from > Google as they logged in. We try to authenticate them using the > UserService if the credentials have not been migrated to our directory > yet. If they are authenticated successfully, we save those > credentials in our directory and mark them migrated so the next time > around we don't have to go through Google. > > We need to know what could be causing this exception to be > thrown. If we can avoid it in the first place we would try to do so. > We also need to know how to deal with it so that the user gets to > login at some point after resolving the challenge, if that is what is > causing it. > > Regards, > Carlos --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en -~----------~----~----~----~------~----~------~--~---
