For new SSO domains:
Yesterday we added an extra check on the SAMLResponse for new domains.
This check enforces that the Recipient value equals the ACS URL.
For example, if your domain is "domain.com" and your ACS URL is
"https://www.google.com/a/domain.com/acs", then the Recipient
attribute in the SAMLResponse would be:
  <samlp:Response ...>
    <saml:Assertion ...>
      <saml:Subject>
        <saml:NameID ...>[EMAIL PROTECTED]</saml:NameID>
        <saml:SubjectConfirmation ...>
          <saml:SubjectConfirmationData
              Recipient="https://www.google.com/a/domain.com/acs" .../>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:Assertion>
  </samlp:Response>
For existing SSO domains:
Existing domains do not have this extra check. However, we can
coordinate with domain administrators to add this attribute to the
SAMLResponse.
If you are using a commercial or open source IdP, this attribute
should already be there. But if you are using the SSO sample code, the
SAMLResponse is missing this attribute. The SSO sample code has been
updated:
http://code.google.com/apis/apps/libraries_and_samples.html#sso
We identified existing SSO domains as those domains which have had any
users authenticate in the last couple weeks, but we missed a few
domains.
If you discover that you can't sign in, please let us know and we'll
turn off the check for your domain. Either post your domain name here
or submit a support request (instructions are in the control panel).
The part of the SAML specification which describes this requirement is
section 4.1.4.2 of:
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
Let us know if you have any questions.
-alex
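The check described in the post, written out as an added example (this is not Google's code and not the SSO sample code). It parses a SAMLResponse, finds every bearer SubjectConfirmation, and requires the Recipient attribute to equal the ACS URL by exact string comparison. The function and constant names (`check_recipient`, `build_response`, `ACS_URL`) and the `strict` flag are my own: `strict=True` models the new-domain behaviour where a missing Recipient is rejected, `strict=False` models the existing-domain mode where an absent attribute is tolerated. The sample response is constructed inline for testing and is unsigned; in a real service provider this check runs only after the signature on the response or assertion has been verified, and untrusted XML should go through a hardened parser rather than the plain standard-library one used here for portability.

```python
"""Check SubjectConfirmationData/@Recipient against the ACS URL.

Added example, not Google's code. Uses the standard-library parser only so
it runs offline; production code should parse untrusted XML with a hardened
parser (for example defusedxml) and run this check only after verifying the
signature on the response or assertion.
"""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The ACS URL from the post; every other value below is a constructed test input.
ACS_URL = "https://www.google.com/a/domain.com/acs"


def check_recipient(response_xml, acs_url, strict=True):
    """Return (ok, reason) for the Recipient check.

    strict=True is the behaviour described for new domains: a response with
    no matching Recipient is rejected. strict=False models the
    existing-domain mode: an absent attribute is tolerated. A Recipient that
    is present but differs from acs_url is rejected in both modes, since
    that is never valid under the Web Browser SSO profile.
    """
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"

    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no saml:Assertion in response"

    bearer_count = 0
    matched = 0
    for assertion in assertions:
        for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
            if sc.get("Method") != BEARER:
                continue  # the profile requirement applies to bearer confirmations
            bearer_count += 1
            scd = sc.find("saml:SubjectConfirmationData", NS)
            recipient = None if scd is None else scd.get("Recipient")
            if recipient is None:
                continue
            # Exact, case-sensitive comparison: no trailing-slash trimming,
            # no case folding, no prefix or host-only match. Anything looser
            # lets values such as "<acs>/../x" or "<acs>/" through.
            if recipient != acs_url:
                return False, f"Recipient {recipient!r} != ACS URL {acs_url!r}"
            matched += 1

    if bearer_count == 0:
        return False, "no bearer SubjectConfirmation"
    if strict and matched == 0:
        return False, "Recipient attribute missing"
    return True, "Recipient matches ACS URL"


def build_response(recipient):
    """Constructed, unsigned sample SAMLResponse for testing (not IdP output).

    recipient=None omits SubjectConfirmationData, as the old sample code did.
    """
    scd = ""
    if recipient is not None:
        scd = (f"<saml:SubjectConfirmationData Recipient={quoteattr(recipient)} "
               f'NotOnOrAfter="2030-01-01T00:00:00Z"/>')
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_r1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.domain.com</saml:Issuer>"
        "<saml:Subject>"
        "<saml:NameID>user@domain.com</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{BEARER}">{scd}</saml:SubjectConfirmation>'
        "</saml:Subject>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )


if __name__ == "__main__":
    cases = {
        "exact match": ACS_URL,
        "attribute missing": None,
        "trailing slash": ACS_URL + "/",
        "path traversal": ACS_URL + "/../other",
        "case variant": ACS_URL.upper(),
    }
    for name, value in cases.items():
        print(f"{name:18} strict={check_recipient(build_response(value), ACS_URL)} "
              f"lenient={check_recipient(build_response(value), ACS_URL, strict=False)}")
```

Run it directly to see each constructed case under both modes. The comparison is deliberately a plain string equality: normalising the URL before comparing (lower-casing, stripping a trailing slash, matching only the host) reintroduces exactly the class of mismatch the attribute exists to rule out, so the IdP must emit the ACS URL character for character.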
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---