Hi Alex,

Thanks for your prompt response. At last, I released a new version of
my software (GHeimdall-0.9.3.4) [1]. This new version makes a
SAMLResponse with the Recipient attribute correctly.

1. http://code.google.com/p/gheimdall/

Thanks again.

Regards,

-- Takashi

On Tue, Jun 24, 2008 at 3:38 PM, Alex (Google) <[EMAIL PROTECTED]> wrote:
>
> Hi Takashi,
>
> The Recipient check is enabled for test.shehas.net.  Thanks for
> updating your software.
>
> -alex
>
> On Jun 23, 11:33 pm, "Takashi Matsuo" <[EMAIL PROTECTED]>
> wrote:
>> Hi Alex,
>>
>> I'm developing an open source SAML IdP for Google Apps. I'd like to implement
>> a new capability of setting the Recipient value in the SAMLResponse for my
>> software.
>>
>> So, could you please enable the Recipient check for the domain
>> 'test.shehas.net'?
>>
>> Regards,
>>
>> -- Takashi
>>
>> On Sat, Jun 21, 2008 at 9:30 AM, Alex (Google) <[EMAIL PROTECTED]> wrote:
>>
>> > For new SSO domains:
>>
>> > Yesterday we added an extra check on the SAMLResponse for new domains.
>> > This check enforces the Recipient value to be equal to the ACS URL.
>> > For example, if your domain is "domain.com" and your ACS URL is
>> > "https://www.google.com/a/domain.com/acs", then the Recipient
>> > attribute in the SAMLResponse would be:
>>
>> > <samlp:Response ...>
>> >  <saml:Assertion ...>
>> >    <saml:Subject>
>> >      <saml:NameID ...>[EMAIL PROTECTED]</saml:NameID>
>> >      <saml:SubjectConfirmation ...>
>> >        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/domain.com/acs" .../>
>> >      </saml:SubjectConfirmation>
>> >    </saml:Subject>
>> >  </saml:Assertion>
>> > </samlp:Response>
>>
>> > For existing SSO domains:
>>
>> > Existing domains do not have this extra check; however, we can
>> > coordinate with domain administrators to add this attribute to the
>> > SAMLResponse.
>>
>> > If you are using a commercial or open source IdP, this attribute
>> > should already be there. But if you are using the SSO sample code, the
>> > SAMLResponse is missing this attribute.  The SSO sample code has been
>> > updated:
>>
>> > http://code.google.com/apis/apps/libraries_and_samples.html#sso
>>
>> > We identified existing SSO domains as those domains which have had any
>> > users authenticate in the last couple weeks, but we missed a few
>> > domains.
>>
>> > If you discover that you can't sign in, please let us know and we'll
>> > turn off the check for your domain.  Either post your domain name here
>> > or submit a support request (instructions are in the control panel).
>>
>> > The part of the SAML specification which describes this requirement is
>> > section 4.1.4.2 of:
>>
>> > http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
>>
>> > Let us know if you have any questions.
>>
>> > -alex
> >
>
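
The Recipient check described in the quoted announcement, sketched from the receiving side as an added example (not code from this thread, from GHeimdall, or from Google). The function names, the constructed sample response and the choice to require an exact match on every bearer confirmation are assumptions; signature verification is assumed to have happened before this check runs.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS = "https://www.google.com/a/domain.com/acs"  # example URL from the thread


def check_recipient(response_xml, acs_url):
    """Return (ok, reason); ok only if every bearer SubjectConfirmationData
    carries a Recipient that equals acs_url exactly (no prefix matching)."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    path = "saml:Assertion/saml:Subject/saml:SubjectConfirmation"
    bearers = [sc for sc in root.findall(path, NS)
               if sc.get("Method") == BEARER]
    if not bearers:
        return False, "no bearer SubjectConfirmation"
    for sc in bearers:
        data = sc.find("saml:SubjectConfirmationData", NS)
        recipient = data.get("Recipient") if data is not None else None
        if recipient is None:
            # The case the old SSO sample code produced: attribute absent.
            return False, "Recipient attribute missing"
        if recipient != acs_url:
            return False, "Recipient mismatch: %r" % recipient
    return True, "ok"


def sample_response(recipient_attr):
    """Constructed, unsigned sample shaped like the announcement's snippet."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
            '<saml:Assertion><saml:Subject>'
            '<saml:NameID>user@domain.com</saml:NameID>'
            '<saml:SubjectConfirmation Method="%s">'
            '<saml:SubjectConfirmationData %s/>'
            '</saml:SubjectConfirmation>'
            '</saml:Subject></saml:Assertion></samlp:Response>'
            ) % (NS["samlp"], NS["saml"], BEARER, recipient_attr)


if __name__ == "__main__":
    for attr in ('Recipient="%s"' % ACS,
                 'Recipient="https://www.google.com/a/other.com/acs"',
                 ""):
        print(check_recipient(sample_response(attr), ACS))
```

An assertion minted for a different domain's ACS URL, or one with no Recipient at all, is rejected before any session is created.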
