Hello Alex,

Our test app's domain dev.mip.sunrise.ch shows the described problem. Could you please disable the Recipient check for it? How long will the old SAMLResponse be supported in that way? We can update our application in September at the earliest.

Cheers - Conrad

On Jun 21, 2:30 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> For new SSO domains:
>
> Yesterday we added an extra check on the SAMLResponse for new domains.
> This check enforces the Recipient value to be equal to the ACS URL.
> For example, if your domain is "domain.com" and your ACS URL is
> "https://www.google.com/a/domain.com/acs", then the Recipient
> attribute in the SAMLResponse would be:
>
> <samlp:Response ...>
>   <saml:Assertion ...>
>     <saml:Subject>
>       <saml:NameID ...>[EMAIL PROTECTED]</saml:NameID>
>       <saml:SubjectConfirmation ...>
>         <saml:SubjectConfirmationData
>           Recipient="https://www.google.com/a/domain.com/acs" .../>
>       </saml:SubjectConfirmation>
>     </saml:Subject>
>   </saml:Assertion>
> </samlp:Response>
>
> For existing SSO domains:
>
> Existing domains do not have this extra check; however, we can
> coordinate with domain administrators to add this attribute to the
> SAMLResponse.
>
> If you are using a commercial or open source IdP, this attribute
> should already be there. But if you are using the SSO sample code, the
> SAMLResponse is missing this attribute. The SSO sample code has been
> updated:
>
> http://code.google.com/apis/apps/libraries_and_samples.html#sso
>
> We identified existing SSO domains as those domains which have had any
> users authenticate in the last couple of weeks, but we missed a few
> domains.
>
> If you discover that you can't sign in, please let us know and we'll
> turn off the check for your domain. Either post your domain name here
> or submit a support request (instructions are in the control panel).
>
> The part of the SAML specification which describes this requirement is
> section 4.1.4.2 of:
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
>
> Let us know if you have any questions.
>
> -alex
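The check Alex describes, written out as an added example (not code from the thread, from Google, or from the SSO sample code): on the service-provider side, locate the bearer SubjectConfirmation in the assertion and require its SubjectConfirmationData Recipient attribute to equal the ACS URL exactly. The three SAML responses below are constructed for the example; the first has the shape quoted in the thread, the second omits Recipient the way the old sample code did, and the third carries a Recipient for a different domain's ACS URL. The example assumes the response's XML signature has already been verified before this check runs, and it checks only the Recipient requirement from section 4.1.4.2 (the same section also requires NotOnOrAfter, which a real SP must validate as well).

```python
"""Recipient check for a SAML 2.0 Web Browser SSO response (example code).

Assumption: the caller has already verified the XML signature on the
Response/Assertion. This function only implements the Recipient == ACS URL
rule discussed in the thread (SAML profiles, section 4.1.4.2).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The ACS URL used in the thread's example.
ACS_URL = "https://www.google.com/a/domain.com/acs"


def _response(subject_confirmation_data: str) -> str:
    """Build a constructed (unsigned) SAMLResponse with the given
    SubjectConfirmationData element, mirroring the structure Alex quoted."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2008-06-21T09:55:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-06-21T09:55:00Z">
    <saml:Subject>
      <saml:NameID>user@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        {subject_confirmation_data}
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample inputs (not captured traffic).
GOOD = _response(
    f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" '
    'NotOnOrAfter="2008-06-21T10:00:00Z"/>'
)
MISSING = _response(  # what the old SSO sample code produced: no Recipient
    '<saml:SubjectConfirmationData NotOnOrAfter="2008-06-21T10:00:00Z"/>'
)
WRONG = _response(  # Recipient points at another domain's ACS URL
    '<saml:SubjectConfirmationData '
    'Recipient="https://www.google.com/a/other.com/acs" '
    'NotOnOrAfter="2008-06-21T10:00:00Z"/>'
)


def check_recipient(saml_response_xml: str, expected_acs_url: str):
    """Return (ok, reason).

    ok is True only if every bearer SubjectConfirmation in the response's
    assertion carries a Recipient attribute that is byte-for-byte equal to
    expected_acs_url. A missing attribute or any mismatch (other host,
    other domain path, trailing slash, different scheme) is a failure:
    the comparison is deliberately exact, with no URL normalization.
    """
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response"

    confirmations = root.findall(
        "saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS
    )
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer SubjectConfirmation in assertion"

    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer SubjectConfirmation has no SubjectConfirmationData"
        recipient = data.get("Recipient")
        if recipient is None:
            return False, "Recipient attribute missing from SubjectConfirmationData"
        if recipient != expected_acs_url:
            return False, "Recipient %r does not match ACS URL %r" % (
                recipient, expected_acs_url)
    return True, "Recipient matches ACS URL"


if __name__ == "__main__":
    for name, xml in (("good", GOOD), ("missing", MISSING), ("wrong", WRONG)):
        print(name, check_recipient(xml, ACS_URL))
```

Running the block prints one line per sample: the first passes, the second fails because Recipient is absent, and the third fails because the Recipient names a different ACS URL. An SP that applies this check turns the thread's failure mode (an IdP built from the old sample code) into a rejected login rather than a silently accepted assertion addressed to some other recipient.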
