Hi Conrad, I've disabled the check for dev.mip.sunrise.ch
I recommend you to do the change as soon as possible, as Alex mention before it's just few lines of code. http://code.google.com/apis/apps/faq.html#recipient I will check what is the time frame for this, I recommend you to keep attention on the group. Cheers, Julian. On Jul 2, 2:43 pm, Conrad Peyer <[EMAIL PROTECTED]> wrote: > Hello Alex > > Our test apps domain dev.mip.sunrise.ch shows the described problem. > Could you please disable the recipient check for it. How long will the > old SAMLResponse be supported in that way? We can update our > application soonest in September. > > Cheers > - Conrad > > On Jun 21, 2:30 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote: > > > For new SSO domains: > > > Yesterday we added an extra check on the SAMLResponse for new domains. > > This check enforces the Recipient value to be equal to the ACS URL. > > For example, if your domain is "domain.com" and your ACS URL is > > "https://www.google.com/a/domain.com/acs";, then the Recipient > > attribute in the SAMLResponse would be: > > > <samlp:Response ...> > > <saml:Assertion ...> > > <saml:Subject> > > <saml:NameID ...>[EMAIL PROTECTED]</saml:NameID> > > <saml:SubjectConfirmation ...> > > <saml:SubjectConfirmationData > > Recipient="https://www.google.com/a/domain.com/acs"; .../> > > </saml:SubjectConfirmation> > > </saml:Subject> > > </saml:Assertion> > > </samlp:Response> > > > For existing SSO domains: > > > Existing domains do not have this extra check, however we can > > coordinate with domains administrators to add this attribute to the > > SAMLResponse. > > > If you are using a commercial or open source IdP, this attribute > > should already be there. But if you are using the SSO sample code, the > > SAMLResponse is missing this attribute. The SSO sample code has been > > updated: > > >http://code.google.com/apis/apps/libraries_and_samples.html#sso > > > We identified existing SSO domains as those domains which have had any > > users authenticate in the last couple weeks, but we missed a few > > domains. > > > If you discover that you can't sign in, please let us know and we'll > > turn off the check for your domain. Either post your domain name here > > or submit a support request (instructions are in the control panel). > > > The part of the SAML specification which describes this requirement is > > section 4.1.4.2 of: > > >http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf > > > Let us know if you have any questions. > > > -alex --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Apps APIs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en -~----------~----~----~----~------~----~------~--~---
