Thanks for your help. I was thinking about deploying different urls...
Does it mean that I have to create different files
"process_response.php" for each domain and just to direct to them on
login form?
I'll try your quick fix right now..
On Jul 2, 8:21 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> The sample code doesn't support sign in for multiple Google Apps
> domains, so you would need to deploy a different URL with different
> keys for each domain. Do you know if that's the case?
>
> It looks like some session code was added, which may be causing the
> other domain to be remembered incorrectly. One quick fix might be to
> include the domain in the NameID, i.e. change:
>
> $responseXmlString = createSamlResponse($login, $notBefore,
>
> to:
>
> $responseXmlString = createSamlResponse("[EMAIL PROTECTED]", $notBefore,
>
> -alex
>
> On Jul 2, 10:01 am, yar <[EMAIL PROTECTED]> wrote:
>
> > I have really very strange problem and need help
>
> > We have for example 2 domains: ny.com and la.com. In google they are
> > seperate accounts. In our db they are stored like [EMAIL PROTECTED],
> > [EMAIL PROTECTED] etc
>
> > We are using php sample for sso (not the latest version.
>
> > Problem Case: User have 2 valid mailboxes in both domains:
> > [EMAIL PROTECTED] and [EMAIL PROTECTED] All users logins to both domains
> > from one web form
>
> > 1. User logins to [EMAIL PROTECTED] and goes to its mailbox
> > 2. User doesn't press signout button and returns back to login page
> > 3. User logins to [EMAIL PROTECTED] and goes to its mailbox
> > 4. User again doesn't press signout button and returns back to login
> > page
> > 5. (!!!) And now user try to login to somebody else's mailbox
> > [EMAIL PROTECTED] with any password and he logins successfuly to the
> > mailbox he doesn't own!
>
> > I can imagine that here are problems with saml requests and sessions.
> > Our programmer is several months is a former programmer and I don't
> > have enouph php knowledge to fix it quickly.
>
> > Can anybody suggets what goes wrong? Belong my process_response.php
> > code (modified by former programmer slightly)
>
> > Sorry code is too long for reading :) but I hope that a professional
> > can find what is wrong quickly...
>
> > <?php
> > session_set_cookie_params (0, '/', '.mydomain.com');
> > if (session_id() == "") {
> > session_start();
> > # setcookie('PHPSESSID', session_id(), 0, '/');
>
> > }
>
> > require_once 'saml_util.php';
>
> > $domains = array(
> > 'ny.com' => 'ny.com',
> > 'la.com' => 'la.com',
> > );
>
> > $services = array (
> > 'mail' => 'mail',
> > 'calendar' => 'calendar',
> > 'docs' => 'docs'
> > );
>
> > /**
> > * The login method should either return null if the user is not
> > * successfully authenticated, or the user's username if the user is
> > * successfully authenticated.
> > * @param string $username
> > * @param string $password
> > * @return string
> > */
> > function login($username, $password, $domain) {
> > // Stage II: Update this method to call your authentication
> > mechanism.
> > // Return username for successful authentication. Return null
> > // for failed authentication.
> > $link = @mysql_connect('111.111.111.111', 'xxx', 'xxxxxxxxx');
> > mysql_select_db('namedb', $link);
> > $query = sprintf("SELECT Account FROM UserSession WHERE
> > Account='%s' AND Password='%s'",
> > mysql_real_escape_string("[EMAIL PROTECTED]"),
> > mysql_real_escape_string($password));
> > $result = mysql_query($query, $link);
> > if (!$result) {
> > return '';
> > }
> > $rows = mysql_num_rows($result);
> > if ($rows == 1) {
> > return $username;
> > } else {
> > return '';
> > }
>
> > }
>
> > /**
> > * Returns a SAML response with various elements filled in.
> > * @param string $authenticatedUser The Google Apps username of the
> > authenticated user
> > * @param string $notBefore The ISO 8601 formatted date before which
> > the
> > response is invalid
> > * @param string $notOnOrAfter The ISO 8601 formatted data after which
> > the
> > response is invalid
> > * @param string $rsadsa 'rsa' if the response will be signed with RSA
> > keys,
> > 'dsa' for DSA keys
> > * @param string $requestID The ID of the request we're responding to
> > * @param string $destination The ACS URL that the response is
> > submitted to
> > * @return string XML SAML response.
> > */
> > function createSamlResponse($authenticatedUser, $notBefore,
> > $notOnOrAfter,
> > $rsadsa, $requestID, $destination) {
> > global $domainName;
>
> > $samlResponse = file_get_contents('templates/
> > SamlResponseTemplate.xml');
> > $samlResponse = str_replace('<USERNAME_STRING>',
> > $authenticatedUser,
> > $samlResponse);
> > $samlResponse = str_replace('<RESPONSE_ID>', samlCreateId(),
> > $samlResponse);
> > $samlResponse = str_replace('<ISSUE_INSTANT>',
> > samlGetDateTime(time()),
> > $samlResponse);
> > $samlResponse = str_replace('<AUTHN_INSTANT>',
> > samlGetDateTime(time()),
> > $samlResponse);
> > $samlResponse = str_replace('<NOT_BEFORE>', $notBefore,
> > $samlResponse);
> > $samlResponse = str_replace('<NOT_ON_OR_AFTER>', $notOnOrAfter,
> > $samlResponse);
> > $samlResponse = str_replace('<ASSERTION_ID>', samlCreateId(),
> > $samlResponse);
> > $samlResponse = str_replace('<RSADSA>', strtolower($rsadsa),
> > $samlResponse);
> > $samlResponse = str_replace('<REQUEST_ID>', $requestID,
> > $samlResponse);
> > $samlResponse = str_replace('<DESTINATION>', $destination,
> > $samlResponse);
> > $samlResponse = str_replace('<ISSUER_DOMAIN>', $domainName,
> > $samlResponse);
>
> > return $samlResponse;
>
> > }
>
> > /**
> > * Signs a SAML response with the given private key, and embeds the
> > public key.
> > * @param string $responseXmlString
> > * @param string $pubKey
> > * @param string $privKey
> > * @return string
> > */
> > function signResponse($responseXmlString, $pubKey, $privKey) {
> > // NOTE: You may want to point this function to a directory on your
> > // web server that is suitable for temporary files and is not in
> > your
> > // web server path.
> > global $error;
>
> > // generate unique temporary filename
> > $tempFileName = '/tmp/saml-response-' . samlCreateId() . '.xml';
> > while (file_exists($tempFileName))
> > $tempFileName = 'saml-response-' . samlCreateId() . '.xml';
>
> > if (!$handle = fopen($tempFileName, 'w')) {
> > echo 'Cannot open temporary file (' . $tempFileName . ')';
> > exit;
> > }
>
> > if (fwrite($handle, $responseXmlString) === FALSE) {
> > echo 'Cannot write to temporary file (' . $tempFileName . ')';
> > exit;
> > }
>
> > fclose($handle);
>
> > // The path to xmlsec/xmlsec1 may need to be adjusted here.
> > // xmlsec supports many key types, which can be selected
> > // by using other command-line parameters.
> > $cmd = '/usr/local/bin/xmlsec1 --sign --privkey-pem ' . $privKey .
> > ' --pubkey-der ' . $pubKey . ' --output ' . $tempFileName .
> > '.out ' . $tempFileName;
> > exec($cmd, $resp);
> > unlink($tempFileName);
>
> > $xmlResult = @file_get_contents($tempFileName . '.out');
> > if (!$xmlResult) {
> > $error = 'Unable to sign XML response. Please ensure that xmlsec
> > is ' .
> > 'installed, and check your keys.';
> > return false;
> > } else {
> > unlink($tempFileName . '.out');
> > return $xmlResult;
> > }
>
> > }
>
> > if ($_POST['username']) {
> > $user = $_POST['username'];
> > $pass = $_POST['password'];
> > $domain = $_POST['domain'];
> > $service = $_POST['service'];
> > if (!isset($service) || $service == '') {
> > $service = 'mail';
> > }
> > $_SESSION['username'] = $user;
> > $_SESSION['password'] = $pass;
> > $_SESSION['domain'] = $domain;
> > $_SESSION['service'] = $service;
> > session_write_close();
> > header("Location: http://$service.google.com/a/"; .
> > $domains[$domain]);
> > exit();} else if($_GET['SAMLRequest'] != '') {
>
> > $SAMLRequest =$_GET['SAMLRequest'];
> > $username = $_SESSION['username'];
> > $password = $_SESSION['password'];
> > $domain = $_SESSION['domain'];
> > $service = $_SESSION['service'];
> > $relayStateURL = "http://$service.google.com/a/"; .
> > $domains[$domain];
> > if ($SAMLRequest == '') {
> > $error = 'Error: Unspecified SAML parameters.';
> > } else {
> > $requestXmlString = samlDecodeMessage($SAMLRequest);
> > if (($requestXmlString == '')||($requestXmlString === FALSE)) {
> > $error = 'Unable to decode SAML Request.';
> > } else {
> > $samlAttr = getRequestAttributes($requestXmlString);
> > $issueInstant = $samlAttr['issueInstant'];
> > $acsURL = $samlAttr['acsURL'];
> > $providerName = $samlAttr['providerName'];
> > $requestID = $samlAttr['requestID'];
>
> > $login = login($username, $password, $domain);
> > if ($login == '') {
> > $error = 'Login Failed: Invalid user.';
> > } else {
> > // Acquire public and private DSA keys
>
> > /*
> > * Stage III: Update the DSA filenames to identify the
> > locations of
> > * the DSA/RSA keys that digitally sign SAML responses for your
> > * domain. The keys included in the reference implementation
> > sign SAML
> > * responses for the psosamldemo.net domain.
> > */
>
> > $pubKey = 'keys/dsapubkey.der';
> > $privKey = 'keys/dsaprivkey.pem';
> > $keyType = 'dsa';
>
> > // generate NotBefore and NotOnOrAfter dates
> > $notBefore = samlGetDateTime(strtotime('-5 minutes'));
> > $notOnOrAfter = samlGetDateTime(strtotime('+10 minutes'));
>
> > // Sign
>
> ...
>
> read more »
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
