Good to hear. You should also look into the changes that Sam
suggested.
-alex
On Jul 2, 12:51 pm, yar <[EMAIL PROTECTED]> wrote:
> For the first look this quick fix helped. Thanks Alex! Now I asked
> people to test it properly... will write if it works now
>
> On Jul 2, 9:23 pm, yar <[EMAIL PROTECTED]> wrote:
>
> > Thanks for your help. I was thinking about deploying different urls...
> > Does it mean that I have to create different files
> > "process_response.php" for each domain and just to direct to them on
> > login form?
>
> > I'll try your quick fix right now..
>
> > On Jul 2, 8:21 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
>
> > > Hi,
>
> > > The sample code doesn't support sign in for multiple Google Apps
> > > domains, so you would need to deploy a different URL with different
> > > keys for each domain. Do you know if that's the case?
>
> > > It looks like some session code was added, which may be causing the
> > > other domain to be remembered incorrectly. One quick fix might be to
> > > include the domain in the NameID, i.e. change:
>
> > > $responseXmlString = createSamlResponse($login, $notBefore,
>
> > > to:
>
> > > $responseXmlString = createSamlResponse("[EMAIL PROTECTED]", $notBefore,
>
> > > -alex
>
> > > On Jul 2, 10:01 am, yar <[EMAIL PROTECTED]> wrote:
>
> > > > I have really very strange problem and need help
>
> > > > We have for example 2 domains: ny.com and la.com. In google they are
> > > > seperate accounts. In our db they are stored like [EMAIL PROTECTED],
> > > > [EMAIL PROTECTED] etc
>
> > > > We are using php sample for sso (not the latest version.
>
> > > > Problem Case: User have 2 valid mailboxes in both domains:
> > > > [EMAIL PROTECTED] and [EMAIL PROTECTED] All users logins to both domains
> > > > from one web form
>
> > > > 1. User logins to [EMAIL PROTECTED] and goes to its mailbox
> > > > 2. User doesn't press signout button and returns back to login page
> > > > 3. User logins to [EMAIL PROTECTED] and goes to its mailbox
> > > > 4. User again doesn't press signout button and returns back to login
> > > > page
> > > > 5. (!!!) And now user try to login to somebody else's mailbox
> > > > [EMAIL PROTECTED] with any password and he logins successfuly to the
> > > > mailbox he doesn't own!
>
> > > > I can imagine that here are problems with saml requests and sessions.
> > > > Our programmer is several months is a former programmer and I don't
> > > > have enouph php knowledge to fix it quickly.
>
> > > > Can anybody suggets what goes wrong? Belong my process_response.php
> > > > code (modified by former programmer slightly)
>
> > > > Sorry code is too long for reading :) but I hope that a professional
> > > > can find what is wrong quickly...
>
> > > > <?php
> > > > session_set_cookie_params (0, '/', '.mydomain.com');
> > > > if (session_id() == "") {
> > > > session_start();
> > > > # setcookie('PHPSESSID', session_id(), 0, '/');
>
> > > > }
>
> > > > require_once 'saml_util.php';
>
> > > > $domains = array(
> > > > 'ny.com' => 'ny.com',
> > > > 'la.com' => 'la.com',
> > > > );
>
> > > > $services = array (
> > > > 'mail' => 'mail',
> > > > 'calendar' => 'calendar',
> > > > 'docs' => 'docs'
> > > > );
>
> > > > /**
> > > > * The login method should either return null if the user is not
> > > > * successfully authenticated, or the user's username if the user is
> > > > * successfully authenticated.
> > > > * @param string $username
> > > > * @param string $password
> > > > * @return string
> > > > */
> > > > function login($username, $password, $domain) {
> > > > // Stage II: Update this method to call your authentication
> > > > mechanism.
> > > > // Return username for successful authentication. Return null
> > > > // for failed authentication.
> > > > $link = @mysql_connect('111.111.111.111', 'xxx', 'xxxxxxxxx');
> > > > mysql_select_db('namedb', $link);
> > > > $query = sprintf("SELECT Account FROM UserSession WHERE
> > > > Account='%s' AND Password='%s'",
> > > > mysql_real_escape_string("[EMAIL PROTECTED]"),
> > > > mysql_real_escape_string($password));
> > > > $result = mysql_query($query, $link);
> > > > if (!$result) {
> > > > return '';
> > > > }
> > > > $rows = mysql_num_rows($result);
> > > > if ($rows == 1) {
> > > > return $username;
> > > > } else {
> > > > return '';
> > > > }
>
> > > > }
>
> > > > /**
> > > > * Returns a SAML response with various elements filled in.
> > > > * @param string $authenticatedUser The Google Apps username of the
> > > > authenticated user
> > > > * @param string $notBefore The ISO 8601 formatted date before which
> > > > the
> > > > response is invalid
> > > > * @param string $notOnOrAfter The ISO 8601 formatted data after which
> > > > the
> > > > response is invalid
> > > > * @param string $rsadsa 'rsa' if the response will be signed with RSA
> > > > keys,
> > > > 'dsa' for DSA keys
> > > > * @param string $requestID The ID of the request we're responding to
> > > > * @param string $destination The ACS URL that the response is
> > > > submitted to
> > > > * @return string XML SAML response.
> > > > */
> > > > function createSamlResponse($authenticatedUser, $notBefore,
> > > > $notOnOrAfter,
> > > > $rsadsa, $requestID, $destination) {
> > > > global $domainName;
>
> > > > $samlResponse = file_get_contents('templates/
> > > > SamlResponseTemplate.xml');
> > > > $samlResponse = str_replace('<USERNAME_STRING>',
> > > > $authenticatedUser,
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<RESPONSE_ID>', samlCreateId(),
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<ISSUE_INSTANT>',
> > > > samlGetDateTime(time()),
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<AUTHN_INSTANT>',
> > > > samlGetDateTime(time()),
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<NOT_BEFORE>', $notBefore,
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<NOT_ON_OR_AFTER>', $notOnOrAfter,
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<ASSERTION_ID>', samlCreateId(),
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<RSADSA>', strtolower($rsadsa),
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<REQUEST_ID>', $requestID,
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<DESTINATION>', $destination,
> > > > $samlResponse);
> > > > $samlResponse = str_replace('<ISSUER_DOMAIN>', $domainName,
> > > > $samlResponse);
>
> > > > return $samlResponse;
>
> > > > }
>
> > > > /**
> > > > * Signs a SAML response with the given private key, and embeds the
> > > > public key.
> > > > * @param string $responseXmlString
> > > > * @param string $pubKey
> > > > * @param string $privKey
> > > > * @return string
> > > > */
> > > > function signResponse($responseXmlString, $pubKey, $privKey) {
> > > > // NOTE: You may want to point this function to a directory on your
> > > > // web server that is suitable for temporary files and is not in
> > > > your
> > > > // web server path.
> > > > global $error;
>
> > > > // generate unique temporary filename
> > > > $tempFileName = '/tmp/saml-response-' . samlCreateId() . '.xml';
> > > > while (file_exists($tempFileName))
> > > > $tempFileName = 'saml-response-' . samlCreateId() . '.xml';
>
> > > > if (!$handle = fopen($tempFileName, 'w')) {
> > > > echo 'Cannot open temporary file (' . $tempFileName . ')';
> > > > exit;
> > > > }
>
> > > > if (fwrite($handle, $responseXmlString) === FALSE) {
> > > > echo 'Cannot write to temporary file (' . $tempFileName . ')';
> > > > exit;
> > > > }
>
> > > > fclose($handle);
>
> > > > // The path to xmlsec/xmlsec1 may need to be adjusted here.
> > > > // xmlsec supports many key types, which can be selected
> > > > // by using other command-line parameters.
> > > > $cmd = '/usr/local/bin/xmlsec1 --sign --privkey-pem ' . $privKey .
> > > > ' --pubkey-der ' . $pubKey . ' --output ' . $tempFileName .
> > > > '.out ' . $tempFileName;
> > > > exec($cmd, $resp);
> > > > unlink($tempFileName);
>
> > > > $xmlResult = @file_get_contents($tempFileName . '.out');
> > > > if (!$xmlResult) {
> > > > $error = 'Unable to sign XML response. Please ensure that xmlsec
> > > > is ' .
> > > > 'installed, and check your keys.';
> > > > return false;
> > > > } else {
> > > > unlink($tempFileName . '.out');
> > > > return $xmlResult;
> > > > }
>
> > > > }
>
> > > > if ($_POST['username']) {
> > > > $user = $_POST['username'];
> > > > $pass = $_POST['password'];
> > > > $domain = $_POST['domain'];
> > > > $service = $_POST['service'];
> > > > if (!isset($service) || $service == '') {
> > > > $service = 'mail';
> > > > }
> > > > $_SESSION['username'] = $user;
> > > > $_SESSION['password'] = $pass;
> > > > $_SESSION['domain'] = $domain;
> > > > $_SESSION['service'] = $service;
> > > > session_write_close();
> > > > header("Location: http://$service.google.com/a/"; .
> > > > $domains[$domain]);
> > > > exit();} else if($_GET['SAMLRequest'] != '') {
>
> > > > $SAMLRequest =$_GET['SAMLRequest'];
> > > > $username = $_SESSION['username'];
> > > > $password = $_SESSION['password'];
> > > > $domain = $_SESSION['domain'];
> > > > $service = $_SESSION['service'];
> > > > $relayStateURL = "http://$service.google.com/a/"; .
> > > > $domains[$domain];
> > > > if ($SAMLRequest == '') {
> > > > $error = 'Error: Unspecified SAML parameters.';
> > > > } else {
> > > > $requestXmlString = samlDecodeMessage($SAMLRequest);
> > > >
>
> ...
>
> read more »
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
