Hi Eric,

I was just in the middle of a note about that. We contacted administrators of domains that weren't sending the Recipient attribute to ask them to modify their IdPs to do so.
We picked a date to aim for resolving this for all domains, and the end of August seemed like a good target date. But at the same time we know some orgs will need more time than that. A lot of domain admins made the change right away. It turns out it's just a few lines of sample code that needed changing, and for some third-party IdP software it's just a configuration setting for the Recipient field.

All,

Reminder: If you need to contact support about something specific to your domain (or if you think you should have gotten the email we sent), you can also submit a support request:

http://code.google.com/apis/apps/faq.html#contactsupport

-alex

On Jul 2, 6:59 pm, "Eric Kollmann" <[EMAIL PROTECTED]> wrote:
> We got an email recently that said we had until the end of August 2008
> to make the code changes. Not sure if it is a "random" date set to
> get people to make the change, or if it is an actual drop dead date.
>
> On Wed, Jul 2, 2008 at 7:43 PM, Alex (Google) <[EMAIL PROTECTED]> wrote:
>
> > Hi Conrad,
> >
> > September's fine. We recognize that every organization has different
> > processes for managing change.
> >
> > -alex
> >
> > On Jul 2, 6:43 am, Conrad Peyer <[EMAIL PROTECTED]> wrote:
> >> Hello Alex
> >>
> >> Our test apps domain dev.mip.sunrise.ch shows the described problem.
> >> Could you please disable the recipient check for it. How long will the
> >> old SAMLResponse be supported in that way? We can update our
> >> application soonest in September.
> >>
> >> Cheers
> >> - Conrad
> >>
> >> On Jun 21, 2:30 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> >>
> >> > For new SSO domains:
> >> >
> >> > Yesterday we added an extra check on the SAMLResponse for new domains.
> >> > This check enforces the Recipient value to be equal to the ACS URL.
> >> > For example, if your domain is "domain.com" and your ACS URL is
> >> > "https://www.google.com/a/domain.com/acs", then the Recipient
> >> > attribute in the SAMLResponse would be:
> >> >
> >> > <samlp:Response ...>
> >> >   <saml:Assertion ...>
> >> >     <saml:Subject>
> >> >       <saml:NameID ...>[EMAIL PROTECTED]</saml:NameID>
> >> >       <saml:SubjectConfirmation ...>
> >> >         <saml:SubjectConfirmationData
> >> >           Recipient="https://www.google.com/a/domain.com/acs" .../>
> >> >       </saml:SubjectConfirmation>
> >> >     </saml:Subject>
> >> >   </saml:Assertion>
> >> > </samlp:Response>
> >> >
> >> > For existing SSO domains:
> >> >
> >> > Existing domains do not have this extra check, however we can
> >> > coordinate with domain administrators to add this attribute to the
> >> > SAMLResponse.
> >> >
> >> > If you are using a commercial or open source IdP, this attribute
> >> > should already be there. But if you are using the SSO sample code, the
> >> > SAMLResponse is missing this attribute. The SSO sample code has been
> >> > updated:
> >> >
> >> > http://code.google.com/apis/apps/libraries_and_samples.html#sso
> >> >
> >> > We identified existing SSO domains as those domains which have had any
> >> > users authenticate in the last couple weeks, but we missed a few
> >> > domains.
> >> >
> >> > If you discover that you can't sign in, please let us know and we'll
> >> > turn off the check for your domain. Either post your domain name here
> >> > or submit a support request (instructions are in the control panel).
> >> >
> >> > The part of the SAML specification which describes this requirement is
> >> > section 4.1.4.2 of:
> >> >
> >> > http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
> >> >
> >> > Let us know if you have any questions.
> >> >
> >> > -alex
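
The Recipient check discussed in this thread, sketched from the service provider's side as an added example; it is not part of the original messages or of Google's SSO sample code. The function names `check_recipient` and `sample_response`, the NameID value and the `other.example` URL are constructed for illustration, and the bearer confirmation method is assumed from the SAML web SSO profile section cited above.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://www.google.com/a/domain.com/acs"  # ACS URL used in the thread

def sample_response(recipient_attr):
    """Constructed, unsigned SAMLResponse; recipient_attr is spliced in verbatim."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData {recipient_attr}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def check_recipient(response_xml, acs_url):
    """Return (ok, reason). Signature and validity-window checks are out of
    scope here and must pass before this result is trusted."""
    # Assumption: input is size-limited; use a hardened parser for untrusted XML.
    root = ET.fromstring(response_xml)
    path = "./saml:Assertion/saml:Subject/saml:SubjectConfirmation"
    bearer = [c for c in root.findall(path, NS) if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer SubjectConfirmation"
    reason = "no SubjectConfirmationData"
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue
        recipient = data.get("Recipient")
        if recipient is None:
            reason = "Recipient attribute missing"  # what the old sample code sent
        elif recipient != acs_url:  # exact match only, no prefix or host compare
            reason = f"Recipient mismatch: {recipient!r}"
        else:
            return True, "Recipient matches ACS URL"
    return False, reason

if __name__ == "__main__":
    for attr in ("", 'Recipient="https://www.google.com/a/other.example/acs"',
                 f'Recipient="{ACS_URL}"'):
        print(check_recipient(sample_response(attr), ACS_URL))
```

The exact string comparison is the point of the check: an assertion issued for a different consumer URL is rejected even when it is otherwise well formed.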
