Hi Brian, Patricia,

Can you change your hard-coded RelayState from:
http://mail.google.com/...
to the actual RelayState which comes with the SAMLRequest?

To see what this value is, go to the service URL (without signing in first):
http://mail.google.com/a/yourdomain.com

You'll be redirected to your SSO Sign-in URL with the SAMLRequest and RelayState parameters. Take the RelayState parameter, URL-decode it, and replace your current RelayState in the ACS URL form with this value.

Let me know if you still have this problem.

Thanks.
-alex

On Oct 20, 5:30 am, "Julian (Google)" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks again for bringing this up, we keep track of these requests to
> improve our products. Unfortunately there isn't a solution for a user
> walking away with the session/browser open, at the moment the best is
> to advise users to close the session/browser.
>
> Julian
>
> On Oct 17, 1:57 pm, "Patricia Goldweic" <[EMAIL PROTECTED]>
> wrote:
>
> > Everybody is experiencing the same issue, and I second your request to
> > Google for some upgrade to their end that includes a 'logout' of some kind
> > (clearing cookies as you suggest) before the redirection to the partner SSO
> > happens. This would really help, and not just with respect to security. For
> > example, in our case, our Google Apps integration allows users to log in
> > consecutively to different accounts to share information with different
> > university courses, so we have the same kind of problem as you have.
> > -Patricia
>
> > Patricia Goldweic
> > [EMAIL PROTECTED]
>
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Brian
> > > Sent: Thursday, October 16, 2008 9:25 PM
> > > To: Google Apps APIs
> > > Subject: [google-apps-apis] SSO and security
>
> > > Hi.
>
> > > We're experiencing the same issue as noted here
> > > http://groups.google.com/group/google-apps-apis/msg/2a010bc76c267588?pli=1.
>
> > > Simply stated, if a user browses away from their SSO
> > > authenticated mail session and walks away from the computer,
> > > the next person to sign on will get the previous user's email.
>
> > > The responses I've seen so far haven't really addressed the
> > > issue, since most require the user to click the sign out link
> > > in some way.
> > > It's inevitable that some will forget and we need something
> > > to mitigate the resulting security problems.
>
> > > Would it be possible for Google to add a bit of code on their
> > > end, perhaps checking a parameter requesting a session clear?
> > > Something like http://www.google.com/a/abc.com/?clearstate
> > > and kill the session cookies before issuing a redirect to our
> > > SSO page.
>
> > > TIA
>
> > > -brian
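
The steps in the reply at the top of this thread (take the RelayState that arrives with the SAMLRequest, URL-decode it, and post it back in the ACS form), sketched in Python as an added example that is not code from any poster in this thread. The redirect URL, the ACS URL, the SAMLResponse placeholder and both function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the redirect the browser receives after requesting the
# service URL without a session. Host, path and values are made up.
SAMPLE_REDIRECT = (
    "https://sso.example.edu/login"
    "?SAMLRequest=PLACEHOLDER_REQUEST"
    "&RelayState=https%3A%2F%2Fmail.google.com%2Fa%2Fexample.edu"
    "%2F%3Fui%3D2%26x%3D%22y"
)


def extract_relay_state(redirect_url):
    """Return the URL-decoded RelayState from the SSO sign-in redirect."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    values = query.get("RelayState", [])
    if len(values) != 1:
        # Missing or repeated parameter: refuse instead of falling back to a
        # hard-coded value, which is what the reply asks to stop doing.
        raise ValueError("expected exactly one RelayState, got %d" % len(values))
    return values[0]  # parse_qs has already URL-decoded the value


def acs_form(acs_url, saml_response_b64, relay_state):
    """Render the form that posts SAMLResponse and RelayState to the ACS URL."""
    # RelayState came from the query string, so escape it before it is
    # written into an HTML attribute.
    return (
        '<form method="post" action="%s">\n'
        '  <input type="hidden" name="SAMLResponse" value="%s">\n'
        '  <input type="hidden" name="RelayState" value="%s">\n'
        "</form>"
        % (
            html.escape(acs_url),
            html.escape(saml_response_b64),
            html.escape(relay_state),
        )
    )


if __name__ == "__main__":
    relay_state = extract_relay_state(SAMPLE_REDIRECT)
    print(relay_state)
    # Placeholder ACS URL and response; a real IdP supplies its own values.
    print(acs_form("https://acs.example.invalid/acs", "PLACEHOLDER_RESPONSE",
                   relay_state))
```

The decoded value is per-request, so it has to be carried from the incoming redirect through the login page to the form; escaping it at render time keeps characters such as `"` and `&` in the RelayState from breaking out of the attribute.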
