Hi Ayatoshi,

The SAML request generated for users visiting the Start page has the "IsPassive" attribute set to "true" in the <AuthnRequest> tag. The reason behind that is to allow anonymous view to the Start page. We also had an earlier discussion on the IsPassive flag:
http://groups.google.com/group/google-apps-apis/browse_thread/thread/bece7802c60e8407

Unfortunately, there is currently no logic in the Java sample code to handle SAML requests with IsPassive=true and users are always redirected to the login page (identity_provider.jsp).

Also, the SAML response StatusCode is currently hardcoded in the SamlResponseTemplate.xml to:
urn:oasis:names:tc:SAML:2.0:status:Success

In order to display the Start page without authentication, you should modify your code to return a SAML response with the following StatusCode without redirecting the user to the login page:
urn:oasis:names:tc:SAML:2.0:status:NoPassive
so that we (Google) know it is ok to display the startpage without authentication.

In summary, below is a high-level guideline on what you should update in your code:

1. In the ProcessResponseServlet, add the necessary logic (probably in the doGet method) to process SAML requests with IsPassive=true. Once you identify that it is an IsPassive=true request, you need to reply with a SAML response with the correct StatusCode (described above) instead of redirecting the user to the login page.

2. Modify the SamlResponseTemplate.xml to allow it to take different StatusCode. You can do so by modifying the following line in SamlResponseTemplate.xml:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
to
<samlp:StatusCode Value="<STATUS_CODE>"/>
And in the ProcessResponseServlet, you need to pass in the statusCode and add a line like below in the createSamlResponse method:
samlResponse = samlResponse.replace("<STATUS_CODE>", statusCode);

Finally, I strongly encourage you to thoroughly test your changes as it is very easy to compromise your security if the modification is not done properly. I also suggest you look into using other existing open source SSO implementations:
http://code.google.com/apis/apps/open_source_projects.html#sso

Best wishes,
--Tony

On Jan 4, 8:42 pm, "吉積礼敏" <[email protected]> wrote:
> Thank you Tony.
> I could get users redirected to the SSO tool login page, and then
> authenticate with the tool, and want them to go to the startpage (this cannot be realized).
> I could do that for other mail/calendar page but not for startpage.
>
> Thanks.
>
> 2009/1/5 Tony (Google) <[email protected]>
>
> > Hi,
> >
> > What kind of behavior do you want with the startpage? Do you want
> > users to be redirected to the login page or allow them to go there
> > without authentication? Please let me know so that we can further
> > help you troubleshoot.
> >
> > Thanks,
> >
> > --Tony
> >
> > On Jan 1, 6:03 am, Dummy <[email protected]> wrote:
> > > I could successfully build sso tool to mail, calendar, etc, but it does
> > > not work to startpage (like http://partnerpage.google.com/xxxyyy)
> > > I investigate and figure out someone says that passive/nopassive
> > > parameter must be changed.
> > > But my sample java code does not have passive/nopassive setting.
> > > Someone tell me how should I change the response from for other tools
> > > to for startpage?
> > >
> > > Thanks.
>
> --
> Ayatoshi Yoshidumi
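As an added illustration (not code from this thread or from Google's Java sample), the decision Tony describes for ProcessResponseServlet, written as a stand-alone Java class. The StatusCode URIs, the `<STATUS_CODE>` placeholder and the `replace` call are the ones from his message; the class and method names, the trimmed response template, the constructed AuthnRequest samples and the "existing session still gets Success" branch are assumptions added here.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/**
 * Hypothetical helper for the logic the thread asks ProcessResponseServlet to add:
 * answer IsPassive="true" requests with a NoPassive status instead of redirecting
 * to identity_provider.jsp. Class and method names are assumptions, not the sample's.
 */
public class PassiveAuthnRequestHandler {

    static final String STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    static final String STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";

    // Constructed stand-in for the Status part of SamlResponseTemplate.xml after the
    // literal Success value has been replaced by the <STATUS_CODE> placeholder.
    static final String RESPONSE_TEMPLATE =
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
          + "<samlp:Status><samlp:StatusCode Value=\"<STATUS_CODE>\"/></samlp:Status>"
          + "</samlp:Response>";

    enum Action { RESPOND_SUCCESS, RESPOND_NO_PASSIVE, REDIRECT_TO_LOGIN }

    /** Parse the already decoded AuthnRequest and read IsPassive; an absent attribute means false. */
    static boolean isPassive(String authnRequestXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The request arrives from the browser, so treat it as untrusted: no DTDs, no entity expansion.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(authnRequestXml)));
        Element root = doc.getDocumentElement();
        if (!"AuthnRequest".equals(root.getLocalName())) {
            throw new IllegalArgumentException("not an AuthnRequest: " + root.getTagName());
        }
        return "true".equalsIgnoreCase(root.getAttribute("IsPassive").trim());
    }

    /** What the servlet should do for a request; an already authenticated session can still get Success. */
    static Action decide(boolean passive, boolean hasAuthenticatedSession) {
        if (hasAuthenticatedSession) {
            return Action.RESPOND_SUCCESS;             // normal signed response, as in the sample code
        }
        return passive ? Action.RESPOND_NO_PASSIVE     // tell Google the Start page may render anonymously
                       : Action.REDIRECT_TO_LOGIN;     // existing behaviour: send the user to identity_provider.jsp
    }

    /** The substitution the thread suggests adding to createSamlResponse. */
    static String createSamlResponse(String statusCode) {
        return RESPONSE_TEMPLATE.replace("<STATUS_CODE>", statusCode);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a Start-page style request (IsPassive="true") and a Mail/Calendar style one.
        String passiveRequest = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_constructed1\" Version=\"2.0\" IssueInstant=\"2009-01-05T00:00:00Z\" IsPassive=\"true\"/>";
        String normalRequest = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_constructed2\" Version=\"2.0\" IssueInstant=\"2009-01-05T00:00:00Z\"/>";

        for (String request : new String[] { passiveRequest, normalRequest }) {
            boolean passive = isPassive(request);
            Action action = decide(passive, false);    // no session in either case
            System.out.println("IsPassive=" + passive + " -> " + action);
            if (action == Action.RESPOND_NO_PASSIVE) {
                // Nobody was authenticated on this path, so no Assertion is emitted, only the status.
                System.out.println(createSamlResponse(STATUS_NO_PASSIVE));
            }
        }
    }
}
```

In the real servlet the Success branch still goes through the sample's existing signing and assertion path; only the status value becomes a parameter. The NoPassive branch must send a response with no Assertion, since no subject was authenticated. One caveat for the testing Tony recommends: SAML 2.0 Core defines NoPassive as a second-level status code nested under urn:oasis:names:tc:SAML:2.0:status:Responder, while this thread substitutes it directly into the single StatusCode element, so confirm which form the endpoint accepts.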
