SSO for startpage
1,677 views
Skip to first unread message
Dummy
Jan 1, 2009, 9:03:20 AM1/1/09
to Google Apps APIs
I could sucessfully build sso tool to mail,calendar,etc, but it does
not work to startpage( like http://partnerpage.google.com/xxxyyy)
I investigate and figure out someone says that passive/nopassive
parameter must be changed.
But my sample java code does not have passive/nopassive setting.
Someone tell me how should I change the response from for other tools
to for startpage?
Thanks.
not work to startpage( like http://partnerpage.google.com/xxxyyy)
I investigate and figure out someone says that passive/nopassive
parameter must be changed.
But my sample java code does not have passive/nopassive setting.
Someone tell me how should I change the response from for other tools
to for startpage?
Thanks.
Tony (Google)
Jan 4, 2009, 6:04:24 PM1/4/09
to Google Apps APIs
Hi,
What kind of behavior do you want with the startpage? Do you want
users to be redirected to the login page or allow them to go there
without authentication? Please let me know so that we can further
help you troubleshoot.
Thanks,
--Tony
On Jan 1, 6:03 am, Dummy <ayato...@gmail.com> wrote:
> I could sucessfully build sso tool to mail,calendar,etc, but it does
> not work to startpage( likehttp://partnerpage.google.com/xxxyyy)
What kind of behavior do you want with the startpage? Do you want
users to be redirected to the login page or allow them to go there
without authentication? Please let me know so that we can further
help you troubleshoot.
Thanks,
--Tony
On Jan 1, 6:03 am, Dummy <ayato...@gmail.com> wrote:
> I could sucessfully build sso tool to mail,calendar,etc, but it does
吉積礼敏
Jan 4, 2009, 11:42:56 PM1/4/09
to google-a...@googlegroups.com
Thank you Tony.
--
Ayatoshi Yoshidumi
I could users to be redirected to the SSO tool login page,and then authenticate with the tool and
want them to go to the startpage(this cannot be realized.).
I could do that for other mail/calendar page but not for startpage.
--
Ayatoshi Yoshidumi
Tony (Google)
Jan 5, 2009, 5:39:53 PM1/5/09
to Google Apps APIs
Hi Ayatoshi,
The SAML request generated for users visiting the Start page has the
"IsPassive" attribute set to "true" in the <AuthnRequest> tag. The
reason behind that is to allow anonymous view to the Start page. We
also had an earlier discussion on the IsPassive flag:
http://groups.google.com/group/google-apps-apis/browse_thread/thread/bece7802c60e8407
Unfortunately, there is currently no logic in the Java sample code to
handle SAML requests with IsPassive=true and users are always
redirected to the login page (identity_provider.jsp).
Also, the SAML response StatusCode is currently hardcoded in the
SamlResponseTemplate.xml to:
urn:oasis:names:tc:SAML:2.0:status:Success
In order to display the Start page without authentication, you should
modify your code to return a SAML response with the following
StatusCode without redirecting the user to the login page:
urn:oasis:names:tc:SAML:2.0:status:NoPassive
so that we (Google) know it is ok to display the startpage without
authentication.
In summary, below is a high level guideline what you should update in
your code:
1. In the ProcessResponseServlet, add the necessary logic (probably in
the doGet method) to process SAML requests with IsPassive=true. Once
you identify that it is a IsPassive=true request, you need to reply
with a SAML response with the correct StatusCode (described above)
instead of redirecting the user to the login page.
2. Modify the SamlResponseTemplate.xml to allow it to take different
StatusCode. You can do so by modifying the following line in
SamlResponseTemplate.xml:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
to
<samlp:StatusCode Value="<STATUS_CODE>"/>
And in the ProcessResponseServlet, you need to pass in the statusCode
and add a line like below in the createSamlResponse method:
samlResponse = samlResponse.replace("<STATUS_CODE>", statusCode);
Finally, I strongly encourage you to thoroughly test your changes as
it is very easy to compromise your security if the modification is not
done properly. I suggest you also to look into using other existing
open source SSO implementations:
http://code.google.com/apis/apps/open_source_projects.html#sso
Best wishes,
--Tony
The SAML request generated for users visiting the Start page has the
"IsPassive" attribute set to "true" in the <AuthnRequest> tag. The
reason behind that is to allow anonymous view to the Start page. We
also had an earlier discussion on the IsPassive flag:
http://groups.google.com/group/google-apps-apis/browse_thread/thread/bece7802c60e8407
Unfortunately, there is currently no logic in the Java sample code to
handle SAML requests with IsPassive=true and users are always
redirected to the login page (identity_provider.jsp).
Also, the SAML response StatusCode is currently hardcoded in the
SamlResponseTemplate.xml to:
urn:oasis:names:tc:SAML:2.0:status:Success
In order to display the Start page without authentication, you should
modify your code to return a SAML response with the following
StatusCode without redirecting the user to the login page:
urn:oasis:names:tc:SAML:2.0:status:NoPassive
so that we (Google) know it is ok to display the startpage without
authentication.
In summary, below is a high level guideline what you should update in
your code:
1. In the ProcessResponseServlet, add the necessary logic (probably in
the doGet method) to process SAML requests with IsPassive=true. Once
you identify that it is a IsPassive=true request, you need to reply
with a SAML response with the correct StatusCode (described above)
instead of redirecting the user to the login page.
2. Modify the SamlResponseTemplate.xml to allow it to take different
StatusCode. You can do so by modifying the following line in
SamlResponseTemplate.xml:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
to
<samlp:StatusCode Value="<STATUS_CODE>"/>
And in the ProcessResponseServlet, you need to pass in the statusCode
and add a line like below in the createSamlResponse method:
samlResponse = samlResponse.replace("<STATUS_CODE>", statusCode);
Finally, I strongly encourage you to thoroughly test your changes as
it is very easy to compromise your security if the modification is not
done properly. I suggest you also to look into using other existing
open source SSO implementations:
http://code.google.com/apis/apps/open_source_projects.html#sso
Best wishes,
--Tony
Reply all
Reply to author
Forward
0 new messages