Hi Ayatoshi,
The SAML request generated for users visiting the Start page has the
"IsPassive" attribute set to "true" in the <AuthnRequest> tag. The
reason behind that is to allow anonymous view to the Start page. We
also had an earlier discussion on the IsPassive flag:
http://groups.google.com/group/google-apps-apis/browse_thread/thread/bece7802c60e8407
Unfortunately, there is currently no logic in the Java sample code to
handle SAML requests with IsPassive=true and users are always
redirected to the login page (identity_provider.jsp).
Also, the SAML response StatusCode is currently hardcoded in the
SamlResponseTemplate.xml to:
urn:oasis:names:tc:SAML:2.0:status:Success
In order to display the Start page without authentication, you should
modify your code to return a SAML response with the following
StatusCode without redirecting the user to the login page:
urn:oasis:names:tc:SAML:2.0:status:NoPassive
so that we (Google) know it is ok to display the startpage without
authentication.
In summary, below is a high-level guideline on what you should update in
your code:
1. In the ProcessResponseServlet, add the necessary logic (probably in
the doGet method) to process SAML requests with IsPassive=true. Once
you identify that it is an IsPassive=true request, you need to reply
with a SAML response with the correct StatusCode (described above)
instead of redirecting the user to the login page.
2. Modify the SamlResponseTemplate.xml to allow it to take a different
StatusCode. You can do so by modifying the following line in
SamlResponseTemplate.xml:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
to
<samlp:StatusCode Value="<STATUS_CODE>"/>
And in the ProcessResponseServlet, you need to pass in the statusCode
and add a line like below in the createSamlResponse method:
samlResponse = samlResponse.replace("<STATUS_CODE>", statusCode);
Finally, I strongly encourage you to thoroughly test your changes as
it is very easy to compromise your security if the modification is not
done properly. I also suggest you look into using other existing
open source SSO implementations:
http://code.google.com/apis/apps/open_source_projects.html#sso
Best wishes,
--Tony
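The two steps above (detect IsPassive="true" on the AuthnRequest, then fill the StatusCode placeholder and answer NoPassive instead of redirecting), as an added Python example that is not part of this thread or of Google's Java sample code. It assumes the IdP has no existing session for the user, the function and sample names are mine, and the template is a constructed cut-down stand-in for SamlResponseTemplate.xml; the allowlist on the status value is the check that keeps the placeholder substitution from injecting arbitrary text into the response.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
# Only values on this allowlist may be written into the template, so the
# <STATUS_CODE> substitution can never inject attacker-chosen text into XML.
ALLOWED_STATUS = {STATUS_SUCCESS, STATUS_NO_PASSIVE}

# Constructed stand-in for SamlResponseTemplate.xml after step 2 (the real
# template also carries Issuer, Assertion, etc.; only the status matters here).
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Version="2.0"><samlp:Status>'
    '<samlp:StatusCode Value="<STATUS_CODE>"/>'
    '</samlp:Status></samlp:Response>'
)

def is_passive_request(authn_request_xml: str) -> bool:
    """Step 1: report whether the <samlp:AuthnRequest> root has IsPassive="true"."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # IsPassive is an xs:boolean; an absent attribute means false.
    return root.get("IsPassive", "false").strip().lower() in ("true", "1")

def create_saml_response(status_code: str) -> str:
    """Step 2: fill the placeholder, refusing any value not on the allowlist."""
    if status_code not in ALLOWED_STATUS:
        raise ValueError("unexpected SAML status code: %r" % status_code)
    return RESPONSE_TEMPLATE.replace("<STATUS_CODE>", status_code)

def handle_authn_request(authn_request_xml: str) -> dict:
    """What the IdP endpoint should do: a passive request is answered with
    NoPassive (no assertion, no login page); anything else goes to login."""
    if is_passive_request(authn_request_xml):
        return {"action": "respond",
                "saml_response": create_saml_response(STATUS_NO_PASSIVE)}
    return {"action": "redirect", "location": "identity_provider.jsp"}

def response_status(saml_response_xml: str) -> str:
    """Read the StatusCode back out of a response, for checking the result."""
    root = ET.fromstring(saml_response_xml)
    return root.find("{%s}Status/{%s}StatusCode" % (SAMLP_NS, SAMLP_NS)).get("Value")

# Constructed sample of the request the Start page sends (IDs are made up).
SAMPLE_PASSIVE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example_request_id" Version="2.0" IsPassive="true" '
    'ProviderName="google.com"/>'
)
```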