SSO for startpage


Jan 1, 2009, 9:03:20 AM
to Google Apps APIs
I could successfully build an SSO tool for mail, calendar, etc., but it does
not work for the startpage (like
I investigated and found that someone says the passive/nopassive
parameter must be changed.
But my sample Java code does not have a passive/nopassive setting.
Can someone tell me how I should change the response from for other tools
to for startpage?


Tony (Google)

Jan 4, 2009, 6:04:24 PM
to Google Apps APIs

What kind of behavior do you want with the startpage? Do you want
users to be redirected to the login page or allow them to go there
without authentication? Please let me know so that we can further
help you troubleshoot.



On Jan 1, 6:03 am, Dummy <> wrote:
> I could successfully build an SSO tool for mail, calendar, etc., but it does
> not work for the startpage (like


Jan 4, 2009, 11:42:56 PM
Thank you Tony.

I could users to be redirected to the SSO tool login page, and then authenticate with the tool and
want them to go to the startpage (this cannot be realized).
I could do that for the other mail/calendar pages but not for the startpage.


2009/1/5 Tony (Google) <>

Ayatoshi Yoshidumi

Tony (Google)

Jan 5, 2009, 5:39:53 PM
to Google Apps APIs
Hi Ayatoshi,

The SAML request generated for users visiting the Start page has the
"IsPassive" attribute set to "true" in the <AuthnRequest> tag. The
reason behind that is to allow anonymous view to the Start page. We
also had an earlier discussion on the IsPassive flag:

Unfortunately, there is currently no logic in the Java sample code to
handle SAML requests with IsPassive=true and users are always
redirected to the login page (identity_provider.jsp).

Also, the SAML response StatusCode is currently hardcoded in the
SamlResponseTemplate.xml to:


In order to display the Start page without authentication, you should
modify your code to return a SAML response with the following
StatusCode without redirecting the user to the login page:


so that we (Google) know it is ok to display the startpage without

In summary, below is a high-level guideline for what you should update in
your code:

1. In the ProcessResponseServlet, add the necessary logic (probably in
the doGet method) to process SAML requests with IsPassive=true. Once
you identify that it is an IsPassive=true request, you need to reply
with a SAML response with the correct StatusCode (described above)
instead of redirecting the user to the login page.
2. Modify the SamlResponseTemplate.xml to allow it to take different
StatusCode. You can do so by modifying the following line in

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>


<samlp:StatusCode Value="<STATUS_CODE>"/>

And in the ProcessResponseServlet, you need to pass in the statusCode
and add a line like below in the createSamlResponse method:

samlResponse = samlResponse.replace("<STATUS_CODE>", statusCode);

Finally, I strongly encourage you to thoroughly test your changes as
it is very easy to compromise your security if the modification is not
done properly. I also suggest that you look into using other existing
open source SSO implementations:

Best wishes,
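
The IsPassive handling outlined in the reply above, as an added example that is not part of the original thread or of Google's sample code. It assumes the AuthnRequest XML has already been decoded from the SAMLRequest parameter; the class and method names are hypothetical, and because the StatusCode value posted in the thread is missing from this page, the SAML 2.0 NoPassive URI stands in for it as an assumption.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class PassiveRequestExample {
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    // Assumption: the SAML 2.0 core NoPassive URI. The value given in the
    // thread is not preserved on this page.
    static final String NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive";

    // True only for a samlp:AuthnRequest root with IsPassive="true" or "1" (xs:boolean).
    static boolean isPassive(String authnRequestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The request is untrusted input: refuse DOCTYPE declarations (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Element root = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(authnRequestXml)))
                .getDocumentElement();
        if (!SAMLP_NS.equals(root.getNamespaceURI())
                || !"AuthnRequest".equals(root.getLocalName())) {
            throw new IllegalArgumentException("not a samlp:AuthnRequest");
        }
        String v = root.getAttribute("IsPassive").trim(); // "" when absent
        return v.equals("true") || v.equals("1");
    }

    // Success is returned only for an authenticated session. A null result
    // means "redirect to the login page", as the sample already does.
    static String chooseStatus(boolean passive, boolean authenticated) {
        if (authenticated) return SUCCESS;
        return passive ? NO_PASSIVE : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request and the template line from step 2.
        String req = "<samlp:AuthnRequest xmlns:samlp=\"" + SAMLP_NS
                + "\" ID=\"constructed-id\" Version=\"2.0\" IsPassive=\"true\"/>";
        String template = "<samlp:StatusCode Value=\"<STATUS_CODE>\"/>";
        String status = chooseStatus(isPassive(req), false);
        System.out.println(status == null ? "redirect to identity_provider.jsp"
                : template.replace("<STATUS_CODE>", status));
    }
}
```

The status value comes only from fixed constants, never from request data, because the template is filled by plain string replacement.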
