SSO for startpage

1402 views
Skip to first unread message

Dummy

unread,
Jan 1, 2009, 9:03:20 AM1/1/09
to Google Apps APIs
I could sucessfully build sso tool to mail,calendar,etc, but it does
not work to startpage( like http://partnerpage.google.com/xxxyyy)
I investigate and figure out someone says that passive/nopassive
parameter must be changed.
But my sample java code does not have passive/nopassive setting.
Someone tell me how should I change the response from for other tools
to for startpage?

Thanks.


Tony (Google)

unread,
Jan 4, 2009, 6:04:24 PM1/4/09
to Google Apps APIs
Hi,

What kind of behavior do you want with the startpage? Do you want
users to be redirected to the login page or allow them to go there
without authentication? Please let me know so that we can further
help you troubleshoot.

Thanks,

--Tony

On Jan 1, 6:03 am, Dummy <ayato...@gmail.com> wrote:
> I could sucessfully build sso tool to mail,calendar,etc, but it does
> not work to startpage( likehttp://partnerpage.google.com/xxxyyy)

吉積礼敏

unread,
Jan 4, 2009, 11:42:56 PM1/4/09
to google-a...@googlegroups.com
Thank you Tony.

I could users to be redirected to the SSO tool login page,and then authenticate with the tool and 
want them to go to the startpage(this cannot be realized.).
I could do that for other mail/calendar page but not for startpage.

Thanks.

2009/1/5 Tony (Google) <h...@google.com>



--
Ayatoshi Yoshidumi

Tony (Google)

unread,
Jan 5, 2009, 5:39:53 PM1/5/09
to Google Apps APIs
Hi Ayatoshi,

The SAML request generated for users visiting the Start page has the
"IsPassive" attribute set to "true" in the <AuthnRequest> tag. The
reason behind that is to allow anonymous view to the Start page. We
also had an earlier discussion on the IsPassive flag:

http://groups.google.com/group/google-apps-apis/browse_thread/thread/bece7802c60e8407

Unfortunately, there is currently no logic in the Java sample code to
handle SAML requests with IsPassive=true and users are always
redirected to the login page (identity_provider.jsp).

Also, the SAML response StatusCode is currently hardcoded in the
SamlResponseTemplate.xml to:

urn:oasis:names:tc:SAML:2.0:status:Success

In order to display the Start page without authentication, you should
modify your code to return a SAML response with the following
StatusCode without redirecting the user to the login page:

urn:oasis:names:tc:SAML:2.0:status:NoPassive

so that we (Google) know it is ok to display the startpage without
authentication.

In summary, below is a high level guideline what you should update in
your code:

1. In the ProcessResponseServlet, add the necessary logic (probably in
the doGet method) to process SAML requests with IsPassive=true. Once
you identify that it is a IsPassive=true request, you need to reply
with a SAML response with the correct StatusCode (described above)
instead of redirecting the user to the login page.
2. Modify the SamlResponseTemplate.xml to allow it to take different
StatusCode. You can do so by modifying the following line in
SamlResponseTemplate.xml:

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

to

<samlp:StatusCode Value="<STATUS_CODE>"/>

And in the ProcessResponseServlet, you need to pass in the statusCode
and add a line like below in the createSamlResponse method:

samlResponse = samlResponse.replace("<STATUS_CODE>", statusCode);

Finally, I strongly encourage you to thoroughly test your changes as
it is very easy to compromise your security if the modification is not
done properly. I suggest you also to look into using other existing
open source SSO implementations:

http://code.google.com/apis/apps/open_source_projects.html#sso

Best wishes,

--Tony
Reply all
Reply to author
Forward
0 new messages