When I authenticate, I get redirected to the log-in screen for the
administrative interface. If I click on the "I am not an
administrator" link, I go to our start page
(start.community.nipissingu.ca) and I'm logged in. If I am an
administrative user, though, I wind up straight in the admin
interface. Handy for me, not so for <mumble>-thousand students ....
Tracking this down, in the ProcessResponseServlet, the doPost method,
the variable relayStateURL comes out as a null. If I use a BFH and
force the value to "http://partnerpage.google.com/
community.nipissingu.ca", things work perfectly. Or at least I wind up
at our start page. That's not really the way it's supposed to work, is
it?
I know I have a lot to learn about Java, and it's the first time I've
ever heard of SAML, but what "calls" doPost? and where would the
parameter "RelayState" (which is extracted to set relayStateURL) be
set? It would be nice to let people go to not only the start page, but
directly to mail or the calendar or whatever their little hearts
desired.
Thanks!
The doPost method, which is called by the HTTP servlet upon receiving
a POST request, receives the RelayState parameter from the POST your
browser sends when you authenticate to your own server. You might
check that the login form you are submitting contains a RelayState
hidden input field. If it doesn't, RelayState will be set to null in
doPost since the parameter would not exist. In turn, the RelayState
in your login form should be coming from the GET request that your
browser is directed to after attempting to log into a protected Google
resource (which is handled by the doGet method.)
Hope this helps,
Gordy
Yup. It does. I seem to have missed supplying some information,
though :(
When I enter http://start.community.nipissingu.ca or
http://partnerpage.google.com/community.nipissingu.ca into my browser,
I wind up being redirected to http://dns3.nipissingu.ca:8080/login.jsp?SAMLRequest=<BunchOfEncodedStuff>
which is As It Should Be. But that <BunchOfEncodedStuff> doesn't seem
to have the RelayState parameter set. At least as far as I can figure
out. Same happens if I initially enter http://mail.community.nipissingu.ca.
Both of those used to go to the 'right place' at google before SSO,
now they redirect to the right place here, but then don't go back?
So, am I mistaken in thinking that the post request from Google should
contain the URL where I wanted to go in the first place?
-mikej
Anyway, what I'm using is the demo code and changing bits here and
there to make it fit our situation. Not a whole lot of change is
needed in -ProcessResponseServlet. If you check in the doPost method,
the first thing it does is get a bunch of parameters:
String samlAction = request.getParameter("samlAction" );
String SAMLRequest = request.getParameter("SAMLRequest");
String returnPage = request.getParameter("returnPage" );
String username = request.getParameter("username" );
String password = request.getParameter("password" );
String relayStateURL = request.getParameter("RelayState" );
And that's where relayStateURL winds up null.
Also turns out that if I use the BFH and force it to
http://partnerpage.google.com/community.nipissingu.ca, it works fine,
except for people logging in for the first time. They have to do the
challenge/response. And that gets foozled by forcing the URL. :(
And they're ALL going to be logging in for the first time. If I
don't force the URL, they can do the challenge/response, but then wind
up at the administrative login screen. There, if they click on "I am
not an administrator" they get to their inbox. But these are
university students. Probably won't look past where it asks for a user
name and password.
If it is the former, the RelayState should be set in the URL that
Google directs your browser to. It will be set such that after
authentication, you should be signed into the resource that you
attempted to access in the first place (the start page, mail, etc.)
This makes the entire process fairly seamless (attempt to log into
mail without authentication, reach the SSO sign-on page, submit your
username/password, and then you're logged into mail).
If it is the latter, then there will be no RelayState variable. In
this case, you may want to check for a null string and hard-code a
"default" RelayState, since it seems to be defaulting to the admin
page, which is undesirable.
-- Gordy
On Mar 30, 10:47 am, "andreroy55" <andrero...@gmail.com> wrote:
> On Mar 30, 12:17 pm, "Mike Jones" <drak...@gmail.com> wrote:
> > Actually the RelayState is passed in another parameter (called
> > RelayState). It is not encoded in the SamlRequest param.
>
> Ah, yeah. Shows how little I know about this. Pretty steep learning
> curve.
>
> Anyway, what I'm using is the demo code and changing bits here and
> there to make it fit our situation. Not a whole lot of change is
> needed in -ProcessResponseServlet. If you check in the doPost method,
> the first thing it does is get a bunch of parameters:
>
> String samlAction = request.getParameter("samlAction" );
> String SAMLRequest = request.getParameter("SAMLRequest");
> String returnPage = request.getParameter("returnPage" );
> String username = request.getParameter("username" );
> String password = request.getParameter("password" );
> String relayStateURL = request.getParameter("RelayState" );
>
> And that's where relayStateURL winds up null.
>
> Also turns out that if I use the BFH and force it to http://partnerpage.google.com/community.nipissingu.ca, it works fine,
That's the whole thing, my limited understanding tells me that it
should be setting a URL, but it doesn't seem to be :(
The doPost method starts off:
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{
    String samlAction = request.getParameter("samlAction");
    String SAMLRequest = request.getParameter("SAMLRequest");
    String returnPage = request.getParameter("returnPage");
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    String relayStateURL = request.getParameter("RelayState");
And should be setting it right off. I've basically taken this code
straight from the demo code.
If I go straight to this login page, I've got things in there much
like the demo code that tell the user to go away and not come back
until they get it right :/
This is the stuff that worked when I was redirecting myself to
psosamldemo.net email. Now, of course, the CreateRequestServlet isn't
needed anymore, its job coming from Sunnyvale....
The partner page is a protected resource, and it should redirect you
to a big URL, which includes the SAML request, and the RelayState.
This is where it should be "set" initially, and you should retain it
through the login process by including it in hidden fields. (As Ryan
mentioned, you can also provide one yourself if you want people to
always be sent to the same page after logging in.) The demo code does
this to some extent, but falls a bit short since it's designed to
always log into the psosamldemo.net's email.
Here are some things you might check:
1) After being redirected by Google to your login page, view the
source and see whether the form contains a RelayState hidden field.
It should match the one in the URL (after &RelayState=...).
In the demo code, the ProcessResponseServlet's doGet method retrieves
the RelayState and saves it in an attribute called relayStateURL, and
identity_provider.jsp gets that attribute and inserts it into the form:
<input type="hidden" name="RelayState" value="<%=relayState%>"/>
2) After logging in, the servlet will give you a form that will POST
to Google. Check that this includes the same RelayState field as the
one above. If not, it's being lost by the servlet or the form.
The demo code has ProcessResponseServlet retrieving the RelayState
from the form submitted in step 1, and saves it in the same
relayStateURL attribute, but this attribute is never used in the POST
form which submits the response to Google. This is something you'd
want to change in a production environment, but it sounds like your
issue is being caused by something earlier in the process.
That is essentially the life story of a RelayState, so hopefully you
can determine where the process is getting derailed...
Let me know if any of this helps,
Gordy
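As an added example (not the thread's or the demo's code), here is a servlet that follows the RelayState life story above end to end, and also covers the null case that the earlier reply suggests hard-coding a default for. Assumed, not from the thread: the `javax.servlet` API, the `DEFAULT_RELAY_STATE` value and `ALLOWED_HOSTS` allowlist, the `ACS_URL` placeholder, and an `authenticateAndBuildResponse` helper implemented elsewhere.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public abstract class RelayStateServlet extends HttpServlet {
    // Assumed values: landing page when no usable RelayState arrives (e.g. IdP-initiated login),
    // the only hosts a RelayState may point at, and Google's assertion consumer URL for the domain.
    static final String DEFAULT_RELAY_STATE = "http://partnerpage.google.com/community.nipissingu.ca";
    static final Set<String> ALLOWED_HOSTS = Set.of("partnerpage.google.com", "mail.google.com");
    static final String ACS_URL = "https://ACS-URL-PLACEHOLDER/";
    // Keep relayState only if it is a well-formed http(s) URL on an allowed host; otherwise fall back.
    // Without this check RelayState is attacker-controlled and the IdP becomes an open redirector.
    static String safeRelayState(String relayState) {
        if (relayState == null || relayState.isBlank()) return DEFAULT_RELAY_STATE;
        try {
            URI u = new URI(relayState);
            boolean ok = ("http".equals(u.getScheme()) || "https".equals(u.getScheme()))
                    && u.getHost() != null && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
            return ok ? relayState : DEFAULT_RELAY_STATE;
        } catch (URISyntaxException e) { return DEFAULT_RELAY_STATE; }
    }
    // Step 1: Google redirects the browser here with ?SAMLRequest=...&RelayState=...  Stash it as a
    // request attribute so identity_provider.jsp can render the hidden RelayState field from
    // request.getAttribute("relayStateURL"); a forward carries attributes, not new parameters.
    @Override protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.setAttribute("relayStateURL", safeRelayState(request.getParameter("RelayState")));
        request.getRequestDispatcher("/identity_provider.jsp").forward(request, response);
    }
    // Step 2: the login form posts the hidden RelayState back.  After authentication, echo it into
    // the auto-submitting form that carries the SAMLResponse to Google (the field the demo drops).
    @Override protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String relayStateURL = safeRelayState(request.getParameter("RelayState"));
        String samlResponse = authenticateAndBuildResponse(request);  // base64 text, safe in an attribute
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<form method=\"post\" action=\"" + ACS_URL + "\"><input type=\"hidden\" name=\"SAMLResponse\" value=\"" + samlResponse + "\"/>");
        out.println("<input type=\"hidden\" name=\"RelayState\" value=\"" + relayStateURL.replace("&", "&amp;") + "\"/></form><script>document.forms[0].submit();</script>");
    }
    // Assumed: a subclass checks username/password and returns the base64-encoded signed SAML Response.
    protected abstract String authenticateAndBuildResponse(HttpServletRequest request);
}
```

The URI parser already rejects quotes and angle brackets, so only the ampersand needs escaping before the validated RelayState goes into the hidden field.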
On Apr 2, 10:01 am, "andreroy55" <andrero...@gmail.com> wrote:
> I'm browsing to http://partnerpage.google.com/community.nipissingu.ca
> , which is a protected resource, is it not? I can go there either with
> that big long URL or with http://start.community.nipissingu.ca. I'm
Anyway, this helped. Stepping through it allowed me to find where it
wasn't, if you know what I mean.
Turns out that in what was identity_provider.jsp where it said
<%
String relayState = (String) request.getAttribute("relayStateURL");
%>
that doesn't retrieve the relay state, but
<%
String relayState = (String) request.getParameter("relayStateURL");
%>
does work. So, changed that line and away I go.
I want to thank everyone for their help and contribution. You've been
great!
Next step, provisioning API, once I put out assorted fires here :(
You'll be hearing from me! :)