The page you requested is invalid.

[Pasquale Fedele]

From the past Friday trying to access our Google Apps Educational services we have the following error:

"Google Account - The page you requested is invalid." at the URL reported below.

The problem is not presente with Google Chrome .... Only with other browsers.

We use SSO authentication.

Url of the page error:

https://www.google.com/accounts/MergeSession?uberauth=APh-3Fyxo9pJ_-SV4uUA9Mt44D6QB2Rmf_4trlr7kp7zYzHgqIWUE0QH5WBwDktGx-E0XNiMnAjKp1__7U72xgC8zw92tehhGn527s9oW9uPqnBMjWgcAiNyfRtk4aqn6T1F_6OH67ByWoNWKpoQA5BdMnkc7V_fNT5sLobtO79P8Zke77n189relG13rPfI8N0Uu1gaVcNc5HcNvBe7ruQlqZOClSLgQEsqz-QlfPDpotshbkAnK4tTEXwwQExhbiuNvrgoSakg9_otluaKkCCKrBZ2m_Wyyjr1IUGqoyBbN0oeg7iAXSRjlPJOsiy5XORB1O8kdIhUOvEHvexCSSM8jMWMnMpg8GK1AuuiKrJEQorn3nqRL3xuqAwijAr8bIR6BSBsFUjPGOJtNlZgjowePwmBSHggPLSheZyHXBfj64bSzijYiO_rcr4zMjgKVjRdTh-bRLyZ&service=mail&continue=http%3A%2F%2Fmail.google.com%2Fa%2Funisi.it%2F%3Cmpl%3Ddefault%3Cmplcache%3D2

[Claudio Cherubino]

Hi Pasquale,

If you only have this problem with Internet Explorer, then it may be due to IE misinterpreting the RelayState parameter:

http://code.google.com/googleapps/faq.html#xmlescape

Also, IE has a maximum allowed length of 2083 characters for URLs, so please check the length of the URLs.

If none of those suggestions matches your problem, try capturing the HTTP traffic with a Firefox extension called LiveHTTPHeaders and share it here (feel free to remove sensitive data) so that we can troubleshoot the issue.

Thanks

Claudio

--
You received this message because you are subscribed to the Google Groups "SAML-based Single Sign On for Google Apps" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-saml-sso/-/742CDpqKFiQJ.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-saml...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-saml-sso?hl=en.

[Pasquale Fedele]

Hi Claudio,

please find attached the headers captured.

Please consider that the problem is not only with Explorer but also with Firefox for Windows (not for Linux), Chrome for Linux (not for Win) and Safari for Mac.

Hope this could help .... it is urgent for us to find a solution.

Thank for your help.

Pasquale

[Pasquale Fedele]

If I add the attachement the server gime me an error, I sent you it by email.

Regards

Pasquale

[Stafford Marquardt]

Hi Pasquale,

Thanks for your patience about this.  Looking at the final URL that you listed above, it looks like your SSO system is altering the parameters &ltmpl and &ltmplcache in the RelayState in a way that is affecting the "continue" parameter and causing it to reference an invalid URL. Namely, the &lt portion of the &ltmpl parameter is being parsed into a < character by your system. In total, "&ltmpl" becomes "<mpl". Because this removes the & character from the RelayState, the "<mpl" text (or %3Cmpl when it's URL-encoded) gets appended to the end of the "continue" parameter, corrupting the URL that it contains (and sending users to a bogus URL when they attempt to log in). If you reconfigure your SSO system to parse the RelayState properly, it should not have a problem with such parameters.  Hope that helps!

Cheers,

Stafford

[Nick Hood]

We were having the same exact issue Pasquale.  It is FIXED now!!!

Working off of what you said Stafford, we concluded the RelayState character needed to be changed from %3C to &%3C for other browsers to understand properly.  I am not sure why this stopped suddenly, anyone have any ideas?

Thanks again Stafford!

[Liquidweb Admin]

Another way, the one we used to solve the problem, is to use the HTTPS url instead of HTTP: https://mail.google.com/a/unisi.it

Regards,

Pasquale

[crisdeo...@unochapeco.edu.br]

Hi Pasquale,

here solved. We change our page that receive data from SAMLRequest (params RelayState and SAMLResponse) and put data using htmlspecialchars() function, php language.

This is a stupid error =/, but we solved :D

[Nedyalko Zhekov]

Thanks guys. We had the very same behavior and our solution was also to use htmlspecialchars() (in PHP) before sending the request to ACS. You helped me alot! Thank you once again!
Ned