IdP-first flow setup help?


Kostia Grebelsky

Mar 24, 2010, 3:02:17 PM
to simple...@googlegroups.com

Hi,

I would like to set up an IdP-first flow.

Let's assume my simplesaml is installed in kostia.com/simplesaml.

My understanding is that on the SP side in metadata saml20-sp-hosted I need to have:

$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    /* X.509 key and certificate. Relative to the cert directory. */
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',

    'RelayState' => 'kostia.com/authorized',
);

Where RelayState is the added parameter.

On the IdP side I would need to create entries in metadata saml20-idp-remote.php?

$metadata['https://samlip.kostia.com'] = array(
    'name'                 => array('en' => 'Kostia IdP'),
    'description'          => 'Here .',
    'SingleSignOnService'  => 'https://samlip.kostia.com/simplesaml/saml2/idp/SSOService.php?spentityid=kostia.com/simplesaml',
    'SingleLogoutService'  => 'https://samlip.kostia.crsinc.local/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
);

Am I on the right track?

Kostia Grebelsky

Mar 24, 2010, 5:02:50 PM
to simple...@googlegroups.com

I may be on the right track, but when I am getting redirected to the SP, I am getting

The authentication source id in the URL does not match the authentication source which sent the request.

Which is true, since the request originated on the IdP.

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

Olav Morken

Mar 26, 2010, 4:12:43 AM
to simple...@googlegroups.com
On Wed, Mar 24, 2010 at 17:02:50 -0400, Kostia Grebelsky wrote:
> I may be on the right track, but when I am getting redirected to SP, I am
> getting
>
> The authentication source id in the URL does not match the authentication
> source which sent the request.
>
> Which is true, since the request originated on the IdP.

Are you able to sign in using SP initiated signon? If not, I suggest
that you configure that first. When that is working, it should be
relatively simple to set up IdP initiated signon.


> Hi,
>
> I would like to setup IdP first flow.
>
> Lets assume my simplesaml installed in kostia.com/simplesaml.
>
>
>
> My understanding is that on SP side in metadata saml20-sp-hosted I need to
> have:

That file is deprecated. It will still work for a while, but it is not
recommended for new installations.

>
> $metadata['__DYNAMIC:1__'] = array(
>     /*
>      * The hostname of the server (VHOST) that will use this SAML entity.
>      *
>      * Can be '__DEFAULT__', to use this entry by default.
>      */
>     'host' => '__DEFAULT__',
>
>     /* X.509 key and certificate. Relative to the cert directory. */
>     'privatekey' => 'server.pem',
>     'certificate' => 'server.crt',
>
>     /*
>      * Authentication source to use. Must be one that is configured in
>      * 'config/authsources.php'.
>      */
>     'auth' => 'example-userpass',

The 'auth'-parameter does not make sense. You seem to be mixing
sp-hosted and idp-hosted metadata.

>
> 'RelayState' => 'kostia.com/authorized',

The RelayState must be a full URL. I.e.: 'http://kostia.com/authorized'
or something like that.

>
> );
>
> Where RelayState is the added parameter.
>
> On the IdP side I would need to create entries in metadata
> saml20-idp-remote.php ?

On the SP side you configure saml20-idp-remote. On the IdP you
configure saml20-idp-hosted and saml20-sp-remote.

> $metadata['https://samlip.kostia.com'] = array(
>     'name' => array('en' => 'Kostia IdP'),
>     'description' => 'Here .',
>     'SingleSignOnService' => 'https://samlip.kostia.com/simplesaml/saml2/idp/SSOService.php?spentityid=kostia.com/simplesaml',

The SingleSignOnService isn't used when doing IdP initiated
authentication. You should therefore not add "?spentityid=..." to the
URL.

>
>     'SingleLogoutService' => 'https://samlip.kostia.crsinc.local/simplesaml/saml2/idp/SingleLogoutService.php',
>     'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
> );


--
Olav Morken
UNINETT / Feide

Kostia Grebelsky

Apr 2, 2010, 3:42:04 PM
to simple...@googlegroups.com
OK. I am still confused and I think it is configuration more than anything
else.
I have a client who has asked us if we can support SSO. We said yes and now
I need to make sure that if they say they need it I am able to provide it
for them. We are to support SAML2. I am expecting the initial request to come
from them (IdP). I assume they will do their IdP configuration so that once the
user clicks on a link provided somewhere on their intranet they would get
redirected to us with a reply message from the IdP which I would have to use on
my SP as the authorization response. Basically no matter how it is implemented I
assume it will be an IdP-first scenario.

Here is how I have things configured and if you say that something is wrong,
please tell me how it should be.
On the IdP side in saml20-sp-remote. This will be configured by the client, so
the only reason I need to set this up is to make sure that I can get it to
work.

$metadata['https://idp.kostia.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
    'AssertionConsumerService' => 'https://sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php',
    'SingleLogoutService'      => 'https://sp.kostia.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);
This however contradicts
https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=sp.example.org
as suggested in "10 A. IdP-first setup" on
http://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_10. Is this still
valid? Or am I missing something?

I get redirected after authentication, as advertised, to
sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php

where dump of the response object is (more questions after second line of
************):

******************************************
object(SAML2_Response)[20]
private 'assertions' =>
array
0 =>
object(SAML2_Assertion)[24]
private 'id' => string 'pfxa588774f-046b-5fd1-c8a1-eb235281b344'
(length=39)
private 'issueInstant' => int 1267432305
private 'issuer' => string
'https://samlip.kostia.com/simplesaml/saml2/idp/metadata.php' (length=68)
private 'nameId' =>
array
...
private 'encryptedNameId' => null
private 'notBefore' => int 1267432275
private 'notOnOrAfter' => int 1267432605
private 'destination' => string
'https://next.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php'
(length=81)
private 'inResponseTo' => string
'_adb53513a48bdfb4c6d6b00970169eb0c52eab6f05' (length=43)
private 'validAudiences' =>
array
...
private 'sessionNotOnOrAfter' => int 1267461105
private 'sessionIndex' => string
'_d207ff049ac9a25466222b58e1879fe8f1fb660400' (length=43)
private 'authnContext' => string
'urn:oasis:names:tc:SAML:2.0:ac:classes:Password' (length=47)
private 'attributes' =>
array
...
private 'nameFormat' => string
'urn:oasis:names:tc:SAML:2.0:attrname-format:basic' (length=49)
private 'signatureKey' => null
private 'certificates' =>
array
...
private 'signatureData' =>
array
...
public 'authnStatement' =>
array
...
private 'inResponseTo' => string
'_adb53513a48bdfb4c6d6b00970169eb0c52eab6f05' (length=43)
private 'status' =>
array
'Code' => string 'urn:oasis:names:tc:SAML:2.0:status:Success'
(length=42)
'SubCode' => null
'Message' => null
private 'tagName' => string 'Response' (length=8)
private 'id' => string 'pfxd4471734-ed75-7a88-1b7c-f62ee4797f8d'
(length=39)
private 'issueInstant' => int 1267432305
private 'destination' => string
'https://next.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php'
(length=81)
private 'issuer' => string
'https://samlip.kostia.com/simplesaml/saml2/idp/metadata.php' (length=68)
private 'relayState' => string
'https://samlip.kostia.com/simplesaml/module.php/core/authenticate.php?as=default-sp' (length=92)
protected 'document' => null
private 'signatureKey' => null
private 'certificates' =>
array
0 => string 'MIICgTCCAeoCCQCbOl... (length=860)
private 'validators' =>
array
0 =>
array
'Function' =>
array
...
'Data' =>
array
...
****************************************
I am getting
Could not find any default metadata entities in set [saml20-sp-hosted] for
host [sp.kostia.com : sp.kostia.com/simplesaml]

How am I supposed to configure my SP to treat this out of order response as
a valid Authentication Response? I assume RelayState should redirect to the
correct page where I would be able to extract SP user identity from the
response?

Kostia Grebelsky

Apr 5, 2010, 3:23:09 PM
to simple...@googlegroups.com
And of course my saml20-sp-hosted.php is:
$metadata['__DYNAMIC:1__'] = array(

    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    /* X.509 key and certificate. Relative to the cert directory. */
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',

    'RelayState' => 'sp.kostia.com/system/login.php',
);

Anybody? I am still getting: 'Could not find any default metadata entities
in set...'


Olav Morken

Apr 6, 2010, 1:49:32 AM
to simple...@googlegroups.com
On Fri, Apr 02, 2010 at 15:42:04 -0400, Kostia Grebelsky wrote:
> OK. I am still confused and I think it is configuration more than anything
> else.
> I have a client who has asked us if we can support SSO. We said yes and now
> I need to make sure that if they say they need it I am able to provide it
> for them. We are to support SAML2. I am expecting initial request to come
> from them (IdP). I assume they will do their idp configuration that once the
> user clicks on a link provided somewhere on their intra net they would get
> redirected to us with a reply message from IdP which I would have to use on
> my SP as authorization response. Basically no matter how it is implemented I
> assume it will be an IdP-first scenario.
>
> Here is how I have things configured and if you say that something is wrong,
> please tell me how it should be.
> On IDP side in saml2-sp-remote. This will be configured by the client, so
> the only reason I need to set this up is to make sure that I can get it to
> work.
>
> $metadata['https://idp.kostia.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
> 'AssertionConsumerService' =>
> 'https://sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php',

This is the ACS url for the old SAML 2 SP implementation in simpleSAMLphp,

> 'SingleLogoutService' =>
> 'https://sp.kostia.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',

while this is the SLO url for the new SAML 2 SP implementation.

You must pick one. If you use the old, you configure it in
metadata/saml20-sp-hosted.php, and if you use the new, you configure it
in config/authsources.php.

> );
> This however contradicts
> https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=sp.example.org
> as suggested in "10 A. IdP-first setup" on
> http://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_10. Is this still
> valid? Or am I missing something?

Actually, there is one error there - it says that you must have
RelayState added to saml20-sp-hosted. It can either be specified in
saml20-sp-hosted.php or authsources.php. You can also specify it as a
parameter to the IdP's SSOService.php.

> I get redirected after authentication, as advertised, to
> sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php
>
> where dump of the response object is (more questions after second line of
> ************):

[...]

> I am getting
> Could not find any default metadata entities in set [saml20-sp-hosted] for
> host [sp.kostia.com : sp.kostia.com/simplesaml]

This is because you have configured the SP in authsources.php, but the
ACS you are sending the response to expects the SP to be configured in
saml20-sp-hosted.php

> How am I supposed to configure my SP to treat this out of order response as
> a valid Authentication Response? I assume RelayState should redirect to the
> correct page where I would be able to extract SP user identity from the
> response?

The RelayState determines which URL the SP should redirect to after
receiving a valid authentication response from the IdP.

Kostia Grebelsky

Apr 6, 2010, 2:29:18 PM
to simple...@googlegroups.com
Just want to clarify things with the IdP-first flow, since the answers are still
confusing, or I am just not getting it...

You say: "
> 'AssertionConsumerService' =>
> 'https://sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php',

This is the ACS url for the old SAML 2 SP implementation in simpleSAMLphp,

> 'SingleLogoutService' =>
> 'https://sp.kostia.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',

while this is the SLO url for the new SAML 2 SP implementation.

You must pick one. If you use the old, you configure it in
metadata/saml20-sp-hosted.php, and if you use the new, you configure it
in config/authsources.php."

I need to configure the IdP side to be aware of the Assertion Consumer Service
so that once authorization is done by the IdP it knows where to direct the
authorized request? Are you saying this should be done through
config/authsources.php on the IdP side?

RelayState added to saml20-sp-hosted on the SP side must be configured to
contain a URL where to redirect once the SP confirms authorization done by the IdP?

To clarify: if I have no control of the IdP side, but will provide the client
with an entityID, then on my side (SP) I would use config/authsources.php,
specifying

'entityID' => 'idp_used_by_kostia',
'idp' => 'https://samlip.kostia.com/',
'SingleSignOnService' => 'https://samlip.kostia.com/simplesaml',
'SingleLogoutService' => 'https://samlip.kostia.com/simplesaml',
'RelayState' => 'https://sp.kostia.com/login.php'

If I am configuring my IdP, then I need to create an entry in saml20-sp-remote.php,
or would it go into config/authsources.php as well?

$metadata['https://samlip.kostia.com'] = array (
    'AssertionConsumerService' => 'https://sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php',
);


Olav Morken

Apr 7, 2010, 2:14:23 AM
to simple...@googlegroups.com
On Tue, Apr 06, 2010 at 14:29:18 -0400, Kostia Grebelsky wrote:
> Just want to clarify things. With IdP first flow since the answers are still
> confusing, or I am just not getting it...
>
> You say: "
> 'AssertionConsumerService' =>
> > 'https://sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php',
>
> This is the ACS url for the old SAML 2 SP implementation in simpleSAMLphp,
>
> > 'SingleLogoutService' =>
> > 'https://sp.kostia.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
>
> while this is the SLO url for the new SAML 2 SP implementation.
>
> You must pick one. If you use the old, you configure it in
> metadata/saml20-sp-hosted.php, and if you use the new, you configure it
> in config/authsources.php."
>
> I need to configure IdP side to be aware of the Assertion Consumer Service
> so that once authorization is done by IdP it knows where to directed
> authorized request? Are you saying this should be done through
> config/authsources.php on IdP side?

No, I'm saying that you have configured either the
AssertionConsumerService or the SingleLogoutService in saml20-sp-remote
metadata incorrectly. You have specified an URL to the old SAML 2 SP
installation in the AssertionConsumerService field, and an URL to the
new SAML 2 SP installation in the SingleLogoutService field.

The old SP is configured in saml20-sp-hosted, while the new SP is
configured in config/authsources.

> RelayState added to saml20-sp-hosted On SP side must be configured to
> contain a URL where to redirect once SP confirms authorization done by IdP?
>
> To clarify if I have no control of IdP side, but will provide the client
> with entityID and then on my side (SP)
> I would use config/authsources.php

Then you are using the new SP implementation, and should update the URL
to the AssertionConsumerService to point to that SP. It should be
something like:

https://sp.kostia.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

> Specifying
> 'entityID' => 'idp_used_by_kostia',
> > 'idp' => 'https://samlip.kostia.com/

> 'SingleSignOnService' => 'https://samlip.kostia.com/simplesaml',
> > 'SingleLogoutService' => 'https://samlip.kostia.com/simplesaml',

These two elements don't mean anything in authsources.php, and can be
safely removed. IdP metadata must be configured in saml20-idp-remote.

> 'RelayState' => 'https://sp.kostia.com/login.php'
>
> If I am configuring my IdP
> Then I need to create an entry in saml20-sp-remote.php or would it go into
> config/authsources.php as well?

Metadata for SPs goes in saml20-sp-remote.

> $metadata['https://samlip.kostia.com'] = array (
> 'AssertionConsumerService' =>
> 'https://sp.kostia.com/simplesaml/saml2/sp/AssertionConsumerService.php',
> );


Kostia Grebelsky

Apr 8, 2010, 12:59:21 PM
to simple...@googlegroups.com
I am trying to support IdP-first as well as SP-first flow, and I made some
progress, but now I am getting:
This SP [https://sp.kostia.local/simplesaml/saml2/sp/metadata.php] is not a
valid audience for the assertion. Candidates were: [https://id.kostia.local]

This is happening regardless of where I start my authentication.

On the IdP side I have configured:

saml20-sp-remote
$metadata['https://idp.kostia.local'] = array(
    'AssertionConsumerService' => 'https://idp.kostia.local/simplesaml/saml2/sp/AssertionConsumerService.php',
);

$metadata['https://sp.kostia.local'] = array(
    'AssertionConsumerService' => 'https://sp.kostia.local/simplesaml/saml2/sp/AssertionConsumerService.php',
);

saml20-idp-remote
$metadata['https://idp.kostia.local/simplesaml/saml2/idp/metadata.php'] = array(
    'name' => array(
        'en' => 'Kostia test IdP'
    ),
    'description' => 'Here you can login with your account on Kostia VM.',
    'SingleSignOnService' => 'https://idp.kostia.local/simplesaml/saml2/idp/SSOService.php?spentityid=sp.kostia.local',
    'certFingerprint' => 'afe71c28ef740bc87425be13a2263d37971da1f9',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

On the SP side:
config/authsources.php
'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.kostia.local',
    'idp' => 'https://idp.kostia.local',
),

saml20-sp-hosted
Default with 'RelayState' => '/var/sites/sp.kostia.local/login.php',


Olav Morken

Apr 9, 2010, 9:43:09 AM
to simple...@googlegroups.com
On Thu, Apr 08, 2010 at 12:59:21 -0400, Kostia Grebelsky wrote:
> I am trying to support IdP first as well as SP first flow, and I made some
> progress, but now I am getting:
> This SP [https://sp.kostia.local/simplesaml/saml2/sp/metadata.php] is not a
> valid audience for the assertion. Candidates were: [https://id.kostia.local]
>
> This is happening regardless where I start my authentication.

As stated before, this is caused by the incorrect
AssertionConsumerService URL being configured in the sp-remote metadata
on the IdP.

Kostia Grebelsky

Apr 13, 2010, 3:52:26 PM
to simple...@googlegroups.com
I finally got both sides (IdP and SP) working. A recommendation for those
that are trying to set up both ends: make sure your metadata files are encoded
correctly, because this was the problem for me all along. I could not get IDs
to match until I recreated the files from scratch.

As stated before, my client will be our IdP, and I want to make sure that
from a security perspective I have things set up correctly and in the best way
possible.
Should I be using the certificate fingerprint on the SP side to identify IdP
responses, or the IdP's public key? What else should I be aware of to make sure
that authorization responses are coming from the real IdP?
What is the best way to identify which IdP the response is coming from? Is
it through RelayState parameters, or should it be done through some response
attribute? All responses from all IdPs will be redirected to the same
'welcome' page, where the actual mapping of users would have to be performed
(IdP user => MY USER).
Is my assumption correct that by default I can use the uid attribute for this
mapping? Which of course will be set by the IdP in the response?


Currently for testing purposes I have the following setup:

IDP
Created private key and certificate

saml20-sp-remote

$metadata['https://next.kostia.local'] = array(
    'AssertionConsumerService' => 'https://next.kostia.local/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://next.kostia.local/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);

saml20-idp-hosted
$metadata['https://idp.kostia.local'] = array(
    'host' => 'idp.kostia.local',
    'auth' => 'example-userpass',

    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',
);

For IdP-first I have a link on the front page:
https://idp.kostia.local/simplesaml/saml2/idp/SSOService.php?spentityid=https://next.kostia.local

SP
config/authsources

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'https://next.kostia.local',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => NULL,

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => NULL,
    'RelayState' => 'https://next.kostia.local/system/login.php',
),

saml20-idp-remote
$metadata['https://idp.kostia.local'] = array(
    'name' => array('en' => 'Kostia IDP'),
    'SingleSignOnService'  => 'https://idp.kostia.local/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService'  => 'https://idp.kostia.local/simplesaml/saml2/idp/SingleLogoutService.php',
    // 'certFingerprint' => '076685b0091892fa52d8a4afa8b781cb04cfe123',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    'certificate' => 'idppub.pem',
);

Olav Morken

Apr 14, 2010, 2:57:58 AM
to simple...@googlegroups.com
On Tue, Apr 13, 2010 at 15:52:26 -0400, Kostia Grebelsky wrote:
> I finally got both sides (IDP and SP) working. A recommendation for those
> that are trying to setup both ends make sure your metadata files are encoded
> correctly because this was the problem for me all along. I could not get ids
> to match until I recreated the files from scratch.
>
> As stated before my client will be our IDP, and I want to make sure that
> from security perspective I have things setup correctly and the best way
> possible.
> Should I be using certificate fingerprint on SP side to identify IDP
> responses or IDP's public key?

If you need to validate logout messages from the IdP, you must use
the full certificate. If you don't, it shouldn't matter which one you
use.

> What else should I be aware of to make sure
> that authorization responses are coming from the real IDP?

If simpleSAMLphp accepts the response and extracts attributes from it,
it means that the signature on the response has been validated.

Note: you should remove untrusted IdPs from saml20-idp-remote.php.

> What is the best way to identify which IDP the response is coming from?

That depends on how certain you want to be.

> Is
> it through RelayState parameters, or should it be done through some response
> attribute?

The RelayState can be easily forged by anyone. Attributes can be forged
by the IdP. If you trust your IdP, you can use attributes.

Currently, the only way to retrieve the IdP that authenticated the user
is to do the following:

$session = SimpleSAML_Session::getInstance();
$idp = $session->getIdP();

$idp will then contain the entityID of the IdP.

> All responses from all IDPs will be redirected to the same
> 'welcome' page, where actual mapping of users would have to be performed
> (IDP user => MY USER).
> Is my assumption correct that by default I can use uid attribute for this
> mapping? Which of course will be set by the IDP in the response?

What attributes you receive depends on the IdP.
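
As an added example (not code from this thread or from simpleSAMLphp itself), here is an SP-side 'welcome' page that applies the advice above: it takes the IdP entityID from the session rather than from RelayState, accepts only IdPs in an explicit allowlist, and maps the identifying attribute per IdP. The autoload path, the $trustedIdps table, the attribute names and lookup_local_user() are assumptions for illustration.

```php
<?php
// Added example: SP-side 'welcome' page for simpleSAMLphp 1.x (not from the thread).
// Identifies the IdP from the validated session, never from RelayState, and maps
// the IdP's user attribute to a local account using a per-IdP allowlist.
// Assumptions: the autoload path, the $trustedIdps table, the attribute names
// and lookup_local_user() are illustrative and not part of simpleSAMLphp.
require_once('/var/simplesamlphp/lib/_autoload.php');

// Explicit allowlist of IdPs that may log users in, with the attribute that
// identifies the user at each one. Every entry must also be present in
// metadata/saml20-idp-remote.php, which is what makes the SP validate its signature.
$trustedIdps = array(
    'https://idp.kostia.local' => array(
        'idAttribute' => 'uid',     // attribute released by this IdP (assumed)
        'prefix'      => 'kostia:', // scopes the id so two IdPs cannot collide
    ),
);

// Constructed sample mapping (IdP user => MY USER); a real site would query its user database.
function lookup_local_user($remoteUser) {
    $map = array('kostia:alice' => 'alice.local');
    return isset($map[$remoteUser]) ? $map[$remoteUser] : NULL;
}

function deny($message) {
    header('HTTP/1.1 403 Forbidden');
    die(htmlspecialchars($message));
}

$as = new SimpleSAML_Auth_Simple('default-sp');
// SP-first: redirects the browser to the IdP. IdP-first: the unsolicited
// response has already created the session, so this returns immediately.
$as->requireAuth();

// The SP records the IdP entityID when it validates the signed response.
// The RelayState URL parameter is client-controlled and proves nothing.
$session = SimpleSAML_Session::getInstance();
$idp = $session->getIdP();

if ($idp === NULL || !isset($trustedIdps[$idp])) {
    deny('Authentication response from an unknown or untrusted IdP.');
}
$rule = $trustedIdps[$idp];

// Attributes are only as trustworthy as the IdP that asserted them, which is
// why the mapping is keyed by IdP rather than by attribute value alone.
$attributes = $as->getAttributes();
if (empty($attributes[$rule['idAttribute']][0])) {
    deny('IdP ' . $idp . ' did not supply the ' . $rule['idAttribute'] . ' attribute.');
}

$remoteUser = $rule['prefix'] . $attributes[$rule['idAttribute']][0];
$localUser = lookup_local_user($remoteUser);
if ($localUser === NULL) {
    deny('No local account is mapped to ' . $remoteUser);
}

echo 'Welcome, ' . htmlspecialchars($localUser)
   . ' (authenticated by ' . htmlspecialchars($idp) . ')';
```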

Kostia Grebelsky

Apr 15, 2010, 1:37:42 PM
to simple...@googlegroups.com
I could swear that it was working and now I did something and getIdP is no
longer returning the idp, because the session object does not have it set.
Session object:
object(SimpleSAML_Session)[15]
private 'trackid' => string 'c342ee22ad' (length=10)
private 'idp' => null
private 'authenticated' => boolean true
private 'attributes' =>

Code:
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth(); // infinite loop
$isAuth = $as->isAuthenticated();
$session = SimpleSAML_Session::getInstance();
var_dump($session);
$idp = $session->getIdP();

Any suggestions?


Kostia Grebelsky

Apr 15, 2010, 1:46:04 PM
to simple...@googlegroups.com
It may be that it is there when it is SP first flow and missing if it is IDP
first flow!

Any suggestions?


Olav Morken

Apr 16, 2010, 3:07:49 AM
to simple...@googlegroups.com
On Thu, Apr 15, 2010 at 13:46:04 -0400, Kostia Grebelsky wrote:
> It may be that it is there when it is SP first flow and missing if it is IDP
> first flow!

You are correct. There was a bug which led to $session->idp not being
set when receiving an unsolicited response from the IdP. This bug is
fixed in r2250[1].


[1] http://code.google.com/p/simplesamlphp/source/detail?r=2250

Kostia Grebelsky

Apr 16, 2010, 8:31:20 AM
to simple...@googlegroups.com
Olav, thanks for the help. I appreciate your quick responses and all the
help you have provided!
