question

damian-miller asked:

Three-legged-auth & SSO w/JumpCloud & RC

Hi All,

We are about a week off from going into production with RingCentral. The whole company is super excited. There is one snafu that I ran into doing pre-production launch tests. I was successfully able to implement the login and RingOut APIs that are required in the sandbox environment and meet all requirements. The difference between our production and sandbox environments is that production uses JumpCloud for SSO. Upon logging into JumpCloud with the three-legged auth I am immediately redirected back to the login screen instead of being prompted with the screen that asks the user to accept the permissions / finish authentication. It works fine in production when utilizing RingCentral's username/password authentication.

Has anyone else experienced something similar to this?



Phong Vu answered:
Hi Damian,

I am excited to see your app running on the production environment too!

Can you double check that SSO is set up for your production account? If not, please read the instructions at the link below.

https://success.ringcentral.com/articles/en_US/RC_Knowledge_Article/1149

Let me know,

+ Phong

damian-miller answered:
Hi Phong,

Thanks for getting back to me. We actually have SSO as a hard requirement (the checkbox that doesn't allow RC username/password) to log in to RC/Glip/Meetings. The screen in the attached image is the one that is skipped after logging into our SSO provider. Instead of seeing this upon successful login, the RC login form is shown again.




8 comments:

Did you change/add the correct redirect URL for the production environment in your RC app and in your production code? Are you coding in JavaScript? 
Correct. This actually works in the production environment without utilizing SSO. 

var oauth = null;
$(function() {
  // Production authorize endpoint. The redirect_uri query value was truncated in the original post.
  var url = 'https://platform.ringcentral.com/restapi/oauth/authorize?response_type=code&redirect_uri=https%3...';
  var redirectUri = 'https://gs3.giftservices.com/ringcentral/auth';
  var config = {
    authUri: url,
    redirectUri: redirectUri
  };
  var win = null;

  var OAuthCode = function (config) {
    this.config = config;

    this.loginPopup = function () {
      console.log("The URL is :" + url);
      this.loginPopupUri(this.config['authUri'], this.config['redirectUri'], 'test param');
    };

    this.loginPopupUri = function (authUri, redirectUri, state_param) {
      // The form fields are packed into "state" so the callback handler can recover them.
      // This value is derived from user-visible input rather than a random per-login token,
      // so it does not by itself tie the callback to this browser session.
      var params = $.param({
        gs_user_id_inputbox: $('#gs_user_id').val(),
        ext_inputbox: $('#gs_extension').val(),
        backto: $('#backto').val()
      });
      authUri += '&state=' + btoa(params);

      win = window.open(authUri, 'RingCentral Login', 'width=800, height=600');

      // Poll the popup's location. While the popup sits on ringcentral.com or the SSO
      // provider, reading win.document.URL throws a cross-origin error that the catch
      // below swallows; the checks only run once the popup is back on our redirect_uri.
      var pollOAuth = window.setInterval(function () {
        try {
          console.log('win.document.URL ' + win.document.URL);
          if (win.document.URL.indexOf('success') != -1) {
            window.clearInterval(pollOAuth);
            win.close();
            location = $('#backto').val();
          }
          if (win.document.URL.indexOf('error') != -1) {
            console.log('ABORT!');
            console.log(win.document.URL);
            var callbackUrl = new URL(win.document.URL);
            var error_message = callbackUrl.searchParams.get("error");
            console.log(error_message);
            $('#error-message').text(error_message);
            // Stop polling before closing, otherwise the timer keeps firing against a closed window.
            window.clearInterval(pollOAuth);
            win.close();
          }
        } catch (e) {
          // Cross-origin access to the popup while it is on another site; keep polling.
        }
      }, 100);
    };
  };

  oauth = new OAuthCode(config);

  // Legacy username/password path, handled entirely by the application back end.
  $('#gs-legacy-login').submit(function(e) {
    e.preventDefault();
    $.post('/ringcentral/gs2_login', $('#gs-legacy-login').serializeArray(), function(data) {
      if (data.rsp === 1) {
        window.location = $('#backto').val();
      } else {
        $('#error-message').text(data.data.message);
      }
    }, 'json');
  });
});

Hi Damian,

Are you able to log in to "service.ringcentral.com" and "glip.com" via the SSO flow?

If this only happens for this particular app, would you please capture the SSO login flow with either the Firefox "SAML-tracer" or the Chrome "SAML-tracer"?

Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/?src=recommended

Chrome: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch/related?hl=en

Thanks,
Tony
We can log in to both service.ringcentral.com and glip.com using the SSO flow. This only happens when utilizing SSO with the code above.

SAML-Tracer Output Below.  It seems like at some point the redirect is being lost with SSO.

{
  "requests": [
    {
      "method": "GET",
      "url": "http://admin/",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        }
      ],
      "get": [],
      "responseStatus": 302,
      "responseStatusText": "HTTP/1.1 302 Found",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.2.17"
        },
        {
          "name": "Set-Cookie",
          "value": "PHPSESSID={hash:83ffe3048032a4c8a26a78235ce0e270e707e5660c4d5123c0708c04b39ece83}; path={hash:8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1}; domain={hash:59428f9a8b7c0b007fbb83ef90fda886d702031bf5d124522bcd12f5b11a5b71}"
        },
        {
          "name": "Expires",
          "value": "Thu, 19 Nov 1981 08:52:00 GMT"
        },
        {
          "name": "Cache-Control",
          "value": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
        },
        {
          "name": "Pragma",
          "value": "no-cache"
        },
        {
          "name": "Location",
          "value": "http://adminland.giftservices.com/adminland"
        },
        {
          "name": "Content-Length",
          "value": "0"
        },
        {
          "name": "Keep-Alive",
          "value": "timeout=15, max=1000"
        },
        {
          "name": "Connection",
          "value": "Keep-Alive"
        },
        {
          "name": "Content-Type",
          "value": "text/html"
        }
      ]
    },
    {
      "method": "GET",
      "url": "http://adminland.giftservices.com/adminland",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        },
        {
          "name": "Cookie",
          "value": "gs_user_id={hash:251f765e7b59cad17c8bdae6f71705020292f246dacddc8f65cbb3cc4b8e3384}; _gt_override_warehouse={hash:038c616c58034ec577ee376a5ebf31164c4250b057c13acd5fc197711266e488}; k_gs_user_dn={hash:5572470cc743c86d2508495b7197a0ae4d2d5adf9ec32d4f097d86573e0f52d6}"
        }
      ],
      "get": [],
      "responseStatus": 301,
      "responseStatusText": "HTTP/1.1 301 Moved Permanently",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "Location",
          "value": "http://adminland.giftservices.com/adminland/"
        },
        {
          "name": "Content-Length",
          "value": "342"
        },
        {
          "name": "Keep-Alive",
          "value": "timeout=15, max=1000"
        },
        {
          "name": "Connection",
          "value": "Keep-Alive"
        },
        {
          "name": "Content-Type",
          "value": "text/html; charset=iso-8859-1"
        }
      ]
    },
    {
      "method": "GET",
      "url": "http://adminland.giftservices.com/adminland/",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        },
        {
          "name": "Cookie",
          "value": "gs_user_id={hash:251f765e7b59cad17c8bdae6f71705020292f246dacddc8f65cbb3cc4b8e3384}; _gt_override_warehouse={hash:038c616c58034ec577ee376a5ebf31164c4250b057c13acd5fc197711266e488}; k_gs_user_dn={hash:5572470cc743c86d2508495b7197a0ae4d2d5adf9ec32d4f097d86573e0f52d6}"
        }
      ],
      "get": [],
      "responseStatus": 302,
      "responseStatusText": "HTTP/1.1 302 Found",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.2.17"
        },
        {
          "name": "Set-Cookie",
          "value": "PHPSESSID={hash:d999edd7d12e33ecc1000ce0ab668a0b605cf91705ce3642cb2445ef180ef706}; path={hash:8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1}; domain={hash:59428f9a8b7c0b007fbb83ef90fda886d702031bf5d124522bcd12f5b11a5b71}"
        },
        {
          "name": "Expires",
          "value": "Thu, 19 Nov 1981 08:52:00 GMT"
        },
        {
          "name": "Cache-Control",
          "value": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
        },
        {
          "name": "Pragma",
          "value": "no-cache"
        },
        {
          "name": "Location",
          "value": "https://adminland.giftservices.com/adminland/"
        },
        {
          "name": "Content-Length",
          "value": "0"
        },
        {
          "name": "Keep-Alive",
          "value": "timeout=15, max=999"
        },
        {
          "name": "Connection",
          "value": "Keep-Alive"
        },
        {
          "name": "Content-Type",
          "value": "text/html"
        }
      ]
    },
    {
      "method": "GET",
      "url": "https://adminland.giftservices.com/adminland/",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate, br"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        },
        {
          "name": "Cookie",
          "value": "gs_user_id={hash:251f765e7b59cad17c8bdae6f71705020292f246dacddc8f65cbb3cc4b8e3384}; k_gs_user_id={hash:9f6d3fb0134fd8eca6af833b7a9e1d1211bf5f66057db92ba52b0aa3da96e942}; _gt_override_warehouse={hash:038c616c58034ec577ee376a5ebf31164c4250b057c13acd5fc197711266e488}; k_remote_addr={hash:120b4de23284b8e349ae4346f20dde4e9b4ee6d5507a977924ca04752315c59a}; k_rc_session_id={hash:3d8770d695d03ff8db79947b03db5cce9ff934b0240446429362ce4382850979}; md5_login_hash={hash:433221d15a918cca03d00912c3c591ab06a8fc656c345005bfed1d4f4eb44df2}; k_gs_user_dn={hash:5572470cc743c86d2508495b7197a0ae4d2d5adf9ec32d4f097d86573e0f52d6}; PHPSESSID={hash:d999edd7d12e33ecc1000ce0ab668a0b605cf91705ce3642cb2445ef180ef706}"
        }
      ],
      "get": [],
      "responseStatus": 302,
      "responseStatusText": "HTTP/1.1 302 Found",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.2.17"
        },
        {
          "name": "Expires",
          "value": "Thu, 19 Nov 1981 08:52:00 GMT"
        },
Hi Damian,

From the SAML-tracer log, I didn't see a SAML 2.0 SSO flow at all. Only at the end of the flow does something trigger the RingCentral 3-legged OAuth login flow.

In fact, the glip.com app is using 3-legged OAuth too, by using https://api.ringcentral.com/restapi/oauth/authorize?client_id=cZPfEqZkQxKa9dUEu9RkCA&response_ty..., where it starts with the 3-legged login URL, so that a user can click on the "Single Sign-on" button to log in via the SAML 2.0 based SSO flow.