damian-miller11931 asked

Three-legged-auth & SSO w/JumpCloud & RC

Hi All,


We are about a week off from going into production with RingCentral. The whole company is super excited. There is one snafu that I ran into doing pre-production launch tests. I was successfully able to implement the login and ringout APIs that are required in the sandbox environment and meet all requirements. The difference between our production and sandbox environments is that production uses Jumpcloud for SSO. Upon logging into Jumpcloud with the three-legged auth I am immediately redirected back to the login screen instead of being prompted with the screen that asks the user to accept the permissions / finish authentication. It works fine in production when utilizing RingCentral's username/password authentication.


Has anyone else experienced something similar to this?



sdk

Phong Vu answered

Hi Damian,


I am excited to see your app running on the production environment too!


Can you double check if SSO is setup for your production account? If not, please read the instruction from the link below.


https://support.ringcentral.com/article/1149.html


Let me know,


+ Phong


damian-miller11931 answered
Hi Phong,

Thanks for getting back to me. We actually have SSO as a hard requirement (the checkbox that doesn't allow RC username/password) to login to RC/Glip/Meetings. The screen in the attached image is the one that is skipped after logging into our SSO provider. Instead of seeing this upon successful login, the RC login form is shown again.




8 comments

Phong Vu ♦♦ commented ·
Did you change/add the correct redirect URL for the production environment in your RC app and in your production code? Are you coding in JavaScript? 
damian-miller11931 commented ·
Correct. This actually works in the production environment without utilizing SSO. 

var oauth = null;
$(function() {
    // Authorize endpoint; the redirect_uri value was truncated by the forum
    var url = 'https://platform.ringcentral.com/restapi/oauth/authorize?response_type=code&redirect_uri=https%3...';
    var redirectUri = 'https://gs3.giftservices.com/ringcentral/auth';
    var config = {
        authUri: url,
        redirectUri: redirectUri
    };
    var win = null;
    var OAuthCode = function (config) {
        this.config = config;
        this.loginPopup = function () {
            console.log("The URL is :" + url);
            this.loginPopupUri(this.config['authUri'], this.config['redirectUri'], 'test param');
        };
        this.loginPopupUri = function (authUri, redirectUri, state_param) {
            // Form values are base64-encoded into the OAuth state parameter
            var params = $.param({
                gs_user_id_inputbox: $('#gs_user_id').val(),
                ext_inputbox: $('#gs_extension').val(),
                backto: $('#backto').val()
            });
            authUri += '&state=' + btoa(params);

            win = window.open(authUri, 'RingCentral Login', 'width=800, height=600');
            // Poll the popup's URL until it lands on the success or error page
            var pollOAuth = window.setInterval(function () {
                try {
                    console.log('win.document.URL ' + win.document.URL);
                    if (win.document.URL.indexOf('success') != -1) {
                        window.clearInterval(pollOAuth);
                        //location.reload();
                        win.close();
                        location = $('#backto').val();
                        //console.log('success!');
                    }
                    if (win.document.URL.indexOf('error') != -1) {
                        console.log('ABORT!');
                        console.log(win.document.URL);
                        var url = new URL(win.document.URL);
                        var error_message = url.searchParams.get("error");
                        console.log(error_message);
                        $('#error-message').text(error_message);
                        win.close();
                        //location.reload();
                    }
                } catch (e) {
                    // Reading the URL throws while the popup is on another origin
                    //console.log(e);
                    //win.close();
                }
            }, 100);
        };
    };
    oauth = new OAuthCode(config);
    $('#gs-legacy-login').submit(function(e) {
        e.preventDefault();
        //console.log($('#gs-legacy-login').serializeArray());
        $.post('/ringcentral/gs2_login', $('#gs-legacy-login').serializeArray(), function(data) {
            if (data.rsp === 1) {
                window.location = $('#backto').val();
            } else {
                $('#error-message').text(data.data.message);
            }
        }, 'json');
    });

    // $('#gs2-login').click(function(e) {
    //     $(this).fadeOut(500);
    // });
});
tony-li73 commented ·

Hi Damian,

Are you able to login "service.ringcentral.com" and "glip.com" via SSO flow?

If this only happens for this particular app, would you please capture the SSO login flow with either the Firefox "SAML-tracer" or the Chrome "SAML-tracer"?

Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/?src=recommended

Chrome: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch/related?hl=en

Thanks,
Tony
damian-miller11931 commented ·
We can login to both service.ringcentral.com and glip.com using the SSO flow. This only happens when utilizing SSO w/the code above.

SAML-Tracer output below. It seems like at some point the redirect is being lost with SSO.

{
  "requests": [
    {
      "method": "GET",
      "url": "http://admin/",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        }
      ],
      "get": [],
      "responseStatus": 302,
      "responseStatusText": "HTTP/1.1 302 Found",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.2.17"
        },
        {
          "name": "Set-Cookie",
          "value": "PHPSESSID={hash:83ffe3048032a4c8a26a78235ce0e270e707e5660c4d5123c0708c04b39ece83}; path={hash:8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1}; domain={hash:59428f9a8b7c0b007fbb83ef90fda886d702031bf5d124522bcd12f5b11a5b71}"
        },
        {
          "name": "Expires",
          "value": "Thu, 19 Nov 1981 08:52:00 GMT"
        },
        {
          "name": "Cache-Control",
          "value": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
        },
        {
          "name": "Pragma",
          "value": "no-cache"
        },
        {
          "name": "Location",
          "value": "http://adminland.giftservices.com/adminland"
        },
        {
          "name": "Content-Length",
          "value": "0"
        },
        {
          "name": "Keep-Alive",
          "value": "timeout=15, max=1000"
        },
        {
          "name": "Connection",
          "value": "Keep-Alive"
        },
        {
          "name": "Content-Type",
          "value": "text/html"
        }
      ]
    },
    {
      "method": "GET",
      "url": "http://adminland.giftservices.com/adminland",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        },
        {
          "name": "Cookie",
          "value": "gs_user_id={hash:251f765e7b59cad17c8bdae6f71705020292f246dacddc8f65cbb3cc4b8e3384}; _gt_override_warehouse={hash:038c616c58034ec577ee376a5ebf31164c4250b057c13acd5fc197711266e488}; k_gs_user_dn={hash:5572470cc743c86d2508495b7197a0ae4d2d5adf9ec32d4f097d86573e0f52d6}"
        }
      ],
      "get": [],
      "responseStatus": 301,
      "responseStatusText": "HTTP/1.1 301 Moved Permanently",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "Location",
          "value": "http://adminland.giftservices.com/adminland/"
        },
        {
          "name": "Content-Length",
          "value": "342"
        },
        {
          "name": "Keep-Alive",
          "value": "timeout=15, max=1000"
        },
        {
          "name": "Connection",
          "value": "Keep-Alive"
        },
        {
          "name": "Content-Type",
          "value": "text/html; charset=iso-8859-1"
        }
      ]
    },
    {
      "method": "GET",
      "url": "http://adminland.giftservices.com/adminland/",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        },
        {
          "name": "Cookie",
          "value": "gs_user_id={hash:251f765e7b59cad17c8bdae6f71705020292f246dacddc8f65cbb3cc4b8e3384}; _gt_override_warehouse={hash:038c616c58034ec577ee376a5ebf31164c4250b057c13acd5fc197711266e488}; k_gs_user_dn={hash:5572470cc743c86d2508495b7197a0ae4d2d5adf9ec32d4f097d86573e0f52d6}"
        }
      ],
      "get": [],
      "responseStatus": 302,
      "responseStatusText": "HTTP/1.1 302 Found",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.2.17"
        },
        {
          "name": "Set-Cookie",
          "value": "PHPSESSID={hash:d999edd7d12e33ecc1000ce0ab668a0b605cf91705ce3642cb2445ef180ef706}; path={hash:8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1}; domain={hash:59428f9a8b7c0b007fbb83ef90fda886d702031bf5d124522bcd12f5b11a5b71}"
        },
        {
          "name": "Expires",
          "value": "Thu, 19 Nov 1981 08:52:00 GMT"
        },
        {
          "name": "Cache-Control",
          "value": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
        },
        {
          "name": "Pragma",
          "value": "no-cache"
        },
        {
          "name": "Location",
          "value": "https://adminland.giftservices.com/adminland/"
        },
        {
          "name": "Content-Length",
          "value": "0"
        },
        {
          "name": "Keep-Alive",
          "value": "timeout=15, max=999"
        },
        {
          "name": "Connection",
          "value": "Keep-Alive"
        },
        {
          "name": "Content-Type",
          "value": "text/html"
        }
      ]
    },
    {
      "method": "GET",
      "url": "https://adminland.giftservices.com/adminland/",
      "requestId": "2150",
      "requestHeaders": [
        {
          "name": "Upgrade-Insecure-Requests",
          "value": "1"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
        },
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
        },
        {
          "name": "Accept-Encoding",
          "value": "gzip, deflate, br"
        },
        {
          "name": "Accept-Language",
          "value": "en-US,en;q=0.9"
        },
        {
          "name": "Cookie",
          "value": "gs_user_id={hash:251f765e7b59cad17c8bdae6f71705020292f246dacddc8f65cbb3cc4b8e3384}; k_gs_user_id={hash:9f6d3fb0134fd8eca6af833b7a9e1d1211bf5f66057db92ba52b0aa3da96e942}; _gt_override_warehouse={hash:038c616c58034ec577ee376a5ebf31164c4250b057c13acd5fc197711266e488}; k_remote_addr={hash:120b4de23284b8e349ae4346f20dde4e9b4ee6d5507a977924ca04752315c59a}; k_rc_session_id={hash:3d8770d695d03ff8db79947b03db5cce9ff934b0240446429362ce4382850979}; md5_login_hash={hash:433221d15a918cca03d00912c3c591ab06a8fc656c345005bfed1d4f4eb44df2}; k_gs_user_dn={hash:5572470cc743c86d2508495b7197a0ae4d2d5adf9ec32d4f097d86573e0f52d6}; PHPSESSID={hash:d999edd7d12e33ecc1000ce0ab668a0b605cf91705ce3642cb2445ef180ef706}"
        }
      ],
      "get": [],
      "responseStatus": 302,
      "responseStatusText": "HTTP/1.1 302 Found",
      "responseHeaders": [
        {
          "name": "Date",
          "value": "Mon, 24 Sep 2018 21:55:08 GMT"
        },
        {
          "name": "Server",
          "value": "Apache/2.2.22 (Unix)"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.2.17"
        },
        {
          "name": "Expires",
          "value": "Thu, 19 Nov 1981 08:52:00 GMT"
        },
tony-li73 commented ·
Hi Damian,

From the SAML tracer's log, I didn't see a SAML 2.0 SSO flow at all. Only at the end of the flow, something triggers the RingCentral 3-legged OAuth login flow.

In fact, the glip.com app is using 3-legged OAuth too, by using https://api.ringcentral.com/restapi/oauth/authorize?client_id=cZPfEqZkQxKa9dUEu9RkCA&response_ty..., where it starts with the 3-legged login URL, so that a user can click on the "Single Sign-on" button to login via the SAML 2.0 based SSO flow.
damian-miller11931 commented ·
It appears that the RC forums truncated the message.  Sorry I didn't see that.  See this:  https://pastebin.com/k0tyBM2Q
tony-li73 commented ·
Hi Damian,

OK, we made some configuration change. Would you please try it again?

Thanks,
Tony
damian-miller11931 commented ·
Not sure what you did, but things are working now :) Thanks!!
