Three-legged-auth & SSO w/JumpCloud & RC

  • Problem
  • Updated 3 months ago
Hi All,

We are about a week off from going into production with RingCentral. Whole company is super excited. There is one snafu that I ran into doing pre-production launch tests. I was successfully able to implement the login and ringout APIs that are required in the sandbox environment and meet all requirements. The difference in our production environments and sandbox environments is that production uses JumpCloud for SSO. Upon logging into JumpCloud with the three-legged-auth I am immediately redirected back to the login screen instead of being prompted with the screen that asks the user to accept the permissions / finish authentication. It works fine in production when utilizing RingCentral's username/password authentication.

Has anyone else experienced something similar to this?



Damian Miller


Posted 3 months ago


Phong Vu, Devangelist

Hi Damian,

I am excited to see your app running on the production environment too!

Can you double check if SSO is set up for your production account? If not, please read the instructions from the link below.

https://success.ringcentral.com/articles/en_US/RC_Knowledge_Article/1149

Let me know,

+ Phong

Damian Miller

Hi Phong,

Thanks for getting back to me. We actually have SSO as a hard requirement (the checkbox that doesn't allow RC username/password) to log in to RC/Glip/Meetings. The screen in the attached image is the one that is skipped after logging into our SSO provider. Instead of seeing this upon successful login, the RC login form is shown again.





Damian Miller

We can log in to both service.ringcentral.com and glip.com using the SSO flow. This only happens when utilizing SSO w/the code above.

SAML-Tracer Output Below.  It seems like at some point the redirect is being lost with SSO.


Tony Li, Official Rep

Hi Damian,

From the SAML tracer's log, I didn't see a SAML 2.0 SSO flow at all. Only at the end of the flow, something triggers the RingCentral 3-legged OAuth login flow.

In fact, the glip.com app is using 3-legged OAuth too by using - https://api.ringcentral.com/restapi/oauth/authorize?client_id=cZPfEqZkQxKa9dUEu9RkCA&response_ty..., where it starts with the 3-legged login URL, so that a user can click on the "Single Sign-on" button to log in via the SAML 2.0 based SSO flow.
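The check described in the reply above (did a SAML exchange happen, and did the browser come back from the OAuth authorize step?) can be run over a trace mechanically. This is an added example, not code from the thread or from RingCentral: it reads a SAML-tracer-style JSON export using the `requests`, `url` and `post` fields of the export Damian posted, labels each hop, and reports whether the flow returned to the `redirect_uri` with a `code` and the same `state` that was sent. The `example.test` hosts, the `/sso`, `/acs` and `/callback` paths, and the verdict names are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample traces (not from the thread); hosts and paths other than
# /restapi/oauth/authorize are placeholders.
AUTHZ = ("https://platform.example.test/restapi/oauth/authorize?response_type=code"
         "&client_id=PLACEHOLDER&state=s1"
         "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcallback")
AUTHZ_HOP = {"method": "GET", "url": AUTHZ}
SAML_HOPS = [
    {"method": "GET", "url": "https://idp.example.test/sso?SAMLRequest=abc"},
    {"method": "POST", "url": "https://platform.example.test/acs",
     "post": [["SAMLResponse", "xyz"]]},
]

def export(*hops):
    """Serialize hops in the {"requests": [...]} layout of a tracer export."""
    return json.dumps({"requests": list(hops)})

LOOPING = export(AUTHZ_HOP, *SAML_HOPS, AUTHZ_HOP)  # login form shown again
WORKING = export(AUTHZ_HOP, *SAML_HOPS, {
    "method": "GET", "url": "https://app.example.test/callback?code=c1&state=s1"})
NO_SAML = export({"method": "GET", "url": "https://app.example.test/login"}, AUTHZ_HOP)

def classify(req):
    """Label one traced request by the protocol message it carries."""
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query)
    post_keys = {pair[0] for pair in req.get("post", [])}
    if "SAMLRequest" in query or "SAMLRequest" in post_keys:
        return "saml-request"
    if "SAMLResponse" in query or "SAMLResponse" in post_keys:
        return "saml-response"
    if parts.path.endswith("/oauth/authorize") and query.get("response_type") == ["code"]:
        return "oauth-authorize"
    return "other"

def diagnose(export_json):
    """Summarize where a three-legged OAuth + SAML SSO login stopped."""
    requests = json.loads(export_json)["requests"]
    kinds = [classify(r) for r in requests]
    sent, callback_ok = None, False
    for req, kind in zip(requests, kinds):
        query = parse_qs(urlsplit(req["url"]).query)
        if kind == "oauth-authorize" and sent is None:
            # Remember where the code should land and which state was sent.
            sent = (query.get("redirect_uri", [""])[0], query.get("state", [None])[0])
        elif sent and req["url"].startswith(sent[0] + "?") and "code" in query:
            # A callback only counts if it echoes the state from the authorize hop.
            callback_ok = query.get("state", [None])[0] == sent[1]
    hits = kinds.count("oauth-authorize")
    saml = "saml-request" in kinds and "saml-response" in kinds
    if hits == 0:
        verdict = "no-oauth-flow"
    elif callback_ok:
        verdict = "completed"
    elif not saml:
        verdict = "no-saml-exchange"
    else:
        verdict = "looped-back-to-login" if hits > 1 else "incomplete"
    return {"kinds": kinds, "verdict": verdict}
```

A `no-saml-exchange` verdict matches what the reply reports seeing in the posted log; `looped-back-to-login` matches the symptom in the original question.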

Damian Miller

It appears that the RC forums truncated the message.  Sorry I didn't see that.  See this: https://pastebin.com/k0tyBM2Q

Tony Li, Official Rep

Hi Damian,

OK, we made some configuration change. Would you please try it again?

Thanks,
Tony

Damian Miller

Not sure what you did, but things are working now :) Thanks!!