Signing in to Chrome devices via SSO is broken
Signing in to Chrome devices via SSO (requires Google Apps with SAML SSO enabled, Chrome device management licenses, and a little setup) is broken under the default configuration. Signing into apps works fine, but doing the initial Chromebook login from the sign-in page via SSO fails with an error about the RelayState. After working with Google support on the issue I was able to get an example RelayState for Chrome device login and test with it. That showed that it was triggering the XSS protections, and after disabling those it worked, both in my test case and then on the Chrome device. The example RelayState I was given is below:
After URL-encoding that for actual use, the RelayState was:
https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3Dhttps%253A%252F%252Faccounts.google.com%252Fo%252Foauth2%252Fprogrammatic_auth%253Fhl%253Den%2526scope%253Dhttps%25253A%25252F%25252Fwww.google.com%25252Faccounts%25252FOAuthLogin%2526client_id%253D77185425430.apps.googleusercontent.com%2526access_type%253Doffline
That is the value I used when manually altering URLs for testing purposes, before the final verification by testing from an actual Chromebook.
I'm hoping there is a way to fix the XSS protection code to either not trigger on this or, if that would require significantly weakening it, to add an option to bypass it without disabling the rest of the XSS protection, so users who need it to work could choose that option. This particular deployment was for my internal use with only one Chromebook so far, but within the next few weeks I'm going to be rolling out a system using LemonLDAP to connect to Google Apps for Education and do Chrome device login for a small school with more than 30 Chromebooks, and I'd expect there are other schools for which this would be very useful.
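One way to accept this RelayState without disabling the XSS filter outright is to treat it as what it is, a nested redirect URL, and validate every hop against an allowlist. The following is an added example, not LemonLDAP code; the allowlist of `accounts.google.com` and the maximum nesting depth are assumptions, and the encoded value is the one quoted above.

```python
"""Allowlist validation for a SAML RelayState that is itself a URL.

Added example, not LemonLDAP::NG code. The Chrome device login RelayState
from the report is a nested accounts.google.com URL; rather than switching
off the XSS filter for it, decode the value and require the URL and every
URL carried in its "continue" parameter to use https on an allowlisted host.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Percent-encoded RelayState exactly as quoted in the report above.
ENCODED_RELAYSTATE = (
    "https%3A%2F%2Faccounts.google.com%2FCheckCookie%3Fcontinue%3D"
    "https%253A%252F%252Faccounts.google.com%252Fo%252Foauth2%252Fprogrammatic_auth%253Fhl%253Den"
    "%2526scope%253Dhttps%25253A%25252F%25252Fwww.google.com%25252Faccounts%25252FOAuthLogin"
    "%2526client_id%253D77185425430.apps.googleusercontent.com%2526access_type%253Doffline"
)

# Assumed policy: only Google's sign-in host may appear as a redirect target.
ALLOWED_HOSTS = {"accounts.google.com"}
MAX_NESTING = 4  # each nesting level is one more round of percent-encoding


def redirect_chain(url, depth=0):
    """Return the list of URLs reached by following "continue" parameters.

    parse_qs percent-decodes each level once, so the inner URL comes back
    with one layer of encoding removed. Raises ValueError when the chain is
    nested deeper than MAX_NESTING or a URL cannot be parsed.
    """
    if depth > MAX_NESTING:
        raise ValueError("RelayState nested too deeply")
    chain = [url]
    query = parse_qs(urlsplit(url).query)
    for inner in query.get("continue", []):
        chain.extend(redirect_chain(inner, depth + 1))
    return chain


def url_allowed(url):
    """True only for https URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def relaystate_allowed(encoded_relaystate):
    """Decode the RelayState once and check every redirect hop."""
    try:
        chain = redirect_chain(unquote(encoded_relaystate))
    except ValueError:
        return False
    return all(url_allowed(hop) for hop in chain)
```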