rqst: Google apps config/template files

Christopher Bongaarts cab at umn.edu
Thu Nov 15 11:03:08 EST 2012

On 11/15/2012 9:27 AM, Cantor, Scott wrote:
> On 11/15/12 10:11 AM, "C G" <ci_98yr at yahoo.com> wrote:
>> Getting the following in the logs after the user authenticates and is being
>> redirected back to the ACS of Google:
> You didn't turn off encryption for that SP. Google does not fully support
> the standard, and you can't use default behavior. You have to create a
> RelyingParty element for their entityID and put in the SAML 2.0 SSO
> profile element with non-default settings that turn off encryption of the
> NameID or Assertion.


     <RelyingParty id="googleTestDomains"
         <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                               encryptNameIds="never" />

We have our hand-built metadata for our Google Apps domains wrapped in
<EntitiesDescriptor id="googleTestDomains">; if you only have one domain 
you can skip that and drop the entityID in the <RelyingParty> instead.
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
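
An added example, not part of the original message: a small audit script that lists which relying parties in a Shibboleth IdP 2.x style `relying-party.xml` have SAML 2.0 SSO encryption turned off, so exceptions like the Google one stay deliberate and scoped. The namespace URI, the element layout and the sample configuration (including the `example.org` entity IDs) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

RP_NS = "urn:mace:shibboleth:2.0:relying-party"  # assumed IdP 2.x namespace
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
IDP = "https://idp.example.org/idp/shibboleth"   # constructed entityID

# Constructed sample, not a real deployment's relying-party.xml.
SAMPLE = f"""\
<RelyingPartyGroup xmlns="{RP_NS}"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DefaultRelyingParty provider="{IDP}">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
  </DefaultRelyingParty>
  <RelyingParty id="googleTestDomains" provider="{IDP}">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptNameIds="never" />
  </RelyingParty>
  <RelyingParty id="https://sp.example.org/shibboleth" provider="{IDP}">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="always" />
  </RelyingParty>
</RelyingPartyGroup>
"""

def sso_encryption_settings(xml_text):
    """Return {relying party id: {attribute: value}} for each SAML 2.0 SSO profile."""
    report = {}
    for rp in ET.fromstring(xml_text):
        tag = rp.tag.split("}")[-1]
        if tag not in ("RelyingParty", "DefaultRelyingParty", "AnonymousRelyingParty"):
            continue
        name = rp.get("id", tag)  # the default/anonymous entries carry no id
        for pc in rp.findall(f"{{{RP_NS}}}ProfileConfiguration"):
            # xsi:type is a QName; compare only its local part.
            if pc.get(XSI_TYPE, "").split(":")[-1] != "SAML2SSOProfile":
                continue
            # "(default)" means the attribute is not set in this override.
            report[name] = {a: pc.get(a, "(default)")
                            for a in ("encryptAssertions", "encryptNameIds")}
    return report

def encryption_exceptions(xml_text):
    """Ids of relying parties whose override sets an encryption attribute to 'never'."""
    return sorted(name for name, s in sso_encryption_settings(xml_text).items()
                  if "never" in s.values())

if __name__ == "__main__":
    for name, settings in sso_encryption_settings(SAMPLE).items():
        print(name, settings)
    print("encryption disabled for:", encryption_exceptions(SAMPLE))
```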
