rqst: Google apps config/template files
Christopher Bongaarts
cab at umn.edu
Thu Nov 15 11:03:08 EST 2012
On 11/15/2012 9:27 AM, Cantor, Scott wrote:
> On 11/15/12 10:11 AM, "C G" <ci_98yr at yahoo.com> wrote:
>>
>> Getting the following in the logs after the user authenticates and is
>> redirected back to the ACS of Google:
>
> You didn't turn off encryption for that SP. Google does not fully support
> the standard, and you can't use default behavior. You have to create a
> RelyingParty element for their entityID and put in the SAML 2.0 SSO
> profile element with non-default settings that turn off encryption of the
> NameID or Assertion.
e.g.
<RelyingParty id="googleTestDomains"
              provider="https://idp-test.shib.umn.edu/idp/shibboleth"
              defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                          encryptAssertions="never"
                          encryptNameIds="never" />
</RelyingParty>
We have our hand-built metadata for our Google Apps domains wrapped in
<EntitiesDescriptor id="googleTestDomains">; if you only have one domain
you can skip that and drop the entityID in the <RelyingParty> instead.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
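Added example, not part of the original message or of Shibboleth's own tooling: a small audit that parses a relying-party configuration and reports any SAML2SSOProfile with encryptAssertions="never" outside an allow-list, so the Google exemption stays scoped to that one RelyingParty. The sample file, the idp.example.org provider URL, the namespace URIs and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample, not a real deployment: a default entry plus the Google
# override from the message above. Namespace URIs are assumed; the matching
# below uses local element names only, so other URIs work as well.
SAMPLE = """\
<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="conditional" encryptNameIds="never" />
  </DefaultRelyingParty>
  <RelyingParty id="googleTestDomains"
      provider="https://idp.example.org/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never" />
  </RelyingParty>
</RelyingPartyGroup>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def unencrypted_sso(xml_text, allowed_ids):
    """Return (scope, finding) pairs for SAML2SSOProfile configurations that
    set encryptAssertions="never" outside the allowed RelyingParty ids."""
    findings = []
    for rp in ET.fromstring(xml_text):
        kind = local(rp.tag)
        if kind not in ("RelyingParty", "DefaultRelyingParty"):
            continue
        # DefaultRelyingParty has no id, so it is reported under its tag name.
        scope = rp.get("id", kind)
        for pc in rp:
            if local(pc.tag) != "ProfileConfiguration":
                continue
            if pc.get(XSI_TYPE, "").split(":")[-1] != "SAML2SSOProfile":
                continue
            if pc.get("encryptAssertions") == "never" and scope not in allowed_ids:
                findings.append((scope, "assertions never encrypted"))
    return findings
```

Only encryptAssertions is checked; encryptNameIds can be added to the same condition if your policy requires encrypted NameIDs elsewhere.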