Google Apps with IdP v3 not working

Dave Perry Dave.Perry at
Thu Aug 27 09:19:53 EDT 2015

I dropped Dave's config into the files he said, and I now get this error (with successful login to AD):
ERROR - Access Denied
You are not eligible for the service requested.

It looks like my g_principal attribute is populated, and the attribute filter knows to release it to

>From idp-process.log:
2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:168] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2'  Filtering values for attribute 'g_principal' which currently contains 1 values
2015-08-27 14:06:18,847 - DEBUG [net.shibboleth.idp.attribute.filter.AttributeRule:177] - Attribute filtering engine '/AttributeFilterPolicyGroup:ShibbolethFilterPolicy/AttributeRule:_6c47673fb51640537340245b5b78e9e2'  Filter has permitted the release of 1 values for attribute 'g_principal'
2015-08-27 14:06:18,850 - DEBUG [net.shibboleth.idp.attribute.filter.impl.AttributeFilterImpl:167] - Attribute filtering engine 'ShibbolethAttributeFilter': 1 values for attribute 'g_principal' remained after filtering
2015-08-27 14:06:18,854 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.PopulateProfileInterceptorContext:126] - Profile Action PopulateProfileInterceptorContext: Installing flow intercept/context-check into interceptor context
2015-08-27 14:06:18,857 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.FilterFlowsByNonBrowserSupport:52] - Profile Action FilterFlowsByNonBrowserSupport: Request does not have non-browser requirement, nothing to do
2015-08-27 14:06:18,858 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:101] - Profile Action SelectProfileInterceptorFlow: Checking flow intercept/context-check for applicability...
2015-08-27 14:06:18,859 - DEBUG [net.shibboleth.idp.profile.interceptor.impl.SelectProfileInterceptorFlow:84] - Profile Action SelectProfileInterceptorFlow: Selecting flow intercept/context-check
2015-08-27 14:06:18,997 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:181] - Error event ContextCheckDenied will be handled locally
2015-08-27 14:06:19,019 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:206] - Profile Action PopulateAuditContext: Adding 1 value(s) for field 'attr'
2015-08-27 14:06:19,020 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:220] - Profile Action PopulateAuditContext: Adding 1 value for field 'u'
2015-08-27 14:06:19,021 - DEBUG [net.shibboleth.idp.profile.audit.impl.PopulateAuditContext:198] - Profile Action PopulateAuditContext: Skipping field 's' not included in audit format
2015-08-27 14:06:19,024 - INFO [Shibboleth-Audit.SSO:241] - 20150827T130619Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|gmdapadbcmamchajhbpkcjjamgiehnlhaekpemif||||||70012521||g_principal||

And idp-audit:

Any ideas welcome.

Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at *

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of David Langenberg
Sent: 26 August 2015 16:38
To: Shib Users
Subject: Re: Google Apps with IdP v3 not working

> On Aug 26, 2015, at 9:30 AM, Cantor, Scott <cantor.2 at> wrote:
> On 8/26/15, 11:19 AM, "users on behalf of David Langenberg" <users-bounces at on behalf of davel at> wrote:
>> No
>> Dave
>>> On Aug 26, 2015, at 9:02 AM, Dave Perry <Dave.Perry at> wrote:
>>> That's brilliant, thanks Dave!
>>> Did you make any changes to
> He did omit one extra piece, releasing the attribute used to source the NameID in the filter policy. That will (optionally) go away in a future release.

Thanks Scott, you're right, I forgot the filter.  We are releasing principal to Google.


David Langenberg
Identity & Access Management Architect
The University of Chicago

To unsubscribe from this list send an email to users-unsubscribe at

This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.


More information about the users mailing list