Google Apps with IdP v3 not working

David Langenberg davel at uchicago.edu
Fri Aug 28 14:26:34 EDT 2015


> On Aug 28, 2015, at 11:58 AM, Tom Poage <tfpoage at ucdavis.edu> wrote:
> 
> On 08/26/2015 07:57 AM, David Langenberg wrote:
>> Here's our setup for Google & service-now:
>> 
>> relying-party.xml
>> 
>> <bean id="r31" parent="RelyingPartyByName"
>>                    c:relyingPartyIds="#{{'google.com',
>>                                  'uchicago.maps.arcgis.com',
> [longish list]
>>            <property name="profileConfigurations">
>>                <list>
>>                    <bean id="b31" parent="SAML2.SSO"
>>                            p:postAuthenticationFlows="context-check"
>>                            p:encryptAssertions="false"
> ...
> 
> Our experience is that most relying parties (Google, ServiceNow, ...)
> who do/will not support encryption need metadata local to the IdP.
> 
> In V2 we set these apart in a named <EntitiesDescriptor> metadata group,
> with a corresponding <RelyingParty> entry with encryptAssertions="never"
> for the SAML2SSOProfile.
> 
> Given the direction metadata aggregates seem to be headed (cf.
> per-entity), is the metadata group supported in V3? Recommended?
> 
> Alternatively, IIRC relying-party.xml in V2 is by default not
> auto-reloaded, so any change in V2 to add a new profile configuration by
> named relying party requires container restart. Does V3 auto-reload
> relying-party.xml by default now, where adding an entity to the 'longish
> list' above gets picked up without a restart?

You can reload it.  In our environment, we don't reload it, rather, we've dockerized our IdPs and bake the configuration into the docker images.  Makes for EXTREMELY easy rollback of any changes that have unintended consequences.

Dave

--
David Langenberg
Identity & Access Management Architect
The University of Chicago
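For reference, here is what a complete V3 override of this kind looks like, written out as an added example rather than taken from Dave's or Tom's configuration; the entityIDs, the bean ids and the reload settings in the comments are assumptions and need to be checked against your own deployment.

```xml
<!-- conf/relying-party.xml (IdP v3): keep encryption on by default and
     switch it off only for the named SPs that cannot decrypt assertions.
     Added example; the entityIDs below are placeholders, not a real list. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- One override bean for every SP that does not support encryption.
         Matching is by entityID, so the list must be exact. -->
    <bean id="NoEncryptionSPs" parent="RelyingPartyByName"
          c:relyingPartyIds="#{{'google.com',
                                'https://example-sp.example.edu/saml'}}">
        <property name="profileConfigurations">
            <list>
                <!-- Signing stays on; only assertion encryption is off.
                     postAuthenticationFlows is optional and only needed if
                     you run an interceptor such as context-check. -->
                <bean parent="SAML2.SSO"
                      p:encryptAssertions="false"
                      p:postAuthenticationFlows="context-check" />
            </list>
        </property>
    </bean>

</util:list>

<!-- Picking the change up without a container restart. In V3 this file is
     owned by the RelyingPartyResolverService; its reload behaviour is set in
     conf/services.properties (assumed values shown, adjust to taste):

       idp.service.relyingparty.checkInterval = PT15M

     A checkInterval of PT0S disables polling, in which case a manual reload
     is needed:

       $IDP_HOME/bin/reload-service.sh -id shibboleth.RelyingPartyResolverService

     Whether you poll, reload by hand or rebuild an image as Dave does, it is
     worth verifying afterwards that the override list still contains only the
     entities you intended to exempt from encryption. -->
```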
