Trying to get Shibboleth and google apps working

Leonard Kroll Leonard.Kroll at umb.edu
Thu May 7 11:36:44 EDT 2015


Hi all, I hope someone can point me in the right direction.
Google apps support gave me some code to modify and use.
(See below.) But it does not make sense to me.
Any help is greatly appreciated :)



Ref: This was previously defined under https://developers.google.com/google-apps/sso/saml_reference_implementation_web, but that document is out of date.

Samples

- Sample request<https://docs.google.com/a/google.com/document/d/1RfRnkJIutVhfqKEEKVKyst-S3gbY-kjrUhSFbHEj1Xw/edit?usp=sharing>

- Sample response<https://docs.google.com/a/google.com/document/d/1I7oTeUBIEWXlJrNvdYv3KtHs3jedVLrZNe9cXEh80Q8/edit?usp=sharing>

Request

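<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 AuthnRequest: the message the service provider sends to the IdP to
  start SSO. [[NAME]] tokens are placeholders filled in at runtime, not literal
  values (the email rendering had attached a Google Docs link to each token; the
  links are listed here instead so the document itself stays well-formed XML).
  Placeholder definitions, as bookmarks in
  https://docs.google.com/document/d/1d4SrOSSh3SuL9bHnf3YrkRXSKya9zQ5OrtjvsTKX9nU/edit?pli=1
    REQUEST_ID             #bookmark=kix.s5k75rwks290
    REQUEST_ISSUE_INSTANT  #bookmark=kix.69txibm93ms8
    PROVIDER_NAME          #bookmark=kix.bitb2ksowmm4
    ACS_URL                #bookmark=kix.9df19zbe03je
    REQUEST_ISSUER         #bookmark=kix.bikozsex68sm
-->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="[[REQUEST_ID]]"
                    Version="2.0"
                    IssueInstant="[[REQUEST_ISSUE_INSTANT]]"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    ProviderName="[[PROVIDER_NAME]]"
                    IsPassive="false"
                    AssertionConsumerServiceURL="[[ACS_URL]]">
  <!-- NOTE(review): this request names its own AssertionConsumerServiceURL and
       carries no ds:Signature. An IdP should honour that URL only when it matches
       an endpoint registered for this SP in metadata; otherwise anyone able to
       craft a request could have the signed assertion posted to a URL of their
       choosing. -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[[REQUEST_ISSUER]]</saml:Issuer>
  <!-- Asks for the SAML 1.1 "unspecified" NameID format, while the Response
       template in this same message answers with the SAML 2.0 "email" format.
       Worth confirming against what the SP really accepts before configuring
       the IdP's NameID generation. -->
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>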

Response

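<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 Response the IdP posts back to the SP's ACS_URL. The Response and the
  Assertion inside it each carry an enveloped XML signature. [[NAME]] tokens are
  placeholders the IdP fills in (the email rendering had attached a Google Docs
  link to each token; the links are listed here instead so the document stays
  well-formed XML).
  Placeholder definitions, as bookmarks in
  https://docs.google.com/document/d/1d4SrOSSh3SuL9bHnf3YrkRXSKya9zQ5OrtjvsTKX9nU/edit?pli=1
    RESPONSE_ID                #bookmark=kix.mpuo0x6fbw4c
    RESPONSE_ISSUE_INSTANT     #bookmark=kix.tx3haro3sdz
    ACS_URL                    #bookmark=kix.9df19zbe03je
    REQUEST_ID                 #bookmark=kix.s5k75rwks290
    RESPONSE_ISSUER            #bookmark=kix.8jrvkb4lcesn
    SIGNATURE_METHOD           #bookmark=kix.y2xsrk57dr1e
    DIGEST_METHOD              #bookmark=kix.rm1ptuupsu72
    RESPONSE_DIGEST_VALUE      #bookmark=kix.gbxtod1pht6x
    RESPONSE_SIGNATURE_VALUE   #bookmark=kix.ikbn5qe7csuj
    X_509_CERTIFICATE          #bookmark=kix.bjqnkgglbanq
    ASSERTION_ID               #bookmark=kix.s985r0m0ghvq
    ASSERTION_ISSUE_INSTANT    #bookmark=kix.ck2z4g5l3jvv
    ASSERTION_DIGEST_VALUE     #bookmark=kix.qfxrh42edlse
    ASSERTION_SIGNATURE_VALUE  #bookmark=kix.qusgjcdxi551
    PROVIDER_NAME              #bookmark=kix.bitb2ksowmm4
    USERNAME_STRING            #bookmark=kix.wy613q2o2r9h
    NOT_ON_OR_AFTER            #bookmark=kix.re9veb9qrvvh
    NOT_BEFORE                 #bookmark=kix.o1kflw9r89hf
    AUDIENCE                   #bookmark=kix.4wp2ljuh2pph
    AUTHN_INSTANT              #bookmark=kix.em6y6nffdaa3
    SESSION_INDEX              #bookmark=kix.mwbjfj747qb3
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="[[RESPONSE_ID]]"
                Version="2.0"
                IssueInstant="[[RESPONSE_ISSUE_INSTANT]]"
                Destination="[[ACS_URL]]"
                InResponseTo="[[REQUEST_ID]]">
  <!-- Destination must equal the ACS endpoint the message is posted to, and
       InResponseTo must equal the ID of the AuthnRequest being answered. Together
       with the validity window further down these are what let the SP reject a
       Response captured from one exchange and replayed into another. -->
  <saml:Issuer>[[RESPONSE_ISSUER]]</saml:Issuer>
  <!-- Enveloped signature over the whole Response (Reference URI "#[[RESPONSE_ID]]").
       NOTE(review): both algorithm URIs are formed by appending a suffix to the
       2000/09 xmldsig namespace, which is where the SHA-1 identifiers (rsa-sha1,
       sha1) live; rsa-sha256 and sha256 are defined under other namespaces
       (xmldsig-more#, xmlenc#). Treat SIGNATURE_METHOD and DIGEST_METHOD as a hint
       about the accepted algorithm family and confirm what the SP actually
       validates rather than defaulting to SHA-1 in a new deployment. -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#[[SIGNATURE_METHOD]]" />
      <ds:Reference URI="#[[RESPONSE_ID]]">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#[[DIGEST_METHOD]]" />
        <ds:DigestValue>[[RESPONSE_DIGEST_VALUE]]</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>[[RESPONSE_SIGNATURE_VALUE]]</ds:SignatureValue>
    <!-- The embedded certificate is only a hint about which key was used. A
         verifier must check the signature against the IdP certificate it already
         trusts (from metadata or configuration), never against a certificate
         taken from the message itself. -->
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[[X_509_CERTIFICATE]]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <!-- xs and xsi are declared here but no prefixed name in this template uses them. -->
  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  ID="[[ASSERTION_ID]]"
                  Version="2.0"
                  IssueInstant="[[ASSERTION_ISSUE_INSTANT]]">
    <saml:Issuer>[[RESPONSE_ISSUER]]</saml:Issuer>
    <!-- Second enveloped signature, this one over the Assertion alone
         (Reference URI "#[[ASSERTION_ID]]"), using the same algorithm placeholders
         and the same certificate as the outer signature. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#[[SIGNATURE_METHOD]]" />
        <ds:Reference URI="#[[ASSERTION_ID]]">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#[[DIGEST_METHOD]]" />
          <ds:DigestValue>[[ASSERTION_DIGEST_VALUE]]</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>[[ASSERTION_SIGNATURE_VALUE]]</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[[X_509_CERTIFICATE]]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <!-- NameID uses the SAML 2.0 "email" format even though the AuthnRequest
           asked for the SAML 1.1 "unspecified" format. USERNAME_STRING is
           presumably the account the SP signs in, so it must come from the
           identity the IdP authenticated, never from anything supplied in the
           request. -->
      <saml:NameID SPNameQualifier="[[PROVIDER_NAME]]"
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">[[USERNAME_STRING]]</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer confirmation: whoever presents this assertion at Recipient
             before NotOnOrAfter is accepted as the subject, so NOT_ON_OR_AFTER
             should be a short window. Recipient and InResponseTo repeat the
             values on the Response so the assertion stays bound to this exchange
             even if it is separated from its Response. -->
        <saml:SubjectConfirmationData NotOnOrAfter="[[NOT_ON_OR_AFTER]]"
                                      Recipient="[[ACS_URL]]"
                                      InResponseTo="[[REQUEST_ID]]" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Validity window plus audience restriction. AUDIENCE is expected to be the
         SP's entity ID; an SP should refuse an assertion whose Audience names
         someone else, which stops an assertion issued for one relying party being
         presented to another. -->
    <saml:Conditions NotBefore="[[NOT_BEFORE]]" NotOnOrAfter="[[NOT_ON_OR_AFTER]]">
      <saml:AudienceRestriction>
        <saml:Audience>[[AUDIENCE]]</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <!-- SessionNotOnOrAfter reuses NOT_ON_OR_AFTER, so the SP session is capped
         at the assertion's own validity. AuthnContextClassRef is fixed to
         Password: the template makes no claim about any stronger authentication
         method. -->
    <saml:AuthnStatement AuthnInstant="[[AUTHN_INSTANT]]"
                         SessionNotOnOrAfter="[[NOT_ON_OR_AFTER]]"
                         SessionIndex="[[SESSION_INDEX]]">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>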


Leonard Kroll
UNIX / GIS Administrator
Univ. Massachusetts Boston
Leonard(dot)Kroll(at)umb.edu
Phone: 617-287-5048
fax:      617-287-5224

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 47141 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20150507/5d6ee41b/attachment-0001.bin>

