Google Apps + v3 Idp (again)

Dave Perry Dave.Perry at hull-college.ac.uk
Wed Apr 13 06:22:11 EDT 2016


I am utterly confused (nothing new there, but I'll attempt to explain this one).

I have a relying-party entry which I believe others have used:
<bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:encryptAssertions="false" />
        </list>
    </property>
</bean>

I have a request from google in my log which asks for NameID as unspecified:
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
    ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
    IssueInstant="2016-04-13T09:39:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

And Google's own metadata download (taken from the GA admin control panel) has a weird entityID of https://accounts.google.com/o/saml2?idpid=C04au2c47, and specifies emailAddress as the NameID policy (somewhat contradictory to the request the IdP gets):
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

My error log says there is no entry to handle entityID google.com in relying-party:
2016-04-13 10:39:52,256 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: google.com

Even editing the metadata file they provide, so that its first line reads:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">
doesn't work.

Any suggestions appreciated.


Thanks,
Dav

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk *


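The post compares three things by eye: the Issuer in the AuthnRequest, the entityID in the SP metadata, and the NameID formats in the request, the metadata and the relying-party override. The script below, an added example that is not code from the post or from the Shibboleth project, makes those comparisons mechanically over the request and metadata fragments quoted above. The AuthnRequest is the one quoted in the post; the SP metadata is a constructed minimal descriptor that reuses the entityID and NameIDFormat the post quotes, and its AssertionConsumerService element is an assumption, since the post does not show that part of Google's file. The NameID rule applied is the one from SAML Core 2.0 section 3.4.1.1 (an omitted or `unspecified` Format leaves the choice to the IdP, any other value pins it); how a particular IdP orders its own precedence list against the SP's metadata is simplified here.

```python
"""Cross-check a captured SAML AuthnRequest against SP metadata and the IdP's
NameID format precedence. Added example, not code from the post or from
Shibboleth; the sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the AuthnRequest quoted in the post.
AUTHN_REQUEST = """<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
    ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
    IssueInstant="2016-04-13T09:39:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""

# Constructed sample: minimal SP descriptor using the entityID and NameIDFormat the
# post quotes from Google's metadata. The AssertionConsumerService element is an
# assumption; the post does not show that part of the file.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C04au2c47">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/hull-college.ac.uk/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The format the post's relying-party override lists in p:nameIDFormatPrecedence.
IDP_PRECEDENCE = [EMAIL]


def parse_request(xml_text):
    """Pull the fields an IdP uses to route and answer an AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


def parse_metadata(xml_text):
    """Pull entityID, advertised NameID formats and ACS endpoints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "acs": {(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)},
    }


def check(req, md, idp_precedence):
    """Return a list of findings; empty means request, metadata and IdP config agree."""
    findings = []
    # 1. Metadata lookup (and a RelyingPartyByName override) is keyed on the Issuer,
    #    so it must equal the entityID of the EntityDescriptor the IdP has loaded.
    if req["issuer"] != md["entity_id"]:
        findings.append(
            f"issuer/entityID mismatch: request Issuer {req['issuer']!r} is not metadata "
            f"entityID {md['entity_id']!r}, so a lookup by Issuer finds no EntityDescriptor")
    # 2. The ACS URL in an unsigned request is attacker-influenced; only accept
    #    binding/location pairs the metadata lists.
    if (req["binding"], req["acs"]) not in md["acs"]:
        findings.append(f"ACS not in metadata: {req['binding']} {req['acs']}")
    # 3. SAML Core 3.4.1.1: omitted/unspecified Format leaves the choice to the IdP
    #    (here: its precedence list); any other value pins the format.
    wanted = req["nameid_format"]
    candidates = idp_precedence if wanted in (None, UNSPECIFIED) else [wanted]
    usable = [f for f in candidates if not md["nameid_formats"] or f in md["nameid_formats"]]
    if not usable:
        findings.append(
            f"no usable NameID format: request wants {wanted!r}, IdP precedence "
            f"{idp_precedence}, metadata advertises {md['nameid_formats']}")
    return findings


if __name__ == "__main__":
    for finding in check(parse_request(AUTHN_REQUEST), parse_metadata(SP_METADATA), IDP_PRECEDENCE):
        print("FINDING:", finding)
```

Run against the post's own fragments it reports exactly one finding, the Issuer/entityID mismatch, and nothing about the NameID formats: an `unspecified` request does not conflict with an `emailAddress` precedence, it defers to it. The ACS check is the one to keep around after the immediate problem is solved, since a response posted to an ACS URL that is not in the SP's metadata is the classic way an assertion ends up in the wrong hands.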