Re: Google Apps + v3 Idp (again)

Dan Oachs doachs at gac.edu
Wed Apr 13 09:06:47 EDT 2016


We recently got idp 3 working for our Google Apps accounts.  Here is 
what I know:

Added this to relying-party.xml in the shibboleth.RelyingPartyOverrides 
section.

    <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
                      p:encryptAssertions="false" />
            </list>
        </property>
    </bean>


Added this to metadata-providers.xml

    <MetadataProvider id="GoogleMD"
                      xsi:type="FilesystemMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata"
                      metadataFile="%{idp.home}/metadata/google-metadata.xml"/>

Added this to the saml-nameid.xml file in the 
shibboleth.SAML2NameIDGenerators section

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'principal','uid'} }" />

Hopefully I remembered all the steps but I may have missed something.  
Hope that helps anyway.

     Thanks,
         Dan Oachs
         Gustavus Adolphus College
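An added check (my own code, not from the thread or the Shibboleth project) that models the two failure points visible in Dave's log from the IdP's own inputs: it parses the logged AuthnRequest and the SP metadata, compares the Issuer with the entityIDs the metadata provider loaded, and works out which NameID format the IdP would try to issue given the profile's nameIDFormatPrecedence and the configured generators. The sample request and metadata are constructed from what the thread quotes, and the selection logic is a simplified assumption about IdP v3 behaviour, not its actual code.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
def parse_authn_request(xml_text):
    """Pull the Issuer and the NameIDPolicy Format out of a logged AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {"issuer": issuer.text.strip() if issuer is not None else None,
            "format": policy.get("Format") if policy is not None else None}

def check(request_xml, metadata_docs, relying_party_ids, precedence, generator_formats):
    """Simplified model (an assumption, not the IdP's code) of the IdP v3 decision path.
    The Issuer must be an entityID in the loaded metadata and in an override;
    an absent or 'unspecified' NameIDPolicy hands format selection to the
    profile's nameIDFormatPrecedence, any other Format must have a generator."""
    req = parse_authn_request(request_xml)
    known = {ET.fromstring(doc).get("entityID") for doc in metadata_docs}
    findings = []
    if req["issuer"] not in known:
        findings.append("metadata has no EntityDescriptor with entityID %r (loaded: %s)"
                        % (req["issuer"], sorted(known)))
    if req["issuer"] not in relying_party_ids:
        findings.append("no RelyingPartyByName override for %r" % req["issuer"])
    wanted = precedence if req["format"] in (None, UNSPECIFIED) else [req["format"]]
    missing = [f for f in wanted if f not in generator_formats]
    if missing:
        findings.append("no NameID generator configured for " + ", ".join(missing))
    return findings

# Constructed sample input, modelled on the request and metadata quoted in the thread.
GOOGLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed" Version="2.0" IssueInstant="2016-04-13T09:39:51Z" ProviderName="google.com">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="%s"/>
</samlp:AuthnRequest>""" % UNSPECIFIED
ADMIN_PANEL_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://accounts.google.com/o/saml2?idpid=C04au2c47">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>%s</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % EMAIL
if __name__ == "__main__":  # as posted: override present, precedence emailAddress, default generators
    for f in check(GOOGLE_REQUEST, [ADMIN_PANEL_METADATA], {"google.com"}, [EMAIL], {TRANSIENT}):
        print("FINDING:", f)
```

Run against the as-posted setup it reports both the entityID mismatch behind the "Metadata backing store does not contain any EntityDescriptors" debug line and the missing emailAddress generator; with the metadata entityID changed to google.com and a generator matching the precedence list it reports nothing.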



On 04/13/2016 05:22 AM, Dave Perry wrote:
>
> I am utterly confused (nothing new there, but I’ll attempt to explain 
> this one).
>
> I have a relying-party entry which I believe others have used:
>
> <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO"
>                   p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>                   p:encryptAssertions="false" />
>         </list>
>     </property>
> </bean>
>
> I have a request from google in my log which asks for NameID as 
> unspecified:
>
> <samlp:AuthnRequest
>     AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
>     ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
>     IssueInstant="2016-04-13T09:39:51Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     ProviderName="google.com" Version="2.0"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
>     <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
> </samlp:AuthnRequest>
>
> And Google's own metadata download (taken from the GA admin control 
> panel), which has a weird entityID of 
> https://accounts.google.com/o/saml2?idpid=C04au2c47, specifies 
> emailAddress as the NameID policy (somewhat contradictory to the 
> request the IdP gets):
>
> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>
> My error log says there is no entry to handle entityID google.com in 
> relying-party:
>
> 2016-04-13 10:39:52,256 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334]
> - Metadata backing store does not contain any EntityDescriptors with the ID: google.com
>
> Even editing the metadata file they provide, to the following first line:
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>                      entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">
>
> Doesn’t work.
>
> Any suggestions appreciated.
>
> Thanks,
>
> Dav
>
> _________________________________________________
>
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
