Google Apps + v3 Idp (again)

Cantor, Scott cantor.2 at
Wed Apr 13 09:33:37 EDT 2016

On 4/13/16, 6:22 AM, "users on behalf of Dave Perry" <users-bounces at on behalf of Dave.Perry at> wrote:

>I have a request from google in my log which asks for NameID as unspecified:

The IdP ignores that, as we documented, at length. It doesn't matter that it asks for that, and I believe it's been proven by at least one person that Google *doesn't* require any given Format at all, so using "unspecified" would be a mistake.

>And google’s own metadata download (taken from the GA admin control panel) which has a weird entityID of

I don't believe that's the relevant metadata. Pretty sure the entityID is (also invalid, but whatever, it is what it is).

>Even editing the metadata file they provide, to the following first line:
><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="" validUntil="2021-04-12T08:53:16.000Z">
>Doesn’t work.

Given that they don't support encryption, the metadata is simple: use their entityID and insert an AssertionConsumerService that matches the binding and URL they sent you in the AuthnRequest. No KeyDescriptor. That should be it.

-- Scott
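
The metadata described in the reply above, built from the values in a logged AuthnRequest, as an added example (not from the original thread or the Shibboleth project). The sample request, its `sp.example.org` entityID and ACS URL are constructed placeholders, and `metadata_from_authn_request` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample AuthnRequest; the entityID and URL are placeholders.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2016-04-13T10:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.org/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sp.example.org</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def metadata_from_authn_request(xml_text):
    """Build minimal SP metadata from the values in a logged AuthnRequest."""
    # A SAML message never carries a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not expected in a SAML message")
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    acs_url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if not (issuer and issuer.strip() and acs_url and binding):
        raise ValueError("request lacks Issuer, ACS URL or ProtocolBinding")

    ET.register_namespace("md", MD)
    # entityID is taken verbatim from the Issuer the SP actually sends.
    entity = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": issuer.strip()})
    sp = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAMLP})
    # No md:KeyDescriptor: nothing is encrypted to this SP.
    # The NameIDPolicy in the request is deliberately not copied into metadata.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": binding, "Location": acs_url, "index": "0"})
    return ET.tostring(entity, encoding="unicode")


if __name__ == "__main__":
    print(metadata_from_authn_request(SAMPLE_AUTHN_REQUEST))
```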
