Google Apps + v3 Idp (again)

Cantor, Scott cantor.2 at osu.edu
Wed Apr 13 09:33:37 EDT 2016


On 4/13/16, 6:22 AM, "users on behalf of Dave Perry" <users-bounces at shibboleth.net on behalf of Dave.Perry at hull-college.ac.uk> wrote:
>I have a request from google in my log which asks for NameID as unspecified:

The IdP ignores that, as we documented, at length. It doesn't matter that it asks for that, and I believe it's been proven by at least one person that Google *doesn't* require any given Format at all, so using "unspecified" would be a mistake.

>And google’s own metadata download (taken from the GA admin control panel) which has a weird entityID of
>https://accounts.google.com/o/saml2?idpid=C04au2c47

I don't believe that's the relevant metadata. Pretty sure the entityID is google.com (also invalid, but whatever, it is what it is).

>Even editing the metadata file they provide, to the following first line:
><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">
>Doesn’t work.

Given that they don't support encryption, the metadata is simple: use their entityID and insert an AssertionConsumerService that matches the binding and URL they sent you in the AuthnRequest. No KeyDescriptor. That should be it.

-- Scott
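An added worked example of the metadata Scott describes, not code from the thread or the Shibboleth project: it reads the Issuer, ProtocolBinding and AssertionConsumerServiceURL out of the AuthnRequest Google sends and emits a minimal EntityDescriptor with that entityID and a single AssertionConsumerService, no KeyDescriptor and no NameIDFormat (the "unspecified" NameIDPolicy is deliberately not carried over). The sample AuthnRequest is constructed and its ACS URL is a placeholder, not Google's real endpoint.

```python
# Added example: derive minimal SP metadata for Google Apps from its AuthnRequest.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)

# Constructed sample request; the ACS URL below is a placeholder, not Google's.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id" Version="2.0" IssueInstant="2016-04-13T10:22:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://ACS-URL-PLACEHOLDER.example/acs">
  <saml:Issuer>google.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Pull the three values the metadata needs: issuer (entityID), binding, ACS URL."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    binding = root.get("ProtocolBinding")
    acs_url = root.get("AssertionConsumerServiceURL")
    if issuer is None or not issuer.text or not binding or not acs_url:
        raise ValueError("AuthnRequest lacks Issuer, ProtocolBinding or ACS URL")
    # NameIDPolicy/@Format is read here only to show it is *not* used below.
    return {"entity_id": issuer.text.strip(), "binding": binding, "acs_url": acs_url}


def build_sp_metadata(req):
    """Minimal EntityDescriptor: entityID + one ACS, no KeyDescriptor, no NameIDFormat."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=req["entity_id"])
    sso = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                        protocolSupportEnumeration=SAMLP)
    ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService",
                  Binding=req["binding"], Location=req["acs_url"], index="0")
    return ET.tostring(ed, encoding="unicode")


def metadata_for_google(xml_text=SAMPLE_AUTHN_REQUEST):
    return build_sp_metadata(parse_authn_request(xml_text))


if __name__ == "__main__":
    print(metadata_for_google())
```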
