{Disarmed} Re: Google Apps + v3 Idp (again)

Dan Oachs doachs at gac.edu
Wed Apr 13 09:50:20 EDT 2016


I forget exactly where in the Google Apps Admin pages we found a link to 
the metadata file, but this is what ours looks like.

<EntityDescriptor entityID="google.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/gustavus.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>


     Thanks,
         Dan Oachs
         Gustavus Adolphus College



On 04/13/2016 08:45 AM, Dave Perry wrote:
>
> Thanks Dan. What was your metadata file? Scott’s reply suggests their 
> one is overly complicated with things that may as well not be there.
>
> Dave
>
> _________________________________________________
>
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
>
> ** Need a fast reply? Try elearning at hull-college.ac.uk 
> <mailto:elearning at hull-college.ac.uk> **
>
> *From:*users [mailto:users-bounces at shibboleth.net] *On Behalf Of *Dan 
> Oachs
> *Sent:* 13 April 2016 14:07
> *To:* users at shibboleth.net
> *Subject:* {Disarmed} Re: Google Apps + v3 Idp (again)
>
> We recently got idp 3 working for our Google Apps accounts. Here is 
> what I know:
>
> Added this to relying-party.xml in the 
> shibboleth.RelyingPartyOverrides section.
>
>         <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
>             <property name="profileConfigurations">
>                 <list>
>                     <bean parent="SAML2.SSO" 
> p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" 
> p:encryptAssertions="false" />
>                 </list>
>             </property>
>         </bean>
>
>
> Added this to metadata-providers.xml
>
>     <MetadataProvider id="GoogleMD"
>                   xsi:type="FilesystemMetadataProvider"
>                   xmlns="urn:mace:shibboleth:2.0:metadata"
> metadataFile="%{idp.home}/metadata/google-metadata.xml"/>
>
> Added this to the saml-nameid.xml file in the 
> shibboleth.SAML2NameIDGenerators section
>
>         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>             p:attributeSourceIds="#{ {'principal','uid'} }" />
>
> Hopefully I remembered all the steps but I may have missed something.  
> Hope that helps anyway.
>
>     Thanks,
>         Dan Oachs
>         Gustavus Adolphus College
>
>
> On 04/13/2016 05:22 AM, Dave Perry wrote:
>
>     I am utterly confused (nothing new there, but I’ll attempt to
>     explain this one).
>
>     I have a relying-party entry which I believe others have used:
>
>     <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
>         <property name="profileConfigurations">
>             <list>
>                 <bean parent="SAML2.SSO"
>                     p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>                     p:encryptAssertions="false" />
>             </list>
>         </property>
>     </bean>
>
>     I have a request from google in my log which asks for NameID as
>     unspecified:
>
>     <samlp:AuthnRequest
>         AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
>         ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
>         IssueInstant="2016-04-13T09:39:51Z"
>         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         ProviderName="google.com" Version="2.0"
>         xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>         <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
>         <samlp:NameIDPolicy AllowCreate="true"
>             Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
>     </samlp:AuthnRequest>
>
>     And Google's own metadata download (taken from the GA admin
>     control panel), which has a weird entityID of
>     https://accounts.google.com/o/saml2?idpid=C04au2c47, specifies
>     emailAddress as the NameID policy (somewhat contradictory to the
>     request the IdP gets):
>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
>
>     My error log says there is no entry to handle entityID google.com
>     in relying-party:
>
>     2016-04-13 10:39:52,256 - DEBUG
>     [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334]
>     - Metadata backing store does not contain any EntityDescriptors
>     with the ID: google.com
>
>     Even editing the metadata file they provide, to the following
>     first line:
>
>     <md:EntityDescriptor
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">
>
>     Doesn’t work.
>
>     Any suggestions appreciated.
>
>     Thanks,
>
>     Dav
>
>     _________________________________________________
>
>     Dave Perry
>     eLearning Technologist, Hull College Group
>
>     Room L34 - Queens Gardens Library
>     Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
>     Extension 2230 / Direct Dial 01482 381930
>
>     ** Need a fast reply? Try elearning at hull-college.ac.uk
>     <mailto:elearning at hull-college.ac.uk> **
>
>     The Review Newsletter
>     <http://www.hull-college.ac.uk/about-us/stakeholders-newsletter>
>
>
>     This message is sent in confidence for the addressee only. It
>     may contain confidential or sensitive information. The contents
>     are not to be disclosed to anyone other than the addressee.
>     Unauthorised recipients are requested to preserve this
>     confidentiality and to advise us of any errors in transmission.
>     Any views expressed in this message are solely the views of the
>     individual and do not represent the views of the College.
>     Nothing in this message should be construed as creating a contract.
>
>     Hull College Group owns the email infrastructure, including the
>     contents.
>
>     Hull College Group is committed to sustainability, please reflect
>     before printing this email.
>
>     ------------------------------------------------------------------------
>
>
>
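The failure in Dave's log is a metadata-resolution problem: Google identifies itself as `google.com` in the Issuer of its AuthnRequest, so an EntityDescriptor carrying any other entityID is never matched, whatever else is in the file. The same lookup is also what lets the IdP refuse a request whose AssertionConsumerServiceURL is not in metadata, which matters because the posted request carries no Signature. The Python script below, added here as an illustration and not code from the Shibboleth project or from either poster, reproduces that resolution in simplified form over the metadata Dan posted and the AuthnRequest from Dave's log (constructed sample input; the ACS domain in the request has been aligned to Dan's metadata so the two fit together). The function names, the fallback to a metadata endpoint when the request names no ACS URL, and the NameID-format check are my own simplifications, not the IdP's actual logic.

```python
"""Resolve an inbound SAML AuthnRequest against SP metadata, as an IdP must.

Added example, not Shibboleth code. Sample input is constructed from the
thread. Production code should parse untrusted XML with defusedxml rather
than xml.etree directly.
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Dan's metadata: entityID equals the Issuer Google sends.
GOOGLE_METADATA = """<EntityDescriptor entityID="google.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/gustavus.edu/acs" />
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Dave's logged request, ACS domain changed to match the metadata above (constructed).
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://www.google.com/a/gustavus.edu/acs"
    ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab"
    IsPassive="false"
    IssueInstant="2016-04-13T09:39:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
"""


def load_metadata(xml_text):
    """Index every EntityDescriptor that has an SPSSODescriptor by entityID."""
    root = ET.fromstring(xml_text)
    if root.tag == MD + "EntityDescriptor":
        descriptors = [root]
    else:  # EntitiesDescriptor aggregate
        descriptors = root.iter(MD + "EntityDescriptor")
    index = {}
    for ed in descriptors:
        sp = ed.find(MD + "SPSSODescriptor")
        if sp is None:
            continue
        index[ed.get("entityID")] = {
            # (Binding, Location) pairs the SP may receive assertions at
            "acs": {(a.get("Binding"), a.get("Location"))
                    for a in sp.findall(MD + "AssertionConsumerService")},
            "nameid_formats": {f.text.strip()
                               for f in sp.findall(MD + "NameIDFormat") if f.text},
        }
    return index


def check_authn_request(index, request_xml):
    """Return (accepted, reason). Simplified IdP-side checks: the Issuer must
    resolve to metadata, the ACS URL and binding must be listed there, and the
    requested NameID format must be one the SP advertises."""
    req = ET.fromstring(request_xml)
    issuer_el = req.find(SAML + "Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        return False, "AuthnRequest carries no Issuer"
    sp = index.get(issuer)
    if sp is None:
        # Dave's failure: Issuer is "google.com", metadata said something else.
        return False, f"metadata has no EntityDescriptor with entityID {issuer}"
    binding = req.get("ProtocolBinding")
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is None:
        # No URL in the request: use an endpoint from metadata for that binding.
        for b, loc in sorted(sp["acs"]):
            if b == binding:
                acs_url = loc
                break
        else:
            return False, f"metadata lists no {binding} endpoint for {issuer}"
    elif (binding, acs_url) not in sp["acs"]:
        # The request is unsigned, so anyone can claim Issuer=google.com;
        # only metadata can say where the assertion is allowed to go.
        return False, f"ACS {acs_url} ({binding}) not in metadata for {issuer}"
    policy = req.find(SAMLP + "NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    if fmt and sp["nameid_formats"] and fmt not in sp["nameid_formats"]:
        return False, f"NameID format {fmt} not advertised by {issuer}"
    return True, f"{issuer} accepted; assertion will be posted to {acs_url}"


if __name__ == "__main__":
    idx = load_metadata(GOOGLE_METADATA)
    print(check_authn_request(idx, AUTHN_REQUEST))
    wrong_id = GOOGLE_METADATA.replace(
        'entityID="google.com"',
        'entityID="https://accounts.google.com/o/saml2?idpid=C04au2c47"')
    print(check_authn_request(load_metadata(wrong_id), AUTHN_REQUEST))
```

Run as-is, the first line printed is the accepted case and the second reproduces Dave's "no EntityDescriptors with the ID: google.com" situation using the entityID from Google's downloaded metadata. Editing that entityID to `google.com`, as Dan's file does, is what makes the lookup succeed; the ACS check then pins the assertion to the endpoint in metadata rather than to whatever URL the unsigned request names.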
