{Disarmed} Re: Google Apps + v3 Idp (again)

Dave Perry Dave.Perry at hull-college.ac.uk
Wed Apr 13 10:34:18 EDT 2016


I was offered a metadata download on the SSO Settings page. But that was the bloated one.

That is soooo much better thanks!

BUT it is failing to generate a NameID.

I can confirm that the attribute I set it to use (mail) is getting a value from LDAP:
2016-04-13 15:11:17,421 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] - Attribute Definition 'mail': produced an attribute with the following values [StringAttributeValue{value=Dave.Perry at hull-college.ac.uk}]

But it doesn’t seem to like that when it comes to packaging it…
2016-04-13 15:11:17,573 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:183] - Checking for source attribute mail
2016-04-13 15:11:17,574 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:213] - Attribute sources [mail] did not produce a usable identifier
2016-04-13 15:11:17,574 - DEBUG [org.opensaml.saml.saml2.profile.AbstractSAML2NameIDGenerator:92] - No identifier to use
2016-04-13 15:11:17,575 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty

Should I be adding anything in attribute-filter, or is NameID sufficient (when it behaves)?

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk *

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Dan Oachs
Sent: 13 April 2016 14:50
To: Shib Users
Subject: {Disarmed} Re: Google Apps + v3 Idp (again)

I forget exactly where in the Google Apps Admin pages we found a link to the metadata file, but this is what ours looks like.

<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/gustavus.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>


    Thanks,
        Dan Oachs
        Gustavus Adolphus College


On 04/13/2016 08:45 AM, Dave Perry wrote:
Thanks Dan. What was your metadata file? Scott’s reply suggests their one is overly complicated with things that may as well not be there.


Dave


From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Dan Oachs
Sent: 13 April 2016 14:07
To: users at shibboleth.net
Subject: {Disarmed} Re: Google Apps + v3 Idp (again)

We recently got idp 3 working for our Google Apps accounts.  Here is what I know:

Added this to relying-party.xml in the shibboleth.RelyingPartyOverrides section.

        <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>


Added this to metadata-providers.xml

    <MetadataProvider id="GoogleMD"
                  xsi:type="FilesystemMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataFile="%{idp.home}/metadata/google-metadata.xml"/>

Added this to the saml-nameid.xml file in the shibboleth.SAML2NameIDGenerators section

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'principal','uid'} }" />

Hopefully I remembered all the steps but I may have missed something.  Hope that helps anyway.

    Thanks,
        Dan Oachs
        Gustavus Adolphus College

On 04/13/2016 05:22 AM, Dave Perry wrote:
I am utterly confused (nothing new there, but I’ll attempt to explain this one).

I have a relying-party entry which I believe others have used:
        <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>

I have a request from google in my log which asks for NameID as unspecified:
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
    ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
    IssueInstant="2016-04-13T09:39:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

And google’s own metadata download (taken from the GA admin control panel), which has a weird entityID of https://accounts.google.com/o/saml2?idpid=C04au2c47, specifies emailAddress as the NameID policy (somewhat contradictory to the request the IdP gets):
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

My error log says there is no entry to handle entityID google.com in relying-party:
2016-04-13 10:39:52,256 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: google.com

Even editing the metadata file they provide, to the following first line:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">
Doesn’t work.

Any suggestions appreciated.


Thanks,
Dave


The Review Newsletter <http://www.hull-college.ac.uk/about-us/stakeholders-newsletter>

This message is sent in confidence for the addressee only. It may contain confidential or sensitive information. The contents are not to be disclosed to anyone other than the addressee. Unauthorised recipients are requested to preserve this confidentiality and to advise us of any errors in transmission. Any views expressed in this message are solely the views of the individual and do not represent the views of the College. Nothing in this message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.
________________________________
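The mismatches Dave describes in his original message (the request's Issuer not matching the metadata entityID, the requested NameIDPolicy Format contradicting the metadata's NameIDFormat, and the ACS URL needing to be a registered endpoint) can be checked mechanically before loading metadata into the IdP. The following is an added example by the editor, not code from the thread or from the Shibboleth project; the AuthnRequest and the two metadata documents are constructed to match the shapes posted above, with a placeholder request ID and idpid.

```python
# Added example, not from the thread or from Shibboleth: compare an AuthnRequest with SP metadata.
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_request_against_metadata(request_xml, metadata_xml):
    """Return a list of mismatches; an empty list means the two agree."""
    req, md = ET.fromstring(request_xml), ET.fromstring(metadata_xml)
    findings = []
    # The IdP resolves the SP by the request's Issuer, which must equal entityID exactly
    # (otherwise: "Metadata backing store does not contain any EntityDescriptors with the ID").
    issuer = (req.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    entity_id = md.get("entityID", "")
    if issuer != entity_id:
        findings.append(f"Issuer {issuer!r} != metadata entityID {entity_id!r}")
    # The requested NameIDPolicy Format should be one the metadata advertises.
    policy = req.find("samlp:NameIDPolicy", NS)
    requested = policy.get("Format") if policy is not None else None
    offered = [e.text.strip() for e in md.iterfind(".//md:NameIDFormat", NS) if e.text]
    if requested and offered and requested not in offered:
        findings.append(f"requested NameID format {requested!r} not in {offered!r}")
    # The ACS URL must be a registered endpoint, or the IdP will not POST the response there.
    acs = req.get("AssertionConsumerServiceURL")
    registered = [e.get("Location") for e in md.iterfind(".//md:AssertionConsumerService", NS)]
    if acs and acs not in registered:
        findings.append(f"ACS URL {acs!r} not among registered endpoints {registered!r}")
    return findings

# Constructed inputs modelled on the thread; the request ID and the idpid are placeholders.
ACS_URL = "https://www.google.com/a/hull-college.ac.uk/acs"
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_placeholder" Version="2.0"
    ProviderName="google.com" AssertionConsumerServiceURL="{ACS_URL}">
  <saml:Issuer xmlns:saml="{NS['saml']}">google.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="{UNSPECIFIED}"/>
</samlp:AuthnRequest>"""

def sp_metadata(entity_id, name_id_format):
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:NameIDFormat>{name_id_format}</md:NameIDFormat>
    <md:AssertionConsumerService index="1" Location="{ACS_URL}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Hand-written metadata in Dan's shape versus the admin-console download in Dave's shape.
MINIMAL_METADATA = sp_metadata("google.com", UNSPECIFIED)
DOWNLOADED_METADATA = sp_metadata("https://accounts.google.com/o/saml2?idpid=PLACEHOLDER", EMAIL_ADDRESS)
```

Running the check against the hand-written metadata returns no findings, while the downloaded metadata reports both the entityID mismatch and the NameID format mismatch, which is the pair of symptoms in Dave's first post.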