Google Apps + v3 Idp (again)
Dan Oachs
doachs at gac.edu
Wed Apr 13 11:42:36 EDT 2016
Pretty sure that is the exact error we were seeing until we added the
bean for nameid-format:unspecified in the saml-nameid.xml file.
In case it helps, here are the important bits in our attribute-filter.xml:

<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Thanks,
Dan Oachs
Gustavus Adolphus College
On 04/13/2016 10:35 AM, Dave Perry wrote:
> Oops my bad. The error is:
> This account cannot be accessed because the login credentials could not be verified.
>
> (I tried the includeAttributeStatement=false thing, but like you thought it made no difference to the end result).
>
> _________________________________________________
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
>
> * Need a fast reply? Try elearning at hull-college.ac.uk *
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
> Sent: 13 April 2016 16:22
> To: Shib Users
> Subject: Re: {Disarmed} Re: Google Apps + v3 Idp (again)
>
> On 4/13/16, 11:18 AM, "users on behalf of Dave Perry" <users-bounces at shibboleth.net on behalf of Dave.Perry at hull-college.ac.uk> wrote:
>
>
>
>> OK thanks for that.
>> The Response it sends back to google includes my email address in the nameID. Hurrah.
>> It also sends the mail attribute in a separate part of it (AttributeStatement), but still the same error.
> You can prevent the duplication if it matters (one way being just turning includeAttributeStatement off for that RP), but it generally doesn't.
>
> You never said what the error was, but since I'm sure it's coming from Google, that isn't really for me to diagnose.
>
>
> -- Scott
>
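
The saml-nameid.xml bean mentioned in the message above is not shown there. As an added example (not taken from the thread or from any poster's actual configuration), a generator for the unspecified format and a filter policy limited to one relying party instead of ANY could look like this in IdP v3. The source attribute `mail`, the policy id and the `GOOGLE_SP_ENTITY_ID` placeholder are assumptions.

```xml
<!-- conf/saml-nameid.xml: goes inside the existing
     <util:list id="shibboleth.SAML2NameIDGenerators"> element -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'mail'} }" />
<!-- 'mail' is an assumption: use the attribute whose value matches
     the account name the service provider expects in the NameID. -->

<!-- conf/attribute-filter.xml: release of the same attribute, scoped
     to a single relying party. GOOGLE_SP_ENTITY_ID is a placeholder
     for that service provider's entityID, which the thread does not
     state. -->
<AttributeFilterPolicy id="releaseMailToGoogle">
    <PolicyRequirementRule xsi:type="Requester" value="GOOGLE_SP_ENTITY_ID" />
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Scoping the policy by requester keeps `mail` from being released to every service provider that the IdP has metadata for.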