Google Apps + v3 Idp (again)

Dave Perry Dave.Perry at hull-college.ac.uk
Wed Apr 13 12:06:55 EDT 2016


Thanks.

I have this in the saml-nameid.xml file:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'mail'} }" />

I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
But changing that to 2.0 didn't work either.

Their support chat people are denying that they have any access to SAML logs. These non-standard software types, grr.

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at hull-college.ac.uk *


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Dan Oachs
Sent: 13 April 2016 16:43
To: Shib Users
Subject: Re: Google Apps + v3 Idp (again)

Pretty sure that is the exact error we were seeing until we added the bean for nameid-format:unspecified in the saml-nameid.xml file.

In case it helps, here are the important bits in our attribute-filter.xml

     <AttributeFilterPolicy id="releaseToAnyone">
         <PolicyRequirementRule xsi:type="ANY" />
         <AttributeRule attributeID="uid">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
         <AttributeRule attributeID="mail">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
         <AttributeRule attributeID="principal">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>


     Thanks,
         Dan Oachs
         Gustavus Adolphus College


On 04/13/2016 10:35 AM, Dave Perry wrote:
> Oops my bad. The error is:
> This account cannot be accessed because the login credentials could not be verified.
>
> (I tried the includeAttributeStatement=false thing, but like you thought it made no difference to the end result).
>
> _________________________________________________
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
>
> * Need a fast reply? Try elearning at hull-college.ac.uk *
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
> Sent: 13 April 2016 16:22
> To: Shib Users
> Subject: Re: {Disarmed} Re: Google Apps + v3 Idp (again)
>
> On 4/13/16, 11:18 AM, "users on behalf of Dave Perry" <users-bounces at shibboleth.net on behalf of Dave.Perry at hull-college.ac.uk> wrote:
>
>> OK thanks for that.
>> The Response it sends back to google includes my email address in the nameID. Hurrah.
>> It also sends the mail attribute in a separate part of it (AttributeStatement), but still the same error.
> You can prevent the duplication if it matters (one way being just turning includeAttributeStatement off for that RP), but it generally doesn't.
>
> You never said what the error was, but since I'm sure it's coming from Google, that isn't really for me to diagnose.
>
>
> -- Scott
>
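The thread compares the format string in the saml-nameid.xml bean with the NameIDFormat the SP metadata advertises. As an added example, not code from the thread, from Shibboleth or from Google, here is a small Python check that parses a SAML Response and an SP metadata fragment (both constructed below, with placeholder entity IDs and addresses) and reports where the NameID disagrees with what the SP asked for. It relies on one fact from SAML 2.0 Core section 8.3: the registered URI for the "unspecified" format is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (the SAML 1.1 format URIs were carried forward unchanged), so a 2.0-prefixed "unspecified" string is not a registered format and a strict SP may not match it. The check also reports whether the NameID value is duplicated in the AttributeStatement, which is the harmless duplication discussed above.

```python
"""Compare the NameID an IdP emits with what the SP's metadata requests.

Added example (not from the thread): both XML documents below are
constructed samples with placeholder entity IDs and addresses.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# NameID format URIs registered in SAML 2.0 Core section 8.3. The
# unspecified/emailAddress/X509SubjectName/WindowsDomainQualifiedName
# formats keep their SAML 1.1 URIs; only the later formats use "2.0".
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}

# Constructed sample Response: NameID in a "2.0 unspecified" format plus
# the same address released again as the mail attribute (OID form).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-04-13T16:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-13T16:00:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">someone@example.org</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>someone@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample SP metadata asking for the registered 1.1 URI.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_nameid(response_xml, sp_metadata_xml, mail_friendly_name="mail"):
    """Return a list of findings; an empty list means NameID and SP agree."""
    findings = []
    resp = ET.fromstring(response_xml)
    nameid = resp.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return ["Response carries no Subject/NameID"]
    fmt = nameid.get("Format")
    value = (nameid.text or "").strip()

    # 1. Is the format string one the SAML 2.0 spec actually registers?
    if fmt not in KNOWN_FORMATS:
        findings.append(f"NameID Format {fmt!r} is not a SAML 2.0 Core format")

    # 2. Does the SP's metadata list that format among the ones it accepts?
    md = ET.fromstring(sp_metadata_xml)
    wanted = [e.text.strip() for e in
              md.findall(".//md:SPSSODescriptor/md:NameIDFormat", NS)]
    if wanted and fmt not in wanted:
        findings.append(f"SP metadata asks for {wanted}, Response uses {fmt!r}")

    # 3. Is the NameID value consistent with the mail attribute, if released?
    path = (".//saml:AttributeStatement/saml:Attribute"
            f"[@FriendlyName='{mail_friendly_name}']/saml:AttributeValue")
    mail_values = [(v.text or "").strip() for v in resp.findall(path, NS)]
    if mail_values and value not in mail_values:
        findings.append(f"NameID value {value!r} differs from mail {mail_values}")
    return findings


def nameid_duplicated_in_attributes(response_xml, mail_friendly_name="mail"):
    """True when the NameID value also appears as the mail attribute value."""
    resp = ET.fromstring(response_xml)
    nameid = resp.find(".//saml:Subject/saml:NameID", NS)
    value = (nameid.text or "").strip() if nameid is not None else ""
    path = (".//saml:AttributeStatement/saml:Attribute"
            f"[@FriendlyName='{mail_friendly_name}']/saml:AttributeValue")
    return value in [(v.text or "").strip() for v in resp.findall(path, NS)]


if __name__ == "__main__":
    for line in check_nameid(SAMPLE_RESPONSE, SAMPLE_SP_METADATA) or ["OK"]:
        print(line)
```

Run against a real Response captured from the IdP's SAML tracer or the idp-process.log, with the SP's metadata file, to see at a glance whether the format URI the generator bean emits is one the SP has advertised, before chasing the error on the SP side.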