Google Apps + v3 Idp (again)

Dan Oachs doachs at gac.edu
Wed Apr 13 12:09:33 EDT 2016


I don't think they want you to send a full email address.  Just a 
username.  At least that is what worked for us.

     Thanks,
         Dan Oachs

On 04/13/2016 11:06 AM, Dave Perry wrote:
> Thanks.
>
> I have this in the saml-nameid.xml file:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>              p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>              p:attributeSourceIds="#{ {'mail'} }" />
>
> I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
>          <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
> But changing that to 2.0 didn't work either.
>
> Their support chat people are denying that they have any access to SAML logs. These non-standard software types, grr.
>
> _________________________________________________
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
>
> * Need a fast reply? Try elearning at hull-college.ac.uk *
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Dan Oachs
> Sent: 13 April 2016 16:43
> To: Shib Users
> Subject: Re: Google Apps + v3 Idp (again)
>
> Pretty sure that is the exact error we were seeing until we added the bean for nameid-format:unspecified in the saml-nameid.xml file.
>
> In case it helps, here are the important bits in our attribute-filter.xml
>
>       <AttributeFilterPolicy id="releaseToAnyone">
>           <PolicyRequirementRule xsi:type="ANY" />
>           <AttributeRule attributeID="uid">
>               <PermitValueRule xsi:type="ANY" />
>           </AttributeRule>
>           <AttributeRule attributeID="mail">
>               <PermitValueRule xsi:type="ANY" />
>           </AttributeRule>
>           <AttributeRule attributeID="principal">
>               <PermitValueRule xsi:type="ANY" />
>           </AttributeRule>
>       </AttributeFilterPolicy>
>
>
>       Thanks,
>           Dan Oachs
>           Gustavus Adolphus College
>
>
> On 04/13/2016 10:35 AM, Dave Perry wrote:
>> Oops my bad. The error is:
>> This account cannot be accessed because the login credentials could not be verified.
>>
>> (I tried the includeAttributeStatement=false thing, but like you thought it made no difference to the end result).
>>
>> _________________________________________________
>> Dave Perry
>> eLearning Technologist, Hull College Group
>>
>> Room L34 - Queens Gardens Library
>> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
>> Extension 2230 / Direct Dial 01482 381930
>>
>> * Need a fast reply? Try elearning at hull-college.ac.uk *
>>
>>
>> -----Original Message-----
>> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor,
>> Scott
>> Sent: 13 April 2016 16:22
>> To: Shib Users
>> Subject: Re: {Disarmed} Re: Google Apps + v3 Idp (again)
>>
>> On 4/13/16, 11:18 AM, "users on behalf of Dave Perry" <users-bounces at shibboleth.net on behalf of Dave.Perry at hull-college.ac.uk> wrote:
>>
>>
>>
>>> OK thanks for that.
>>> The Response it sends back to google includes my email address in the nameID. Hurrah.
>>> It also sends the mail attribute in a separate part of it (AttributeStatement), but still the same error.
>> You can prevent the duplication if it matters (one way being just turning includeAttributeStatement off for that RP), but it generally doesn't.
>>
>> You never said what the error was, but since I'm sure it's coming from Google, that isn't really for me to diagnose.
>>
>>
>> -- Scott
>>
>
>
> **********************************************************************
> This message is sent in confidence for the addressee
> only. It may  contain confidential or sensitive
> information.  The contents are not to be disclosed
> to anyone other than the addressee.  Unauthorised
> recipients are requested to preserve this
> confidentiality and to advise us of any errors in
> transmission.  Any views expressed in this message
> are solely the views of the individual and do not
> represent the views of the College.  Nothing in this
> message should be construed as creating a contract.
>
> Hull College Group owns the email infrastructure, including the contents.
>
> Hull College Group is committed to sustainability, please reflect before printing this email.
> **********************************************************************
>


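Since Google's side offers no SAML logs (as noted in the thread), the only thing the IdP operator can examine is what the Response actually carries. The following is an added example, not from the thread or from the Shibboleth project: a small Python checker that parses a SAML 2.0 Response, reports the Subject NameID format and value plus any AttributeStatement, and flags the two conditions discussed above (a NameID Format other than `nameid-format:unspecified`, and a NameID that is a full email address rather than a bare username). The sample Response, the `dperry@example.ac.uk` value and the function names are constructed for this example; the code performs no signature validation, so run it over a Response captured from your own IdP's logs to see what is being sent, not as a trust decision.

```python
"""Inspect a SAML 2.0 Response and report what the IdP puts in the Subject
NameID and the AttributeStatement.  Added example, not code from the thread.
The sample Response below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Both the SAML 1.1 form (seen in Google's metadata in the thread) and the
# SAML 2.0 form (used in the saml-nameid.xml bean) of "unspecified".
UNSPECIFIED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}

# Constructed sample: NameID generated from the mail attribute, and the same
# value duplicated in an AttributeStatement (the situation Dave describes).
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
        >dperry@example.ac.uk</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>dperry@example.ac.uk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text):
    """Return a dict describing the NameID and attributes in a Response.

    Only the content is read; signatures are not checked here."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attributes[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": name_id.text if name_id is not None else None,
        "has_attribute_statement":
            root.find(".//saml:AttributeStatement", NS) is not None,
        "attributes": attributes,
    }


def nameid_findings(info, expect_bare_username=True):
    """List the conditions from the thread that would explain Google's
    'login credentials could not be verified' error.  Empty list = nothing
    obviously wrong with the NameID."""
    findings = []
    fmt, value = info["nameid_format"], info["nameid_value"]
    if value is None:
        findings.append("no NameID in Subject: the SP gets nothing to match; "
                        "add the unspecified NameID generator bean in saml-nameid.xml")
        return findings
    if fmt not in UNSPECIFIED_FORMATS:
        findings.append(f"NameID Format is {fmt!r}, not nameid-format:unspecified")
    if expect_bare_username and "@" in value:
        findings.append("NameID carries a full email address; Dan reports that "
                        "a bare username is what worked with Google")
    return findings


if __name__ == "__main__":
    result = inspect_response(SAMPLE_RESPONSE)
    print("NameID:", result["nameid_format"], result["nameid_value"])
    print("AttributeStatement present:", result["has_attribute_statement"])
    print("Attributes:", result["attributes"])
    for f in nameid_findings(result):
        print("finding:", f)
```

Pointing the script at a real Response means pasting the decoded XML into `inspect_response`; the `expect_bare_username` flag exists because the username-versus-email expectation is Google-specific and other relying parties differ.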