Google Apps + v3 Idp (again)

Greg Haverkamp gahaverkamp at
Wed Apr 13 12:27:24 EDT 2016

On Wed, Apr 13, 2016 at 6:33 AM, Cantor, Scott <cantor.2 at> wrote:

> On 4/13/16, 6:22 AM, "users on behalf of Dave Perry" <
> users-bounces at on behalf of Dave.Perry at>
> wrote:
> >I have a request from google in my log which asks for NameID as
> >unspecified:
> The IdP ignores that, as we documented, at length. It doesn't matter that
> it asks for that, and I believe it's been proven by at least one person
> that Google *doesn't* require any given Format at all, so using
> "unspecified" would be a mistake.

That's been our experience.  In fact, not one of the services that
previously used unspecified actually required it; after you had mentioned
in passing testing it, I ran through and removed all of our unspecifieds
during our v3 upgrade.  Nor did a recent vendor that came to us saying they
required it actually require it when challenged.  (They didn't need a
tailored NameID at all, it turned out, and lived just fine off of an

We use:

and this:
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'googlePrincipal'} }" />

(Due to our secondary domains, and the fact that the email addresses clash
with the official, "advertised" email address, we store the Google account
in a separate attribute.)

> >And Google's own metadata download (taken from the GA admin control
> >panel) which has a weird entityID of
> >
> I don't believe that's the relevant metadata. Pretty sure the entityID is
> (also invalid, but whatever, it is what it is).

That's for Google's SAML IdP service.
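As an added illustration (not Greg's configuration and not shipped by the Shibboleth project), here is the shape a v3 conf/saml-nameid.xml entry takes when the Google identifier is kept in its own attribute: the generator emits the emailAddress format, not "unspecified", and an activation condition limits it to Google's entityID so the value is not offered to every relying party. The entityID is a placeholder to be taken from Google's metadata, and the attribute id "googlePrincipal" is assumed to be defined in the resolver and released to Google by the attribute filter.

```xml
<!-- Added example fragment for conf/saml-nameid.xml (Shibboleth IdP v3); not the poster's config. -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Keep the transient generator first so SPs with no better match still get a NameID. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Email-address NameID sourced from the dedicated googlePrincipal attribute.
         No "unspecified" generator is configured: the thread's experience is that
         Google does not require it, and the IdP ignores the requested Format anyway. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'googlePrincipal'} }">
        <!-- Only activate for Google's SP; the candidate value is a placeholder
             and must be replaced with the entityID from Google's metadata. -->
        <property name="activationCondition">
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                c:candidate="ENTITYID-OF-GOOGLE-SP-PLACEHOLDER" />
        </property>
    </bean>

</util:list>
```

The googlePrincipal attribute still has to pass the attribute filter for Google's entityID; if it is not released, the generator finds no source value and the transient generator is used instead.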
