Google Apps + v3 Idp (again)
Greg Haverkamp
gahaverkamp at lbl.gov
Wed Apr 13 12:27:24 EDT 2016
On Wed, Apr 13, 2016 at 6:33 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 4/13/16, 6:22 AM, "users on behalf of Dave Perry" <
> users-bounces at shibboleth.net on behalf of Dave.Perry at hull-college.ac.uk>
> wrote:
>
> >I have a request from google in my log which asks for NameID as
> unspecified:
>
> The IdP ignores that, as we documented, at length. It doesn't matter that
> it asks for that, and I believe it's been proven by at least one person
> that Google *doesn't* require any given Format at all, so using
> "unspecified" would be a mistake.
>
That's been our experience. In fact, not one of the services that
previously used unspecified actually required it; after you had mentioned
in passing testing it, I ran through and removed all of our unspecifieds
during our v3 upgrade. Nor did a recent vendor that came to us saying they
required it actually require it when challenged. (They didn't need a
tailored NameID at all, it turned out, and lived just fine off of an
attribute.)
We use:
<NameIDFormat>https://identity.lbl.gov/nameid/googleAccountName</NameIDFormat>
and this:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="https://identity.lbl.gov/nameid/googleAccountName"
p:attributeSourceIds="#{ {'googlePrincipal'} }" />
(Due to our secondary domains, and the fact that the email addresses clash
with the official, "advertised" email address, we store the Google account
in a separate attribute.)
>
> >And google’s own metadata download (taken from the GA admin control
> panel) which has a weird entityID of
> >https://accounts.google.com/o/saml2?idpid=C04au2c47
>
> I don't believe that's the relevant metadata. Pretty sure the entityID is
> google.com (also invalid, but whatever, it is what it is).
>
That's for Google's SAML IdP service.
Greg
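The fragments above tied together, as an added example that is not Greg's actual configuration: a hypothetical attribute definition for `googlePrincipal` in attribute-resolver.xml, the generator in saml-nameid.xml limited to the Google relying party, and the SP metadata entry that selects the format. Assumed and not from the thread: an LDAP connector id `myLDAP`, a source attribute `googleAccount`, and the entityID `google.com` (as Scott suggests above); namespace prefixes follow the IdP v3.2-era default files.

```xml
<!-- attribute-resolver.xml (hypothetical): expose the stored Google account
     as its own attribute, separate from the advertised mail address -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="googlePrincipal"
        sourceAttributeID="googleAccount">
    <resolver:Dependency ref="myLDAP" />
</resolver:AttributeDefinition>

<!-- saml-nameid.xml: list the custom generator ahead of the defaults so it is
     tried first; the activation condition keeps it from firing for other SPs -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="https://identity.lbl.gov/nameid/googleAccountName"
          p:attributeSourceIds="#{ {'googlePrincipal'} }">
        <property name="activationCondition">
            <!-- entityID assumed; Google's own metadata download is not the one to trust here -->
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidates="#{ {'google.com'} }" />
        </property>
    </bean>
    <ref bean="shibboleth.SAML2TransientGenerator" />
</util:list>

<!-- metadata for the Google SP: advertise only the custom format, so the IdP
     matches this generator instead of falling back to transient -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>https://identity.lbl.gov/nameid/googleAccountName</md:NameIDFormat>
    <!-- AssertionConsumerService etc. omitted -->
</md:SPSSODescriptor>
```

The generator sources from the filtered attribute set, so `googlePrincipal` must also be released to that relying party in attribute-filter.xml or the generator produces nothing and the IdP moves on to the next one in the list.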