Google Apps + v3 Idp (again)

Andrew Morgan morgan at orst.edu
Wed Apr 13 13:46:14 EDT 2016


On Wed, 13 Apr 2016, Dave Perry wrote:

> Thanks.
>
> I have this in the saml-nameid.xml file:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>            p:attributeSourceIds="#{ {'mail'} }" />
>
> I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
>        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
> But changing that to 2.0 didn't work either.
>
> Their support chat people are denying that they have any access to SAML 
> logs. These non-standard software types, grr.

Dave,

Here is our working configuration for Google.

saml-nameid.xml:

         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             p:attributeSourceIds="#{ {'google-principal'} }">
             <property name="activationCondition">
                 <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/oregonstate.edu" />
             </property>
         </bean>


relying-party.xml:

         <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'google.com/a/oregonstate.edu'}}">
             <property name="profileConfigurations">
                 <list>
                     <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
                 </list>
             </property>
         </bean>


attribute-resolver.xml:

     <!-- Google oregonstate.edu NameID attribute -->
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="google-principal" sourceAttributeID="googlePrincipalName">
         <resolver:Dependency ref="ONIDLDAP" />
     </resolver:AttributeDefinition>


attribute-filter.xml:

     <!-- Google oregonstate.edu principal -->
     <AttributeFilterPolicy id="google-orst-principal">
         <PolicyRequirementRule xsi:type="Requester" value="google.com/a/oregonstate.edu" />
         <AttributeRule attributeID="google-principal">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>


metadata/google-orst.xml:

<EntityDescriptor entityID="google.com/a/oregonstate.edu" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
         <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                 <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
                 <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/oregonstate.edu/acs" />
         </SPSSODescriptor>
</EntityDescriptor>


Make sure you don't release ANY attributes to Google.  They don't want any 
attributes.  If you look closely, you'll see that we don't have any 
encoders on the google-principal attribute, so it can never be released as 
an attribute.

 	Andy
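As an added illustration (not code from Andy's message or from the Shibboleth project), here is a small Python check that inspects a SAML Response the IdP would hand to Google against the points made in this thread: the SAML 1.1 emailAddress NameID format, an email-shaped NameID value, a cleartext (unencrypted) assertion, and no AttributeStatement. The sample responses it runs on are constructed.

```python
# Added example: sanity-check a SAML Response destined for Google against the
# constraints described above. Sample responses below are constructed, not captured.
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GOOGLE_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_google_response(xml_text):
    """Return a list of findings; an empty list means the Response matches Google's expectations."""
    root = ET.fromstring(xml_text)
    if root.find("saml2:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted; Google needs a cleartext assertion (encryptAssertions=false)"]
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    findings = []
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt != GOOGLE_NAMEID_FORMAT:
            findings.append(f"NameID Format is {fmt}, expected {GOOGLE_NAMEID_FORMAT}")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
            findings.append(f"NameID value {name_id.text!r} is not an email address")
    # Google wants only the NameID: any released attribute would show up here.
    if assertion.find("saml2:AttributeStatement", NS) is not None:
        findings.append("AttributeStatement present: attributes are being released to Google")
    return findings

def _response(name_id_format, name_id_value, attribute_statement=""):
    # Constructed, minimal Response (no Issuer/Signature) sufficient for the checks above.
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Assertion>
    <saml2:Subject><saml2:NameID Format="{name_id_format}">{name_id_value}</saml2:NameID></saml2:Subject>
    {attribute_statement}
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed: the working shape, and the shape that trips all three checks.
GOOD = _response(GOOGLE_NAMEID_FORMAT, "jdoe@oregonstate.edu")
BAD = _response("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified", "jdoe",
                '<saml2:AttributeStatement><saml2:Attribute Name="mail"/></saml2:AttributeStatement>')

if __name__ == "__main__":
    print("good:", check_google_response(GOOD))  # []
    print("bad:", check_google_response(BAD))
```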
