Google Apps + v3 Idp (again)

Dave Perry Dave.Perry at
Thu Apr 14 10:04:34 EDT 2016

That (with the odd change) has got me to the same point I reached yesterday - I have a SAML response which has my email address in the NameID, in the right format according to DEBUG. But google is still rejecting it. No attribute beyond the nameID being released.

Would you be willing to share a response, with your certificate element snipped, for me to compare to.


Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at *

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Andrew Morgan
Sent: 13 April 2016 18:46
To: Shib Users
Subject: RE: Google Apps + v3 Idp (again)

On Wed, 13 Apr 2016, Dave Perry wrote:

> Thanks.
> I have this in the saml-nameid.xml file:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>            p:attributeSourceIds="#{ {'mail'} }" />
> I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</N
> ameIDFormat> But changing that to 2.0 didn't work either.
> Their support chat people are denying that they have any access to 
> SAML logs. These non-standard software types, grr.


Here is our working configuration for Google.


         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:attributeSourceIds="#{ {'google-principal'} }">
             <property name="activationCondition">
                 <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="" />


         <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{''}}">
             <property name="profileConfigurations">
                     <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />


     <!-- Google NameID attribute -->
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="google-principal" sourceAttributeID="googlePrincipalName">
         <resolver:Dependency ref="ONIDLDAP" />


     <!-- Google principal -->
     <AttributeFilterPolicy id="google-orst-principal">
         <PolicyRequirementRule xsi:type="Requester" value="" />
         <AttributeRule attributeID="google-principal">
             <PermitValueRule xsi:type="ANY" />


<EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
         <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                 <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" />

Make sure you don't release ANY attributes to Google.  They don't want any attributes.  If you look closely, you'll see that we don't have any encoders on the google-principal attribute, so it can never be released as an attribute.

To unsubscribe from this list send an email to users-unsubscribe at

This message is sent in confidence for the addressee
only. It may  contain confidential or sensitive
information.  The contents are not to be disclosed
to anyone other than the addressee.  Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission.  Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College.  Nothing in this
message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.


More information about the users mailing list