Google Apps + v3 Idp (again)
cantor.2 at osu.edu
Thu Apr 14 10:47:06 EDT 2016
> I need to enter my full work email address into google's login form, for it to
> trigger the shibboleth login.
> Our login names (staff or student ID) are completely different, and we don't
> store them on google at all when provisioning accounts via GADS.
Well, I don't actually think the first point implies that's the internal object's key in Google, but the second probably does.
> I tried creating a username of mystaffID at hull-college.ac.uk on google as an
> experiment, then changed the attribute resolver google-principal to use
> sAMAccountName (so the NameID bean definition would use it too). And the
> metadata to ask for a nameid-format:unspecified). But it just changed it to
> be a transient ID and set something google would be even more clueless
Well, that's misconfiguring the IdP, it has nothing to do with what we're talking about.
You cannot request or drive the unspecified Format with metadata, period. I don't know how else to say it. I documented it. I noted it in big yellow boxes.
It's already 100% confirmed: you don't need that Format with Google. So that's just a red herring.