Google Apps + v3 Idp (again)

Dave Perry Dave.Perry at
Thu Apr 14 11:43:13 EDT 2016

OK. If I take the format line out of the metadata, and the saml-nameid bean definition (so no definition by me of what format I'd be sending google-principal as) I still get a transient NameID being sent.

Probably missing something here.

But our v2 setup sent the whole email address in the SAML response, and that was fine.


Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at *

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: 14 April 2016 15:47
To: Shib Users
Subject: RE: Google Apps + v3 Idp (again)

> I need to enter my full work email address into google's login form, 
> for it to trigger the shibboleth login.
> Our login names (staff or student ID) are completely different, and we 
> don't store them on google at all when provisioning accounts via GADS.

Well, I don't actually think the first point implies that's the internal object's key in Google, but the second probably does.

> I tried creating a username of mystaffID at on google 
> as an experiment, then changed the attribute resolver google-principal 
> to use sAMAccountName (so the NameID bean definition would use it too). 
> And the metadata to ask for a nameid-format:unspecified. But it just 
> changed it to be a transient ID and set something google would be even 
> more clueless about.

Well, that's misconfiguring the IdP, it has nothing to do with what we're talking about.

You cannot request or drive the unspecified Format with metadata, period. I don't know how else to say it. I documented it. I noted it in big yellow boxes.

It's already 100% confirmed: you don't need that Format with Google. So that's just a red herring.

-- Scott
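For anyone following this thread, the fragment below is an added example (not from either poster and not the file Shibboleth ships) of the saml-nameid.xml generator being discussed: an IdP v3 configuration that emits the resolved google-principal attribute as an emailAddress-format NameID, scoped to the Google relying party. It assumes an attribute resolver definition with id google-principal that already holds the full work email address, and that Google's entityID is google.com.

```xml
<!-- Fragment for conf/saml-nameid.xml (Shibboleth IdP v3); added example, not the
     shipped default file. It sits inside the existing <beans> element, which already
     declares the util:, p: and c: namespaces. -->

<util:list id="shibboleth.SAML2NameIDGenerators">

    <!-- Transient is the fallback: whenever no other generator is eligible for the
         relying party, the IdP silently emits a transient NameID instead of failing. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Source the NameID from the resolved 'google-principal' attribute (assumed to
         carry the full email address). The attribute must be resolved AND released by
         the attribute filter for this relying party; if it is filtered out, the IdP
         falls back to the transient generator above. This generator is used only when
         the SP signals the emailAddress Format, via a NameIDFormat element in its
         metadata or nameIDFormatPrecedence in relying-party.xml. The 'unspecified'
         Format cannot be requested through metadata. -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'google-principal'} }"
        p:activationCondition-ref="GoogleOnlyCondition" />

</util:list>

<!-- Restrict the email-based identifier to Google (entityID assumed to be google.com)
     so that every other SP keeps receiving transient or persistent identifiers and the
     email address is not handed out more widely than intended. -->
<bean id="GoogleOnlyCondition" parent="shibboleth.Conditions.RelyingPartyId"
    c:candidates="#{ {'google.com'} }" />
```

To see why a transient NameID was chosen for a given request, raise the logger for net.shibboleth.idp.saml.nameid to DEBUG in logback.xml: it logs which generators were considered and which Format the relying party was deemed to support.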
