Google Apps + v3 Idp (again)
Dave Perry
Dave.Perry at hull-college.ac.uk
Wed Apr 20 05:34:37 EDT 2016
Just checking, did you change anything in the file saml-nameid.properties? Currently I have all lines commented out.
I managed to get hold of a Google SAML specialist, and so far they are just as baffled. They suggested trying a couple of different nameID formats (urn:oasis:names:tc:SAML:2.0:nameid-format:email and unspecified); ignoring the unspecified one, the 2.0 email one just gave an error:
Trying to generate NameID with Format urn:oasis:names:tc:SAML:2.0:nameid-format:email
2016-04-20 10:28:26,063 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
Dave
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group
Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* Need a fast reply? Try elearning at hull-college.ac.uk *
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Andrew Morgan
Sent: 13 April 2016 18:46
To: Shib Users
Subject: RE: Google Apps + v3 Idp (again)
On Wed, 13 Apr 2016, Dave Perry wrote:
> Thanks.
>
> I have this in the saml-nameid.xml file:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
> p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
> p:attributeSourceIds="#{ {'mail'} }" />
>
> I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
>
> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
> But changing that to 2.0 didn't work either.
>
> Their support chat people are denying that they have any access to
> SAML logs. These non-standard software types, grr.
Dave,
Here is our working configuration for Google.
saml-nameid.xml:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'google-principal'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/oregonstate.edu" />
    </property>
</bean>
relying-party.xml:
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'google.com/a/oregonstate.edu'}}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
        </list>
    </property>
</bean>
attribute-resolver.xml:
<!-- Google oregonstate.edu NameID attribute -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="google-principal" sourceAttributeID="googlePrincipalName">
    <resolver:Dependency ref="ONIDLDAP" />
</resolver:AttributeDefinition>
attribute-filter.xml:
<!-- Google oregonstate.edu principal -->
<AttributeFilterPolicy id="google-orst-principal">
    <PolicyRequirementRule xsi:type="Requester" value="google.com/a/oregonstate.edu" />
    <AttributeRule attributeID="google-principal">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
metadata/google-orst.xml:
<EntityDescriptor entityID="google.com/a/oregonstate.edu" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/oregonstate.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>
Make sure you don't release ANY attributes to Google. They don't want any attributes. If you look closely, you'll see that we don't have any encoders on the google-principal attribute, so it can never be released as an attribute.
Andy
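Andrew's post shows three files that have to agree before the IdP can produce a NameID for Google: the format the SP's metadata asks for, the format (and source attribute) of the generator in saml-nameid.xml, and the attribute-filter policy that actually releases that source attribute to the requester. The following Python script is an added example, not code from this thread or from the Shibboleth project; it parses constructed fragments modelled on the configs above (with example.edu standing in for a real Google Apps domain) and reports any of those three links that is broken. Its handling of the SpEL `#{ {'x'} }` literal and of filter rules (only `Requester` and `ANY` policy rules) is a deliberate simplification.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the three file types (IdP v3 conventions).
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BEANS = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"
AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"

# Constructed sample fragments (assumption: example.edu is a placeholder domain).
SP_ENTITY_ID = "google.com/a/example.edu"

SP_METADATA = """<EntityDescriptor entityID="google.com/a/example.edu"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.edu/acs" />
  </SPSSODescriptor>
</EntityDescriptor>"""

# The generator from the original question: 2.0 unspecified, sourced from 'mail'.
SAML_NAMEID = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
      p:attributeSourceIds="#{ {'mail'} }" />
</beans>"""

# The generator from the working answer: 1.1 emailAddress, sourced from google-principal.
SAML_NAMEID_FIXED = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'google-principal'} }" />
</beans>"""

ATTRIBUTE_FILTER = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="google-principal">
    <PolicyRequirementRule xsi:type="Requester" value="google.com/a/example.edu" />
    <AttributeRule attributeID="google-principal">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""


def sp_nameid_formats(metadata_xml):
    """NameID formats the SP advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.text.strip() for e in root.iter(MD + "NameIDFormat") if e.text}


def generator_formats(nameid_xml):
    """Map each attribute-sourced generator's format to the attribute IDs it reads."""
    root = ET.fromstring(nameid_xml)
    gens = {}
    for bean in root.iter(BEANS + "bean"):
        fmt = bean.get(P + "format")
        if not fmt:
            continue
        # p:attributeSourceIds is a SpEL list literal such as "#{ {'mail'} }";
        # pull out the quoted names (simplified parsing, assumption).
        src = bean.get(P + "attributeSourceIds", "")
        gens[fmt] = set(re.findall(r"'([^']+)'", src))
    return gens


def released_attributes(filter_xml, requester):
    """Attribute IDs the filter releases to this requester (Requester/ANY rules only)."""
    root = ET.fromstring(filter_xml)
    released = set()
    for policy in root.iter(AFP + "AttributeFilterPolicy"):
        req = policy.find(AFP + "PolicyRequirementRule")
        if req is None:
            continue
        kind = req.get(XSI + "type")
        if kind == "ANY" or (kind == "Requester" and req.get("value") == requester):
            for rule in policy.iter(AFP + "AttributeRule"):
                if rule.find(AFP + "PermitValueRule") is not None:
                    released.add(rule.get("attributeID"))
    return released


def check_nameid_config(metadata_xml, nameid_xml, filter_xml, requester):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    wanted = sp_nameid_formats(metadata_xml)
    gens = generator_formats(nameid_xml)
    usable = wanted & set(gens)
    if not usable:
        findings.append(f"no generator matches SP formats {sorted(wanted)}; "
                        f"configured: {sorted(gens)}")
    released = released_attributes(filter_xml, requester)
    for fmt in usable or gens:
        missing = gens[fmt] - released
        if missing:
            findings.append(f"generator for {fmt} reads {sorted(missing)}, "
                            f"not released to {requester} by the attribute filter")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAML_NAMEID), ("fixed", SAML_NAMEID_FIXED)):
        print(label, check_nameid_config(SP_METADATA, cfg, ATTRIBUTE_FILTER, SP_ENTITY_ID) or "OK")
```

Run against the original question's generator it reports two findings (format mismatch with the SP metadata, and `mail` not released to the requester); against the working configuration it reports none, which matches the point in the answer that the source attribute must pass the filter even though it carries no encoder and is never released as an attribute.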