Google Apps + v3 Idp (again)

Andrew Morgan morgan at
Wed Apr 20 12:42:02 EDT 2016

On Wed, 20 Apr 2016, Dave Perry wrote:

> Just checking, did you change anything in the file 
> Currently I have all lines commented out.

The only lines I have uncommented in are:

idp.persistentId.sourceAttribute = uid
idp.persistentId.useUnfilteredAttributes = true

I don't think these are relevant for the Google configuration I'm using...

> I managed to get hold of a google SAML specialist, and so far they are 
> just as baffled. They suggested trying a couple of different nameID 
> formats (urn:oasis:names:tc:SAML:2.0:nameid-format:email and 
> unspecified), ignoring the unspecified one the 2.0-email one just gave 
> an error:
> Trying to generate NameID with Format 
> urn:oasis:names:tc:SAML:2.0:nameid-format:email 2016-04-20 10:28:26,063 
> - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - 
> Profile Action AddNameIDToSubjects: Error while generating NameID 
> org.opensaml.saml.common.SAMLException: Invalid 
> NameIdentifierGenerationService configuration

I think the important question is - what does your SAML assertion to 
Google look like?  Is it signed by the same certificate you uploaded to 
Google as the "Verification certificate"?  Does it contain the Google 
username, exactly as listed by Google, in the SAML NameID?


More information about the users mailing list