Google Apps + v3 Idp (again)
Andrew Morgan
morgan at orst.edu
Wed Apr 20 12:42:02 EDT 2016
On Wed, 20 Apr 2016, Dave Perry wrote:
> Just checking, did you change anything in the file
> saml-nameid.properties? Currently I have all lines commented out.
The only lines I have uncommented in saml-nameid.properties are:
idp.persistentId.sourceAttribute = uid
idp.persistentId.useUnfilteredAttributes = true
I don't think these are relevant for the Google configuration I'm using...
> I managed to get hold of a Google SAML specialist, and so far they are
> just as baffled. They suggested trying a couple of different NameID
> formats (urn:oasis:names:tc:SAML:2.0:nameid-format:email and
> unspecified); ignoring the unspecified one, the 2.0-email one just gave
> an error:
>
> Trying to generate NameID with Format
> urn:oasis:names:tc:SAML:2.0:nameid-format:email
> 2016-04-20 10:28:26,063 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
> org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
I think the important question is - what does your SAML assertion to
Google look like? Is it signed by the same certificate you uploaded to
Google as the "Verification certificate"? Does it contain the Google
username, exactly as listed by Google, in the SAML NameID?
Thanks,
Andy
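A quick way to answer the three questions above from a captured login, as an added example that is not part of this thread and not Shibboleth project code: it takes the base64 SAML Response a browser SAML tracer shows, reports the NameID Format and value, checks the value against the Google username, and compares every certificate carried in the message's ds:KeyInfo against the "Verification certificate" PEM uploaded to Google by SHA-256 fingerprint of the DER bytes. The set of NameID formats it treats as valid is the list from SAML 2.0 Core section 8.3; "urn:oasis:names:tc:SAML:2.0:nameid-format:email" is not among them. The sample Response, the user name, the hostnames and the certificate bytes are constructed placeholders, and the script only compares certificates, it does not verify the XML signature.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# NameID formats defined in SAML 2.0 Core, section 8.3. Anything else (for
# example "urn:oasis:names:tc:SAML:2.0:nameid-format:email") is not a SAML
# format, so no NameID generator on the IdP side will match it.
KNOWN_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}
# Per SAML 2.0 Core, a NameID with no Format attribute means "unspecified".
DEFAULT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 over the DER bytes of a base64 certificate. PEM armour and all
    whitespace are stripped first, so the text inside <ds:X509Certificate>
    and the PEM file uploaded to Google compare on the same bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    body = re.sub(r"\s+", "", body)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def inspect_response(response_b64: str, google_username: str, uploaded_pem: str) -> dict:
    """Decode a base64 SAML Response (as shown by a browser SAML tracer) and
    report the NameID format/value and whether any signing certificate carried
    in the message matches the one uploaded to Google. This only compares
    certificates; it does not verify the XML signature itself."""
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <saml:Assertion> in Response (encrypted, or not a Response)")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("assertion carries no <saml:NameID>")
    fmt = nameid.get("Format", DEFAULT_FORMAT)
    value = (nameid.text or "").strip()
    # The signature (and its certificate) may sit on the Response, on the
    # Assertion, or on both, so collect every certificate in the message.
    certs = {cert_fingerprint(c.text or "") for c in root.iter("{%s}X509Certificate" % NS["ds"])}
    return {
        "nameid_format": fmt,
        "nameid_format_known": fmt in KNOWN_NAMEID_FORMATS,
        "nameid_value": value,
        "nameid_matches_google_user": value == google_username,
        "signing_cert_fingerprints": sorted(certs),
        "cert_matches_uploaded": cert_fingerprint(uploaded_pem) in certs,
    }


# Constructed sample data: a stand-in for DER bytes (not a real certificate)
# and a minimal Response with one signed Assertion. Hostnames and the user
# name are placeholders.
FAKE_DER_B64 = base64.b64encode(b"constructed stand-in for DER certificate bytes").decode()
UPLOADED_PEM = "-----BEGIN CERTIFICATE-----\n" + FAKE_DER_B64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-04-20T14:28:26Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-20T14:28:26Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_DER_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dave.perry@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE_B64, "dave.perry@example.com", UPLOADED_PEM)
    for key, val in report.items():
        print(f"{key}: {val}")
```

To use it on a real login, paste the base64 SAMLResponse value from the tracer in place of SAMPLE_RESPONSE_B64 and the PEM you uploaded to Google in place of UPLOADED_PEM; a cert_matches_uploaded of False means Google is checking the signature with the wrong key, and a nameid_matches_google_user of False means the Subject does not name the Google account even if the signature is fine.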