Question about G Suite authentication via Shibboleth.
Ernie.Kinsey at cpcc.edu
Thu Aug 17 07:59:38 EDT 2017
I'm having problems getting G Suite to work properly with Shibboleth. What seems to be happening is that the "nameid-format" of the "NameID" attribute is being delivered as "transient", as in:
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp-test.cpcc.edu/idp/shibboleth" SPNameQualifier="google.com">AAdzZWNyZXQx95Th/b1Mlxm2jEP4c7FNo19z0EBTZWm38vkumXm1Mlrtj4UqsdHMotpDVLbwU/yf2qg+Bz1BNT0Z2x87/+eg2uf8DA76XTEZkr7GfBcrqEGa</saml2:NameID>
Based on the Google documentation, it's supposed to be "email" (for SAML 1.1) or "emailAddress" (for SAML 2.0).
I've mucked around in the assorted configuration files in the /conf folder, but I can't seem to force this attribute to be anything other than "transient". To compound the problem, since the attribute IS "transient", the value I can see in the SAML message is "obscured" and I have no idea what value is actually being sent to G Suite - and the G Suite logging is inadequate to see what it thinks it's getting.
Any help would be appreciated. For what it’s worth, I’ve done some due diligence by looking through the other items posted here that seem relevant to this problem, but am still stumped.
Ernest K. Kinsey, Jr.
Information Technology and Research Services
Central Piedmont Community College
Charlotte, NC 28255
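An added diagnostic example, not part of the original post and not Shibboleth or Google code: it reads a decoded SAML message and reports which NameID Format and value the IdP actually released, flagging the transient-versus-emailAddress mismatch described above. The function name, the expected-format default and the sample hosts and values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Format URI the SAML spec defines for e-mail identifiers; assumed to be what the SP expects.
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_nameid(xml_text, expected_format=EMAIL):
    """Report the NameID Format/value in a decoded SAML message and list mismatches."""
    root = ET.fromstring(xml_text)
    tag = "{%s}NameID" % SAML2
    # The input may be a bare NameID fragment or a full Response/Assertion.
    nameid = root if root.tag == tag else root.find(".//" + tag)
    if nameid is None:
        return {"found": False, "format": None, "value": None,
                "problems": ["no cleartext NameID (missing or encrypted)"]}
    fmt = nameid.get("Format")
    value = (nameid.text or "").strip()
    problems = []
    if fmt != expected_format:
        problems.append("Format is %r, expected %r" % (fmt, expected_format))
    if fmt == TRANSIENT:
        problems.append("transient value is an opaque temporary handle, not a user identifier")
    elif expected_format == EMAIL and "@" not in value:
        problems.append("value does not look like an e-mail address")
    return {"found": True, "format": fmt, "value": value,
            "sp": nameid.get("SPNameQualifier"), "problems": problems}

# Constructed samples (hypothetical hosts and values, not taken from a real IdP).
SAMPLE_TRANSIENT = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                  NameQualifier="https://idp.example.org/idp/shibboleth"
                  SPNameQualifier="sp.example.org">CONSTRUCTED-OPAQUE-HANDLE</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

SAMPLE_EMAIL = SAMPLE_TRANSIENT.replace(TRANSIENT, EMAIL).replace(
    "CONSTRUCTED-OPAQUE-HANDLE", "user@example.org")

if __name__ == "__main__":
    for name, doc in (("transient", SAMPLE_TRANSIENT), ("email", SAMPLE_EMAIL)):
        result = check_nameid(doc)
        print(name, result["format"], result["value"], result["problems"] or "OK")
```

Run it against a message captured from your own IdP's test login; the input must be the decoded XML, not the base64 form posted by the browser.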