SSO with multiple Google domains
Boyd, Todd M.
tmboyd1 at ccis.edu
Thu Nov 2 11:34:28 EDT 2017
My only experience thus far with RelayState has been in an "unsolicited" SSO scenario, where our IdP was the system providing that RelayState to the SP. It was up to the SP to parse it and push it through their authentication/authorization logic.
-Todd
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Thursday, November 2, 2017 10:29:22 AM
To: Shib Users
Subject: RE: SSO with multiple Google domains
> Google is suggesting using the relay state of the authentication request to
> derive domain information which can then be used to build the appropriate
> email address for the SAML response. Is this something that can be done in
> the IdP?
You can control the RelayState if using unsolicited responses starting at the IdP, otherwise it's whatever came from the SP.
> Are there other options/recommendations?
I don't know enough about how broken their system is to really comment on what else might be possible. I think somebody needs to tell Google to fix their code.
-- Scott