SSO with multiple Google domains

Boyd, Todd M. tmboyd1 at ccis.edu
Thu Nov 2 11:34:28 EDT 2017


My only experience thus far with RelayState has been in an "unsolicited" SSO scenario, where our IdP was the system providing that RelayState to the SP. It was up to the SP to parse it and push it through their authentication/authorization logic.

-Todd

    
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Thursday, November 2, 2017 10:29:22 AM
To: Shib Users
Subject: RE: SSO with multiple Google domains
    
> Google is suggesting using the relay state of the authentication request to
> derive domain information which can then be used to build the appropriate
> email address for the SAML response.  Is this something that can be done in
> the IdP?

You can control the RelayState if using unsolicited responses starting at the IdP, otherwise it's whatever came from the SP.

> Are there other options/recommendations?

I don't know enough about how broken their system is to really comment on what else might be possible. I think somebody needs to tell Google to fix their code.

-- Scott
