Broken GSuite Auth in Prep for IdPV4

Kevin Ratcliffe kratcliffe at
Sun Aug 16 18:48:09 UTC 2020


I had a working Google GSuite configuration before I started removing all the deprecated namespaces and such from my IdP. Could someone help me get a v4-compatible GSuite configuration, please?

On the shib docs site there are some instructions which kind of work but aren't appropriate because we have different domains as email addresses and we only have one Google domain.

See below for (what I think are) the relevant parts of my old working configuration.

Thanks in advance for any help.

    <!-- Google Apps -->
    <AttributeFilterPolicy id="allowPrincipalToGoogle">
        <PolicyRequirementRule xsi:type="Requester" value="" />
        <AttributeRule attributeID="principal">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- principal for Google Apps for Education -->
    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Uncommenting this bean requires configuration in -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:attributeSourceIds="#{ {'principal'} }" />

    </util:list>

Kevin Ratcliffe
Network & IT Systems Support
The Sixth Form Bolton
T: 01204 846215
E: kratcliffe at