Google Apps + v3 Idp (again)

Google Apps + v3 Idp (again)

Dave Perry

I am utterly confused (nothing new there, but I’ll attempt to explain this one).

I have a relying-party entry which I believe others have used:

        <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>

 

I have a request from Google in my log which asks for NameID as unspecified:

<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
    ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
    IssueInstant="2016-04-13T09:39:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>

And Google’s own metadata download (taken from the GA admin control panel), which has a weird entityID of https://accounts.google.com/o/saml2?idpid=C04au2c47, specifies emailAddress as the NameID policy (somewhat contradictory to the request the IdP gets):

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

My error log says there is no entry to handle entityID google.com in relying-party:

2016-04-13 10:39:52,256 - DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:334] - Metadata backing store does not contain any EntityDescriptors with the ID: google.com

Even editing the metadata file they provide, to the following first line:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">

doesn’t work.

Any suggestions appreciated.

Thanks,

Dav

_________________________________________________

Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try [hidden email] *

This message is sent in confidence for the addressee  only.  It may contain confidential or sensitive  information.  The contents are not to be disclosed  to anyone other than the addressee.  Unauthorised  recipients are requested to preserve this  confidentiality and to advise us of any errors in  transmission.  Any views expressed in this message  are solely the views of the individual and do not  represent the views of the College.  Nothing in this  message should be construed as creating a contract.

Hull College Group owns the email infrastructure, including the contents.

Hull College Group is committed to sustainability, please reflect before printing this email.


--
To unsubscribe from this list send an email to [hidden email]

Re: Google Apps + v3 Idp (again)

Dan Oachs
We recently got idp 3 working for our Google Apps accounts.  Here is what I know:

Added this to relying-party.xml in the shibboleth.RelyingPartyOverrides section.

        <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" p:encryptAssertions="false" />
                </list>
            </property>
        </bean>


Added this to metadata-providers.xml

    <MetadataProvider id="GoogleMD"
                  xsi:type="FilesystemMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataFile="%{idp.home}/metadata/google-metadata.xml"/>

Added this to the saml-nameid.xml file in the shibboleth.SAML2NameIDGenerators section

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'principal','uid'} }" />

Hopefully I remembered all the steps but I may have missed something.  Hope that helps anyway.

    Thanks,
        Dan Oachs
        Gustavus Adolphus College




Re: Google Apps + v3 Idp (again)

Cantor, Scott E.
In reply to this post by Dave Perry
On 4/13/16, 6:22 AM, "users on behalf of Dave Perry" <[hidden email] on behalf of [hidden email]> wrote:



>I have a request from google in my log which asks for NameID as unspecified:

The IdP ignores that, as we documented, at length. It doesn't matter that it asks for that, and I believe it's been proven by at least one person that Google *doesn't* require any given Format at all, so using "unspecified" would be a mistake.

>And google’s own metadata download (taken from the GA admin control panel) which has a weird entityID of
>https://accounts.google.com/o/saml2?idpid=C04au2c47

I don't believe that's the relevant metadata. Pretty sure the entityID is google.com (also invalid, but whatever, it is what it is).

>Even editing the metadata file they provide, to the following first line:
><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com" validUntil="2021-04-12T08:53:16.000Z">
>Doesn’t work.

Given that they don't support encryption, the metadata is simple: use their entityID and insert an AssertionConsumerService that matches the binding and URL they sent you in the AuthnRequest. No KeyDescriptor. That should be it.

-- Scott


RE: Google Apps + v3 Idp (again)

Dave Perry
In reply to this post by Dan Oachs

Thanks Dan. What was your metadata file? Scott’s reply suggests their one is overly complicated with things that may as well not be there.

Dave

 


Re: Google Apps + v3 Idp (again)

Dan Oachs
I forget exactly where in the Google Apps Admin pages we found a link to the metadata file, but this is what ours looks like.

<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/gustavus.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>


    Thanks,
        Dan Oachs
        Gustavus Adolphus College



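Scott's description of the minimal metadata (their entityID, one AssertionConsumerService matching the binding and URL in the AuthnRequest, no KeyDescriptor) and Dan's file above both come down to the same two facts the IdP checks before it will answer: the Issuer of the request must resolve to an EntityDescriptor, and the ACS URL in an unsigned request must be an endpoint that metadata declares, otherwise the IdP would hand assertions to whatever URL the request named. The script below is an added example, not code from the thread or from Shibboleth: it builds that minimal metadata from the AuthnRequest Dave pasted and runs both checks against it. The request and the entityIDs are the ones quoted in the thread; everything else is constructed, and only the standard library is used.

```python
"""
Build the minimal SP metadata for Google Apps from the AuthnRequest it sends, and
check an existing metadata file against a request the way the IdP does before it
honours AssertionConsumerServiceURL. Added example; standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
MD = "{%s}" % NS["md"]
UNSPECIFIED_11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: the AuthnRequest quoted in the thread, without the mail-filter damage.
AUTHN_REQUEST = """<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://www.google.com/a/hull-college.ac.uk/acs"
    ID="achibhchkpnnlacecgddfgbpfdallakncgfgofab" IsPassive="false"
    IssueInstant="2016-04-13T09:39:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="google.com" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Return (issuer, binding, acs_url) from an AuthnRequest; missing parts come back as None."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return (
        issuer.text.strip() if issuer is not None and issuer.text else None,
        root.get("ProtocolBinding"),
        root.get("AssertionConsumerServiceURL"),
    )


def minimal_sp_metadata(entity_id, binding, acs_url, name_id_format=None):
    """entityID + SPSSODescriptor + one ACS endpoint, no KeyDescriptor (Google does no encryption)."""
    ET.register_namespace("md", NS["md"])
    ed = ET.Element(MD + "EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, MD + "SPSSODescriptor",
                       {"protocolSupportEnumeration": NS["samlp"]})
    if name_id_format:
        ET.SubElement(sp, MD + "NameIDFormat").text = name_id_format
    ET.SubElement(sp, MD + "AssertionConsumerService",
                  {"index": "1", "Binding": binding, "Location": acs_url})
    return ET.tostring(ed, encoding="unicode")


def acs_endpoints(metadata_xml):
    """Set of (Binding, Location) pairs the metadata declares."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iter(MD + "AssertionConsumerService")}


def request_matches_metadata(request_xml, metadata_xml):
    """
    The two checks behind the thread's symptoms: the Issuer must be the metadata's
    entityID (or the IdP logs 'Metadata backing store does not contain any
    EntityDescriptors with the ID ...'), and the binding + ACS URL named by the
    unsigned request must be an endpoint the metadata lists. Returns a list of
    problems; an empty list means the request would be honoured.
    """
    issuer, binding, acs_url = parse_authn_request(request_xml)
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.get("entityID") != issuer:
        problems.append("entityID %r does not match Issuer %r" % (root.get("entityID"), issuer))
    if (binding, acs_url) not in acs_endpoints(metadata_xml):
        problems.append("ACS %s via %s is not declared in metadata" % (acs_url, binding))
    return problems


if __name__ == "__main__":
    issuer, binding, acs = parse_authn_request(AUTHN_REQUEST)
    meta = minimal_sp_metadata(issuer, binding, acs, UNSPECIFIED_11)
    print(meta)
    print(request_matches_metadata(AUTHN_REQUEST, meta))   # []
    # The admin-console download carries a different entityID, so it can never match:
    wrong = minimal_sp_metadata("https://accounts.google.com/o/saml2?idpid=C04au2c47", binding, acs)
    print(request_matches_metadata(AUTHN_REQUEST, wrong))
```

Run it as-is and the generated file is the same shape as Dan's; point `request_matches_metadata` at a real metadata file and a request copied from the IdP log to see which of the two checks is failing before touching relying-party.xml.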

RE: Google Apps + v3 Idp (again)

Dave Perry

I was offered a metadata download on the SSO Settings page. But that was the bloated one.

That is soooo much better, thanks!

BUT it is failing to generate a NameID.

I can confirm that the attribute I set it to use (mail) is getting a value from LDAP:

2016-04-13 15:11:17,421 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:247] - Attribute Definition 'mail': produced an attribute with the following values [StringAttributeValue{value=[hidden email]}]

But it doesn’t seem to like that when it comes to packaging it:

2016-04-13 15:11:17,573 - DEBUG [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:183] - Checking for source attribute mail
2016-04-13 15:11:17,574 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:213] - Attribute sources [mail] did not produce a usable identifier
2016-04-13 15:11:17,574 - DEBUG [org.opensaml.saml.saml2.profile.AbstractSAML2NameIDGenerator:92] - No identifier to use
2016-04-13 15:11:17,575 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:341] - Profile Action AddNameIDToSubjects: Unable to generate a NameID, leaving empty

Should I be adding anything in attribute-filter, or is NameID sufficient (when it behaves)?

 


Re: Google Apps + v3 Idp (again)

Cantor, Scott E.
On 4/13/16, 10:34 AM, "users on behalf of Dave Perry" <[hidden email] on behalf of [hidden email]> wrote:



>Should I be adding anything in attribute-filter, or is NameID sufficient (when it behaves)?

As documented, the default generation process for a custom Format is to allow only released attributes to be sourced. You can bypass that if you choose.

-- Scott


RE: Google Apps + v3 Idp (again)

Dave Perry
OK, thanks for that.
The Response it sends back to Google includes my email address in the NameID. Hurrah.
It also sends the mail attribute in a separate part of it (AttributeStatement), but still the same error.


Reply | Threaded
Open this post in threaded view
|

Re: {Disarmed} Re: Google Apps + v3 Idp (again)

Cantor, Scott E.
On 4/13/16, 11:18 AM, "users on behalf of Dave Perry" <[hidden email] on behalf of [hidden email]> wrote:



>OK thanks for that.
>The Response it sends back to google includes my email address in the nameID. Hurrah.
>It also sends the mail attribute in a separate part of it (AttributeStatement), but still the same error.

You can prevent the duplication if it matters (one way being just turning includeAttributeStatement off for that RP), but it generally doesn't.

You never said what the error was, but since I'm sure it's coming from Google, that isn't really for me to diagnose.


-- Scott


RE: {Disarmed} Re: Google Apps + v3 Idp (again)

Dave Perry
Oops my bad. The error is:
This account cannot be accessed because the login credentials could not be verified.

(I tried the includeAttributeStatement=false thing, but like you thought it made no difference to the end result).


Re: {Disarmed} Re: Google Apps + v3 Idp (again)

Cantor, Scott E.
On 4/13/16, 11:35 AM, "users on behalf of Dave Perry" <[hidden email] on behalf of [hidden email]> wrote:



>Oops my bad. The error is:
>This account cannot be accessed because the login credentials could not be verified.

I think that means it's not finding the username, so I guess you could switch it back to "unspecified" as a Format and try that.

-- Scott


Re: Google Apps + v3 Idp (again)

Dan Oachs
In reply to this post by Dave Perry
Pretty sure that is the exact error we were seeing until we added the
bean for nameid-format:unspecified in the saml-nameid.xml file.

In case it helps, here are the important bits in our attribute-filter.xml

     <AttributeFilterPolicy id="releaseToAnyone">
         <PolicyRequirementRule xsi:type="ANY" />
         <AttributeRule attributeID="uid">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
         <AttributeRule attributeID="mail">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
         <AttributeRule attributeID="principal">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>


     Thanks,
         Dan Oachs
         Gustavus Adolphus College



RE: Google Apps + v3 Idp (again)

Dave Perry
Thanks.

I have this in the saml-nameid.xml file:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'mail'} }" />

I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
But changing that to 2.0 didn't work either.

Their support chat people are denying that they have any access to SAML logs. These non-standard software types, grr.


Re: Google Apps + v3 Idp (again)

Dan Oachs
I don't think they want you to send a full email address.  Just a
username.  At least that is what worked for us.

     Thanks,
         Dan Oachs


Re: Google Apps + v3 Idp (again)

Greg Haverkamp

On Wed, Apr 13, 2016 at 9:09 AM, Dan Oachs <[hidden email]> wrote:
I don't think they want you to send a full email address.  Just a username.  At least that is what worked for us.

They accept a full email address and have for years.  (At one point, their documentation had said that they would eventually require it, but that disappeared a couple of years ago.)  If you have secondary domains, those do require the full email address. 

Greg 


Re: Google Apps + v3 Idp (again)

Cantor, Scott E.
In reply to this post by Dave Perry
On 4/13/16, 12:06 PM, "users on behalf of Dave Perry" <[hidden email] on behalf of [hidden email]> wrote:



>Thanks.
>
>I have this in the saml-nameid.xml file:
><bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>            p:attributeSourceIds="#{ {'mail'} }" />

That's wrong.

>
>I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
>        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
>But changing that to 2.0 didn't work either.

That Format does not exist. It's 1.1.

-- Scott
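The mistake Scott points at (a "2.0" version prefix on a Format that only exists under the SAML 1.1 URN) is easy to make and silently produces a NameID nobody recognises. The following is an added Python check, not code from this thread or from the Shibboleth project: it parses a saml-nameid.xml-style Spring bean file with the standard library, compares the p:format of every shibboleth.SAML2AttributeSourcedGenerator bean against the Format URIs defined in SAML 2.0 Core section 8.3, and suggests the other version prefix when a 1.1/2.0 mix-up is the likely cause. The sample configuration embedded in it is constructed for the example.

```python
"""Lint the NameID Format URIs in a saml-nameid.xml-style Spring bean file.

Added example for this thread, not Shibboleth project code. Standard library
only. The sample configuration at the bottom is constructed.
"""
import xml.etree.ElementTree as ET

# Format URIs defined in SAML 2.0 Core, section 8.3. The four "1.1" ones are
# carried over from SAML 1.1; there is no "2.0 ... unspecified".
KNOWN_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
})

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
GENERATOR_PARENT = "shibboleth.SAML2AttributeSourcedGenerator"


def suggest_format(fmt):
    """Return the known URI that differs only in the SAML version prefix, if any."""
    for old, new in (("SAML:2.0:", "SAML:1.1:"), ("SAML:1.1:", "SAML:2.0:")):
        candidate = fmt.replace(old, new, 1)
        if candidate in KNOWN_NAMEID_FORMATS:
            return candidate
    return None


def lint_nameid_generators(xml_text):
    """Return one dict per attribute-sourced NameID generator bean, in file order.

    Each dict carries the bean's p:format, its p:attributeSourceIds and a
    'finding': 'ok', 'format not set ...' or 'unknown format ...' with a hint.
    """
    root = ET.fromstring(xml_text)
    results = []
    for bean in root.iter(f"{{{BEANS_NS}}}bean"):  # recursive, includes util:list children
        if bean.get("parent") != GENERATOR_PARENT:
            continue
        fmt = bean.get(f"{{{P_NS}}}format")
        entry = {"format": fmt, "sources": bean.get(f"{{{P_NS}}}attributeSourceIds")}
        if fmt is None:
            entry["finding"] = "format not set; confirm what the generator emits by default"
        elif fmt in KNOWN_NAMEID_FORMATS:
            entry["finding"] = "ok"
        else:
            hint = suggest_format(fmt)
            entry["finding"] = "unknown format" + (f"; did you mean {hint}?" if hint else "")
        results.append(entry)
    return results


# Constructed sample: the 2.0/unspecified typo from the thread, a correct
# emailAddress generator scoped to one relying party, and one with no format.
SAMPLE_SAML_NAMEID_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'mail'} }" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'google-principal'} }">
      <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com" />
      </property>
    </bean>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:attributeSourceIds="#{ {'uid'} }" />
  </util:list>
</beans>
"""

if __name__ == "__main__":
    for entry in lint_nameid_generators(SAMPLE_SAML_NAMEID_XML):
        print(f"{entry['format']!s:62} {entry['sources']!s:28} {entry['finding']}")
```

Run it against the real file with `lint_nameid_generators(open("saml-nameid.xml").read())`; anything other than `ok` is worth a second look before the IdP is restarted, and the "format not set" case is reported rather than judged because the example does not assume what the generator's default is.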


Re: Google Apps + v3 Idp (again)

Greg Haverkamp
In reply to this post by Cantor, Scott E.
On Wed, Apr 13, 2016 at 6:33 AM, Cantor, Scott <[hidden email]> wrote:
On 4/13/16, 6:22 AM, "users on behalf of Dave Perry" <[hidden email] on behalf of [hidden email]> wrote:



>I have a request from google in my log which asks for NameID as unspecified:

The IdP ignores that, as we documented, at length. It doesn't matter that it asks for that, and I believe it's been proven by at least one person that Google *doesn't* require any given Format at all, so using "unspecified" would be a mistake.

That's been our experience.  In fact, not one of the services that previously used unspecified actually required it; after you had mentioned in passing testing it, I ran through and removed all of our unspecifieds during our v3 upgrade.  Nor did a recent vendor that came to us saying they required it actually require it when challenged.  (They didn't need a tailored NameID at all, it turned out, and lived just fine off of an attribute.)

We use:

and this:
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:attributeSourceIds="#{ {'googlePrincipal'} }" />

(Due to our secondary domains, and the fact that the email addresses clash with the official, "advertised" email address, we store the Google account in a separate attribute.)

 

>And google’s own metadata download (taken from the GA admin control panel) which has a weird entityID of
>https://accounts.google.com/o/saml2?idpid=C04au2c47

I don't believe that's the relevant metadata. Pretty sure the entityID is google.com (also invalid, but whatever, it is what it is).

That's for Google's SAML IdP service.
 
Greg


RE: Google Apps + v3 Idp (again)

Andrew Morgan
In reply to this post by Dave Perry
On Wed, 13 Apr 2016, Dave Perry wrote:

> Thanks.
>
> I have this in the saml-nameid.xml file:
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
>            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
>            p:attributeSourceIds="#{ {'mail'} }" />
>
> I noticed that the metadata has SAML 1.1 mentioned in the appropriate line:
>        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
> But changing that to 2.0 didn't work either.
>
> Their support chat people are denying that they have any access to SAML
> logs. These non-standard software types, grr.

Dave,

Here is our working configuration for Google.

saml-nameid.xml:

         <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
             p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
             p:attributeSourceIds="#{ {'google-principal'} }">
             <property name="activationCondition">
                 <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/oregonstate.edu" />
             </property>
         </bean>


relying-party.xml:

         <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'google.com/a/oregonstate.edu'}}">
             <property name="profileConfigurations">
                 <list>
                     <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
                 </list>
             </property>
         </bean>


attribute-resolver.xml:

     <!-- Google oregonstate.edu NameID attribute -->
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="google-principal" sourceAttributeID="googlePrincipalName">
         <resolver:Dependency ref="ONIDLDAP" />
     </resolver:AttributeDefinition>


attribute-filter.xml:

     <!-- Google oregonstate.edu principal -->
     <AttributeFilterPolicy id="google-orst-principal">
         <PolicyRequirementRule xsi:type="Requester" value="google.com/a/oregonstate.edu" />
         <AttributeRule attributeID="google-principal">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>


metadata/google-orst.xml:

<EntityDescriptor entityID="google.com/a/oregonstate.edu" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
         <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                 <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
                 <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/oregonstate.edu/acs" />
         </SPSSODescriptor>
</EntityDescriptor>


Make sure you don't release ANY attributes to Google.  They don't want any
attributes.  If you look closely, you'll see that we don't have any
encoders on the google-principal attribute, so it can never be released as
an attribute.

  Andy

RE: Google Apps + v3 Idp (again)

Dave Perry
That (with the odd change) has got me to the same point I reached yesterday - I have a SAML response which has my email address in the NameID, in the right format according to DEBUG. But Google is still rejecting it. No attribute beyond the NameID being released.

Would you be willing to share a response, with your certificate element snipped, for me to compare to?


Thanks,
Dave


RE: Google Apps + v3 Idp (again)

Cantor, Scott E.
> That (with the odd change) has got me to the same point I reached yesterday
> - I have a SAML response which has my email address in the NameID, in the
> right format according to DEBUG. But google is still rejecting it. No attribute
> beyond the nameID being released.

And you're 100% sure that the user accounts in Google are identified with the full address? What happens if you pass only the username?

-- Scott
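Dave asked above for a response to compare against, and the replies from Andrew ("don't release ANY attributes") and Scott ("what happens if you pass only the username?") each name one field of the Response to look at. The following is an added Python inspector, not code from this thread, from Shibboleth or from Google: given an unencrypted SAML 2.0 Response as logged at DEBUG level, it pulls out the NameID Format and value, whether that value is a full address or a bare username, whether an AttributeStatement went out, and the Audience, Recipient and Destination, so two responses can be compared line by line. It does not validate the XML signature. The sample response, its identifiers and domains are constructed for the example.

```python
"""Inspect an unencrypted SAML 2.0 Response captured from IdP DEBUG logging.

Added example for this thread, not Shibboleth or Google code. Reports the
fields the thread argues about; does not check the XML signature.
The sample response at the bottom is constructed.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def _q(ns, *names):
    """Build a Clark-notation path such as {ns}Subject/{ns}NameID."""
    return "/".join(f"{{{ns}}}{n}" for n in names)


def inspect_response(xml_text):
    """Return a dict describing the Response's status, subject and scoping."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(SAMLP, "Response"):
        raise ValueError(f"not a samlp:Response: {root.tag}")
    assertion = root.find(_q(SAML, "Assertion"))
    if assertion is None:
        if root.find(_q(SAML, "EncryptedAssertion")) is not None:
            raise ValueError("assertion is encrypted; log with encryptAssertions=false or decrypt first")
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find(_q(SAML, "Subject", "NameID"))
    status = root.find(_q(SAMLP, "Status", "StatusCode"))
    audience = assertion.find(_q(SAML, "Conditions", "AudienceRestriction", "Audience"))
    scd = assertion.find(_q(SAML, "Subject", "SubjectConfirmation", "SubjectConfirmationData"))
    value = (name_id.text or "").strip() if name_id is not None else None
    return {
        "issuer": (root.findtext(_q(SAML, "Issuer")) or "").strip(),
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "nameid_value": value,
        "nameid_is_email": bool(value) and "@" in value,   # full address vs bare username
        "has_attribute_statement": assertion.find(_q(SAML, "AttributeStatement")) is not None,
        "audience": (audience.text or "").strip() if audience is not None else None,
        "recipient": scd.get("Recipient") if scd is not None else None,
    }


def google_findings(report):
    """List mismatches against what the thread says Google's metadata asks for."""
    findings = []
    if report["status"] != SUCCESS:
        findings.append(f"status is {report['status']}, not Success")
    if not report["nameid_value"]:
        findings.append("no NameID in the Subject; nothing identifies the account")
    elif report["nameid_format"] not in (EMAIL_FORMAT, UNSPECIFIED_FORMAT):
        findings.append(f"NameID Format {report['nameid_format']} is neither emailAddress "
                        "(Google's metadata) nor unspecified")
    if report["has_attribute_statement"]:
        findings.append("AttributeStatement present; Google wants the NameID only "
                        "(includeAttributeStatement=false on the RP removes it)")
    if report["recipient"] and report["destination"] and report["recipient"] != report["destination"]:
        findings.append("SubjectConfirmationData Recipient differs from the Response Destination")
    return findings


# Constructed sample (no signature, made-up IDs and domains): emailAddress
# NameID plus a 'mail' attribute that the thread says Google does not want.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2016-04-13T10:39:52Z" InResponseTo="_req1"
    Destination="https://www.google.com/a/example.ac.uk/acs">
  <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-13T10:39:52Z">
    <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jsmith@example.ac.uk</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.ac.uk/acs"
            NotOnOrAfter="2016-04-13T10:44:52Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-04-13T10:39:52Z" NotOnOrAfter="2016-04-13T10:44:52Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">
        <saml:AttributeValue>jsmith@example.ac.uk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE)
    for key, val in report.items():
        print(f"{key:24} {val}")
    for line in google_findings(report):
        print("FINDING:", line)
```

Running `inspect_response` on a response pasted from idp-process.log gives a flat dict that can be diffed against someone else's; `google_findings` only encodes what this thread states (emailAddress or unspecified Format, no attributes), and deliberately does not decide between full address and bare username, because Dan and Greg report different experiences on that point.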
