Comment: Simplification

Overview

This page describes how to get the Shibboleth IdP 3.4.x working with Google Apps for Education.

...

In the code below, replace university.edu with your Google domain.

...

Code block: attribute-resolver.xml
    <AttributeDefinition xsi:type="Simple" id="Gprincipalmail">
        <InputDataConnector ref="myLDAP" attributeNames="mail"/>
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </AttributeDefinition>

...

For instance, mine would be melvin.lasky@university.edu

In your attribute-filter.xml, add the following:

Code block: attribute-filter.xml
<!-- G Suite (Google Apps) -->
<AttributeFilterPolicy id="google.com/a/university.edu">
    <PolicyRequirementRule xsi:type="Requester" value="google.com/a/university.edu" />
    <AttributeRule attributeID="Gprincipalmail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

And lastly, in your saml-nameid.xml, under the section shown below, uncomment the following list of generators (it is commented out by default):

Code block: saml-nameid.xml
.
.
.
    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        . . .
    </util:list>

Add the following bean inside that list. The activationCondition restricts the emailAddress-format NameID to the Google relying party, so other SPs keep receiving their usual NameID:

Code block: saml-nameid.xml
.
.
.
        <!-- NameID for Google Apps -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'Gprincipalmail'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/university.edu" />
            </property>
        </bean>
.
.
.
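As an added cross-check (not from the page or the Shibboleth project), the script below parses constructed copies of the three snippets above and verifies that the attribute the NameID generator reads is defined in attribute-resolver.xml, is released to Google's requester by attribute-filter.xml, and that the emailAddress generator carries a RelyingPartyId activation condition naming that same requester. The namespace declarations on the wrapper root element are assumptions so the fragments parse stand-alone; the real files declare them at the top.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces assumed so the fragments parse stand-alone (the real files declare them).
XSI = "http://www.w3.org/2001/XMLSchema-instance"
P = "http://www.springframework.org/schema/p"
C = "http://www.springframework.org/schema/c"
NS = f'xmlns:xsi="{XSI}" xmlns:p="{P}" xmlns:c="{C}"'
# Constructed copies of the page's three snippets, each wrapped in a root element.
RESOLVER = f"""<root {NS}><AttributeDefinition xsi:type="Simple" id="Gprincipalmail">
  <InputDataConnector ref="myLDAP" attributeNames="mail"/></AttributeDefinition></root>"""
FILTER = f"""<root {NS}><AttributeFilterPolicy id="google.com/a/university.edu">
  <PolicyRequirementRule xsi:type="Requester" value="google.com/a/university.edu"/>
  <AttributeRule attributeID="Gprincipalmail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
</AttributeFilterPolicy></root>"""
NAMEID = f"""<root {NS}><bean parent="shibboleth.SAML2AttributeSourcedGenerator"
  p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  p:attributeSourceIds="#{{ {{'Gprincipalmail'}} }}">
  <property name="activationCondition">
    <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/university.edu"/>
  </property></bean></root>"""

def check_google_nameid(resolver_xml, filter_xml, nameid_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    defined = {d.get("id") for d in ET.fromstring(resolver_xml).iter("AttributeDefinition")}
    # Attributes each Requester-scoped filter policy releases, keyed by requester entityID.
    released = {}
    for pol in ET.fromstring(filter_xml).iter("AttributeFilterPolicy"):
        req = pol.find("PolicyRequirementRule")
        if req is not None and req.get(f"{{{XSI}}}type") == "Requester":
            released[req.get("value")] = {r.get("attributeID") for r in pol.iter("AttributeRule")}
    for gen in ET.fromstring(nameid_xml).iter("bean"):
        if gen.get("parent") != "shibboleth.SAML2AttributeSourcedGenerator":
            continue
        fmt = gen.get(f"{{{P}}}format")
        if fmt != "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress":
            findings.append(f"unexpected NameID format {fmt}")
        cond = gen.find("property[@name='activationCondition']/bean")
        rp = cond.get(f"{{{C}}}candidate") if cond is not None else None
        if rp is None:  # without a condition this NameID would be offered to every SP
            findings.append("emailAddress generator has no RelyingPartyId activation condition")
        # attributeSourceIds is a SpEL set literal such as "#{ {'Gprincipalmail'} }"
        for attr in re.findall(r"'([^']*)'", gen.get(f"{{{P}}}attributeSourceIds", "")):
            if attr not in defined:
                findings.append(f"{attr} is not defined in attribute-resolver.xml")
            if rp is not None and attr not in released.get(rp, set()):
                findings.append(f"{attr} is not released to {rp} in attribute-filter.xml")
    return findings
```

Run it against your own three files (read them in place of the constructed strings) after replacing university.edu; a non-empty list points at the file that still disagrees.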

------

Now, on your Google Apps for Education Admin portal

...

That's it.  Once you have completed the above, you should have a working Google Apps for Education instance authenticating off of your Shibboleth server.

---------------------

I tried using the information below and was unable to get it to work. However, I do not want to remove their information, or create a new page, so I figured I would drop it down to the bottom, and then if we want, we can always remove it, or whatever.

Info: editing in progress

This page is being actively updated (for now from UCLA). Stay tuned.

Overview

<todo> write a short paragraph describing the purpose of the service: what is it, who uses it, what versions of SAML does it support, etc. </todo>

Special Considerations when configuring GAE

<todo>

Describe any special considerations your fellow IDP operator should be aware of when configuring IDP for this service. For example:

  • Does this service have special requirements for attributes, i.e., does it require specific attribute/value assertion?
  • Does this service have special requirements for SAML NameID, i.e., does it make assumptions about what a NameID needs to be, or how it will use the NameID beyond the SAML message exchange? For example, does it use the NameID value as a key identifier within its service?
  • Is there any unusual integration restriction with this service, e.g., the service does not support SAML message signature and/or encryption?
  • Is there anything else you'd like to add about this service?

</todo>

Identity Provider Configuration

<todo> Place the relevant configuration snippets in the following sections </todo>

Note: the following samples are placeholders for now. It is also meant to help volunteer contributors understand what they need to extract from configs. For official publication, I think the more descriptive format at https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+Infocard+Configuration works better.

Metadata Configuration

Code block: Metadata Provider
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/Logout"/>
 
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/school.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>

Relying Party Configuration

...

Code block: Relying Party Configuration (contents elided in this comparison)

...

SAML NameID Configuration

Code block: saml-nameid.xml
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'principal', 'uclaLogonID'} }" />

Attribute Filter Configuration

...

Code block: attribute-filter.xml (contents elided in this comparison)

...