Overview
This page describes how to get Shibboleth IdP 3.4.x working with Google Apps for Education.
...
In the code below:
Replace university.edu with your Google domain.
...
```xml
<AttributeDefinition xsi:type="Simple" id="Gprincipalmail">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>
```
...
For instance, mine would be melvin.lasky@university.edu
In your attribute-filter.xml, add the following:
```xml
<!-- G Suite (Google Apps) -->
<AttributeFilterPolicy id="google.com/a/university.edu">
    <PolicyRequirementRule xsi:type="Requester" value="google.com/a/university.edu" />
    <AttributeRule attributeID="Gprincipalmail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```
And lastly, in your saml-nameid.xml, under the following section, uncomment the following beans (they are commented out by default):
```xml
. . .
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    . . .
</util:list>
```
Add:
```xml
<!-- NameID for Google Apps -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'Gprincipalmail'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/university.edu" />
    </property>
</bean>
. . .
<bean parent="shibboleth.SAML1AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'mail'} }" />
```
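The three fragments above only work together when the attribute id, the requester and the relying party id line up. As an added consistency check (not code from this page or from the Shibboleth project), this Python script parses constructed copies of the three snippets and reports where they disagree; the namespace URIs are the standard XML Schema instance and Spring p:/c: namespaces that the IdP config files declare.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples mirroring the page's three fragments (not the page's own files).
RESOLVER = """<AttributeDefinition xsi:type="Simple" id="Gprincipalmail">
  <InputDataConnector ref="myLDAP" attributeNames="mail"/></AttributeDefinition>"""
FILTER = """<AttributeFilterPolicy id="google.com/a/university.edu">
  <PolicyRequirementRule xsi:type="Requester" value="google.com/a/university.edu"/>
  <AttributeRule attributeID="Gprincipalmail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
</AttributeFilterPolicy>"""
NAMEID = """<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true"
  p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  p:attributeSourceIds="#{ {'Gprincipalmail'} }">
  <property name="activationCondition">
    <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/university.edu"/>
  </property></bean>"""
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"xsi": "http://www.w3.org/2001/XMLSchema-instance",
      "p": "http://www.springframework.org/schema/p",
      "c": "http://www.springframework.org/schema/c"}

def parse(fragment):
    # Fragments use xsi:/p:/c: prefixes without declaring them; bind them on a wrapper root.
    decls = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())
    return ET.fromstring(f"<root {decls}>{fragment}</root>")[0]
def q(prefix, name):  # Clark-notation name for a prefixed attribute
    return "{%s}%s" % (NS[prefix], name)

def check_google_nameid(resolver_xml, filter_xml, nameid_xml):
    attr, policy, bean = parse(resolver_xml), parse(filter_xml), parse(nameid_xml)
    findings, attr_id = [], attr.get("id")
    # 1. The generator must build the NameID from the resolver attribute, as emailAddress.
    sources = re.findall(r"'([^']+)'", bean.get(q("p", "attributeSourceIds"), ""))
    if attr_id not in sources:
        findings.append(f"NameID generator does not source {attr_id}")
    if bean.get(q("p", "format")) != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    # 2. The filter must release the attribute to the Google requester only, never to ANY.
    req = policy.find("PolicyRequirementRule")
    requester = req.get("value") if req is not None and req.get(q("xsi", "type")) == "Requester" else None
    if requester is None:
        findings.append("filter policy is not scoped to a Requester")
    if attr_id not in {r.get("attributeID") for r in policy.findall("AttributeRule")}:
        findings.append(f"filter policy has no AttributeRule for {attr_id}")
    # 3. The activation condition must name the same relying party as the filter policy.
    cond = bean.find("property[@name='activationCondition']/bean")
    candidate = cond.get(q("c", "candidate")) if cond is not None else None
    if candidate != requester:
        findings.append("activationCondition relying party does not match the filter policy")
    return findings
```

Run it against your own three files by reading each snippet from disk in place of the constructed strings; an empty list means the Google NameID release is scoped as the steps above intend.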
------
Now, on your Google Apps for Education Admin portal
...
That's it. Once you have completed the above, you should have a working Google Apps for Education instance authenticating off of your Shibboleth server.
---------------------
I tried using the information below and was unable to get it to work. However, I do not want to remove their information, or create a new page, so I figured I would drop it down to the bottom, and then if we want, we can always remove it, or whatever.
Info: This page is being actively updated (for now from UCLA). Stay tuned.
Overview
<todo> write a short paragraph describing the purpose of the service: what is it, who uses it, what versions of SAML does it support, etc. </todo>
Special Considerations when configuring GAE
<todo>
Describe any special considerations your fellow IDP operator should be aware of when configuring IDP for this service. For example:
- Does this service have special requirements for attributes, i.e., does it require specific attribute/value assertion?
- Does this service have special requirements for SAML NameID, i.e., does it make assumptions about what a NameID needs to be, or how it will use the NameID beyond the SAML message exchange? For example, does it use the NameID value as a key identifier within its service?
- Is there any unusual integration restriction with this service, e.g., the service does not support SAML message signature and/or encryption?
- Is there anything else you'd like to add about this service?
</todo>
Identity Provider Configuration
<todo> Place the relevant configuration snippets in the following sections </todo>
Note: the following samples are placeholders for now. They are also meant to help volunteer contributors understand what they need to extract from their configs. For official publication, I think the more descriptive format at https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+Infocard+Configuration works better.
Metadata Configuration
```xml
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/Logout"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/school.edu/acs" />
    </SPSSODescriptor>
</EntityDescriptor>
```
Relying Party Configuration
...
SAML NameID Configuration
```xml
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'principal', 'uclaLogonID'} }" />
```
Attribute Filter Configuration (attribute-filter.xml)
...