Google Apps for Education
- Albert Wu
- Jason Rappaport
- Former user (Deleted)
Overview
This will describe how to get Shibboleth 3.4.x working with Google Apps for Education
Shibboleth IDP Configuration
In the code below:
Replace university.edu which your Google Domain.
----------
relying-party.xml
Find the section that says
<util:list id="shibboleth.RelyingPartyOverrides"> . . . </util:list>
And add in between:
<bean parent="RelyingPartyByName" c:relyingPartyIds="google.com/a/university.edu">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
</list>
</property>
</bean>
The above turns off encrypted assertions which Google does not support.
Create your google-university-metadata.xml, it should look like this:
<EntityDescriptor entityID="google.com/a/university.edu" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/university.edu/acs" />
</SPSSODescriptor>
</EntityDescriptor>
In your metadata-providers.xml file add the following:
<MetadataProvider id="Google” xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/google-university-metadata.xml"/>
In your attribute-resolver.xml, add the following:
<AttributeDefinition xsi:type="Simple" id="mail">
<InputDataConnector ref="myLDAP" attributeNames="mail"/>
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
</AttributeDefinition>
This is of course, if you have your email address stored in the mail attribute in LDAP.
For instance, mine would be melvin.lasky@university.edu
In your attribute-filter.xml, add the following:
<!-- G Suite (Google Apps) -->
<AttributeFilterPolicy id="google.com/a/university.edu">
<PolicyRequirementRule xsi:type="Requester" value="google.com/a/university.edu" />
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
Note: Google does not appear to care what attribute you send for mail, just ensure it is the same in the saml-nameid.xml.
And lastly, in your saml-nameid.xml, uncomment the following beans (they are commented out by default):
.
.
.
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
.
.
.
<bean parent="shibboleth.SAML1AttributeSourcedGenerator"
p:omitQualifiers="true"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
------
Now, on your Google Apps for Education Admin portal
Sign In Page:
https://shibserver.university.edu/idp/profile/SAML2/Redirect/SSO
Sign Out Page:
https://shibserver.university.edu/idp/profile/Logout
And make sure “Use a domain specific issuer” is checked.
Also, that verification certificate is your idp-signing.crt
That's it. Once you have completed the above, you should have a working Google Apps for Education instance authenticating off of your Shibboleth server.