Shibboleth IdP (v3) with Google Apps

Configuring Shibboleth IdP v3 as the identity provider for Google Apps is much the same as for IdP v2; only minor differences exist. Four files need attention.

1. Relying-party.xml

<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com/a/my.edu.ie">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" p:encryptAssertions="false" />
            </list>
        </property>
    </bean>
</util:list>

2. saml-nameid.xml

<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        p:attributeSourceIds="#{ {'Gprincipal'} }" />
</util:list>

3. attribute-resolver.xml, where Gprincipal is a simple attribute built from the LDAP uid. I used a Template attribute definition, but other attribute definition types would work just as well.

<resolver:AttributeDefinition id="Gprincipal" xsi:type="ad:Template">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>
        <![CDATA[
        ${uid}@my.edu.ie
        ]]>
    </ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>

4. attribute-filter.xml. Ensure the attribute is released to Google; the attribute-sourced NameID generator only sees attributes that pass the filter for that relying party, so without this rule the NameID cannot be encoded correctly.

<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/my.edu.ie" />
    <afp:AttributeRule attributeID="Gprincipal">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
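The four fragments form one chain (relying party id, NameID format precedence, generator, attribute definition, filter rule), and a typo in any one of them silently breaks the NameID. The script below is an added example, not from the post or the Shibboleth project: it parses constructed copies of the four fragments (the namespace URIs are the standard IdP v3 bindings) and reports where the chain is inconsistent.

```python
import re
import xml.etree.ElementTree as ET

# Prefix bindings used by IdP v3 configuration files; needed so the fragments parse.
NS = {"c": "http://www.springframework.org/schema/c", "p": "http://www.springframework.org/schema/p",
      "util": "http://www.springframework.org/schema/util", "xsi": "http://www.w3.org/2001/XMLSchema-instance",
      "resolver": "urn:mace:shibboleth:2.0:resolver", "ad": "urn:mace:shibboleth:2.0:resolver:ad",
      "afp": "urn:mace:shibboleth:2.0:afp", "basic": "urn:mace:shibboleth:2.0:afp:mf:basic"}

def parse(fragment):
    """Wrap a file fragment in a root that declares every prefix, then parse it."""
    decl = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ET.fromstring("<root %s>%s</root>" % (decl, fragment))

def attr(el, prefix, name):
    return el.get("{%s}%s" % (NS[prefix], name))

def check_nameid_chain(rp_xml, nameid_xml, resolver_xml, filter_xml):
    """Return a list of problems; an empty list means the four fragments agree."""
    problems = []
    rp = parse(rp_xml).find(".//bean[@parent='RelyingPartyByName']")
    rp_id = attr(rp, "c", "relyingPartyIds")
    wanted = attr(rp.find(".//bean[@parent='SAML2.SSO']"), "p", "nameIDFormatPrecedence")
    gen = parse(nameid_xml).find(".//bean[@parent='shibboleth.SAML2AttributeSourcedGenerator']")
    if attr(gen, "p", "format") != wanted:
        problems.append("generator format %s != nameIDFormatPrecedence %s" % (attr(gen, "p", "format"), wanted))
    # attributeSourceIds is a SpEL list literal such as #{ {'Gprincipal'} }; pull out the quoted ids.
    sources = re.findall(r"'([^']+)'", attr(gen, "p", "attributeSourceIds"))
    defined = {d.get("id") for d in parse(resolver_xml).iter("{%s}AttributeDefinition" % NS["resolver"])}
    released = set()  # attributes the filter policy permits for this relying party
    for pol in parse(filter_xml).iter("{%s}AttributeFilterPolicy" % NS["afp"]):
        if pol.find("{%s}PolicyRequirementRule" % NS["afp"]).get("value") == rp_id:
            released |= {r.get("attributeID") for r in pol.iter("{%s}AttributeRule" % NS["afp"])}
    for src in sources:
        if src not in defined:
            problems.append("%s has no AttributeDefinition in attribute-resolver.xml" % src)
        elif src not in released:
            problems.append("%s is not released to %s, so the attribute-sourced generator has no value" % (src, rp_id))
    return problems

# Constructed copies of the four fragments shown above.
RP = """<util:list id="shibboleth.RelyingPartyOverrides"><bean parent="RelyingPartyByName" c:relyingPartyIds="google.com/a/my.edu.ie">
<property name="profileConfigurations"><list><bean parent="SAML2.SSO" p:encryptAssertions="false"
p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></list></property></bean></util:list>"""
NAMEID = """<util:list id="shibboleth.SAML2NameIDGenerators"><ref bean="shibboleth.SAML2TransientGenerator"/><bean
parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" p:attributeSourceIds="#{ {'Gprincipal'} }"/></util:list>"""
RESOLVER = """<resolver:AttributeDefinition id="Gprincipal" xsi:type="ad:Template"><resolver:Dependency ref="myLDAP"/>
<ad:Template><![CDATA[${uid}@my.edu.ie]]></ad:Template><ad:SourceAttribute>uid</ad:SourceAttribute></resolver:AttributeDefinition>"""
FILTER = """<afp:AttributeFilterPolicy><afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/my.edu.ie"/>
<afp:AttributeRule attributeID="Gprincipal"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule></afp:AttributeFilterPolicy>"""

if __name__ == "__main__":
    print(check_nameid_chain(RP, NAMEID, RESOLVER, FILTER) or "NameID chain is consistent")
```

Point the four string constants at the real files (read them in and strip the outer document element) to run it against a live configuration.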