Shibboleth IdP (v3) with Google Apps
Configuring Shibboleth IdP v3 to work with Google Apps is similar to IdP v2, with a few minor differences.
1. relying-party.xml
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="google.com/a/my.edu.ie">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                      p:encryptAssertions="false" />
            </list>
        </property>
    </bean>
</util:list>
2. saml-nameid.xml
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
          p:attributeSourceIds="#{ {'Gprincipal'} }" />
</util:list>
3. Here Gprincipal is a simple attribute generated in attribute-resolver.xml; I used a template attribute definition, but other attribute types could be used.
<resolver:AttributeDefinition id="Gprincipal" xsi:type="ad:Template">
    <resolver:Dependency ref="myLDAP" />
    <ad:Template>
        <![CDATA[
            ${uid}@my.edu.ie
        ]]>
    </ad:Template>
    <ad:SourceAttribute>uid</ad:SourceAttribute>
</resolver:AttributeDefinition>
4. Ensure you release the attribute to Google; this allows it to be encoded correctly.
<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/my.edu.ie" />
    <afp:AttributeRule attributeID="Gprincipal">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
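The four fragments only work together if they agree: the relying-party id in relying-party.xml must match the requester in the filter policy, and the attribute the NameID generator reads must be both defined in the resolver and released to that requester. The following Python script is an added consistency check, not part of the original post or of the Shibboleth project; it wraps the fragments in a constructed root element that declares the namespace prefixes they use, and treats c:relyingPartyIds as a single id as it is on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed wrapper declaring the prefixes the page's fragments use (the real files declare them on their root).
WRAPPER = ('<r xmlns:util="http://www.springframework.org/schema/util" xmlns:c="http://www.springframework.org/schema/c"'
           ' xmlns:p="http://www.springframework.org/schema/p" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
           ' xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"'
           ' xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic">{}</r>')
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def elems(fragment, tag):
    """Attribute dicts (namespace prefixes stripped) of every element whose local name is `tag`."""
    return [{k.rsplit('}', 1)[-1]: v for k, v in e.attrib.items()}
            for e in ET.fromstring(WRAPPER.format(fragment)).iter() if e.tag.rsplit('}', 1)[-1] == tag]

def check_google_sso(relying_party, nameid, resolver, filter_policy):
    """Cross-check the four IdP v3 fragments; an empty list means they agree with each other."""
    findings = []
    beans = {a.get('parent'): a for a in elems(relying_party, 'bean')}
    rp_id = beans.get('RelyingPartyByName', {}).get('relyingPartyIds')  # a single id on this page
    fmt = beans.get('SAML2.SSO', {}).get('nameIDFormatPrecedence')
    if fmt != UNSPECIFIED:
        findings.append('relying-party.xml: SAML2.SSO for %s does not prefer the unspecified NameID format' % rp_id)
    # saml-nameid.xml: the generator for that format, and the attribute(s) it reads the NameID from
    gens = [a for a in elems(nameid, 'bean') if fmt and a.get('format') == fmt]
    sources = re.findall(r"'([^']+)'", gens[0].get('attributeSourceIds', '')) if gens else []
    if not sources:
        findings.append('saml-nameid.xml: no attribute-sourced generator for format %s' % fmt)
    # attribute-resolver.xml must define them; attribute-filter.xml must release them to the same requester
    defined = {a.get('id') for a in elems(resolver, 'AttributeDefinition')}
    targets = {a.get('value') for a in elems(filter_policy, 'PolicyRequirementRule')}
    released = {a.get('attributeID') for a in elems(filter_policy, 'AttributeRule')}
    if rp_id not in targets:
        findings.append('attribute-filter.xml: no policy whose requester is %s' % rp_id)
    for s in sources:
        if s not in defined:
            findings.append('attribute-resolver.xml: %s is not defined' % s)
        if s not in released:
            findings.append('attribute-filter.xml: %s is not released, so the NameID would be empty' % s)
    return findings
# The page's four fragments, embedded as sample input.
RELYING_PARTY = '''<util:list id="shibboleth.RelyingPartyOverrides"><bean parent="RelyingPartyByName"
 c:relyingPartyIds="google.com/a/my.edu.ie"><property name="profileConfigurations"><list><bean parent="SAML2.SSO"
 p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" p:encryptAssertions="false"/></list></property></bean></util:list>'''
NAMEID = '''<util:list id="shibboleth.SAML2NameIDGenerators"><ref bean="shibboleth.SAML2TransientGenerator"/><bean
 parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" p:attributeSourceIds="#{ {'Gprincipal'} }"/></util:list>'''
RESOLVER = '''<resolver:AttributeDefinition id="Gprincipal" xsi:type="ad:Template"><resolver:Dependency ref="myLDAP"/>
 <ad:Template><![CDATA[ ${uid}@my.edu.ie ]]></ad:Template><ad:SourceAttribute>uid</ad:SourceAttribute></resolver:AttributeDefinition>'''
FILTER = '''<afp:AttributeFilterPolicy><afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/my.edu.ie"/>
 <afp:AttributeRule attributeID="Gprincipal"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule></afp:AttributeFilterPolicy>'''
```

Running check_google_sso on the four fragments as written returns no findings; renaming the attribute in only one file, or pointing the filter policy at a different requester, produces a finding naming the file that disagrees.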