
...

Since Google does not sign its Authentication Requests, we do not need a copy of their metadata. We do have to register our metadata with Google. If we used the NetID as the username at Google, there would be no IdP-side configuration, BUT since we want the username to be the primary alias (first.last@yale.edu) we must send that information over to Google in the NameID. Below is how we do it.

attribute-resolver.xml:

	<!-- This data connector sets the static failover for Google App Username -->
	<!-- Static connector: supplies a constant GOOGLE_USERNAME value of "unavailable".
	     It is the failover target of email.alias.dc (see the FailoverDataConnector reference
	     on that connector), so it is what googleNameID resolves to when the database lookup fails. -->
	<!-- NOTE(review): the releaseToGoogle filter policy permits ANY value of googleNameID, so this
	     literal would be sent to Google as the subject NameID on a lookup failure; confirm that is intended. -->
	<resolver:DataConnector id="googleStatic"
		xsi:type="dc:Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
		<dc:Attribute id="GOOGLE_USERNAME">
			<dc:Value>unavailable</dc:Value>
		</dc:Attribute>
	</resolver:DataConnector>
...
	<!-- This data connector returns the primary email alias for google username -->
	<!-- Relational lookup of the user's Google username from email_aliases_v through the
	     container-managed DataSource java:jdbc/idm_db; falls over to googleStatic if the lookup fails. -->
	<resolver:DataConnector id="email.alias.dc"
		xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
		<resolver:FailoverDataConnector ref="googleStatic" />
		<dc:ContainerManagedConnection resourceName="java:jdbc/idm_db" />
		<!-- The query yields one column, google_username: the part of account_key before '@' when
		     logical_status is 'available', otherwise the literal '<non-active-user>'.
		     NOTE(review): that placeholder differs from the failover's "unavailable", so two distinct
		     sentinel values can reach the googleNameID encoders; consider aligning them or filtering both.
		     NOTE(review): $requestContext.principalName is substituted into the SQL text by the template
		     rather than bound as a parameter. It is the authenticated subject's name, not an SP-supplied
		     value, but confirm the connector escapes it or that principal names are restricted to a safe
		     character set.
		     NOTE(review): decode/instr and substr with position 0 look Oracle-specific; verify against idm_db. -->
		<dc:QueryTemplate>
            <![CDATA[
				SELECT DISTINCT decode(logical_status, 'available', substr(account_key, 0, instr(account_key, '@') -1), '<non-active-user>') google_username
				FROM email_aliases_v
				WHERE provider_type = 'Google' 
				AND net_id = '$requestContext.principalName'
            ]]>
		</dc:QueryTemplate>
	</resolver:DataConnector>
...
	<!-- The google username is the first.last of the user's primary email alias -->
	<!-- googleNameID: a Simple attribute definition whose value is GOOGLE_USERNAME, obtained through
	     email.alias.dc (and therefore from googleStatic when that lookup fails). Two encoders are
	     attached so the value is emitted as the subject NameIdentifier (SAML 1) or NameID (SAML 2),
	     both with the 'unspecified' name format URI. -->
	<resolver:AttributeDefinition id="googleNameID"
		xsi:type="Simple" sourceAttributeID="GOOGLE_USERNAME" 
		xmlns="urn:mace:shibboleth:2.0:resolver:ad">
		<resolver:Dependency ref="email.alias.dc" />
		<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
			xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
		<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
			xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
	</resolver:AttributeDefinition>

attribute-filter.xml:
...
    <!-- Release googleNameID only when the requester identifier string-equals "google.com"
         (AttributeRequesterString); the PermitValueRule of ANY places no constraint on the value itself. -->
    <!-- NOTE(review): because ANY is permitted, the resolver's placeholder values ("unavailable" from the
         googleStatic failover, '<non-active-user>' from the email.alias.dc query) would also be released
         as the NameID; a value rule that rejects those placeholders would keep them from reaching Google. -->
    <afp:AttributeFilterPolicy id="releaseToGoogle">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
        <afp:AttributeRule attributeID="googleNameID"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    </afp:AttributeFilterPolicy>
...