Version 9

Introduction

For the Google SSO integration we configure Google to point to our IdPs, one per Google domain:

Google Domain    IdP
gdev.yale.edu    auth-dev.yale.edu
gtst.yale.edu    auth-test.yale.edu
yale.edu         auth.yale.edu

Since Google does not sign its authentication requests, the IdP never has to verify a Google signature and therefore does not need a copy of Google's metadata. We do have to register our IdP's metadata (SSO endpoint and signing certificate) with Google so that Google can verify our assertions. If we used the NetID as the username at Google there would be no IdP-side configuration at all, BUT since we want the Google username to be the user's primary alias (first.last@yale.edu), the IdP has to look that alias up and send its local part to Google in the NameID. Two caveats follow. First, an unsigned request means the IdP cannot authenticate the requester, so the NameID must be derived only from the authenticated principal (the lookup below keys on the principal name), never from anything carried in the request. Second, whatever the resolver produces is what Google receives, so the static failover value and the query's non-active placeholder must never coincide with a real Google account name. Below is how we do it.

attribute-resolver.xml

	<!-- This data connector sets the static failover for the Google Apps username.
	     It is used only when the database connector fails; its value must not be a real Google account. -->
	<resolver:DataConnector id="googleStatic"
		xsi:type="dc:Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
		<dc:Attribute id="GOOGLE_USERNAME">
			<dc:Value>unavailable</dc:Value>
		</dc:Attribute>
	</resolver:DataConnector>
...
	<!-- This data connector returns the primary email alias for google username -->
	<resolver:DataConnector id="email.alias.dc"
		xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
		<resolver:FailoverDataConnector ref="googleStatic" />
		<dc:ContainerManagedConnection resourceName="java:jdbc/idm_db" />
		<dc:QueryTemplate>
			<![CDATA[
				SELECT DISTINCT decode(logical_status, 'available', substr(account_key, 0, instr(account_key, '@') -1), '<non-active-user>') google_username
				FROM email_aliases_v
				WHERE provider_type = 'Google' 
				AND net_id = '$requestContext.principalName'
			]]>
		</dc:QueryTemplate>
	</resolver:DataConnector>
...
	<!-- The google username is the first.last of the user's primary email alias -->
	<resolver:AttributeDefinition id="googleNameID"
		xsi:type="Simple" sourceAttributeID="GOOGLE_USERNAME" 
		xmlns="urn:mace:shibboleth:2.0:resolver:ad">
		<resolver:Dependency ref="email.alias.dc" />
		<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier"
			xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
		<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
			xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
	</resolver:AttributeDefinition>
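The connector above, re-implemented as an added Python example (not the IdP's own code and not from this page) against an in-memory SQLite table, so the NetID-to-username mapping can be exercised offline for the cases the query and its failover cover: an active alias, an inactive alias, a user with no Google alias, a user with two active aliases, and a database failure. Oracle's decode() is rewritten as CASE, the rows are constructed test data, the principal name is bound as a parameter rather than interpolated into the template, and the failover semantics (static value only when the primary connector fails, no attribute when the query returns no rows) and the alias pattern in LOCAL_PART_RE are assumptions. The releasable() check is the practitioner's guard the page does not include: neither sentinel string is a legitimate NameID.

```python
import re
import sqlite3

# Values from attribute-resolver.xml: the static failover and the decode() placeholder.
FAILOVER_VALUE = "unavailable"
NON_ACTIVE_VALUE = "<non-active-user>"

# Constructed sample rows for email_aliases_v (net_id, provider_type, logical_status, account_key).
# Made-up test records, not real directory data.
SAMPLE_ROWS = [
    ("jd123", "Google", "available", "jane.doe@yale.edu"),
    ("jd123", "Google", "available", "jane.doe@yale.edu"),      # duplicate row, collapsed by DISTINCT
    ("jr456", "Google", "deleted", "john.roe@yale.edu"),        # alias exists but is not active
    ("nn789", "Office365", "available", "no.google@yale.edu"),  # no Google alias at all
    ("tw000", "Google", "available", "tom.wu@yale.edu"),
    ("tw000", "Google", "available", "thomas.wu@yale.edu"),     # two active aliases: ambiguous
]

# Same query as the connector, with decode() rewritten as CASE (assumption: SQLite stand-in)
# and the principal name bound as a parameter instead of interpolated into the SQL text.
QUERY = """
SELECT DISTINCT
    CASE logical_status
        WHEN 'available' THEN substr(account_key, 1, instr(account_key, '@') - 1)
        ELSE ?
    END AS google_username
FROM email_aliases_v
WHERE provider_type = 'Google'
  AND net_id = ?
"""


def build_db():
    """In-memory stand-in for the java:jdbc/idm_db view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE email_aliases_v "
        "(net_id TEXT, provider_type TEXT, logical_status TEXT, account_key TEXT)"
    )
    conn.executemany("INSERT INTO email_aliases_v VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def resolve_google_username(conn, net_id):
    """Values the email.alias.dc connector would yield for GOOGLE_USERNAME.

    Assumption: the failover connector is consulted only when the primary connector
    fails (modelled as the query raising); an empty result set yields no attribute.
    """
    try:
        rows = conn.execute(QUERY, (NON_ACTIVE_VALUE, net_id)).fetchall()
    except sqlite3.Error:
        return [FAILOVER_VALUE]
    return [row[0] for row in rows]


def google_name_id(conn, net_id):
    """Single NameID value, or None when the resolver yields zero or several values."""
    values = resolve_google_username(conn, net_id)
    return values[0] if len(values) == 1 else None


# Assumed shape of a Google local-part; tighten to the institution's alias rules.
LOCAL_PART_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def releasable(name_id):
    """True only for a real alias local-part, never for a sentinel or placeholder."""
    if name_id is None or name_id in (FAILOVER_VALUE, NON_ACTIVE_VALUE):
        return False
    return LOCAL_PART_RE.fullmatch(name_id) is not None


if __name__ == "__main__":
    db = build_db()
    for net_id in ("jd123", "jr456", "nn789", "tw000"):
        value = google_name_id(db, net_id)
        print(f"{net_id}: NameID={value!r} releasable={releasable(value)}")
    db.close()  # closed connection stands in for an unreachable database
    print("after DB failure:", google_name_id(db, "jd123"))
```

Running the block prints one line per sample NetID and then the failover value. Note that "unavailable" passes the pattern check on its own, which is why releasable() rejects both sentinels by name rather than relying on the pattern.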

attribute-filter.xml
...
    <!-- Release the Google username NameID only to Google's SP (entityID google.com) -->
    <afp:AttributeFilterPolicy id="releaseToGoogle">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
        <afp:AttributeRule attributeID="googleNameID"><afp:PermitValueRule xsi:type="basic:ANY" /></afp:AttributeRule>
    </afp:AttributeFilterPolicy>
...