Discussion:
Google Apps sso setup
Dave Perry
2014-09-04 14:27:22 UTC
Well, this is being tested now and we get the error:
No peer endpoint available to which to send SAML response

I've put the following metadata call in,
<MetadataProvider id="google"
                  xsi:type="FilesystemMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" />

And google-metadata.xml has the following:
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://www.google.com/a/hull-college.ac.uk/acs" />
  </SPSSODescriptor>
</EntityDescriptor>

As per one of the guides previously linked to. Can anyone who's got it going check if I'm missing something please?

Thanks
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try ***@hull-college.ac.uk *


**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
**********************************************************************

Cantor, Scott
2014-09-04 14:30:29 UTC
Post by Dave Perry
As per one of the guides previously linked to. Can anyone who's got it
going check if I'm missing something please?
It's not about something missing, it's that the metadata you used is
wrong. The endpoint isn't what the GAE instance is requesting the IdP
respond to.

-- Scott
--
To unsubscribe from this list send an email to users-***@shibboleth.net
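As an added illustration of Scott's point (this is example code written for this page, not the thread's configuration or the Shibboleth IdP's own endpoint-selection code), the model below shows why the IdP refuses with "No peer endpoint available": it will only respond to an AssertionConsumerService that the SP's metadata publishes for that entityID, matched on binding and location, never to whatever URL a request asks for. It assumes a constructed AuthnRequest carrying an AssertionConsumerServiceURL and a deliberately simplified exact-match rule.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed copy of the SP metadata posted in the thread: entityID google.com,
# one HTTP-POST AssertionConsumerService whose path carries the Google Apps domain.
SP_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/hull-college.ac.uk/acs" />
  </SPSSODescriptor>
</EntityDescriptor>"""


def load_acs_endpoints(metadata_xml):
    """Map each entityID in the metadata to its list of (Binding, Location) ACS endpoints."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    entities = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        acs = ed.iter(f"{{{MD_NS}}}AssertionConsumerService")
        entities[ed.get("entityID")] = [(a.get("Binding"), a.get("Location")) for a in acs]
    return entities


def make_authn_request(issuer, acs_url, binding=HTTP_POST):
    """Build a minimal constructed AuthnRequest naming the ACS the SP wants the response sent to."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
            f'ID="_constructed" Version="2.0" IssueInstant="2014-09-04T14:27:22Z" '
            f'ProtocolBinding="{binding}" AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def resolve_peer_endpoint(authn_request_xml, entities):
    """Return the (Binding, Location) the IdP may respond to, or None when the requested
    endpoint is not backed by metadata (the thread's "No peer endpoint available" case)."""
    req = ET.fromstring(authn_request_xml.encode("utf-8"))
    issuer = req.findtext(f"{{{SAML_NS}}}Issuer", default="").strip()
    if issuer not in entities:  # unknown relying party: no metadata to match against
        return None
    wanted_url = req.get("AssertionConsumerServiceURL")
    wanted_binding = req.get("ProtocolBinding", HTTP_POST)
    for binding, location in entities[issuer]:
        # Exact match only: an assertion must never be posted to a URL the SP did not
        # publish in trusted metadata, regardless of what the request asks for.
        if binding == wanted_binding and location == wanted_url:
            return binding, location
    return None
```

Swapping the domain in the ACS URL, or changing the issuer to Chuck's suggested "google.com/a/..." form while the metadata still says google.com, both make the lookup fail, which is the mismatch Scott describes.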
David Gersic
2014-09-04 18:30:42 UTC
Your metadata configuration looks right to me, pretty much the same as what I have here (working).

Do you also have the RelyingParty definition:

<rp:RelyingParty id="google.com"
                 provider="https://idp.niu.edu/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</rp:RelyingParty>

in relying-party.xml ?
Dave Perry
2014-09-05 10:13:46 UTC
Thanks Chuck, I hadn’t seen any mention I needed to add our domain name into the EntityID for the metadata.

I’m waiting to hear back on if this change works, if not I’ll try David G’s one.


From: ***@aggiemail.usu.edu [mailto:***@aggiemail.usu.edu] On Behalf Of Chuck Kimber
Sent: 04 September 2014 16:31
To: Dave Perry
Subject: Re: Google Apps sso setup

On Thu, Sep 4, 2014 at 8:27 AM, Dave Perry <***@hull-college.ac.uk> wrote:
And google-metadata.xml has the following:
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

Is that really the entityID for your google apps? Try changing it to:

entityID="google.com/a/hull-college.ac.uk"

This should allow your entityID's to match up with an sp out there in google land.

Dave Perry
2014-09-09 09:46:41 UTC
Well no combination is working so far. Another blog post I was directed to (which talks about setting up ADFS to SSO to google) said about putting the domain into the relying party entityID and the endpoint too.

And still getting the error that no relying party is configured for google.com.

Time to rope in their support I think.

Thanks for inputs,
Dave

Cantor, Scott
2014-09-09 14:02:20 UTC
Post by Dave Perry
Well no combination is working so far. Another blog post I was directed
to (which talks about setting up ADFS to SSO to google) said about
putting the domain into the relying party entityID and the endpoint too.
I piloted a domain years ago. The entityID was google.com and the ACS
looked like:

https://www.google.com/a/gtest.osu.edu/acs


-- Scott
Dave Perry
2014-09-09 14:07:27 UTC
Bingo - cheers Scott!

Got a new error now, complaining about the email address, but that's progress and it shows on the google side not ours.
Think my boss will be happier now :D

Dave

David Gersic
2014-09-09 19:43:03 UTC
I don't know where you're getting stuck, here, but I have a working setup if you need to compare notes with somebody.