Multiple Google Apps Domains


Victor

Nov 14, 2011, 3:54:15 PM
to simpleSAMLphp
I've tried searching the mailing list for this and it seems that it
should be possible but I think I'm missing something.

I want to use a single simplesamlphp server to work as my SSO server
for multiple google apps domains. Everything works correctly for a
single domain, but I cannot get it to work correctly for multiple
domains. Are there docs somewhere on how I could configure this?

My saml20-sp-remote.php currently looks like this:


$metadata['google.com/a/domain1.com'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/domain1.com/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => FALSE,
);

$metadata['google.com/a/domain2.com'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/domain2.com/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => FALSE,
);

$metadata['google.com/a/domain3.com'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/domain3.com/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => FALSE,
);

but I get an error that I am missing a metadata entry for google.com

if I add one for google.com, what ACS am I supposed to use if it's
different for each domain?

I'm just starting to learn how this works so any information would be
extremely helpful.

Thanks,
Victor

Olav Morken

Nov 15, 2011, 7:18:30 AM
to simple...@googlegroups.com

Apparently the entityID that Google Apps uses ("google.com") does not
match the entity you have added ("google.com/a/domain{1,2,3}.com").
Does Google have an option to allow you to add multiple SPs to a single
IdP?

> if I add one for google.com, what ACS am I supposed to use if it's
> different for each domain?

You can add multiple AssertionConsumerService endpoints to a single SP,
however I do not know if the Google SAML 2.0 SP supports this. If it
did, the configuration would be something like:

'AssertionConsumerService' => array(
    array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => 'https://www.google.com/a/domain1.com/acs',
        'index' => 0,
    ),
    array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => 'https://www.google.com/a/domain2.com/acs',
        'index' => 1,
    ),
    array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => 'https://www.google.com/a/domain3.com/acs',
        'index' => 2,
    ),
),

But: I have no idea what 'index' should be in this case... Also, this
will not work with IdP-initiated SSO. (Not that I know if Google Apps
supports that.)

Regards,
Olav Morken
UNINETT / Feide

Jacob Christiansen

Nov 21, 2011, 5:01:27 AM
to simple...@googlegroups.com
Hi.

Google always uses google.com as entityID, no matter what domain you are using. One way to do this is to create one instance of metadata with multiple ACS endpoints.

I.e.

$metadata['google.com'] = array(
    'AssertionConsumerService' => array(
        0 => array(
            'Location' => 'https://www.google.com/a/DOMAIN1',
            'index' => '0',
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        1 => array(
            'Location' => 'https://www.google.com/a/DOMAIN2',
            'index' => '1',
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        2 => array(
            'Location' => 'https://www.google.com/a/DOMAIN3',
            'index' => '2',
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
    ),
);


Regards / Med venlig hilsen

Jacob Christiansen
System Developer
WAYF

Phone/Tlf: +45 31313631
Mail: ja...@wayf.dk
Skype: jacchristiansen

H. C. Andersens Boulevard 2
DK-1553 København V



Victor

Dec 6, 2011, 1:48:16 PM
to simpleSAMLphp
I just wanted to update this thread since the solution for this is
actually very simple now that it's properly supported by Google. From
the Google Apps cPanel you need to enable

"Use a domain specific issuer"

With this enabled, the issuer value sent in the SAML request will be
google.com/a/YourDomain instead of simply google.com which allows the
saml20-sp-remote.php that I added above to work without any problems.