SSO and Secondary Domain with Google Apps


Bashrat Din

Apr 8, 2011, 4:17:22 PM
to google-app...@googlegroups.com
The primary domain for the client is chace.enfield.sch.uk.

We have added a secondary domain called students.chace.enfield.sch.uk.

SSO has been implemented using SAML from EasySSO EasyConnect and works fine with the primary domain.

However, when you visit the URL mail.google.com/a/students.chace.enfield.sch.uk, you're correctly referred to the SSO login page, but once authenticated Google Apps returns an error "invalid email address".

Looking at the server logs we have, it appears that after being authenticated, Google is referring the user to mail.google.com/a/chace.enfield.sch.uk (and it should be students.chace.enfield.sch.uk).

Of course, the users are created in a secondary domain, so they are rejected as an invalid email address.

How do we configure Google Apps SSO to verify the secondary domain correctly?

Thanks in advance for your assistance.

Michael Manoochehri

Apr 8, 2011, 5:28:34 PM
to google-app...@googlegroups.com
Hi Bash:

For multidomain SAML-based SSO login, please make sure that your SAML response is returning the secondary domain user's full email address ("username@secondary_domain.com") in the NameId element.

- Michael

ssoeasy

Apr 11, 2011, 9:07:03 AM
to google-app...@googlegroups.com
Michael,

That makes sense that the email address should have the proper domain\subdomain identified. For the ACS, would it be the same for both the domain and subdomain (e.g. https://www.google.com/a/domain/acs)? Also, would the same issuer be sent in the SAML Request regardless of the domain\subdomain that the user belongs to?

In the Google Apps SSO documentation (http://www.google.com/support/a/bin/answer.py?answer=60224), it states:

The issuer is included in the SAML request to the IdP (Identity Provider). You can choose whether to include a standard or domain-specific issuer. When multiple domains are using SSO with the same IdP aggregator, a specific issuer can be parsed by the IdP aggregator to identify the correct domain name for the SAML request. If you don't check the box to enable a domain-specific issuer, Google will send the standard issuer (google.com) in the SAML request. If you check the box to enable this feature, Google will send an issuer specific to your domain (google.com/a/your_domain.com), where 'your_domain.com' is replaced with your actual domain name.

When the SAML Request is sent from Google shouldn't the SAML Request have an issuer of google.com/a/your_domain_com if the email is part of the primary domain and an issuer of google.com/a/your_subdomain_com if the email is part of the subdomain?

Michael Manoochehri

Apr 18, 2011, 4:17:42 AM
to google-app...@googlegroups.com
If you have a single Google Apps account with multiple domains, you shouldn't have to change the issuer value to match your secondary domain. Simply return the full email address in the NameID element of the SAML response (i.e., us...@domain1.com, us...@subdomain.com).

- Michael
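The following is an added example, not code from this thread, from Google or from EasySSO, that models what Michael's answer asks of the IdP for a multi-domain account: build the NameID from the directory's mail attribute, emit it in a SAML Response with the emailAddress NameID Format, and check it before sending. The two domain names are the ones in the thread; the directory records, the function names and the ACCOUNT_DOMAINS set are constructed for the example. The Response is deliberately unsigned and minimal, so it is for illustrating the NameID only, not something Google would accept.

```python
"""Added example: NameID handling for a Google Apps account with a primary
and a secondary domain. Domains are from the thread; users are constructed."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed: every domain attached to the single Google Apps account.
ACCOUNT_DOMAINS = frozenset({
    "chace.enfield.sch.uk",            # primary domain
    "students.chace.enfield.sch.uk",   # secondary domain
})


def name_id_for(user: dict, default_domain: Optional[str] = None) -> str:
    """Attribute mapping as an IdP would do it: use the directory 'mail'
    attribute when populated. If 'mail' is empty and a default_domain is
    configured, fall back to sAMAccountName@default_domain; that fallback
    is the failure mode in the thread, because a student whose 'mail' is
    empty is sent to Google as user@<primary domain>. With no default the
    mapping refuses to guess, which is the safer configuration."""
    mail = (user.get("mail") or "").strip()
    if mail:
        return mail
    if default_domain:
        return f"{user['sAMAccountName']}@{default_domain}"
    raise LookupError(f"no mail attribute for {user['sAMAccountName']!r}")


def check_name_id(name_id: str, name_id_format: Optional[str],
                  account_domains=ACCOUNT_DOMAINS) -> Tuple[bool, str]:
    """Reject a NameID Google would refuse: wrong Format, not a full
    user@domain address, or a domain that is not on the account."""
    if name_id_format != NAMEID_EMAIL:
        return False, f"NameID Format must be {NAMEID_EMAIL}"
    local, sep, domain = name_id.rpartition("@")
    if not sep or not local or not domain:
        return False, "NameID must be a full email address (user@domain)"
    if domain.lower() not in account_domains:
        return False, f"domain {domain!r} is not a domain of this account"
    return True, "ok"


def build_response(name_id: str) -> bytes:
    """Minimal, UNSIGNED SAML 2.0 Response carrying the NameID. A real IdP
    must also sign it and set Issuer, Conditions and AudienceRestriction."""
    ET.register_namespace("samlp", SAML_PROTOCOL_NS)
    ET.register_namespace("saml", SAML_ASSERTION_NS)
    response = ET.Element(f"{{{SAML_PROTOCOL_NS}}}Response")
    assertion = ET.SubElement(response, f"{{{SAML_ASSERTION_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_ASSERTION_NS}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML_ASSERTION_NS}}}NameID",
                        Format=NAMEID_EMAIL)
    nid.text = name_id
    return ET.tostring(response, encoding="utf-8")


def extract_name_id(response_xml: bytes) -> Tuple[Optional[str], Optional[str]]:
    """What the service provider side sees: NameID text and its Format."""
    root = ET.fromstring(response_xml)
    nid = root.find(f".//{{{SAML_ASSERTION_NS}}}NameID")
    if nid is None:
        return None, None
    return nid.text, nid.get("Format")


if __name__ == "__main__":
    # Constructed directory records: a staff user with 'mail' populated and
    # a student whose 'mail' attribute is empty, as discussed in the thread.
    users = [
        {"sAMAccountName": "rjones", "mail": "rjones@chace.enfield.sch.uk"},
        {"sAMAccountName": "student1",
         "mail": "student1@students.chace.enfield.sch.uk"},
        {"sAMAccountName": "student2", "mail": ""},
    ]
    for u in users:
        try:
            nid = name_id_for(u)
        except LookupError as err:
            print(u["sAMAccountName"], "-> not sent:", err)
            continue
        got, fmt = extract_name_id(build_response(nid))
        print(u["sAMAccountName"], "->", got, check_name_id(got, fmt))
```

Running it shows why populating the mail attribute is the fix: student2 has no mail value, so with the strict mapping nothing is sent for that user, whereas a fallback to the primary domain would pass the format check and still be rejected by Google as an address that does not exist in chace.enfield.sch.uk.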

Bashrat Din

Apr 18, 2011, 5:19:22 AM
to google-app...@googlegroups.com, Robert Jones
Thanks Michael

The person setting this up is from EasySSO in the USA, so we will wait for him to reply to the online post.

Robert, does this mean that we need to ask Chace to begin populating the "mail" field in AD?

Regards

Bash

Bashrat Din
Zumzum Limited
Tel:   +44 (0) 87 080 33133
Mob: +44 (0) 77 748 89570
www.zumzum.biz


DISCLAIMER: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified  that any disclosure, reproduction, distribution or use of  this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it.

Zumzum Limited is a company registered in England and Wales with the company number 06065672 VAT No. GB 911201194  at Houldsworth Mill, Houldsworth Street, Stockport, SK5 6DA. 

ssoeasy

Apr 18, 2011, 6:27:40 AM
to SAML-based Single Sign On for Google Apps
Based on Michael's post, it appears that the only option is sending the email address with the appropriate domain. Therefore, we will need to populate the "mail" field in AD with the email address.
