[Shib-Users] Google SSO


Nickles, Brent

Feb 2, 2011, 3:48:23 PM
to shibbole...@internet2.edu

We are attempting to bring Google Mail under our Shibboleth applications. Following a "cookbook" from University of Southern California, we are now able to authenticate into the application. However, SSO into our other applications does not work and users are forced to re-authenticate. The strange part is that if you authenticate into another application FIRST, SSO into Google works fine.

Any clues as to where the breakdown may be?

Thanks all.

Chad La Joie

Feb 2, 2011, 3:53:08 PM
to shibbole...@internet2.edu
The first step, as always, is to turn your logs on debug and look at
them to see what's going on.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Nickles, Brent

Feb 14, 2011, 10:57:00 AM
to shibbole...@internet2.edu
Sorry if I'm missing something obvious here... but here are the logs when first doing authN into Google, then trying to go somewhere else that is protected by Shib. We followed documentation on how to get authN working (from USC: https://shibboleth.usc.edu/docs/google-apps/ ); it seemed strange that we didn't get their metadata, which I figured would be needed.

The documentation states this:
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://www.google.com/a/YOURDOMAIN.COM/acs" />
  </SPSSODescriptor>
</EntityDescriptor>

the IDP logs are here:

15:53:43.654 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - Attempting to retrieve IdP session cookie.
15:53:43.656 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:111] - Found IdP session cookie.
15:53:43.658 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:71] - Updating IdP session activity time and adding session object to the request
15:53:43.659 - INFO [Shibboleth-Access:72] - 20110208T205343Z|10.227.10.86|devshibboleth.umaryland.edu:443|/profile/Shibboleth/SSO|
15:53:43.659 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /Shibboleth/SSO
15:53:43.660 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler
15:53:43.661 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:113] - Processing incoming request
15:53:43.661 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:119] - Incoming request does not contain a login context, processing as first leg of request
15:53:43.662 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler:185] - Decoding message with decoder binding urn:mace:shibboleth:1.0:profiles:AuthnRequest
15:53:43.663 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:72] - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
15:53:43.664 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:194] - Checking child metadata provider for entity descriptor with entity ID: https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.665 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.666 - TRACE [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:210] - Entity descriptor for the ID https://devpilot.blackboard.umaryland.edu/SP1 was found in index cache, returning
15:53:43.667 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.667 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://devpilot.blackboard.umaryland.edu/SP1, looking up configuration based on metadata groups.
15:53:43.668 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:194] - Checking child metadata provider for entity descriptor with entity ID: https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.669 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.670 - TRACE [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:210] - Entity descriptor for the ID https://devpilot.blackboard.umaryland.edu/SP1 was found in index cache, returning
15:53:43.671 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://devpilot.blackboard.umaryland.edu/SP1. Using default relying party configuration.
15:53:43.672 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:82] - Evaluating security policy of type 'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' for decoded message
15:53:43.672 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:94] - Successfully decoded message.
15:53:43.673 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:194] - Checking child metadata provider for entity descriptor with entity ID: https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.674 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.674 - TRACE [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:210] - Entity descriptor for the ID https://devpilot.blackboard.umaryland.edu/SP1 was found in index cache, returning
15:53:43.675 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.676 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://devpilot.blackboard.umaryland.edu/SP1, looking up configuration based on metadata groups.
15:53:43.677 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:194] - Checking child metadata provider for entity descriptor with entity ID: https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.677 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:206] - Searching for entity descriptor with an entity ID of https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.678 - TRACE [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:210] - Entity descriptor for the ID https://devpilot.blackboard.umaryland.edu/SP1 was found in index cache, returning
15:53:43.679 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://devpilot.blackboard.umaryland.edu/SP1. Using default relying party configuration.
15:53:43.680 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:262] - Processing incoming request
15:53:43.681 - TRACE [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:162] - Login context retrieved from HTTP request attribute
15:53:43.681 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:292] - Beginning user authentication process.
15:53:43.682 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:296] - Existing IdP session available for principal 000021
15:53:43.683 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:351] - Filtering configured login handlers by requested athentication methods.
15:53:43.684 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:352] - Configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1662250}
15:53:43.685 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:353] - Requested authentication methods: org.opensaml.xml.util.LazyList@192563a
15:53:43.686 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:300] - Possible authentication handlers for this request: {urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1}
15:53:43.687 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:313] - Possible authentication handlers after filtering: {urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1}
15:53:43.688 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:326] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler
15:53:43.689 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:75] - Redirecting to https://devshibboleth.umaryland.edu:443/idp/Authn/UserPassword


When first getting into Blackboard, then SSO into Google, it works fine.

Again, any help is greatly appreciated.

Brent
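The log excerpt above shows the AuthenticationEngine finding an existing IdP session for the principal, yet keeping only the UsernamePasswordLoginHandler after filtering (the configured PreviousSessionLoginHandler is absent from the "possible" set) and redirecting to the password form. As an added example, not code from this thread or from the Shibboleth project, here is a small Python helper that pulls those decision points out of an IdP 2.x log excerpt so the condition can be spotted without reading every line; the sample log lines are constructed from the ones quoted above.

```python
import re

# Constructed sample: five lines modelled on the IdP 2.x log excerpt quoted above.
SAMPLE_LOG = """\
15:53:43.667 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://devpilot.blackboard.umaryland.edu/SP1
15:53:43.682 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:296] - Existing IdP session available for principal 000021
15:53:43.684 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:352] - Configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1662250}
15:53:43.687 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:313] - Possible authentication handlers after filtering: {urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@fe9ad1}
15:53:43.689 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:75] - Redirecting to https://devshibboleth.umaryland.edu:443/idp/Authn/UserPassword
"""

# Handler maps are logged as "{method=Class@hash, method=Class@hash}".
HANDLER_RE = re.compile(r"([^\s{,=]+)=([^\s@,}]+)@[0-9a-f]+")
PATTERNS = {
    "relying_party": re.compile(r"Looking up relying party configuration for (\S+)"),
    "session_principal": re.compile(r"Existing IdP session available for principal (\S+)"),
    "configured": re.compile(r"Configured LoginHandlers: \{(.*)\}"),
    "possible": re.compile(r"Possible authentication handlers after filtering: \{(.*)\}"),
    "redirect": re.compile(r"Redirecting to (\S+)"),
}

def parse_handlers(body):
    # authn method URI -> simple handler class name (the @hash is object identity, dropped)
    return {method: cls.rsplit(".", 1)[-1] for method, cls in HANDLER_RE.findall(body)}

def parse_trace(log):
    """Pull the facts that decide the login-handler choice out of one request's log lines."""
    trace = {"configured": {}, "possible": {}}
    for line in log.splitlines():
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1)
                trace[name] = parse_handlers(value) if name in ("configured", "possible") else value
    return trace

def triage(trace):
    """Explain, from the parsed lines only, why the engine sent the user to a login page."""
    findings = []
    if trace.get("session_principal") and "PreviousSessionLoginHandler" not in trace["possible"].values():
        findings.append(f"session exists for principal {trace['session_principal']}, but "
                        "PreviousSessionLoginHandler is not among the handlers left after "
                        "filtering: " + ", ".join(trace["possible"]))
    if trace.get("redirect", "").endswith("/Authn/UserPassword"):
        findings.append(f"re-authentication forced for {trace.get('relying_party')}: {trace['redirect']}")
    return findings
```

Run `triage(parse_trace(open("idp-process.log").read()))` on the lines of a single SSO request to get the same two findings the quoted excerpt produces.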
