Configuração do IDP com Google Workspace

<bean id="Google" parent="RelyingPartyByName" c:relyingPartyIds="google.com">
   <property name="profileConfigurations">
        <list>
           <bean parent="SAML2.SSO" p:encryptAssertions="false" p:encryptNameIDs="false" />
        </list>
   </property>
</bean>

<!-- Release to Google an "emailAddress" NameID with the value of Gprincipal -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'Gprincipal'} }">
   <property name="activationCondition">
      <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com" />
   </property>
</bean>

<AttributeDefinition xsi:type="Template" id="Gprincipal">
   <InputDataConnector ref="dcLDAP" attributeNames="mail" />
   <Template>
      <![CDATA[
         ${mail}
      ]]>
   </Template>
</AttributeDefinition>

# Gprincipal

id=Gprincipal
transcoder=SAML2StringTranscoder
displayName.en=Username Google
displayName.it=Username Google
description.en=Username for Google
description.it=Username usato da Google
saml2.name=urn:oid:0.9.2342.19200300.100.1.3
saml1.encodeType=false

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<!-- entityID = "google.com" -->
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/$DOMAIN/acs" />
   </SPSSODescriptor>
</EntityDescriptor>

<MetadataProvider id="Google”  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/google-md.xml"/>

<AttributeFilterPolicy id="releaseToGoogle">
  <PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="Requester" value="google.com/a/$DOMAIN" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="ANY" />
  </AttributeRule>
</AttributeFilterPolicy>

<!-- G Suite (Google Apps)  -->
<AttributeFilterPolicy id="google.com">
   <PolicyRequirementRule xsi:type="Requester" value="google.com" />
   <AttributeRule attributeID="Gprincipal">
      <PermitValueRule xsi:type="ANY" />
   </AttributeRule>
</AttributeFilterPolicy>

systemctl restart jetty9.service && tail -f /opt/shibboleth-idp/logs/idp-process.log