h2. Google Gateway

InCommon Operations runs a Google Gateway for internal use. Currently the Gateway is integrated with the following Internet2 services:

* [InCommon Federation Manager|https://incommon.org/federation/info/entity.html?entityID=https%3A%2F%2Ffm.incommon.org%2Fsp]
* [Collaboration Wiki Spaces at Internet2|https://incommon.org/federation/info/entity.html?entityID=https%3A%2F%2Fspaces.at.internet2.edu%2Fshibboleth] (commonly called the “Spaces Wiki”)
* [Multi-Factor Authentication (MFA) Cohortium Registry|https://incommon.org/federation/info/entity.html?entityID=https%3A%2F%2Fregistry.cohortium.internet2.edu%2Fshibboleth]
* [Multi-Factor Authentication (MFA) Cohortium Wiki|https://incommon.org/federation/info/entity.html?entityID=https%3A%2F%2Fwiki.cohortium.internet2.edu%2Fshibboleth]

Over time, other Internet2 services will be integrated with the Google Gateway.

{warning}The Google Gateway is *not* a centralized service for all InCommon participants. For now, the Gateway is for internal use only.{warning}

h3. Federation Manager

The term [Delegated Administration] refers to the ability of a Site Administrator to delegate responsibility for administering SP metadata to another administrator called a _Delegated Administrator_. A Delegated Administrator (DA) logs into the [Federation Manager] (FM) with a federated password, that is, the DA must have an account on an InCommon IdP. InCommon Operations does not issue passwords to DAs. If a site wishes to use the Delegated Administration feature of the FM, that site must deploy an IdP or use the Google Gateway.

{div:style=float:right;margin-left:1em;margin-bottom:1ex}{note}Browse a static [demo of Google login|socialid:Demo Google Login] in the FM{note}{div}

In the eyes of a Delegated Administrator, the Google Gateway is just another IdP. Specifically, a DA sees an IdP called “Google Sign In” on the FM’s discovery interface. If the DA chooses to sign in with Google, the FM redirects the DA’s browser to the Google IdP via the Google Gateway.

h3. Gateway Attributes

The current version of the Google Gateway asserts the following attributes:

* {{eduPersonPrincipalName}}
* {{mail}}
* {{givenName}}
* {{sn}} (surName)

The {{mail}}, {{givenName}}, and {{sn}} attributes always pass through the Gateway as-is. The value of the {{eduPersonPrincipalName}} ({{ePPN}}) attribute is computed as shown in the following example.

*Example*. Suppose the Google IdP asserts the following email address:

{{user@gmail.com}}

The Gateway is configured to compute {{ePPN}} as follows:

{{ePPN}}: {{user+gmail.com@gateway.incommon.org}}

It is important to note that Google email addresses do not always end in “@gmail.com”. In fact, the domain part of a Google email address can be virtually anything, since Google Apps accounts are based on arbitrary DNS domains.

On the other hand, the Gateway asserts an {{ePPN}} with a fixed scope (“@gateway.incommon.org”). No configuration at the SP is necessary, since by default the SP performs scoped attribute checking against the fixed set of {{<shibmd:Scope>}} elements in Gateway metadata. In the above example, there will be one such {{<shibmd:Scope>}} element in [Gateway metadata|https://wayf.incommonfederation.org/InCommon/incommon.org-metadata.xml], namely:

{{<shibmd:Scope regexp="false">gateway.incommon.org</shibmd:Scope>}}

and so the {{ePPN}} shown above will be accepted by the SP (unless the SP has been configured otherwise).
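The {{ePPN}} mapping and the SP-side scope check described above, as an added Python example; it is not part of the original page and not the Gateway's own simpleSAMLphp code. The fixed scope {{gateway.incommon.org}} and the {{<shibmd:Scope regexp="false">}} element come from the page. Everything else is an assumption: the constructed metadata fragment and its placeholder entityID, the reverse mapping (which splits the local part on its last {{+}} so that a Google plus-address such as {{user+tag@gmail.com}} still round-trips), and the rule that a {{regexp="true"}} scope carries its own anchors.

```python
import re
import xml.etree.ElementTree as ET

# Values taken from the page.
GATEWAY_SCOPE = "gateway.incommon.org"
# Namespace of the <shibmd:Scope> extension element in Shibboleth metadata.
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed metadata fragment (not the real Gateway metadata); the entityID is a placeholder.
GATEWAY_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://GATEWAY-ENTITYID-PLACEHOLDER.example/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">gateway.incommon.org</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def gateway_eppn(google_mail: str, scope: str = GATEWAY_SCOPE) -> str:
    """Map a Google email address to the Gateway ePPN: user@domain -> user+domain@scope."""
    local, at, domain = google_mail.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError(f"not a single-@ email address: {google_mail!r}")
    # DNS names are case-insensitive, so normalise the domain; the local part is kept as asserted.
    return f"{local}+{domain.lower()}@{scope}"


def google_mail_from_eppn(eppn: str, scope: str = GATEWAY_SCOPE) -> str:
    """Invert gateway_eppn. Assumption: DNS domains never contain '+', so splitting the local
    part on its LAST '+' is unambiguous even when the Google local part uses plus-addressing."""
    local, at, got_scope = eppn.rpartition("@")
    if not at or got_scope.lower() != scope.lower():
        raise ValueError(f"ePPN is not scoped to {scope}: {eppn!r}")
    user, plus, domain = local.rpartition("+")
    if not plus or not user or not domain:
        raise ValueError(f"ePPN local part is not user+domain: {eppn!r}")
    return f"{user}@{domain}"


def load_scopes(metadata_xml: str) -> list:
    """Collect (value, is_regexp) pairs from every <shibmd:Scope> element in a metadata document."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        is_regexp = el.get("regexp", "false").strip().lower() == "true"
        scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def scope_accepted(eppn: str, scopes: list) -> bool:
    """Default SP behaviour: the scope of an asserted ePPN must match one of the IdP's
    metadata scopes, otherwise the value is discarded."""
    _, at, asserted_scope = eppn.rpartition("@")
    if not at or not asserted_scope:
        return False  # an unscoped value never passes a scoped-attribute check
    for value, is_regexp in scopes:
        if is_regexp:
            # Assumption: a regexp scope supplies its own anchors (e.g. ^.+\.example\.edu$).
            if re.search(value, asserted_scope):
                return True
        elif value.lower() == asserted_scope.lower():
            return True
    return False


def filter_attributes(asserted: dict, scopes: list) -> dict:
    """Apply the check to the Gateway's attribute set: mail, givenName and sn pass through
    unchanged; eduPersonPrincipalName survives only if its scope is in metadata."""
    accepted = {}
    for name, value in asserted.items():
        if name == "eduPersonPrincipalName" and not scope_accepted(value, scopes):
            continue  # wrongly scoped ePPN is dropped by the SP
        accepted[name] = value
    return accepted


if __name__ == "__main__":
    scopes = load_scopes(GATEWAY_METADATA)
    eppn = gateway_eppn("user@gmail.com")
    print(eppn, "accepted" if scope_accepted(eppn, scopes) else "rejected")
```

The decisive property is the last function: an IdP that asserted {{user@gmail.com}} directly as {{ePPN}} would have its value silently discarded by a default Shibboleth SP, because {{gmail.com}} is not a scope in that IdP's metadata, whereas the Gateway's rewritten value carries a scope the SP can verify against metadata.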

----

The Google Gateway is an instance of [simpleSAMLphp|http://simplesamlphp.org/] deployed in the Amazon cloud. The Gateway is built and maintained by [Cirrus Identity|http://cirrusidentity.com/].