Google Gateway
InCommon Operations runs a Google Gateway for internal use. Currently the Gateway is integrated with the following Internet2 services:
- InCommon Federation Manager
- Collaboration Wiki Spaces at Internet2 (commonly called the “Spaces Wiki”)
- Multi-Factor Authentication (MFA) Cohortium Registry
- Multi-Factor Authentication (MFA) Cohortium Wiki
Over time, other Internet2 services will be integrated with the Google Gateway.
The Google Gateway is not a centralized service for all InCommon participants. For now, the Gateway is for internal use only.
See the Google Gateway FAQ for more information.
Attribute Release
The current version of the Google Gateway asserts the following attributes:
- eduPersonPrincipalName
- mail
- givenName
- sn (surname)
The mail, givenName, and sn attributes are obtained from Google and always pass through the Gateway as-is.
Extra attributes are ignored
At most the mail, givenName, and sn attributes will transit the Gateway. Any other attribute that Google chooses to assert is dropped on the Gateway floor, that is, any extra attributes are totally ignored by the Gateway.
The value of the eduPersonPrincipalName (ePPN) attribute is computed as shown in the following example.
Example. Suppose the Google IdP asserts the following email address:
user@gmail.com
The Gateway is configured to compute the corresponding ePPN as follows:
user+gmail.com@gateway.incommon.org
In other words, the value of the ePPN attribute is completely determined by the email address obtained from Google: the local part and the domain of the address are joined with “+” and the result is placed in the Gateway's own scope.
Google email addresses
Google email addresses do not always end in “@gmail.com”. In fact, a Google email address can be virtually anything since Google Apps accounts are based on arbitrary DNS domains.
On the other hand, the Gateway asserts an ePPN with a fixed scope (“@gateway.incommon.org”). No additional configuration at the SP is necessary, since by default the SP performs scoped attribute checking against the fixed set of <shibmd:Scope> elements in Gateway metadata. In fact, there is exactly one such <shibmd:Scope> element in Gateway metadata, namely:
<shibmd:Scope regexp="false">gateway.incommon.org</shibmd:Scope>
and so the ePPN shown above will be accepted by the SP by default. An ePPN carrying any other scope (including the user's original Google domain) does not match this element; whether such a value is accepted is left entirely to the SP's own configuration.
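The following Python is an added example, not code from the Gateway or from simpleSAMLphp, that models the behaviour described above end to end: the Gateway side (drop everything but mail, givenName and sn, then derive the ePPN from the mail value) and the SP side (scoped-attribute checking against the single <shibmd:Scope regexp="false"> element in Gateway metadata). The attribute names, the scope value and the “local+domain@gateway.incommon.org” rule come from this page; the function names, the representation of metadata scopes as (value, regexp) pairs, the case-insensitive scope comparison and the sample Google attribute set are assumptions made for the example.

```python
import re

# Scope under which the Gateway asserts ePPN (from the page).
GATEWAY_SCOPE = "gateway.incommon.org"

# The only attributes allowed to transit the Gateway as-is (from the page).
PASS_THROUGH = ("mail", "givenName", "sn")

# Model of the <shibmd:Scope> elements in Gateway metadata as
# (value, regexp-flag) pairs. The page shows exactly one, regexp="false".
GATEWAY_METADATA_SCOPES = [(GATEWAY_SCOPE, False)]


def compute_eppn(mail, scope=GATEWAY_SCOPE):
    """Gateway rule: user@gmail.com -> user+gmail.com@gateway.incommon.org."""
    local, at, domain = mail.rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError(f"not a usable email address: {mail!r}")
    return f"{local}+{domain}@{scope}"


def gateway_assertion(google_attrs):
    """Attributes the Gateway releases, given what Google asserted.

    Anything outside PASS_THROUGH is dropped; ePPN is derived from mail.
    """
    released = {k: google_attrs[k] for k in PASS_THROUGH if k in google_attrs}
    released["eduPersonPrincipalName"] = compute_eppn(google_attrs["mail"])
    return released


def sp_accepts_scoped(value, metadata_scopes):
    """SP-side scoped-attribute check.

    The scope is the part after the last '@'. It is accepted only if it
    matches a <shibmd:Scope> of the asserting IdP. The comparison for
    non-regexp scopes is done case-insensitively here (assumption of this
    example; confirm against your own SP's behaviour).
    """
    _, at, scope = value.rpartition("@")
    if not at or not scope:
        return False
    for pattern, is_regexp in metadata_scopes:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif scope.casefold() == pattern.casefold():
            return True
    return False


def filter_assertion_at_sp(attrs, metadata_scopes,
                           scoped=("eduPersonPrincipalName",)):
    """Drop any scoped attribute whose scope is not permitted for this IdP."""
    return {k: v for k, v in attrs.items()
            if k not in scoped or sp_accepts_scoped(v, metadata_scopes)}


if __name__ == "__main__":
    # Constructed sample of what a Google IdP might assert; "picture" stands
    # in for any extra attribute and is not something the page lists.
    google_attrs = {"mail": "user@gmail.com", "givenName": "User",
                    "sn": "Example", "picture": "https://example.invalid/p.png"}
    released = gateway_assertion(google_attrs)
    print("Gateway releases:", released)
    print("SP keeps:", filter_assertion_at_sp(released, GATEWAY_METADATA_SCOPES))
    # A forged ePPN still in the user's Google domain fails the scope check.
    print("Forged scope accepted?",
          sp_accepts_scoped("user@gmail.com", GATEWAY_METADATA_SCOPES))
```

Two points worth noticing when running it: the same rule works for any Google Apps domain (jdoe@example.edu becomes jdoe+example.edu@gateway.incommon.org), and an ePPN that arrives from the Gateway but is not scoped to gateway.incommon.org is rejected by the SP without any per-SP configuration, which is exactly what the <shibmd:Scope> element buys you.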
Privacy
The Google Gateway provides the following privacy-enhancing features:
- Google requires explicit user consent for each and every transaction.
- Only three user attributes are allowed to transit the Gateway: email, first name, and last name. Any other attributes are totally ignored by the Gateway.
- The Gateway is stateless, that is, no user information is stored at the Gateway.
- Since Google transacts with the Gateway only, Google sees the Gateway as the relying party and does not learn which SPs a user visits through it.
Applications
The following web applications are integrated with the Google Gateway.
Federation Manager
View a static demo of a Google login to the FM
The InCommon Federation Manager uses the Google Gateway to authenticate a class of users called Delegated Administrators. The term Delegated Administration refers to the ability of a Site Administrator (who is a privileged user) to delegate responsibility for administering SP metadata to another administrator called a Delegated Administrator. A Delegated Administrator (DA) logs into the Federation Manager (FM) with federated credentials, that is, the DA must have an account at an InCommon IdP. (InCommon Operations does not issue passwords to DAs.) If a site wishes to use the Delegated Administration feature of the FM, that site must deploy an IdP or use the Google Gateway.
In the eyes of a Delegated Administrator, the Google Gateway is just another IdP. Specifically, a DA sees an IdP called “Google Sign In” on the FM’s discovery interface. If the DA chooses to sign in with Google, the FM redirects the DA’s browser to the Google IdP via the Google Gateway.
The Google Gateway is an instance of simpleSAMLphp deployed in the Amazon cloud. The Gateway is built and maintained by Cirrus Identity.