This guide is a work in progress!
Google Workspace is popular amongst schools, particularly smaller schools, and we often receive the question: "Does the Google IdP work for Skolverket's DNP?"
To begin answering the question, you need to understand that both Skolverket, in its role as the service provider, and Skolfederation have requirements on what a SAML IdP must be capable of in order to conform with their technical and security requirements.
In Skolverket's case, an IdP should have at least the below abilities (simplified):
Check Skolverket's technical requirements for more details.
In Skolfederation, an IdP should conform with the technical requirements set in Skolfederation's Technical Profile.
The Google IdP does not conform with the above requirements on (at least) the below abilities:
Furthermore, the Google IdP is not developed for usage in a federation. We do not see any signs of Google adapting their IdP to conform to widely regarded SAML WebSSO federation standards.
This means that in order to get your IdP working in a federation, you need to be aware of the limitations and the uncertainty of how Google chooses to provide their IdP service now and in the future.
There are two ways of using Google for logon for DNP:
A SAML/IdP proxy is federation software that sits between your IdP (in this case Google) and the services in a federation. By using a capable proxy, you can keep your "normal" Google sign-on and still conform with the technical requirements set by the federation.
Different proxy solutions provide different support and abilities, which is why it is important to choose a proxy that has declared or generally recognized support for Skolfederation, and/or SAML 2.0 WebSSO identity federation, and/or DNP.
By connecting the Google IdP directly to the federation, the school needs to be aware that Google does not conform with the technical requirements listed above, and will need to work around these issues.
Internetstiftelsen does not recommend connecting the Google IdP directly to the federation for the reasons above, but there may be resource or economic limitations that do not allow the school to choose another IdP solution. With that in mind, we have provided a step-by-step guide below on how you can configure your Google IdP directly.
Please make sure you have read the previous chapter on the limitations of using the Google Workspace IdP and connecting it directly to Skolfederation before proceeding.
We are not Google experts. Neither Internetstiftelsen nor Skolfederation is liable for any errors or damage caused by using the guide below. Use caution and, if possible, consult a professional.
To successfully configure and test your Google Workspace IdP to work with Skolverket's DNP, you need to perform the following steps:
Skolverket's technical verification test: logon without e-id
Skolverket's technical verification test: logon with e-id "step-up"
If your organization is already a member of Skolfederation, you may proceed to the next step.
If you are not already a member, become a member by following the information provided here.
Log in to https://admin.google.com with admin credentials. Proceed to the next step.
If you already have ePPN set up for your users, you may proceed to the next step.
Below is a method to manually add the ePPN attribute to your users. Other methods, such as a directory sync, are not covered here.
In the menu to your left, go to Directory > Users
Open the drop down menu More options and select Manage custom attributes
Select ADD CUSTOM ATTRIBUTE
Add attribute
Fill in the form as follows:
Then click ADD
Go to Directory > Users
Click on the user you want to add the ePPN attribute to.
Expand User information by clicking it; all user attributes will then be shown.
In the list eduPersonPrincipalName should be present under the Skolfederation category. Select Add eduPersonPrincipalName
Add ePPN for the user and click Save. This user now has an ePPN that can be used for DNP.
Repeat from step Add ePPN to users for all users that need the ePPN attribute set.
Read more on creating ePPN in the Guide: eduPersonPrincipalName (ePPN)
Go to Apps > Web and mobile apps
Navigate to Add app and select Add custom SAML app
Name your app, perhaps "DNP verification test", and click CONTINUE
Under Option 1: Download IdP metadata, select DOWNLOAD METADATA. This file will be used in a later step. Continue.
Add the service provider details
Add the following details for Skolverket's technical verification test service. Note! This is not a step that you would have to do with a federation capable IdP.
Select CONTINUE
Under Attributes, select ADD MAPPING. Here you configure your IdP to release the ePPN attribute to the Skolverket SP.
Note! If you recall, a limitation in the Google IdP is its inability to send a correct NameFormat for attributes. Usually, you would send the App attribute as the above listed urn:oid string. In this case, we have to work around it. Do not add the urn:oid value as the App attribute, because the Skolverket service currently does not support this value without a correct NameFormat.
Then select FINISH
Activate the service for your users. On the service screen that should appear, click on User access
Select ON for everyone, then SAVE
Now the Skolverket verification test SP is set up in your Google IdP, and configured to send ePPN as an attribute. Proceed to the next step.
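The NameFormat limitation noted above, seen from the service provider's side. This is an added example, not code from the guide or from Google; the attribute statements are constructed, and the OID and NameFormat URIs are the standard SAML values for eduPersonPrincipalName.

```python
# Added example (not from the guide): an SP-side check of how eduPersonPrincipalName
# arrives in a SAML AttributeStatement. It shows why an attribute named by its
# urn:oid without the "uri" NameFormat is rejected, as the note above describes.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # standard OID for eduPersonPrincipalName
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# SAML 2.0 core: when NameFormat is omitted, "unspecified" is in effect.
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

def inspect_eppn(attribute_statement_xml):
    """Describe the first ePPN attribute in the statement, or return None if absent.

    'conformant' is True only when the attribute is named by its OID and carries
    the uri NameFormat, which is what a federation SP such as Skolverket's expects.
    """
    root = ET.fromstring(attribute_statement_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EPPN_OID:
            continue
        name_format = attr.get("NameFormat", UNSPECIFIED)
        value_el = attr.find(f"{{{SAML_NS}}}AttributeValue")
        return {
            "name": EPPN_OID,
            "name_format": name_format,
            "value": value_el.text if value_el is not None else None,
            "conformant": name_format == URI_FORMAT,
        }
    return None

# Constructed sample statements (not captured from any real IdP).
CONFORMANT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{EPPN_OID}" NameFormat="{URI_FORMAT}" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>student@example.skola.se</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Google-style, as the guide describes: the OID used as App attribute name, but no
# NameFormat can be set, so "unspecified" is what the SP effectively receives.
GOOGLE_STYLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="{EPPN_OID}">
    <saml:AttributeValue>student@example.skola.se</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    for label, xml in (("conformant", CONFORMANT), ("google-style", GOOGLE_STYLE)):
        print(label, inspect_eppn(xml))
```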
Now that the Google IdP is configured for the DNP technical verification test, you need to upload the Google IdP metadata to Skolfederation. Before doing so, you need to add missing metadata information to the file downloaded in the previous step.
Go to https://gidp.swefed.se/. Perform the steps under "Metadataverktyg för Google IdP" and "Komplettering".
Under Metadataverktyg för Google IdP, click on Ladda upp
Select the metadata file downloaded in the previous step "Option 1: Download IdP metadata".
The metadata will be presented.
Scroll down to Komplettering and add information as described in the guide (see the example below).
The information is then added to your metadata, as shown in the previous view.
Click on Ladda ner to download the new metadata file with the added changes.
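What the Komplettering step does in principle, as an added example that is not the gidp.swefed.se tool's code nor from the guide. Which elements Skolfederation's tool adds is an assumption here; Organization and a technical ContactPerson (standard SAML metadata elements) are used to illustrate, and the Google-style metadata and entityID are constructed with placeholder values.

```python
# Added example (not from the guide or the gidp.swefed.se tool): find top-level
# elements missing from a Google IdP metadata file and append them. Organization
# and a technical ContactPerson are assumed examples of what a federation expects.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)

def missing_elements(metadata_xml):
    """Names of expected top-level elements absent from the EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    expected = ["IDPSSODescriptor", "Organization", "ContactPerson"]
    return [n for n in expected if root.find(f"{{{MD}}}{n}") is None]

def supplement(metadata_xml, org_name, org_url, tech_email, lang="sv"):
    """Return metadata with Organization and a technical ContactPerson added.

    The SAML metadata schema orders role descriptors before Organization and
    ContactPerson, so appending after the existing children keeps it valid.
    """
    root = ET.fromstring(metadata_xml)
    if root.find(f"{{{MD}}}Organization") is None:
        org = ET.SubElement(root, f"{{{MD}}}Organization")
        for tag, text in (("OrganizationName", org_name),
                          ("OrganizationDisplayName", org_name),
                          ("OrganizationURL", org_url)):
            ET.SubElement(org, f"{{{MD}}}{tag}", {XML_LANG: lang}).text = text
    if root.find(f"{{{MD}}}ContactPerson[@contactType='technical']") is None:
        contact = ET.SubElement(root, f"{{{MD}}}ContactPerson", contactType="technical")
        ET.SubElement(contact, f"{{{MD}}}EmailAddress").text = f"mailto:{tech_email}"
    return ET.tostring(root, encoding="unicode")

# Constructed minimal metadata in the shape Google exports (assumed; placeholder
# idpid, and the signing KeyDescriptor that a real file carries is left out).
GOOGLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("missing before:", missing_elements(GOOGLE_METADATA))
    print(supplement(GOOGLE_METADATA, "Exempelskolan", "https://www.example.se", "it@example.se"))
```

Running the file prints the missing elements and the supplemented metadata; the real federation tool performs the same kind of completion before you download the new file.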
To be able to upload the metadata to Skolfederation, you have to be the organization's technical contact, or a technical agent added in Federationsadmin by the technical contact.
Log in to Federationsadmin here with e-id.
Follow the five Metadata steps in the Federationsadmin user guide (in Swedish) to upload your metadata to the federation.
The first time metadata is uploaded, the federation operator will review it. If the metadata is OK, it will be published to the federation. If any changes need to be made before publishing, you will receive an email describing them.
Once the metadata is published, Skolfederation's metadata needs to be updated and Skolverket needs to retrieve the latest changes before you can proceed with the verification tests. This is usually done within two hours.
Follow the steps at Skolverket's technical verification test login without e-id
Follow the steps at Skolverket's technical verification test login with e-id