Internet2 and InCommon Operations jointly run a Google Gateway for select Internet2 services. For example, you can log into the Spaces wiki using your Google account. Choose “Social Providers” and then “Google Sign In” on the Spaces discovery interface. (You may have to delete cookies for spaces.at.internet2.edu to see the discovery interface.)
If your campus is a Google Apps for Education (GAE) campus, you may have more Google accounts than you think. For example, as an Internet2 employee, I can log into the Spaces wiki using either the Internet2 IdP or the Google Gateway since Internet2 is a GAE campus, and moreover, using the Google Gateway, I can log in with my Internet2 credentials or my Google credentials.
Any GAE campus can use their campus credentials with the Google Gateway. When you choose “Google Sign In” on the Spaces discovery interface, one of three things will happen:
You can revoke permission previously given to an app on the Google Permissions page.
Bradley University is a GAE campus. They use CAS to log into Google Apps. A Bradley user has an email address of the form:
user@fsmail.bradley.edu
When a Bradley user selects "Google Sign In" on the discovery interface and logs in via CAS, the Google Gateway asserts the following attributes:
eduPersonPrincipalName: user+fsmail.bradley.edu@google.incommon.org
Now suppose Bradley University joins InCommon, partners with an Affiliate, and deploys its own Google Gateway. In this case, a Bradley user selects "Bradley University" on the discovery interface. After logging in via CAS, the Google Gateway asserts the following attributes:
eduPersonPrincipalName: user@bradley.edu
Note that the ePPN is different. Since Bradley University now owns the Gateway, they can assert their own scoped attributes.
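The ePPN difference just described, modelled as an added example (this is not code from the page or from Internet2/InCommon). The rewriting rules are inferred from the two ePPN values shown above, and the exact-match scope check on the SP side is an assumption about how a relying party would validate a scoped attribute against the asserting IdP's registered scopes.

```python
from typing import Collection

# Added example, not the gateway's own code: models the two ePPN forms shown
# on the page and an SP-side scope check that distinguishes them.
INTERNET2_GATEWAY_SCOPE = "google.incommon.org"  # scope of the "Google Sign In" gateway

def internet2_gateway_eppn(google_email: str) -> str:
    """ePPN as asserted by the Internet2 Google Gateway.

    The '@' of the Google address becomes '+', so the full address survives
    as the local part, and the gateway's own scope is appended.
    """
    local, _, domain = google_email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {google_email!r}")
    return f"{local}+{domain}@{INTERNET2_GATEWAY_SCOPE}"

def campus_gateway_eppn(google_email: str, campus_scope: str) -> str:
    """ePPN as asserted by a gateway the campus owns (e.g. scope bradley.edu):
    the campus keeps the local part and asserts its own registered scope."""
    local, _, domain = google_email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {google_email!r}")
    return f"{local}@{campus_scope}"

def scope_of(eppn: str) -> str:
    """Scope is everything after the last '@' of a scoped attribute value."""
    return eppn.rpartition("@")[2]

def accept_eppn(eppn: str, idp_registered_scopes: Collection[str]) -> bool:
    """SP-side check (assumed exact match): accept an ePPN only if its scope is
    one the asserting IdP is registered for in federation metadata. The same
    Bradley user therefore carries two different, non-interchangeable ePPNs
    depending on which gateway asserted it."""
    return scope_of(eppn) in idp_registered_scopes
```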
What about eduPersonTargetedID? Even though the Google IdP asserts an opaque, targeted, persistent identifier for the user, the Internet2 Google Gateway with DisplayName "Google Sign In" intentionally does not assert ePTID (since that is a commitment we’re not yet prepared to make). The Bradley University Google Gateway, on the other hand, could assert ePTID straightaway, and its value would be exactly what you would expect.
In summary, a GAE campus can deploy a Google Gateway that asserts at least the following attributes out of the box:
The campus can either let Google manage passwords or federate with Google Apps using CAS SAML or some other SAML software.
Everything we’ve said so far about Google Apps for Education is true of any Google Apps account. For example, Cirrus Identity has a Google Apps for Business account, so Cirrus deployed a Google Gateway and registered an IdP in the InCommon Federation. Looking at the Cirrus IdP entity descriptor in metadata, you can’t tell that it’s backed by a Google Gateway; that is, Cirrus IdP metadata looks like any other IdP in metadata.