G Suite for Education (formally Google Apps) includes a limited SAML identity provider. Because SAFIRE is a hub-and-spoke federation, this can be configured to work as an identity provider within SAFIRE — the federation will do the work of integrating service providers, avoiding the need to add each one individually. Note that we use G Suite’s Primary Email for eduPersonPrincipalName (and Name ID) because it corresponds to the username people log in with.…