By: durgesh tripathi user 17 Jul 2016 at 5:10 a.m. CDT

9 Responses
Hi Guys, I have configured SSO for Google Apps. I am getting the following error: "This account cannot be accessed because we could not parse the login request". Can anyone comment on this? Following is the message I get in the IDP logs when I request the resource and the Gluu server redirects after authentication.

IDP log messages:

```
10:05:07.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
10:05:07.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
10:05:07.188 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
10:05:07.189 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request
10:05:07.189 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
10:05:07.189 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
10:05:07.189 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] - Decoded RelayState: https://www.google.com/a/mydomain.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
10:05:07.189 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] - Base64 decoding and inflating SAML message
10:05:07.190 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] - Parsing message stream into DOM document
10:05:07.190 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:193] - Unmarshalling message DOM
10:05:07.191 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:205] - Message succesfully unmarshalled
10:05:07.191 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:105] - Decoded SAML message
10:05:07.191 - DEBUG [org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder:112] - Extracting ID, issuer and issue instant from request
10:05:07.191 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.192 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.192 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.192 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.192 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.192 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.192 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.193 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.193 - WARN [edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartySecurityPolicyResolver:91] - No metadata for relying party google.com, treating party as anonymous for security policy
10:05:07.193 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartySecurityPolicyResolver:117] - Resolving security policy based on communication profile ID: urn:mace:shibboleth:2.0:profiles:saml2:sso
10:05:07.193 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartySecurityPolicyResolver:121] - No profile configuration resolved for communication profile ID 'urn:mace:shibboleth:2.0:profiles:saml2:sso', returning null security policy
10:05:07.193 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:85] - Successfully decoded message.
10:05:07.193 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191] - Checking SAML message intended destination endpoint against receiver endpoint
10:05:07.194 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:203] - SAML message intended destination endpoint in message was empty, not required by binding, skipping
10:05:07.194 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'google.com'
10:05:07.194 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.194 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.194 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.194 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.195 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.195 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.195 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.195 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.195 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for google.com
10:05:07.195 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for google.com
10:05:07.196 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:226] - Creating login context and transferring control to authentication engine
10:05:07.196 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:181] - Storing LoginContext to StorageService partition loginContexts, key d4f251b2c712c37c87ce22ff7e1708c13d20d6542bd4a4f18fdacbee59e74220
10:05:07.196 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:240] - Redirecting user to authentication engine at https://sso.mydomain.com:443/idp/AuthnEngine
10:05:07.526 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
10:05:07.527 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] - Beginning user authentication process.
10:05:07.528 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:244] - Existing IdP session available for principal durgesh@mydomain.com
10:05:07.528 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] - Filtering configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@34de47b0, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@6d348eed, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@1593a19e}
10:05:07.528 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@34de47b0, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@6d348eed, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@1593a19e}
10:05:07.528 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:467] - Authenticating user with previous session LoginHandler
10:05:07.528 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:478] - Basing previous session authentication on active authentication method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
10:05:07.529 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler:112] - Using existing IdP session for durgesh@mydomain.com
10:05:07.529 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] - Returning control to authentication engine
10:05:07.529 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
10:05:07.529 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] - Completing user authentication process
10:05:07.530 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:585] - Validating authentication was performed successfully
10:05:07.530 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:696] - Updating session information for principal durgesh@mydomain.com
10:05:07.530 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:560] - User durgesh@mydomain.com authenticated with method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
10:05:07.530 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - Returning control to profile handler
10:05:07.531 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:177] - Redirecting user to profile handler at https://sso.mydomain.com:443/idp/profile/SAML2/Redirect/SSO
10:05:07.857 - INFO [Shibboleth-Access:73] - 20160717T100507Z|163.53.85.212|sso.mydomain.com:443|/profile/SAML2/Redirect/SSO|
10:05:07.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
10:05:07.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
10:05:07.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:588] - Unbinding LoginContext
10:05:07.858 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:614] - Expiring LoginContext cookie
10:05:07.858 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:625] - Removed LoginContext, with key d4f251b2c712c37c87ce22ff7e1708c13d20d6542bd4a4f18fdacbee59e74220, from StorageService partition loginContexts
10:05:07.858 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:172] - Incoming request contains a login context and indicates principal was authenticated, processing second leg of request
10:05:07.858 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.858 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.859 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.859 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.859 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.859 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.859 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.860 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.860 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.860 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.860 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.860 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.860 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.861 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com
10:05:07.861 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com
10:05:07.861 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com
10:05:07.861 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for google.com
10:05:07.861 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for google.com
10:05:07.862 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: https://sso.mydomain.com/idp/shibboleth
10:05:07.862 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of https://sso.mydomain.com/idp/shibboleth
10:05:07.863 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:99] - Filtering peer endpoints. Supported peer endpoint bindings: [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]
10:05:07.863 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:69] - Selecting endpoint by ACS URL 'https://www.google.com/a/mydomain.com/acs' and protocol binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' for request 'bpkalfhbdbkpgjggmhbjlkcdcojdaginmnmgfmmb' from entity 'google.com'
10:05:07.864 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'durgesh@mydomain.com' for SAML request from relying party 'google.com'
10:05:07.864 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal durgesh@mydomain.com
10:05:07.864 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal durgesh@mydomain.com were not requested, resolving all attributes.
10:05:07.864 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principal for principal durgesh@mydomain.com
10:05:07.865 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principal containing 1 values
10:05:07.865 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute principal has 1 values after post-processing
10:05:07.865 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal durgesh@mydomain.com, the attributes: [principal]
10:05:07.865 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal durgesh@mydomain.com
10:05:07.865 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy SiteApp1 is active for principal durgesh@mydomain.com
10:05:07.865 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy SiteApp1 is not active for principal durgesh@mydomain.com
10:05:07.866 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy SiteApp2 is active for principal durgesh@mydomain.com
10:05:07.866 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy SiteApp2 is active for principal durgesh@mydomain.com
10:05:07.866 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute mail for principal durgesh@mydomain.com
10:05:07.866 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Removing attribute from return set, no more values: principal
10:05:07.866 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal durgesh@mydomain.com. The following attributes remain: []
10:05:07.867 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request 'bpkalfhbdbkpgjggmhbjlkcdcojdaginmnmgfmmb' from relying party 'google.com'
10:05:07.867 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
10:05:07.867 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:505] - No attributes for principal 'durgesh@mydomain.com' support encoding into a supported name identifier format for relying party 'google.com'
10:05:07.868 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:572] - Determining if SAML assertion to relying party 'google.com' should be signed
10:05:07.868 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:653] - IdP relying party configuration 'google.com' indicates to sign assertions: false
10:05:07.868 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:660] - Entity metadata for relying party 'google.com 'indicates to sign assertions: false
10:05:07.868 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:797] - Encoding response to SAML request bpkalfhbdbkpgjggmhbjlkcdcojdaginmnmgfmmb from relying party google.com
10:05:07.868 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:49] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
10:05:07.869 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:124] - Invoking Velocity template to create POST body
10:05:07.869 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:158] - Encoding action url of 'https://www.google.com/a/mydomain.com/acs' with encoded value 'https://www.google.com/a/mydomain.com/acs'
10:05:07.869 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:162] - Marshalling and Base64 encoding SAML message
10:05:07.869 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:97] - Marshalling message
10:05:07.872 - WARN [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder:134] - Relay state exceeds 80 bytes, some application may not support this.
10:05:07.872 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:185] - Setting RelayState parameter to: 'https://www.google.com/a/mydomain.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1', encoded as 'https://www.google.com/a/mydomain.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1'
10:05:07.876 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:56] - Successfully encoded message.
10:05:07.876 - INFO [Shibboleth-Audit:1028] - 20160717T100507Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|bpkalfhbdbkpgjggmhbjlkcdcojdaginmnmgfmmb|google.com|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://sso.mydomain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1f11f80cb989eba5af305280acb08807|durgesh@mydomain.com|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|||_05fbbc2d20ed50f2d566b4bf90d7406f,|
```

By Mohib Zico staff 17 Jul 2016 at 5:59 a.m. CDT

Hi Durgesh, Please feel free to check the other tickets on Google SSO available in our support portal; hopefully those will help you resolve your issue. If not, feel free to let us know.

By Michael Schwartz Account Admin 17 Jul 2016 at 9:44 a.m. CDT

Also [review the docs](https://gluu.org/docs/integrate/google-saml/) to make sure you didn't miss anything.

By durgesh tripathi user 18 Jul 2016 at 12:43 a.m. CDT

Hi Michael, I have followed the same document you are referring to. I have also tried searching through already open tickets for similar kinds of problems. Are you able to see any configuration issue in the logs? Can you please just point that out so I can work in that direction.

By Mohib Zico staff 18 Jul 2016 at 1:21 a.m. CDT

Durgesh, I am not exactly sure what you are trying to achieve. What Michael pointed to is the doc for using a Google+ account for authentication, but I have a feeling you are trying to SSO Google Apps. Can you please confirm?

By durgesh tripathi user 18 Jul 2016 at 2:17 a.m. CDT

Hi Mohib, I am trying to achieve SSO with Gmail using the Gluu server as identity provider. I have configured the Gluu server as identity provider and Gmail as service provider so that Gmail redirects the login request to Gluu (Shibboleth) for authentication. The user is authenticated from Gluu's DS and redirected back to Gmail with a SAML token. Now Gmail is saying that there was a problem parsing the response and the user is not able to log in. I am looking forward to integrating Gmail for SSO using the Gluu server.

By Mohib Zico staff 18 Jul 2016 at 6:41 a.m. CDT

> DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:505] - No attributes for principal 'durgesh@mydomain.com' support encoding into a supported name identifier format for relying party 'google.com'

That's the problem. NameID not working...
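Added example, not part of the thread and not Gluu or Shibboleth code: a small triage script that splits a run-together IdP debug log like the one posted above into entries and reports the attribute-release chain leading up to the NameID message quoted here. The function names and the shortened logger names in the sample are assumptions made for illustration; the message wording is taken from the posted log.

```python
import re

# Header of one IdP log entry, e.g. "10:05:07.866 - DEBUG [pkg.Class:114] - ".
# \s* tolerates the line breaks the forum inserted between level and logger.
ENTRY = re.compile(
    r"(\d{2}:\d{2}:\d{2}\.\d{3}) - (DEBUG|INFO|WARN|ERROR)\s*\[([^\]]+?):(\d+)\] - ")

# Message patterns, worded as in the log posted in this thread.
RESOLVED = re.compile(r"resolved, for principal \S+, the attributes: \[(.*?)\]")
POLICY = re.compile(r"Filter policy (\S+) is active for principal")
REMOVED = re.compile(r"Removing attribute from return set, no more values: (\S+)")
REMAIN = re.compile(r"The following attributes remain: \[(.*?)\]")
NO_NAMEID = re.compile(r"No attributes for principal '[^']+' support encoding into a "
                       r"supported name identifier format for relying party '([^']+)'")


def split_entries(text):
    """Split a run-together log into entries with whitespace-normalised messages."""
    heads = list(ENTRY.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "level": head.group(2),
            "logger": head.group(3).rsplit(".", 1)[-1],
            "message": " ".join(text[head.end():end].split()),
        })
    return entries


def _names(csv):
    return [name.strip() for name in csv.split(",") if name.strip()]


def triage(entries):
    """Collect the attribute-release chain that precedes NameID generation."""
    report = {"resolved": [], "active_policies": [], "removed": [],
              "remaining": None, "nameid_failure": None}
    for entry in entries:
        msg = entry["message"]
        if m := RESOLVED.search(msg):
            report["resolved"] = _names(m.group(1))
        elif m := POLICY.search(msg):
            report["active_policies"].append(m.group(1))
        elif m := REMOVED.search(msg):
            report["removed"].append(m.group(1))
        elif m := REMAIN.search(msg):
            report["remaining"] = _names(m.group(1))
        elif m := NO_NAMEID.search(msg):
            report["nameid_failure"] = m.group(1)  # relying party named in the message
    return report


def explain(report):
    """Turn the report into findings; an empty list means no NameID failure was logged."""
    rp = report["nameid_failure"]
    if rp is None:
        return []
    if report["remaining"] == []:
        return [f"filter released nothing to {rp}: resolved {report['resolved']}, "
                f"removed {report['removed']}, active policies {report['active_policies']}"]
    if report["remaining"]:
        return [f"{report['remaining']} released to {rp}, but none carries a NameID "
                f"encoder in a format the relying party accepts"]
    return [f"NameID failure for {rp}, but no filter result was logged"]


# Constructed sample: messages worded as in the posted log, logger names shortened,
# entries run together and broken mid-entry the way the forum rendered them.
SAMPLE = (
    "10:05:07.865 - DEBUG \n[x.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver "
    "resolved, for principal durgesh@mydomain.com, the attributes: [principal] "
    "10:05:07.865 - DEBUG [x.ShibbolethAttributeFilteringEngine:134] - Filter policy SiteApp1 "
    "is not active for principal durgesh@mydomain.com "
    "10:05:07.866 - DEBUG [x.ShibbolethAttributeFilteringEngine:139] - Filter policy SiteApp2 "
    "is active for principal durgesh@mydomain.com "
    "10:05:07.866 - DEBUG [x.ShibbolethAttributeFilteringEngine:163] - \nProcessing permit "
    "value rule for attribute mail for principal durgesh@mydomain.com "
    "10:05:07.866 - DEBUG [x.ShibbolethAttributeFilteringEngine:106] - Removing attribute "
    "from return set, no more values: principal "
    "10:05:07.866 - DEBUG [x.ShibbolethAttributeFilteringEngine:114] - Filtered attributes "
    "for principal durgesh@mydomain.com. The following attributes remain: [] "
    "10:05:07.867 - DEBUG [x.AbstractSAMLProfileHandler:505] - No attributes for principal "
    "'durgesh@mydomain.com' support encoding into a supported name identifier format for "
    "relying party 'google.com'"
)

if __name__ == "__main__":
    print("\n".join(explain(triage(split_entries(SAMPLE)))))
```

On the sample, the report shows that `principal` was resolved but removed while only policy SiteApp2 was active, so nothing was left to encode as a NameID for `google.com`.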

By durgesh tripathi user 18 Jul 2016 at 2:48 p.m. CDT

Do I need to take a look at my attribute resolver and attribute filter? I am also attaching them here; maybe you can suggest something. Please suggest.

attribute-filter.xml

```xml
<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" />
    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

attribute-resolver.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd
                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">

    <!-- ========================================== -->
    <!-- Attribute Definitions -->
    <!-- ========================================== -->
    <resolver:AttributeDefinition id="principal" xsi:type="PrincipalName" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>

    <!-- ========================================== -->
    <!-- Data Connectors -->
    <!-- ========================================== -->
    <!-- Example Static Connector -->
    <!-- LDAP Connector -->
    <resolver:DataConnector id="siteLDAP" xsi:type="dc:LDAPDirectory" ldapURL="ldaps://localhost:1636" baseDN="o=gluu" principal="cn=Directory Manager" principalCredential="Welcome1">
        <dc:FilterTemplate>
            <![CDATA[ (|(uid=$requestContext.principalName)(mail=$requestContext.principalName)) ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>

    <!--resolver:DataConnector xsi:type="dc:ComputedId" id="computedID" generatedAttributeID="computedID" sourceAttributeID="uid" salt="ufujAWGSuzbCtRRcMYpnCujW0r8+55jE8Ez64AO7NV1">
        <resolver:Dependency ref="siteLDAP" />
    </resolver:DataConnector-->

    <!-- ========================================== -->
    <!-- Principal Connectors -->
    <!-- ========================================== -->
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="shibTransient" nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml1Unspec" nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</resolver:AttributeResolver>
```

By Mohib Zico staff 22 Jul 2016 at 4:51 a.m. CDT

Hi Durgesh, Please compare your configuration with:

- [Google SSO](https://gluu.org/docs/integrate/google-saml/) doc.
- [Ticket](https://support.gluu.org/integrations/google-sso-relationship-2571)

There are a few more community tickets available in the support portal; feel free to check those as well.

By durgesh tripathi user 23 Jul 2016 at 11:49 a.m. CDT

Thank you Mohib, I have followed the same document. I will go through this doc again to verify, will go through the ticket too, and will update you.