By: Christopher Palmer user 12 Feb 2018 at 12:32 p.m. CST

9 Responses
Christopher Palmer gravatar

Hi there, We currently have a SAML Outbound trust relationship setup between Gluu (as an IdP) and a SP web app for SSO. This works fine. What I am trying to setup now, is that we want to leverage accounts that exist in Google's G-suite business, and be able to authenticate with the Google accounts.

I took the path of setting up Inbound SAML using Passport on the Gluu server and we've setup the Google side as an IdP.

Now, when I try to access my webapp, I'm still redirected to Gluu (end up at https://MY_GLUU_SERVER/oxauth/login) with a SAML AuthnRequest. I was expecting to end up at a Google page. Can you help me troubleshoot this? Thanks!

By William Lowe staff 12 Feb 2018 at 12:34 p.m. CST

William Lowe gravatar

Hi Chris,

Can you try using this Google+ document instead?

Thanks,
Will

By Christopher Palmer user 13 Feb 2018 at 2:03 p.m. CST

Christopher Palmer gravatar

Hi Will, I have tried following the Google+ OAuth 2.0 Login document (Gluu v3.1.2) instead and am now requesting help about that :)

I've setup the Gluu and Google ends and tried testing. One comment about the documentation here. Normally, it's pretty good at telling you to navigate > here > then there. For this bit, I was able to see the screenshot as a way to navigate. However, my installation has 2 settings: Default acr: oxTrust acr: Does "Default" essentially mean any authentication other than oxTrust, and oxTrust is the Gluu GUI? Also, what is "acr"?

At any rate, I configured oxTrust acr for my new method (google_oauth) and opened a new private browser window and went to my Gluu server home page. I ended up at: https://<GLUU_SERVER>/oxauth/error Error Encountered login.errorSessionInvalidMessage

oxauth.log: 2018-02-13 19:57:28,364 ERROR [qtp212628335-11] [xdi.oxauth.authorize.ws.rs.AuthorizeAction] (AuthorizeAction.java:230) - Failed to get CustomScriptConfiguration. auth_step: 1, acr_values: google_oauth

The same kind of thing happens if I configure the Default acr to use google_oauth. Thanks for any help on this.

(edit 2) Now that I have found: /opt/gluu/jetty/oxauth/logs/oxauth_script.log I have more to add:

2018-02-13 19:21:15,899 INFO [oxAuthScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal 2018-02-13 19:21:15,899 INFO [oxAuthScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Google+ Initialization. The attributes mapping isn't valid

Note, the documentation for the custom attributes included this: gplus_remote_attributes_list: email, given_name, family_name, and locale gplus_local_attributes_list: uid, mail, givenName, sn, cn, preferredLanguage

I did drop the "and" word from the remote_attributes_list, but did wonder if they needed to match up somehow. Is this where we need to focus?

(edit 3) I changed the script attributes to the (probably not ideal) following in order to test further: gplus_local_attributes_list: mail, givenName, sn, preferredLanguage gplus_remote_attributes_list: email, given_name, family_name, locale

That wasn't right :)

PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute

Ok, so we need 'uid' on local. I read case #4162. @Zamil - can you list a recommended mapping? The image link showed (local) uid <-> (remote) given_name and later has (local) givenName.

By William Lowe staff 14 Feb 2018 at 9:53 a.m. CST

William Lowe gravatar

Does "Default" essentially mean any authentication other than oxTrust

Learn more about default authentication here.

Also, what is "acr"?

ACR is an OpenID Connect term that stands for Authentication Context Class Reference. This value is used to tell the OP what type of authentication mechanism to present.


oxTrust ACR is used to set the authentication method used to access the admin UI.

Default ACR is used to set the authentication method for any other applications that leverage your server for authentication.

I think those points are pretty well explained in the docs.

By Aliaksandr Samuseu staff 14 Feb 2018 at 10:48 a.m. CST

Aliaksandr Samuseu gravatar

Hi, Chris.

First, I would like to comment on this, as seems like there may be sort of confusion:

Now, when I try to access my webapp, I'm still redirected to Gluu (end up at https://MY_GLUU_SERVER/oxauth/login) with a SAML AuthnRequest. I was expecting to end up at a Google page.

You need to understand those are 2 completely different processes, and Gluu serves two different roles in them. When you access your web app (SAML SP), it will request your personal data from Gluu (which serves as SAML IDP in this case) using some SAML flow. It's not aware (and doesn't care) how IDP will handle this request. When user is redirected and hits Gluu's SAML IDP endpoints, it detects that they don't yet have a session at Gluu, thus it will redirect them to oxAuth (its core component) for authentication.

Inbound SAML method you tried to use initially, and Gplus auth method suggested by William are just different kinds of authentication oxAuth supports. Starting from there behavior will differ, depending on the method, but Gluu will now serve as requesting party. When authentication is done, it will return execution back to its IDP component and it will respond to SP.

So a general flow in this case will be: SP -> Gluu IDP -> Gluu oxAuth -> some remote party doing actual authentication -> Gluu oxAuth -> Gluu IDP -> SP

Note, the documentation for the custom attributes included this: gplus_remote_attributes_list: email, given_name, family_name, and locale gplus_local_attributes_list: uid, mail, givenName, sn, cn, preferredLanguage

I did drop the "and" word from the remote_attributes_list, but did wonder if they needed to match up somehow. Is this where we need to focus?

Those 2 properties set mappings between attributes' names sent from remote party to attributes' names used by Gluu. You need to ensure that at least uid and email attributes of local entries are assigned some value.

[org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal

This doesn't seem right to me. Try to ensure there is one to one mapping in those two properties from before.

By Christopher Palmer user 14 Feb 2018 at 11:31 a.m. CST

Christopher Palmer gravatar

Thanks for the responses so far. It's starting to make more sense to me. I'm able to now see the Gluu form for the Google login after modifying the attributes further to this (I hope this is valid).

gplus_local_attributes_list uid, mail, givenName, sn, preferredLanguage

gplus_remote_attributes_list email, email, given_name, family_name, locale

Now what I am experiencing is that Gluu seems to only be checking it's local LDAP for the user (and if those credentials are found), I'm successfully authenticated at the SP. I do not see any traffic from Gluu to Google and if I enter a valid Google credentials, I am given "Incorrect username or password." and oxauth.log shows: [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for 'christopher@example.com'

At this point, I did expect to see Gluu take my user and pass and send it over to Google for verification, right?

(edit 2) So a big part of my problem was self-inflicted. I had clicked on the Login button instead of the G-Sign In button. From there, I was eventually to get things to work as I had hoped.

By Thomas Gasmyr Mougang staff 16 Feb 2018 at 1:46 a.m. CST

Thomas Gasmyr Mougang gravatar

Hi Christopher,

Do you still need assistance?

Also feel free to share your point of view about the documentation. That may need some update.

By Thomas Gasmyr Mougang staff 19 Feb 2018 at 11:24 a.m. CST

Thomas Gasmyr Mougang gravatar

Hi Christopher,

We are closing this ticket for inactivity reason.

Feel free to reopen it if your issue is still not fixed.

By Christopher Palmer user 21 Feb 2018 at 12:12 p.m. CST

Christopher Palmer gravatar

Thanks. It looks like you have updated and improved the doc for that guide.

By William Lowe staff 21 Feb 2018 at 12:15 p.m. CST

William Lowe gravatar

Yes, documentation has been updated for using Google as an external IDP.

If you run into any other issues with this, feel free to open a new ticket.

Thanks, Chris!

Will