Hi Chris, Can you try using this [Google+](https://gluu.org/docs/ce/3.1.2/authn-guide/google/) document instead? Thanks, Will

Hi Will, I have tried following the Google+ OAuth 2.0 Login document (Gluu v3.1.2) instead and am now requesting help about that :) I've setup the Gluu and Google ends and tried testing. One comment about the documentation here. Normally, it's pretty good at telling you to navigate > here > then there. For this bit, I was able to see the screenshot as a way to navigate. However, my installation has 2 settings: Default acr: oxTrust acr: Does "Default" essentially mean any authentication other than oxTrust, and oxTrust is the Gluu GUI? Also, what is "acr"? At any rate, I configured oxTrust acr for my new method (google_oauth) and opened a new private browser window and went to my Gluu server home page. I ended up at: https://<GLUU_SERVER>/oxauth/error Error Encountered login.errorSessionInvalidMessage oxauth.log: 2018-02-13 19:57:28,364 ERROR [qtp212628335-11] [xdi.oxauth.authorize.ws.rs.AuthorizeAction] (AuthorizeAction.java:230) - Failed to get CustomScriptConfiguration. auth_step: 1, acr_values: google_oauth The same kind of thing happens if I configure the Default acr to use google_oauth. Thanks for any help on this. (edit 2) Now that I have found: /opt/gluu/jetty/oxauth/logs/oxauth_script.log I have more to add: 2018-02-13 19:21:15,899 INFO [oxAuthScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal 2018-02-13 19:21:15,899 INFO [oxAuthScheduler_Worker-4] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Google+ Initialization. The attributes mapping isn't valid Note, the documentation for the custom attributes included this: gplus_remote_attributes_list: email, given_name, family_name, and locale gplus_local_attributes_list: uid, mail, givenName, sn, cn, preferredLanguage I *did* drop the "and" word from the remote_attributes_list, but did wonder if they needed to match up somehow. Is this where we need to focus? (edit 3) I changed the script attributes to the (probably not ideal) following in order to test further: gplus_local_attributes_list: mail, givenName, sn, preferredLanguage gplus_remote_attributes_list: email, given_name, family_name, locale That wasn't right :) PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute Ok, so we need 'uid' on local. I read case #4162. @Zamil - can you list a recommended mapping? The image link showed (local) uid <-> (remote) given_name and later has (local) givenName.

> Does "Default" essentially mean any authentication other than oxTrust Learn more about default authentication [here](https://gluu.org/docs/ce/3.1.2/admin-guide/oxtrust-ui/#default-authentication-method). > Also, what is "acr"? ACR is an OpenID Connect term that stands for Authentication Context Class Reference. This value is used to tell the OP what type of authentication mechanism to present. ------------- oxTrust ACR is used to set the authentication method used to access the admin UI. Default ACR is used to set the authentication method for any other applications that leverage your server for authentication. I think those points are pretty well explained [in the docs](https://gluu.org/docs/ce/3.1.2/authn-guide/intro/#default-authentication-mechanism).

Hi, Chris. First, I would like to comment on this, as seems like there may be sort of confusion: >Now, when I try to access my webapp, I'm still redirected to Gluu (end up at https://MY_GLUU_SERVER/oxauth/login) with a SAML AuthnRequest. I was expecting to end up at a Google page. You need to understand those are 2 completely different processes, and Gluu serves two different roles in them. When you access your web app (SAML SP), it will request your personal data from Gluu (which serves as SAML IDP in this case) using some SAML flow. It's not aware (and doesn't care) how IDP will handle this request. When user is redirected and hits Gluu's SAML IDP endpoints, it detects that they don't yet have a session at Gluu, thus it will redirect them to oxAuth (its core component) for authentication. Inbound SAML method you tried to use initially, and Gplus auth method suggested by William are just different kinds of authentication oxAuth supports. Starting from there behavior will differ, depending on the method, but Gluu will now serve as requesting party. When authentication is done, it will return execution back to its IDP component and it will respond to SP. So a general flow in this case will be: SP -> Gluu IDP -> Gluu oxAuth -> some remote party doing actual authentication -> Gluu oxAuth -> Gluu IDP -> SP >Note, the documentation for the custom attributes included this: gplus_remote_attributes_list: email, given_name, family_name, and locale gplus_local_attributes_list: uid, mail, givenName, sn, cn, preferredLanguage >I did drop the "and" word from the remote_attributes_list, but did wonder if they needed to match up somehow. Is this where we need to focus? Those 2 properties set mappings between attributes' names sent from remote party to attributes' names used by Gluu. You need to ensure that at least `uid` and `email` attributes of local entries are assigned some value. >[org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal This doesn't seem right to me. Try to ensure there is one to one mapping in those two properties from before.

Thanks for the responses so far. It's starting to make more sense to me. I'm able to now see the Gluu form for the Google login after modifying the attributes further to this (I hope this is valid). gplus_local_attributes_list uid, mail, givenName, sn, preferredLanguage gplus_remote_attributes_list email, email, given_name, family_name, locale Now what I am experiencing is that Gluu seems to only be checking it's local LDAP for the user (and if those credentials are found), I'm successfully authenticated at the SP. I do *not* see any traffic from Gluu to Google and if I enter a valid Google credentials, I am given "Incorrect username or password." and oxauth.log shows: [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for 'christopher@example.com' At this point, I did expect to see Gluu take my user and pass and send it over to Google for verification, right? (edit 2) So a big part of my problem was self-inflicted. I had clicked on the Login button instead of the G-Sign In button. From there, I was eventually to get things to work as I had hoped.

Hi Christopher, Do you still need assistance? Also feel free to share your point of view about the documentation. That may need some update.

Hi **Christopher**, We are closing this ticket for inactivity reason. Feel free to reopen it if your issue is still not fixed.

Thanks. It looks like you have updated and improved the doc for that guide.

Yes, documentation has been updated for [using Google as an external IDP](https://gluu.org/docs/ce/3.1.2/authn-guide/google/). If you run into any other issues with this, feel free to open a new ticket. Thanks, Chris! Will

Hi Bill, I am trying to set up Google as external IDP to Gluu Server. I followed the instructions in the document you mentioned. I am getting the error {"error":"unsupported_response_type","error_description":"The authorization server does not support obtaining an access token using this method.","state":"fl50eu"} P.S. The gluu server is a local setup, and the urls are not accessible from outside our firewall. It iwas working correctly in dynamic registration mode with gluu server as the IDP. I tried adding google as the external IDP and it is failing. The query is: https://mohan1.ipac.caltech.edu/oxauth/restv1/authorize?response_type=token id_token&scope=openid profile email&nonce=6cbpm&client_id=@!E607.BCBA.F19B.BFB6!0001!934F.FCBA!0008!8976.C0A0.A8A6.9F60&redirect_uri=https://mohan.ipac.caltech.edu/euclid/tos.html&state=1aqy9bl Thanks in advance for your help. Mohan.

Hi, Mohan. This ticket was closed a year ago. Please create a new ticket for your issue.