The client should be calling : `acr_values=passport_saml` It's currently calling: `acr_values=passport` `acr_values` always corresponds to the **exact** name of the authentication interception script in Gluu. Let us know if that does the trick. Thanks, Will

Hi, I have added an acr_value=passport_saml as part of openid connect client. See the screenshot provided. But still when I check the logfile I still see acr_value=passport. Where do I change this to the correct value?

Hi **Sejako**, The node demo App and the documentation has been updated. You have to: 1. Delete the current demo App you have 1. Clone the latest version of the demo App 1. Edit your /etc/hosts: Currently there is an entry `http://passport-saml-demo-app.example.come:3000` Change that to `http://passport-saml-demo-app.example.com:3000` Thanks, Thomas Gasmyr

Hi **Sejako**, Still need assistance?

Hi, Apologies, been on leave just came back today. I am still working on this tickect. I have made some changes and there is a progress after using the new client app. Currently I am having issues with attributes that are getting passed. I need to run some tests today and will feedback on the progress. Thanks for the help so far.

Hi **Sejako**, Still need assistance?

Hi Thomas, Can we keep until tonight. I'm still doing some tests

Hi Thomas Im getting the following error during my integration (The integration consist of 2 Gluu Servers, 1 is configured to use shibboleth idp and the other one is configured to use passport saml). I get the following log messages on the one with passport-saml " {"level":"info","message":"::ffff:127.0.0.1 - - [28/Mar/2018:19:30:58 +0000] \"GET /passport/token HTTP/1.1\" 200 201 \"-\" \"Apache-HttpClient/4.5.3 (Java/1.8.0_112)\"","timestamp":"2018-03-28T19:30:58.694Z"} {"level":"info","message":"::ffff:127.0.0.1 - - [28/Mar/2018:19:30:58 +0000] \"GET /passport/auth/saml/gluu/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiI3YTVmMmM1Zi0wNjU4LTRiMjItYTM3Yi0xMmI5OWVkMmVlOGYiLCJpYXQiOjE1MjIyNjU0NTgsImV4cCI6MTUyMjI2Njg5OH0.3eXv5uAlFkY4u1J3CW6joqqpru_gRYaJhyEYBKXyKFY HTTP/1.1\" 200 1855 \"http://passport-saml-demo-app.example.com:3000/\" \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0\"","timestamp":"2018-03-28T19:30:58.807Z"} tail -f oxauth_script.log 2018-03-28 19:30:57,631 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: Prepare for Step 1 method call 2018-03-28 19:30:57,656 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: session {auth_step: 1, acr: passport_saml, remote_ip: 192.168.8.27, scope: openid profile email user_name, acr_values: passport_saml, response_type: code, redirect_uri: http://passport-saml-demo-app.example.com:3000/profile/, state: eyJzYWx0IjoidHN2N1ciLCJwcm92aWRlciI6ImdsdXUifQ==, nonce: 2318155173, client_id: @!4E0B.9A31.2C06.C718!0001!AF95.7BDA!0008!ADAA.906B.33FD.6A2C, response_mode: query} 2018-03-28 19:30:57,665 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: state is obtained 2018-03-28 19:30:57,871 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - gluu 2018-03-28 19:30:57,880 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - (u'salt', ':', u'tsv7W') 2018-03-28 19:30:57,884 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - (u'provider', ':', u'gluu') 2018-03-28 19:30:58,120 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: url https://jemstep.icurity.lab/passport/token 2018-03-28 19:30:58,754 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: szResponse {"token_":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiI3YTVmMmM1Zi0wNjU4LTRiMjItYTM3Yi0xMmI5OWVkMmVlOGYiLCJpYXQiOjE1MjIyNjU0NTgsImV4cCI6MTUyMjI2Njg5OH0.3eXv5uAlFkY4u1J3CW6joqqpru_gRYaJhyEYBKXyKFY"} 2018-03-28 19:30:58,759 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: /passport/auth/saml/gluu/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiI3YTVmMmM1Zi0wNjU4LTRiMjItYTM3Yi0xMmI5OWVkMmVlOGYiLCJpYXQiOjE1MjIyNjU0NTgsImV4cCI6MTUyMjI2Njg5OH0.3eXv5uAlFkY4u1J3CW6joqqpru_gRYaJhyEYBKXyKFY" " From the shibboleth idp I get the following " tail -f idp-process.log 2018-03-28 19:31:03,604 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for urn:gluu in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol 2018-03-28 19:31:03,821 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID urn:gluu) 2018-03-28 19:31:03,897 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration ^C root@gluu:/opt/shibboleth-idp/logs# tail -f idp-warn.log 2018-03-28 19:31:03,821 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID urn:gluu) 2018-03-28 19:31:03,897 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration " I suspect there is something wrong on my idp config.

Hello **Sejako**, If this is a different issue, please open a separate ticket for that and provide log files.

Hi Thomas, I am happy to close the ticket and open a new one.

Hi Thomas can we reopen this ticket. I did some tests and fixed the earlier issue that had to do with mappings. Now I get the following error after authenticating for my IDP " {"name":"StatusCodeError","statusCode":401,"message":"401 - \"{\\\"error\\\":\\\"invalid_client\\\",\\\"error_description\\\":\\\"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.\\\"}\"","error":"{\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.\"}","options":{"method":"POST","uri":"https://jemstep.icurity.lab/oxauth/restv1/token","headers":{"Authorization":"Basic QCE0RTBCLjlBMzEuMkMwNi5DNzE4ITAwMDEhQUY5NS43QkRBITAwMDghMjVBNy5DOEUxLkJBMzMuQzFCQjolbHV1QGRtaW4xMjM=","content-type":"application/x-www-form-urlencoded"},"form":{"grant_type":"authorization_code","code":"40e72e2c-fc0b-4c22-9314-6acbe87ce04b","redirect_uri":"http://passport-saml-demo-app.example.com:3000/profile/"},"resolveWithFullResponse":true,"simple":true,"transform2xxOnly":false},"response":{"statusCode":401,"body":"{\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.\"}","headers":{"date":"Tue, 03 Apr 2018 09:11:20 GMT","server":"Jetty(9.3.15.v20161220)","x-xss-protection":"1; mode=block","x-content-type-options":"nosniff","strict-transport-security":"max-age=31536000; includeSubDomains","www-authenticate":"Basic realm=\"oxAuth\"","content-type":"application/json;charset=iso-8859-1","connection":"close","transfer-encoding":"chunked"},"request":{"uri":{"protocol":"https:","slashes":true,"auth":null,"host":"jemstep.icurity.lab","port":443,"hostname":"jemstep.icurity.lab","hash":null,"search":null,"query":null,"pathname":"/oxauth/restv1/token","path":"/oxauth/restv1/token","href":"https://jemstep.icurity.lab/oxauth/restv1/token"},"method":"POST","headers":{"Authorization":"Basic QCE0RTBCLjlBMzEuMkMwNi5DNzE4ITAwMDEhQUY5NS43QkRBITAwMDghMjVBNy5DOEUxLkJBMzMuQzFCQjolbHV1QGRtaW4xMjM=","content-type":"application/x-www-form-urlencoded","content-length":152}}}} " I have attached the log file

Hi Sejako, Ticket reopened.

Hi **Sejako**, The log provide don't have any information about the error. Also the ticket is confusing that is why you may open a new ticket. Please describe your setup and provide all logs files related to the issue. Thanks, Gasmyr.