By: Sejako Sejako user 19 Mar 2018 at 4:32 p.m. CDT

13 Responses
Hello, I have configured an Inbound SAML using the passport module. But when I try to test the configuration using the node.js client I get the following error:

```
2018-03-19 21:21:45,202 ERROR [qtp2008017533-19] [xdi.oxauth.authorize.ws.rs.AuthorizeAction] (AuthorizeAction.java:230) - Failed to get CustomScriptConfiguration. auth_step: 1, acr_values: passport
```

The client is making the following call:

```
https://<hostname>/oxauth/authorize?response_mode=query&response_type=code&client_id=@!07C2.4162.2C33.0D2F!0001!5A47.9646!0008!E5D3.16D2.AFEF.7335&scope=openid+profile+email+user_name&redirect_uri=http://passport-saml-demo-app.example.com:3000/profile/&state=eyJzYWx0IjoicnNyRm0iLCJwcm92aWRlciI6ImZyb2NrX2lkcCJ9&nonce=4627409620&acr_values=passport
```

By William Lowe user 19 Mar 2018 at 4:45 p.m. CDT

The client should be calling: `acr_values=passport_saml`. It's currently calling: `acr_values=passport`. `acr_values` always corresponds to the **exact** name of the authentication interception script in Gluu. Let us know if that does the trick. Thanks, Will
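The authorization request with the script name fixed, as an added JavaScript example that is not part of the ticket or of the Gluu demo app: it assembles the `/oxauth/authorize` URL from the parameters quoted in the first post and rejects any `acr_values` entry that is not the exact name of an enabled interception script. The issuer host `idp.example.test` and the set of enabled script names are assumptions; the client_id, redirect_uri, state and nonce are the ones from the request above.

```javascript
// Added example, not code from the Gluu demo app: build the OpenID Connect
// authorization request the way the node.js client does and check, before
// sending it, that every acr_values entry names an interception script that
// is actually enabled on the Gluu server. The issuer host and the set of
// enabled script names are assumptions; the other parameters come from the
// request quoted in the ticket.

// Assumption: acr names of the scripts enabled on this server.
const ENABLED_ACRS = new Set(['passport_saml']);

// Assemble the /oxauth/authorize URL from its parameters. URLSearchParams
// percent-encodes the '@' and '!' in a Gluu client inum; the server decodes
// them again.
function buildAuthorizeUrl(issuer, p) {
  const url = new URL('/oxauth/authorize', issuer);
  url.search = new URLSearchParams({
    response_mode: 'query',
    response_type: 'code',
    client_id: p.clientId,
    scope: p.scope.join(' '),
    redirect_uri: p.redirectUri,
    state: p.state,
    nonce: p.nonce,
    acr_values: p.acrValues.join(' '),
  }).toString();
  return url.toString();
}

// Parse acr_values back out of an authorize URL and compare it with the
// enabled scripts. acr_values is a space-separated list; a '+' in the query
// string decodes to a space.
function checkAcrValues(authorizeUrl, enabled = ENABLED_ACRS) {
  const raw = new URL(authorizeUrl).searchParams.get('acr_values') || '';
  const requested = raw.split(' ').filter(Boolean);
  const unknown = requested.filter((acr) => !enabled.has(acr));
  return {
    requested,
    unknown,
    ok: requested.length > 0 && unknown.length === 0,
  };
}

// The request exactly as the ticket shows it (acr_values=passport); the
// issuer host is an assumption.
const REPORTED_URL =
  'https://idp.example.test/oxauth/authorize?response_mode=query&response_type=code' +
  '&client_id=@!07C2.4162.2C33.0D2F!0001!5A47.9646!0008!E5D3.16D2.AFEF.7335' +
  '&scope=openid+profile+email+user_name' +
  '&redirect_uri=http://passport-saml-demo-app.example.com:3000/profile/' +
  '&state=eyJzYWx0IjoicnNyRm0iLCJwcm92aWRlciI6ImZyb2NrX2lkcCJ9&nonce=4627409620&acr_values=passport';

// The same request with acr_values set to the script's exact name.
function correctedUrl() {
  return buildAuthorizeUrl('https://idp.example.test', {
    clientId: '@!07C2.4162.2C33.0D2F!0001!5A47.9646!0008!E5D3.16D2.AFEF.7335',
    scope: ['openid', 'profile', 'email', 'user_name'],
    redirectUri: 'http://passport-saml-demo-app.example.com:3000/profile/',
    state: 'eyJzYWx0IjoicnNyRm0iLCJwcm92aWRlciI6ImZyb2NrX2lkcCJ9',
    nonce: '4627409620',
    acrValues: ['passport_saml'],
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reported request:', checkAcrValues(REPORTED_URL));
  console.log('corrected request:', checkAcrValues(correctedUrl()));
}
```

Running the file prints `unknown: [ 'passport' ]` for the request as posted and `ok: true` for the corrected one; wiring `checkAcrValues` into the client before the redirect turns the server-side "Failed to get CustomScriptConfiguration" into a local error with the offending name in it.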

By Sejako Sejako user 19 Mar 2018 at 6:45 p.m. CDT

Hi, I have added an acr_value=passport_saml as part of the OpenID Connect client. See the screenshot provided. But when I check the log file I still see acr_value=passport. Where do I change this to the correct value?

By Thomas Gasmyr Mougang staff 20 Mar 2018 at 3:22 a.m. CDT

Hi **Sejako**, the Node demo app and the documentation have been updated. You have to:

1. Delete the current demo app you have.
2. Clone the latest version of the demo app.
3. Edit your /etc/hosts: currently there is an entry `http://passport-saml-demo-app.example.come:3000`. Change that to `http://passport-saml-demo-app.example.com:3000`.

Thanks, Thomas Gasmyr

By Thomas Gasmyr Mougang staff 26 Mar 2018 at 1:56 a.m. CDT

Hi **Sejako**, Still need assistance?

By Sejako Sejako user 26 Mar 2018 at 2:04 a.m. CDT

Hi, apologies, I have been on leave and just came back today. I am still working on this ticket. I have made some changes and there is progress after using the new client app. Currently I am having issues with the attributes that are getting passed. I need to run some tests today and will give feedback on the progress. Thanks for the help so far.

By Thomas Gasmyr Mougang staff 27 Mar 2018 at 3:37 a.m. CDT

Hi **Sejako**, Still need assistance?

By Sejako Sejako user 27 Mar 2018 at 3:44 a.m. CDT

Hi Thomas, can we keep this until tonight? I'm still doing some tests.

By Sejako Sejako user 28 Mar 2018 at 3:01 p.m. CDT

Hi Thomas, I'm getting the following error during my integration (the integration consists of 2 Gluu Servers: one is configured to use the Shibboleth IdP and the other one is configured to use passport-saml). I get the following log messages on the one with passport-saml:

```
{"level":"info","message":"::ffff:127.0.0.1 - - [28/Mar/2018:19:30:58 +0000] \"GET /passport/token HTTP/1.1\" 200 201 \"-\" \"Apache-HttpClient/4.5.3 (Java/1.8.0_112)\"","timestamp":"2018-03-28T19:30:58.694Z"}
{"level":"info","message":"::ffff:127.0.0.1 - - [28/Mar/2018:19:30:58 +0000] \"GET /passport/auth/saml/gluu/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiI3YTVmMmM1Zi0wNjU4LTRiMjItYTM3Yi0xMmI5OWVkMmVlOGYiLCJpYXQiOjE1MjIyNjU0NTgsImV4cCI6MTUyMjI2Njg5OH0.3eXv5uAlFkY4u1J3CW6joqqpru_gRYaJhyEYBKXyKFY HTTP/1.1\" 200 1855 \"http://passport-saml-demo-app.example.com:3000/\" \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0\"","timestamp":"2018-03-28T19:30:58.807Z"}
```

```
tail -f oxauth_script.log
2018-03-28 19:30:57,631 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: Prepare for Step 1 method call
2018-03-28 19:30:57,656 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: session {auth_step: 1, acr: passport_saml, remote_ip: 192.168.8.27, scope: openid profile email user_name, acr_values: passport_saml, response_type: code, redirect_uri: http://passport-saml-demo-app.example.com:3000/profile/, state: eyJzYWx0IjoidHN2N1ciLCJwcm92aWRlciI6ImdsdXUifQ==, nonce: 2318155173, client_id: @!4E0B.9A31.2C06.C718!0001!AF95.7BDA!0008!ADAA.906B.33FD.6A2C, response_mode: query}
2018-03-28 19:30:57,665 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: state is obtained
2018-03-28 19:30:57,871 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - gluu
2018-03-28 19:30:57,880 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - (u'salt', ':', u'tsv7W')
2018-03-28 19:30:57,884 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - (u'provider', ':', u'gluu')
2018-03-28 19:30:58,120 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: url https://jemstep.icurity.lab/passport/token
2018-03-28 19:30:58,754 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: szResponse {"token_":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiI3YTVmMmM1Zi0wNjU4LTRiMjItYTM3Yi0xMmI5OWVkMmVlOGYiLCJpYXQiOjE1MjIyNjU0NTgsImV4cCI6MTUyMjI2Njg5OH0.3eXv5uAlFkY4u1J3CW6joqqpru_gRYaJhyEYBKXyKFY"}
2018-03-28 19:30:58,759 INFO [qtp2008017533-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - Passport-saml: /passport/auth/saml/gluu/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiI3YTVmMmM1Zi0wNjU4LTRiMjItYTM3Yi0xMmI5OWVkMmVlOGYiLCJpYXQiOjE1MjIyNjU0NTgsImV4cCI6MTUyMjI2Njg5OH0.3eXv5uAlFkY4u1J3CW6joqqpru_gRYaJhyEYBKXyKFY
```

From the Shibboleth IdP I get the following:

```
tail -f idp-process.log
2018-03-28 19:31:03,604 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for urn:gluu in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2018-03-28 19:31:03,821 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID urn:gluu)
2018-03-28 19:31:03,897 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
^C
root@gluu:/opt/shibboleth-idp/logs# tail -f idp-warn.log
2018-03-28 19:31:03,821 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID urn:gluu)
2018-03-28 19:31:03,897 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```

I suspect there is something wrong in my IdP config.

By Thomas Gasmyr Mougang staff 29 Mar 2018 at 2:45 a.m. CDT

Hello **Sejako**, If this is a different issue, please open a separate ticket for that and provide log files.

By Sejako Sejako user 29 Mar 2018 at 3 a.m. CDT

Hi Thomas, I am happy to close the ticket and open a new one.

By Sejako Sejako user 03 Apr 2018 at 4:22 a.m. CDT

Hi Thomas, can we reopen this ticket? I did some tests and fixed the earlier issue that had to do with mappings. Now I get the following error after authenticating at my IdP:

```
{
  "name": "StatusCodeError",
  "statusCode": 401,
  "message": "401 - \"{\\\"error\\\":\\\"invalid_client\\\",\\\"error_description\\\":\\\"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.\\\"}\"",
  "error": "{\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.\"}",
  "options": {
    "method": "POST",
    "uri": "https://jemstep.icurity.lab/oxauth/restv1/token",
    "headers": {
      "Authorization": "Basic QCE0RTBCLjlBMzEuMkMwNi5DNzE4ITAwMDEhQUY5NS43QkRBITAwMDghMjVBNy5DOEUxLkJBMzMuQzFCQjolbHV1QGRtaW4xMjM=",
      "content-type": "application/x-www-form-urlencoded"
    },
    "form": {
      "grant_type": "authorization_code",
      "code": "40e72e2c-fc0b-4c22-9314-6acbe87ce04b",
      "redirect_uri": "http://passport-saml-demo-app.example.com:3000/profile/"
    },
    "resolveWithFullResponse": true,
    "simple": true,
    "transform2xxOnly": false
  },
  "response": {
    "statusCode": 401,
    "body": "{\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.\"}",
    "headers": {
      "date": "Tue, 03 Apr 2018 09:11:20 GMT",
      "server": "Jetty(9.3.15.v20161220)",
      "x-xss-protection": "1; mode=block",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "www-authenticate": "Basic realm=\"oxAuth\"",
      "content-type": "application/json;charset=iso-8859-1",
      "connection": "close",
      "transfer-encoding": "chunked"
    },
    "request": {
      "uri": {
        "protocol": "https:",
        "slashes": true,
        "auth": null,
        "host": "jemstep.icurity.lab",
        "port": 443,
        "hostname": "jemstep.icurity.lab",
        "hash": null,
        "search": null,
        "query": null,
        "pathname": "/oxauth/restv1/token",
        "path": "/oxauth/restv1/token",
        "href": "https://jemstep.icurity.lab/oxauth/restv1/token"
      },
      "method": "POST",
      "headers": {
        "Authorization": "Basic QCE0RTBCLjlBMzEuMkMwNi5DNzE4ITAwMDEhQUY5NS43QkRBITAwMDghMjVBNy5DOEUxLkJBMzMuQzFCQjolbHV1QGRtaW4xMjM=",
        "content-type": "application/x-www-form-urlencoded",
        "content-length": 152
      }
    }
  }
}
```

I have attached the log file.
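The first thing a practitioner checks on an `invalid_client` answer from `/oxauth/restv1/token` is which client the token request actually authenticated as, since the code was issued to the client named in the authorization request and Basic credentials are the only client authentication in play here. This added Node.js check, not part of the ticket, decodes the Basic Authorization header from the error above and compares the client_id inside it with the client_id that the oxauth_script.log session line showed for the authorization request. Both values are copied from the logs posted in this thread; nothing is fetched, and the secret is never printed.

```javascript
// Added diagnostic, not part of the ticket: decode the HTTP Basic credentials
// the node.js client sent to /oxauth/restv1/token and compare the client_id
// in them with the client_id the authorization request used. Both inputs are
// copied from the log lines posted in this ticket.

// client_id from the oxauth_script.log session line.
const AUTHORIZE_CLIENT_ID =
  '@!4E0B.9A31.2C06.C718!0001!AF95.7BDA!0008!ADAA.906B.33FD.6A2C';

// Authorization header from the StatusCodeError's request options.
const TOKEN_AUTH_HEADER =
  'Basic QCE0RTBCLjlBMzEuMkMwNi5DNzE4ITAwMDEhQUY5NS43QkRBITAwMDghMjVBNy5DOEUxLkJBMzMuQzFCQjolbHV1QGRtaW4xMjM=';

// Split a Basic header into client_id and secret. Per RFC 7617 the payload is
// base64("user-id:password") and the user-id cannot contain ':', so the first
// ':' is the separator even if the secret contains one.
function decodeBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec(header.trim());
  if (!m) throw new Error('not an HTTP Basic Authorization header');
  const raw = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = raw.indexOf(':');
  if (sep < 0) throw new Error('credentials have no user-id:password separator');
  return { clientId: raw.slice(0, sep), secret: raw.slice(sep + 1) };
}

// Report whether the token request named the same client as the
// authorization request. Only the secret's length is exposed so the result
// can be pasted into a ticket.
function compareClients(header, authorizeClientId) {
  const { clientId, secret } = decodeBasic(header);
  return {
    tokenClientId: clientId,
    authorizeClientId,
    sameClient: clientId === authorizeClientId,
    secretLength: secret.length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareClients(TOKEN_AUTH_HEADER, AUTHORIZE_CLIENT_ID));
}
```

Run against the values above, `sameClient` comes back `false`: the header carries the inum `@!4E0B.9A31.2C06.C718!0001!AF95.7BDA!0008!25A7.C8E1.BA33.C1BB`, while the authorization request was made with `...!ADAA.906B.33FD.6A2C`. Whether that is the cause of the 401 is for the ticket to establish; the check only makes visible what the client sent.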

By Thomas Gasmyr Mougang staff 03 Apr 2018 at 4:44 a.m. CDT

Hi Sejako, Ticket reopened.

By Thomas Gasmyr Mougang staff 04 Apr 2018 at 2:54 a.m. CDT

Hi **Sejako**, the log provided doesn't have any information about the error. Also, the ticket is confusing; that is why you may open a new ticket. Please describe your setup and provide all log files related to the issue. Thanks, Gasmyr.