By: Martin MD user 21 May 2018 at 6:28 a.m. CDT

8 Responses
Hi, I've been playing around with the Gluu Server and Passport Inbound SAML. I've managed to configure everything and I'm able to use the Third-Party IdP. The SAML Provisioning is working fine, meaning the account that does not exist in Gluu LDAP is created and later on you can use either Form Authentication or External Provider. I'm experiencing a problem with the existing users: when using the External Provider I'm getting that the user account does not exist. From the logs I see that two queries are made; the first one works fine and returns a result, while the second one returns null. When I checked the users, the existing ones do not have the 'Authentication Method' setting as an attribute in their profile, while the ones created via SAML Provisioning have it. My question is how I can add the 'Authentication Method' attribute to the existing users to enable logging in via External Providers?

Regards,
Martin D.

By Thomas Gasmyr Mougang staff 21 May 2018 at 6:39 a.m. CDT

Hi, the issue description is not clear enough. You should also provide log files that can help troubleshoot the issue.

By Martin MD user 21 May 2018 at 7:45 a.m. CDT

Here are more details about the trouble.

Authentication logs for an existing user that was not SAML Provisioned:

```
18-05-21 08:35:40,605 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'mail', attributeValue = 'md@mydomain'
2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries
2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:md@mydomain'
2018-05-21 08:35:40,623 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '0' entries
2018-05-21 08:35:40,623 DEBUG [qtp1744347043-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:265) - Authentication result for user 'null'. auth_step: '1', result: 'false', credentials: '2131578714'
2018-05-21 08:35:40,624 INFO [qtp1744347043-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for 'null'
2018-05-21 08:35:40,631 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!1D0B.1BF8.E522.BBA2!0001!97FA.EC09!0008!A210.18C9
2018-05-21 08:35:40,632 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!1D0B.1BF8.E522.BBA2!0001!97FA.EC09!0008!A210.18C9
2018-05-21 08:35:45,824 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-05-21 08:35:45,826 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-05-21 08:35:45,829 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-05-21 08:35:45,836 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-05-21 08:35:45,838 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LdapStatusEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-05-21 08:35:45,852 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-05-21 08:35:45,906 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-05-21 08:35:45,907 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
```

Logs from a SAML Provisioned user:

```
2018-05-21 08:37:05,122 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'mail', attributeValue = 'ja@mydomain'
2018-05-21 08:37:05,131 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries
2018-05-21 08:37:05,131 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:ja@mydomain'
2018-05-21 08:37:05,137 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries
2018-05-21 08:37:05,156 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:299) - Authenticating user with LDAP: username: 'ja@mydomain', credentials: '2131578714'
2018-05-21 08:37:05,156 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:87) - Getting user information from LDAP: userId = ja@mydomain
2018-05-21 08:37:05,165 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:96) - Found 1 entries for user id = ja@mydomain
2018-05-21 08:37:05,181 DEBUG [qtp1744347043-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:265) - Authentication result for user 'ja@mydomain'. auth_step: '1', result: 'true', credentials: '2131578714'
2018-05-21 08:37:05,183 DEBUG [qtp1744347043-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:354) - Sending event to trigger user redirection: 'ja@mydomain
```

![Existing User](https://i.imgur.com/wDcxTUz.png "Existing User")

![SAML Provisioned User](https://i.imgur.com/kWhAJkP.png "SAML Provisioned User")

I'm not sure how I can manually add the Authentication Methods for the Test user as well, as from the logs I can see that it is searching for oxExternalUid:

```
2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:md@mydomain'
```

How can I update this value for the users who do not have it already?

Regards,
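The two lookups in the logs above (first by `mail`, then by `oxExternalUid` = `passport-saml:<mail>`) are what decide whether an inbound-SAML login maps to an LDAP entry. As an added example, not part of this thread or of Gluu's own tooling, here is a small check that scans oxAuth DEBUG output for login attempts where the `mail` lookup hit an entry but the `oxExternalUid` lookup found none, i.e. accounts that exist in Gluu LDAP but were never provisioned through the inbound flow. The sample log is a constructed, abridged copy of the lines posted above; the regexes assume the log layout shown there.

```python
import re

# Constructed sample: abridged copies of the oxAuth DEBUG lines posted above
# (thread -9 is the existing, non-provisioned user; thread -14 the provisioned one).
SAMPLE_LOG = """\
2018-05-21 08:35:40,605 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'mail', attributeValue = 'md@mydomain'
2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries
2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:md@mydomain'
2018-05-21 08:35:40,623 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '0' entries
2018-05-21 08:35:40,623 DEBUG [qtp1744347043-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:265) - Authentication result for user 'null'. auth_step: '1', result: 'false', credentials: '2131578714'
2018-05-21 08:37:05,122 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'mail', attributeValue = 'ja@mydomain'
2018-05-21 08:37:05,131 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries
2018-05-21 08:37:05,131 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:ja@mydomain'
2018-05-21 08:37:05,137 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries
"""

# A UserService lookup line: which attribute was queried and with what value.
QUERY_RE = re.compile(
    r"^\S+ \S+ DEBUG \[(?P<thread>[^\]]+)\] .*Getting user information from LDAP: "
    r"attributeName = '(?P<attr>[^']+)', attributeValue = '(?P<value>[^']+)'$"
)
# The matching result line, emitted on the same request thread right after it.
FOUND_RE = re.compile(r"^\S+ \S+ DEBUG \[(?P<thread>[^\]]+)\] .*Found '(?P<count>\d+)' entries$")


def find_unlinked_logins(log_text):
    """Return one record per login attempt in which the 'mail' lookup matched an
    LDAP entry but the 'oxExternalUid' lookup matched none: an account that exists
    in Gluu LDAP but was never provisioned through the inbound SAML flow."""
    pending = {}   # thread -> (attr, value) of a lookup still awaiting its "Found" line
    current = {}   # thread -> dict collecting the lookups of the in-progress login attempt
    attempts = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            if m["attr"] == "mail":            # a new login attempt starts with the mail lookup
                current[m["thread"]] = {"thread": m["thread"]}
                attempts.append(current[m["thread"]])
            pending[m["thread"]] = (m["attr"], m["value"])
            continue
        m = FOUND_RE.match(line)
        if m and m["thread"] in pending and m["thread"] in current:
            attr, value = pending.pop(m["thread"])
            current[m["thread"]][attr] = (value, int(m["count"]))
    return [
        {"thread": a["thread"], "mail": a["mail"][0], "missing_oxExternalUid": a["oxExternalUid"][0]}
        for a in attempts
        if "mail" in a and "oxExternalUid" in a and a["mail"][1] >= 1 and a["oxExternalUid"][1] == 0
    ]
```

Running `find_unlinked_logins(SAMPLE_LOG)` reports only thread `qtp1744347043-9` (`md@mydomain`, missing `passport-saml:md@mydomain`); the provisioned `ja@mydomain` attempt is not flagged because its `oxExternalUid` lookup found an entry.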

By Thomas Gasmyr Mougang staff 21 May 2018 at 12:52 p.m. CDT

Hi Martin,

> The SAML Provisioning is working fine, meaning the account that does not exist in Gluu LDAP is created and later on you can use either Form Authentication or External Provider.

I think you are missing the way inbound SAML works. I'm going to explain that here, but note that if User A was authenticated by the external IDP then it is not possible yet to have the same user log in to Gluu using the standard authentication method (username/password). Also, the external IDP authentication process will fail if a different user exists in the Gluu LDAP server with the same email as the one of the current user doing authentication.

Thanks,
Gasmyr.

By Martin MD user 21 May 2018 at 3:24 p.m. CDT

Thank you for the explanation and the answer.

> if User A was Authenticated by the external IDP then it is not possible yet to have the same user login gluu using the standard authentication method(username/password).

I will retest this tomorrow and I'll let you know about the output. I think I somehow managed to log in both ways for the same user, which I did find strange. Will let you know about that part. My next question is, how will I migrate the existing Gluu LDAP users to be using the External IdP? Is there a way?

Thank you,
Martin D.

By Thomas Gasmyr Mougang staff 21 May 2018 at 4:11 p.m. CDT

> My next question is, how will I migrate the existing Gluu LDAP users to be using the External IdP?

**Why do you want to do that?** Users should be stored in Gluu LDAP; those who are in the external IDP are also stored in Gluu LDAP after a successful inbound SAML flow.

https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/

By Martin MD user 21 May 2018 at 4:27 p.m. CDT

I think we are misunderstanding each other. Let me put it this way: I have a Gluu server with 10 users. We decide to enable Passport Inbound SAML so users will log in to the Gluu server via External Provider. Any user who doesn't exist in the LDAP and is logged in via the External Provider will continue successfully authenticating using the External Provider. So my user, i.e. second@user.com, already exists in the Gluu LDAP; however, when I try to authenticate via External Provider it fails. This is due to the fact that it didn't go through the inbound SAML flow and it is matching a record that already exists in the LDAP, correct? If so, how can I enable this user to be able to authenticate via External Provider instead of form based authentication? Do I need to delete and recreate (SAML Provisioning) the user? Sorry for the trouble but I'm really confused at this point. To simplify the question: how can I enable old users to use Passport inbound SAML authentication once enabled?

By Thomas Gasmyr Mougang staff 22 May 2018 at 3:38 a.m. CDT

Hello Martin, it is clear now.

> So my user, i.e. second@user.com, already exists in the Gluu LDAP; however, when I try to authenticate via External Provider it fails. This is due to the fact that it didn't go through the inbound SAML flow and it is matching a record that already exists in the LDAP, correct?

**Yes.**

> If so, how can I enable this user to be able to authenticate via External Provider instead of form based authentication? Do I need to delete and recreate (SAML Provisioning) the user?

**Yes, but don't delete the admin account.**

> To simplify the question: how can I enable old users to use Passport inbound SAML authentication once enabled?

**Delete them from Gluu LDAP and let them use the inbound flow to authenticate.**

Thanks,
Gasmyr.

By Thomas Gasmyr Mougang staff 28 May 2018 at 1:23 a.m. CDT

Hi Martin, do you still need assistance on this ticket?