By: Rehman Aslam user 08 Nov 2018 at 5:49 a.m. CST

4 Responses
Rehman Aslam gravatar
After successfully logging in at the external IDP I'm returned back to the following page https://mygluuserver/oxauth/auth/passport/passport-post-login, where it's asking for an Email.

Q1. Do I need the external IDP user in my gluu server persons database?

Q2. Can I avoid the above and direct the flow back to my secure website?

By Aliaksandr Samuseu staff 08 Nov 2018 at 7:32 a.m. CST

Aliaksandr Samuseu gravatar
Hi, Rehman.

> Where it's asking for an Email.

Email must be passed from remote IDP; until version 3.1.4 it was a mandatory requirement. If it's already passing it, you need to look into the SAML response it sends and compare attribute names to the mappings you have in `/etc/gluu/conf/passport-saml-config.json` for this remote IDP; it probably can't find anything it can map to the "mail" attribute in the response.

> Do I need the external IDP user in my gluu server persons database?

Yes, Gluu Server requires a local user entry for everybody who needs its services. By default, the Passport custom authentication script will automatically enroll a user entry if it's not present.

> Can I avoid the above and direct the flow back to my secure website?

There is no easy bypass of this requirement, at least it's not something we can discuss within the scope of Community support.

By Rehman Aslam user 08 Nov 2018 at 8:17 a.m. CST

Rehman Aslam gravatar
Thanks for the reply, I'll look at the attributes coming back from the external IDP.

> > Can I avoid the above and direct the flow back to my secure website?
>
> There is no easy bypass of this requirement, at least it's not something we can discuss within the scope of Community support.

If I understand correctly, if the Email and local entry were there then it would automatically go to the secure site and not present this Email page, right?

By Aliaksandr Samuseu staff 08 Nov 2018 at 8:45 a.m. CST

Aliaksandr Samuseu gravatar
> If I understand correctly, if the Email and local entry were there then it would automatically go to the secure site and not present this Email page, right?

It would look like that for the end-user, yes. Technically though it would enroll a new user entry locally (or update an existing one, if needed) using attributes received from the remote IDP, establish a session for this user locally (so it won't need to go through authentication again when it receives another request like that, thus achieving the SSO experience), and then would serve the initial request from the secure web site which started this flow, using this session context and the user entry with all gathered attributes in it.

By Rehman Aslam user 08 Nov 2018 at 9:01 a.m. CST

Rehman Aslam gravatar
Thanks again for the quick replies, we're almost there - I just need to make sure that the external IDP is sending the attributes I need. I copied the sample config from the Inbound SAML page....

```json
"reverseMapping": {
  "email": "email",
  "username": "urn:oid:0.9.2342.19200300.100.1.1",
  "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
  "id": "urn:oid:0.9.2342.19200300.100.1.1",
  "name": "urn:oid:2.5.4.42",
  "givenName": "urn:oid:2.5.4.42",
  "familyName": "urn:oid:2.5.4.4",
  "provider": "issuer"
}
```

The left hand column (email, username, givenName..) those are the attribute names we should be receiving from the external IDP for this to map/work?
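The check suggested earlier in the thread (compare the attribute names in the remote IDP's SAML response against the `reverseMapping` values) can be done offline on a captured assertion. The following is an added example, not code from the Gluu project or from anyone in this thread: it parses a constructed sample assertion, applies the `reverseMapping` block quoted above the way a passport-style mapper would (right-hand side = SAML attribute name expected from the IDP, left-hand side = profile field), and reports which profile fields could not be filled and which incoming attributes nobody maps. The sample assertion, the treatment of the special value `"issuer"` as the `<saml:Issuer>` element, and the first-value-wins rule are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The reverseMapping block as quoted in the post above.
REVERSE_MAPPING = {
    "email": "email",
    "username": "urn:oid:0.9.2342.19200300.100.1.1",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "id": "urn:oid:0.9.2342.19200300.100.1.1",
    "name": "urn:oid:2.5.4.42",
    "givenName": "urn:oid:2.5.4.42",
    "familyName": "urn:oid:2.5.4.4",
    "provider": "issuer",
}

# Constructed sample assertion (not a real capture). The IDP sends the
# address under the standard "mail" OID instead of an attribute literally
# named "email", which is the kind of mismatch that leaves the email
# profile field empty.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return (issuer, {attribute Name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", SAML_NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def apply_reverse_mapping(issuer, attrs, mapping):
    """Fill profile fields from the assertion; return (profile, missing_fields)."""
    profile, missing = {}, []
    for field, remote_name in mapping.items():
        if remote_name == "issuer":          # assumed: taken from <saml:Issuer>
            value = issuer
        else:
            value = attrs.get(remote_name, [None])[0]  # first value wins (assumed)
        if value:
            profile[field] = value
        else:
            missing.append(field)
    return profile, missing


def unmapped_attributes(attrs, mapping):
    """Attribute names the IDP sent that no mapping entry refers to."""
    expected = set(mapping.values())
    return sorted(name for name in attrs if name not in expected)


def diagnose(assertion_xml, mapping=REVERSE_MAPPING):
    issuer, attrs = saml_attributes(assertion_xml)
    profile, missing = apply_reverse_mapping(issuer, attrs, mapping)
    return profile, missing, unmapped_attributes(attrs, mapping)


if __name__ == "__main__":
    profile, missing, unmapped = diagnose(SAMPLE_ASSERTION)
    print("profile:", profile)
    print("profile fields not filled:", missing)
    print("attributes sent but not mapped:", unmapped)
```

On the constructed sample the output shows `email` and `displayName` unfilled while `urn:oid:0.9.2342.19200300.100.1.3` arrives unmapped, which is exactly the evidence needed to decide whether to change the right-hand side of the `email` entry or to ask the IDP operator to release the attribute under the expected name.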