By: Maniganda Prakash Kannan Account Admin 09 Nov 2018 at 12:06 p.m. CST

6 Responses
SP -> Gluu -> IDP -> Gluu -> displays "An error occurred" in the UI

<u>**What is NOT working?**</u>

1. Enter the SP URL in the browser
2. Gluu IDP selection page is displayed
3. Select the IDP
4. Input credentials in the IDP page
5. Redirected to Gluu
6. Gluu displays the error message 'An error occurred'

<u>**What is working?**</u>

7. In the above error page, which is also the IDP selection page, click/select the IDP again
8. Redirected to the IDP; as already authenticated, an IDP cookie must have been created, so it didn't ask for credentials
9. Redirected to Gluu
10. Redirected to the SP

<u>**Below are the 3 step images:**</u>

* https://pasteboard.co/HMoRGeK.png
* https://pasteboard.co/HMoRPg9.png
* https://pasteboard.co/HMoRYpc.png

<u>**IDP settings (salesforce):**</u>

```
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://gbt4.my.salesforce.com" validUntil="2028-11-09T17:45:31.616Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gbt4.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://gbt4.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

<u>**passport-saml-config.json**</u>

```
"salesforceInboxbear": {
  "entryPoint": "https://gbt4.my.salesforce.com/idp/endpoint/HttpPost",
  "issuer": "https://gtwtdlapfedv01.gbt4.my.salesforce.com",
  "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "authnRequestBinding": "HTTP-POST",
  "logo_img": "https://c1.sfdcstatic.com/content/dam/web/en_us/www/images/home/logo-salesforce.svg",
  "enable": "true",
  "cert": "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",
  "skipRequestCompression": "true",
  "reverseMapping": {
    "email": "email",
    "username": "username",
    "displayName": "name",
    "id": "id",
    "name": "name",
    "givenName": "familyName",
    "familyName": "familyName",
    "provider": "issuer"
  }
}
```

<u>**SAML Response from IDP:**</u>

```
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://gtwtdlapfedv01.gbt.gbtad.com/passport/auth/saml/salesforceInboxbear/callback" ID="_f0102d34b93a48658d43b35c8226e1a11541783069809" InResponseTo="_3ce05ca49448c4e38c6f" IssueInstant="2018-11-09T17:04:29.809Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://gbt4.my.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_f0102d34b93a48658d43b35c8226e1a11541783069809">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>kYHgGM3hu8GHqHMFtSTMvuOD/
II=
</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
FEF5x0PiK2jGw1Z/kjY1OU2lc/2ajWFjRvvbm4Gs3Q2gDRLv3f9DEJveHSjY0IrOlGVlR2bTVv76
AVSRqMsDd1D9GQ/BZWC7CUotDJdOvj2EjHAvgH+mWTvaiWwhKVHERkB31qRHPtcD/GSd0xp8pSjq
tYNgDsOTxW9m1iMh7oxyXJ40Z+BWQ9rQC0b/iI8VqCJXVfOtrh0EC5ErkJOQ46G80oeMSDkz8CPt
K/lG4X5WpS0/OZjmmlRNOdEGxXv9nNg7xLQFWW2i218TbyGTSXviL9Q/p5EWoBiPdXvtaN/3P/Uy
vD54o7fVZKvXU6HTDsXvnuPOewXrAGR0WQFDGg==
</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAWb1s7KvAAAAAENp+LgwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM
H1NlbGZTaWduZWRDZXJ0XzA4Tm92MjAxOF8yMzQxMjYxGDAWBgNVBAsMDzAwRDFVMDAwMDAwQ3li
UTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNV
BAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTgxMTA4MjM0MTI2WhcNMTkxMTA4MTIwMDAwWjCBkDEo
MCYGA1UEAwwfU2VsZlNpZ25lZENlcnRfMDhOb3YyMDE4XzIzNDEyNjEYMBYGA1UECwwPMDBEMVUw
MDAwMDBDeWJRMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj
bzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAOqrwxDDuyx/LPk2phQUpfroKYOEIzVULJxyOom7Tv6PTkYbDIp4gPKAHm/CRPOFyD4HoWSE
9Q8jCdgMCCgvkblT1HPBQn90nlXWCuvBvpAIVibEU9X2UCa1544WRAfZhmTo3LMQLARzEU7kSH29
zfFtBDPQ99GtPkCiPhuIBG0c4JD05h2V2GMFMAWypsnyf2pY8dOv+bh3hPXt2I00AhjIVSIEauM+
ZvmoprbE2XtZlGCwDWgcqkAv7CscehhkbgfuX582F5xeoo7eos1+4jII/uMNqbZxsu73TW0P8u83
Y9JDbPu/f9gFofNsH/vMREM9fIM8R4McbgYRyhMuWhECAwEAAaOCAQAwgf0wHQYDVR0OBBYEFEpH
SHq7wkjV0YV+NmG+cDn4BlZlMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUSkdIervC
SNXRhX42Yb5wOfgGVmWhgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA4Tm92MjAx
OF8yMzQxMjYxGDAWBgNVBAsMDzAwRDFVMDAwMDAwQ3liUTEXMBUGA1UECgwOU2FsZXNmb3JjZS5j
b20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFm
9bOyrwAAAABDafi4MA0GCSqGSIb3DQEBCwUAA4IBAQAU6Sht9IPfDWGIbaJlu0/1NQCULjUM/ZuJ
+7cO8/+PL2KdTmFTq44UaRZXnrqUMdoWTszpfj9jeGQN3Sx81MebU1jl9T4izxZUmJWmR+yMI/qw
/6Ypl210xjDQlT9IOe24L1kvR13ZVUrq4F8vuZqxmcKuC5CcNXHqeBX4ozVaIh4X5i1PxUU8HW+u
I+BCDYcLQWHTsQw42krQYvpI9yd2tCmB7LNlWCBjTWSoj/Knw8F0ihqXB5mzMfwi7oLgEpsdBm9U
xT8flzsaMP3Z52Ino2n+8UDuAnhCK5xA0YuO8KF0lxRWSjDHJCR8ZZI8pB/j+8hojON7YUMXWM8i
nW6k</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_572d0f99801a093af9b30f593021b5f91541783069811" IssueInstant="2018-11-09T17:04:29.811Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://gbt4.my.salesforce.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_572d0f99801a093af9b30f593021b5f91541783069811">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>NsjMMfsJIN3MPqIBQGjCdLXP+
w8=
</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
d23UQ6N7sNSmhjlSs4b2Hqr+AzaZTcq6nrUXsQBlV319nGjb2IY0E6NSRJgx1BhZiGUEgGQz3EKb
70DQJXo4+wa3tN5nhvyl1Z2JlzJ+O8MP9kn8Tfj0IKmqY4T0R19LDcqo1Z8fyMQ3RK6LOFn+sTjy
XjY/+k7S7NBtmVM3Ix2nLld28i+ddIo/NZOhLlwW3+239ZUU3C5gnujefUZ14tAXAf1ZtYiSVMwG
1xoz4jp7IkKPcv10VTQ5hHgM5+Y6yA2cBQZTl91P4YtIOrGuZS+3sD4pqwHNquTIc7Z3A6YASWCr
Bq5KdZ9FBpJH+
Fg6cgWKBG539yfHTAim0zySuw==
</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAWb1s7KvAAAAAENp+LgwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM
H1NlbGZTaWduZWRDZXJ0XzA4Tm92MjAxOF8yMzQxMjYxGDAWBgNVBAsMDzAwRDFVMDAwMDAwQ3li
UTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNV
BAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTgxMTA4MjM0MTI2WhcNMTkxMTA4MTIwMDAwWjCBkDEo
MCYGA1UEAwwfU2VsZlNpZ25lZENlcnRfMDhOb3YyMDE4XzIzNDEyNjEYMBYGA1UECwwPMDBEMVUw
MDAwMDBDeWJRMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj
bzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAOqrwxDDuyx/LPk2phQUpfroKYOEIzVULJxyOom7Tv6PTkYbDIp4gPKAHm/CRPOFyD4HoWSE
9Q8jCdgMCCgvkblT1HPBQn90nlXWCuvBvpAIVibEU9X2UCa1544WRAfZhmTo3LMQLARzEU7kSH29
zfFtBDPQ99GtPkCiPhuIBG0c4JD05h2V2GMFMAWypsnyf2pY8dOv+bh3hPXt2I00AhjIVSIEauM+
ZvmoprbE2XtZlGCwDWgcqkAv7CscehhkbgfuX582F5xeoo7eos1+4jII/uMNqbZxsu73TW0P8u83
Y9JDbPu/f9gFofNsH/vMREM9fIM8R4McbgYRyhMuWhECAwEAAaOCAQAwgf0wHQYDVR0OBBYEFEpH
SHq7wkjV0YV+NmG+cDn4BlZlMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUSkdIervC
SNXRhX42Yb5wOfgGVmWhgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA4Tm92MjAx
OF8yMzQxMjYxGDAWBgNVBAsMDzAwRDFVMDAwMDAwQ3liUTEXMBUGA1UECgwOU2FsZXNmb3JjZS5j
b20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFm
9bOyrwAAAABDafi4MA0GCSqGSIb3DQEBCwUAA4IBAQAU6Sht9IPfDWGIbaJlu0/1NQCULjUM/ZuJ
+7cO8/+PL2KdTmFTq44UaRZXnrqUMdoWTszpfj9jeGQN3Sx81MebU1jl9T4izxZUmJWmR+yMI/qw
/6Ypl210xjDQlT9IOe24L1kvR13ZVUrq4F8vuZqxmcKuC5CcNXHqeBX4ozVaIh4X5i1PxUU8HW+u
I+BCDYcLQWHTsQw42krQYvpI9yd2tCmB7LNlWCBjTWSoj/Knw8F0ihqXB5mzMfwi7oLgEpsdBm9U
xT8flzsaMP3Z52Ino2n+8UDuAnhCK5xA0YuO8KF0lxRWSjDHJCR8ZZI8pB/j+8hojON7YUMXWM8i
nW6k</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">amexgbt@inboxbear.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_3ce05ca49448c4e38c6f" NotOnOrAfter="2018-11-09T17:09:29.818Z" Recipient="https://gtwtdlapfedv01.gbt.gbtad.com/passport/auth/saml/salesforceInboxbear/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-11-09T17:03:59.818Z" NotOnOrAfter="2018-11-09T17:09:29.818Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://gtwtdlapfedv01.gbt4.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2018-11-09T17:04:29.812Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">0051U000000HtEE</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">amexgbt@inboxbear.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">amexgbt@inboxbear.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="familyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Amex GBT</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">0051U000000HtEE</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```

<u>**Passport logs:**</u>

```
-bash-4.2# tail -0f /opt/gluu/node/passport/server/logs/passport-2018-11-09.log
2018-11-09T09:32:50-0800 [VERBOSE] Issuing token
2018-11-09T09:32:50-0800 [INFO] ::ffff:127.0.0.1 - - [09/Nov/2018:17:32:50 +0000] "GET /passport/token HTTP/1.1" 200 201 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_181)"
2018-11-09T09:32:50-0800 [INFO] ::ffff:127.0.0.1 - - [09/Nov/2018:17:32:50 +0000] "GET /passport/auth/saml/salesforceInboxbear/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiJiMmU2YjI0Yi01ZDhkLTRiNjctOWIzMi02YzI5Y2YzMzQ4MzAiLCJpYXQiOjE1NDE3ODQ3NzAsImV4cCI6MTU0MTc4NDg5MH0.EyreCMPl8bRTMGj54ErZ5IhXghX0326WWDkSuw5ftGI HTTP/1.1" 200 1938 "https://gtwtdlapfedv01.gbt.gbtad.com/oxauth/auth/passport/passportlogin.htm" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
2018-11-09T09:33:17-0800 [VERBOSE] getStrategies called
2018-11-09T09:33:17-0800 [INFO] getStrategies. Passport strategies were received
2018-11-09T09:33:17-0800 [VERBOSE] getStrategies. Content: { "passportStrategies" : { } }
2018-11-09T09:33:17-0800 [VERBOSE] Generating metadata for SAML provider "salesforceInboxbear"
2018-11-09T09:33:17-0800 [DEBUG] Metadata is: <?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://gtwtdlapfedv01.gbt4.my.salesforce.com" ID="https___gtwtdlapfedv01_gbt4_my_salesforce_com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDeDCCAmACCQCJCKldjilK9DANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQVoxDDAKBgNVBAcMA1BoeDEMMAoGA1UECgwDR0JUMRIwEAYD
VQQDDAlsb2NhbGhvc3QxMjAwBgkqhkiG9w0BCQEWI21hbmlnYW5kYXByYWthc2gu
a2FubmFuQGFtZXhnYnQuY29tMB4XDTE4MTEwNzIwMzk1MloXDTE5MTEwNzIwMzk1
MlowfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMQwwCgYDVQQHDANQaHgxDDAK
BgNVBAoMA0dCVDESMBAGA1UEAwwJbG9jYWxob3N0MTIwMAYJKoZIhvcNAQkBFiNt
YW5pZ2FuZGFwcmFrYXNoLmthbm5hbkBhbWV4Z2J0LmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANpru8h1l7WPkdha3rqJacAA3JL+83uASO09wH7a
wE2LKAPjcRzALoziClD6NRzaq3bdOzQpWD4KVon4J3fwDfQE247cNxHlLdvK+X/x
VRsYtckXWxGVpeknXyXKBuw+e5mC1y+osWj3VPq4rDXmk6/CMxGGzTPj4hVEZmLA
toy+Tdy0Or0mfTp12xR4ph842SRb6pJgzWVKtjXxI8WHKmHinanYShxw5494042h
wlqmkFnXNTjadsjxJHy6I3LVEYnodYXJZXnebjWtN+La4ShW9th3mHLafVpuMVsl
aXShVx4EFOyqrbRK4t3pQlWEVr8UlRHKqyaf/oJrlF6+rr8CAwEAATANBgkqhkiG
9w0BAQUFAAOCAQEAgDFjx2qvFPuaGYRvTdkfEMX0k07DOaknUXKzpmVqnSFPnpBC
DD77VwhofrOB36rXUhOfoszri9QdNd/ElBrTx2oe9B1H3jbM5vyOxtAwFC8Xz0+m
RHoYKyOFzEcUjJePLrdfqRY3Mrc82PCiclIx4tWbciiEEAn1uOFe86J/0J5SKYFp
pH2h3sEqgVJN/X8mqLEh1EKfCfAKZQOpUl4TSZ2DXHqzJ06wedToFaNuuABdVaEA
2Hc+F2jmLx49/bMro3iwPPC/s4iICSwCgxLfkQB2/jbAtn7mXEB9TJGS8zmcaYNZ
ITHD8DjCp5b8YSbKuoFIqOHNxvT11Sm8uf7EnA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gtwtdlapfedv01.gbt.gbtad.com/passport/auth/saml/salesforceInboxbear/callback"/>
  </SPSSODescriptor>
</EntityDescriptor>
2018-11-09T09:33:17-0800 [VERBOSE] Generating metadata for SAML provider "salesforce"
2018-11-09T09:33:17-0800 [DEBUG] Metadata is: <?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://gbt1.my.salesforce.com" ID="https___gbt1_my_salesforce_com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDeDCCAmACCQCJCKldjilK9DANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQVoxDDAKBgNVBAcMA1BoeDEMMAoGA1UECgwDR0JUMRIwEAYD
VQQDDAlsb2NhbGhvc3QxMjAwBgkqhkiG9w0BCQEWI21hbmlnYW5kYXByYWthc2gu
a2FubmFuQGFtZXhnYnQuY29tMB4XDTE4MTEwNzIwMzk1MloXDTE5MTEwNzIwMzk1
MlowfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMQwwCgYDVQQHDANQaHgxDDAK
BgNVBAoMA0dCVDESMBAGA1UEAwwJbG9jYWxob3N0MTIwMAYJKoZIhvcNAQkBFiNt
YW5pZ2FuZGFwcmFrYXNoLmthbm5hbkBhbWV4Z2J0LmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANpru8h1l7WPkdha3rqJacAA3JL+83uASO09wH7a
wE2LKAPjcRzALoziClD6NRzaq3bdOzQpWD4KVon4J3fwDfQE247cNxHlLdvK+X/x
VRsYtckXWxGVpeknXyXKBuw+e5mC1y+osWj3VPq4rDXmk6/CMxGGzTPj4hVEZmLA
toy+Tdy0Or0mfTp12xR4ph842SRb6pJgzWVKtjXxI8WHKmHinanYShxw5494042h
wlqmkFnXNTjadsjxJHy6I3LVEYnodYXJZXnebjWtN+La4ShW9th3mHLafVpuMVsl
aXShVx4EFOyqrbRK4t3pQlWEVr8UlRHKqyaf/oJrlF6+rr8CAwEAATANBgkqhkiG
9w0BAQUFAAOCAQEAgDFjx2qvFPuaGYRvTdkfEMX0k07DOaknUXKzpmVqnSFPnpBC
DD77VwhofrOB36rXUhOfoszri9QdNd/ElBrTx2oe9B1H3jbM5vyOxtAwFC8Xz0+m
RHoYKyOFzEcUjJePLrdfqRY3Mrc82PCiclIx4tWbciiEEAn1uOFe86J/0J5SKYFp
pH2h3sEqgVJN/X8mqLEh1EKfCfAKZQOpUl4TSZ2DXHqzJ06wedToFaNuuABdVaEA
2Hc+F2jmLx49/bMro3iwPPC/s4iICSwCgxLfkQB2/jbAtn7mXEB9TJGS8zmcaYNZ
ITHD8DjCp5b8YSbKuoFIqOHNxvT11Sm8uf7EnA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gtwtdlapfedv01.gbt.gbtad.com/passport/auth/saml/salesforce/callback"/>
  </SPSSODescriptor>
</EntityDescriptor>
2018-11-09T09:33:17-0800 [VERBOSE] Generating metadata for SAML provider "ssocircle"
2018-11-09T09:33:17-0800 [DEBUG] Metadata is: <?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="gtwtdlapfedv01.gbt.gbtad.com" ID="gtwtdlapfedv01_gbt_gbtad_com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDeDCCAmACCQCJCKldjilK9DANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQVoxDDAKBgNVBAcMA1BoeDEMMAoGA1UECgwDR0JUMRIwEAYD
VQQDDAlsb2NhbGhvc3QxMjAwBgkqhkiG9w0BCQEWI21hbmlnYW5kYXByYWthc2gu
a2FubmFuQGFtZXhnYnQuY29tMB4XDTE4MTEwNzIwMzk1MloXDTE5MTEwNzIwMzk1
MlowfjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMQwwCgYDVQQHDANQaHgxDDAK
BgNVBAoMA0dCVDESMBAGA1UEAwwJbG9jYWxob3N0MTIwMAYJKoZIhvcNAQkBFiNt
YW5pZ2FuZGFwcmFrYXNoLmthbm5hbkBhbWV4Z2J0LmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANpru8h1l7WPkdha3rqJacAA3JL+83uASO09wH7a
wE2LKAPjcRzALoziClD6NRzaq3bdOzQpWD4KVon4J3fwDfQE247cNxHlLdvK+X/x
VRsYtckXWxGVpeknXyXKBuw+e5mC1y+osWj3VPq4rDXmk6/CMxGGzTPj4hVEZmLA
toy+Tdy0Or0mfTp12xR4ph842SRb6pJgzWVKtjXxI8WHKmHinanYShxw5494042h
wlqmkFnXNTjadsjxJHy6I3LVEYnodYXJZXnebjWtN+La4ShW9th3mHLafVpuMVsl
aXShVx4EFOyqrbRK4t3pQlWEVr8UlRHKqyaf/oJrlF6+rr8CAwEAATANBgkqhkiG
9w0BAQUFAAOCAQEAgDFjx2qvFPuaGYRvTdkfEMX0k07DOaknUXKzpmVqnSFPnpBC
DD77VwhofrOB36rXUhOfoszri9QdNd/ElBrTx2oe9B1H3jbM5vyOxtAwFC8Xz0+m
RHoYKyOFzEcUjJePLrdfqRY3Mrc82PCiclIx4tWbciiEEAn1uOFe86J/0J5SKYFp
pH2h3sEqgVJN/X8mqLEh1EKfCfAKZQOpUl4TSZ2DXHqzJ06wedToFaNuuABdVaEA
2Hc+F2jmLx49/bMro3iwPPC/s4iICSwCgxLfkQB2/jbAtn7mXEB9TJGS8zmcaYNZ
ITHD8DjCp5b8YSbKuoFIqOHNxvT11Sm8uf7EnA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://gtwtdlapfedv01.gbt.gbtad.com/passport/auth/saml/ssocircle/callback"/>
  </SPSSODescriptor>
</EntityDescriptor>
2018-11-09T09:33:17-0800 [INFO] reloadConfiguration. Passport strategies have been parsed
2018-11-09T09:33:17-0800 [INFO] /opt/gluu/node/passport/server/idp-metadata/ssocircle.xml saved successfully
2018-11-09T09:33:17-0800 [INFO] /opt/gluu/node/passport/server/idp-metadata/ssocircle.xml saved successfully
2018-11-09T09:33:17-0800 [INFO] /opt/gluu/node/passport/server/idp-metadata/ssocircle.xml saved successfully
2018-11-09T09:33:36-0800 [ERROR] Unknown Error: {}
2018-11-09T09:33:36-0800 [INFO] ::ffff:127.0.0.1 - - [09/Nov/2018:17:33:36 +0000] "POST /passport/auth/saml/salesforceInboxbear/callback HTTP/1.1" 302 74 "https://gbt4.my.salesforce.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
2018-11-09T09:33:37-0800 [INFO] ::ffff:127.0.0.1 - - [09/Nov/2018:17:33:37 +0000] "GET /passport/login HTTP/1.1" 302 246 "https://gbt4.my.salesforce.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
2018-11-09T09:33:39-0800 [INFO] ::ffff:127.0.0.1 - - [09/Nov/2018:17:33:39 +0000] "GET /passport/saml_config HTTP/1.1" 200 1249 "https://gtwtdlapfedv01.gbt.gbtad.com/oxauth/auth/passport/passportlogin.htm?failure=An%20error%20occurred" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
^C
-bash-4.2#
```

<u>**oxAuth logs:**</u>

```
bash-4.2# tail -0f 2018_11_09.jetty.log
2018-11-09 09:33:36,255 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-11-09 09:33:36,255 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-11-09 09:33:36,255 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-11-09 09:33:36,259 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-11-09 09:33:36,259 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LoggerUpdateEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-11-09 09:33:36,259 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-11-09 09:33:36,266 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-11-09 09:33:36,266 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LdapStatusEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-11-09 09:33:36,266 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-11-09 09:33:36,302 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-11-09 09:33:36,302 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-11-09 09:33:36,302 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-11-09 09:33:37,685 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,686 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,686 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,686 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,686 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,687 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,687 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,687 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,688 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,688 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,689 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:37,689 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!14D8.9F6D.6836.B721!0001!5573.2513!0008!6B4D.DDBC
2018-11-09 09:33:38,670 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-11-09 09:33:38,670 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.UpdateScriptEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-11-09 09:33:38,685 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-11-09 09:33:51,258 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-11-09 09:33:51,259 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LoggerUpdateEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-11-09 09:33:51,259 DEBUG [oxAuthScheduler_Worker-4] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
^C
-bash-4.2#
```

<u>**oxAuth_script.log:**</u>

```
-bash-4.2# tail -0f oxauth_script.log
2018-11-09 09:32:49,783 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:171) - Executing python 'authenticate' authenticator method
2018-11-09 09:32:49,784 INFO [qtp1094834071-143] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. authenticate called 1
2018-11-09 09:32:49,784 INFO [qtp1094834071-143] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. authenticate for step 1. Retrying step 1
2018-11-09 09:32:49,785 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:269) - Executing python 'getApiVersion' authenticator method
2018-11-09 09:32:49,785 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:185) - Executing python 'getNextStep' authenticator method
2018-11-09 09:32:49,786 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-11-09 09:32:49,786 INFO [qtp1094834071-143] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getExtraParametersForStep called
2018-11-09 09:32:49,786 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:157) - Executing python 'getCountAuthenticationSteps' authenticator method
2018-11-09 09:32:49,786 INFO [qtp1094834071-143] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getCountAuthenticationSteps called
2018-11-09 09:32:49,786 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:255) - Executing python 'getPageForStep' authenticator method
2018-11-09 09:32:49,787 DEBUG [qtp1094834071-143] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-11-09 09:32:49,787 INFO [qtp1094834071-143] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getExtraParametersForStep called
2018-11-09 09:32:50,173 DEBUG [qtp1094834071-14] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:362) - Validating acr_values: 'passport_saml'
2018-11-09 09:32:50,173 DEBUG [qtp1094834071-14] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:129) - Executing python 'isValidAuthenticationMethod' authenticator method
2018-11-09 09:32:50,174 DEBUG [qtp1094834071-14] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:227) - Executing python 'prepareForStep' authenticator method
2018-11-09 09:32:50,174 INFO [qtp1094834071-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. prepareForStep called 1
2018-11-09 09:32:50,174 INFO [qtp1094834071-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. parseProviderConfigs. Adding SAML IDPs
2018-11-09 09:32:50,180 INFO [qtp1094834071-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getPassportRedirectUrl. Obtaining token from passport at https://gtwtdlapfedv01.gbt.gbtad.com/passport/token
2018-11-09 09:32:50,231 INFO [qtp1094834071-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getPassportRedirectUrl. Response was 200
2018-11-09 09:32:50,232 DEBUG [qtp1094834071-14] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-11-09 09:32:50,233 INFO [qtp1094834071-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getExtraParametersForStep called
2018-11-09 09:33:37,675 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:362) - Validating acr_values: 'passport_saml'
2018-11-09 09:33:37,675 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:129) - Executing python 'isValidAuthenticationMethod' authenticator method
2018-11-09 09:33:37,675 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:227) - Executing python 'prepareForStep' authenticator method
2018-11-09 09:33:37,676 INFO [qtp1094834071-7357] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. prepareForStep called 1
2018-11-09 09:33:37,677 INFO [qtp1094834071-7357] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. parseProviderConfigs. Adding SAML IDPs
2018-11-09 09:33:37,678 INFO [qtp1094834071-7357] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. prepareForStep. A page to manually select an identity provider will be shown
2018-11-09 09:33:37,678 DEBUG [qtp1094834071-7357] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-11-09 09:33:37,678 INFO [qtp1094834071-7357] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. getExtraParametersForStep called
^C
-bash-4.2#
```

By Aliaksandr Samuseu staff 09 Nov 2018 at 12:23 p.m. CST

Hi, Maniganda. I can actually confirm something like this happens for me as well, from time to time (the flow fails with ambiguous error, returning you to IDP selection page, but works the 2nd time). Thanks for the detailed report, we'll try to look into it.

By Aliaksandr Samuseu staff 09 Nov 2018 at 12:24 p.m. CST

A quick question: are you sure you have clocks at your Gluu Server host properly synchronized? Do you have ntpd running there, for example?

By Maniganda Prakash Kannan Account Admin 09 Nov 2018 at 12:34 p.m. CST

> A quick question: are you sure you have clocks at your Gluu Server host properly synchronized? Do you have ntpd running there, for example?

Nope, ntpd is not running, my company doesn't allow that.

By Aliaksandr Samuseu staff 09 Nov 2018 at 12:55 p.m. CST

It's my suspicion that it can be related to time sync issues. For example, I had this issue today on a VM I'd just woken up, but after I restarted ntpd and re-synced the time I couldn't reproduce it anymore. Having clocks in perfect sync is usually a mandatory requirement for authentication-related flows. Even if policies forbid you from using external services from a regular machine, your company probably has its own internal NTP server you could use? I can't imagine how you manage to keep everything in sync otherwise.

By Maniganda Prakash Kannan Account Admin 09 Nov 2018 at 1:07 p.m. CST

Will check and get back to you on how our server clocks are synced.

By Maniganda Prakash Kannan Account Admin 09 Nov 2018 at 2:01 p.m. CST

Perfect, that solved the issue.
`ntpd` wasn't running in the VM; it was restarted.
As you mentioned, it connects to my company's NTP server, not an external one. Thanks.
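As an added example (not Gluu's or passport-saml's code), here is the SP-side check that this thread's symptom comes down to: the assertion's NotBefore/NotOnOrAfter window, taken from the SAML Response posted above, evaluated against a local clock with a tolerated skew. The assertion fragment is constructed from those posted values; the `skew` parameter is an assumed SP setting, not a Gluu option.

```python
"""SP-side check of a SAML 2.0 assertion's validity window against the local clock.

Added example (not Gluu's or passport-saml's code). The assertion fragment is
constructed from the NotBefore / NotOnOrAfter values in the SAML Response posted
in this thread; `skew` is an assumed SP setting for tolerated clock drift.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed fragment: only the elements that carry time conditions, with the
# IssueInstant / NotBefore / NotOnOrAfter values from the posted response.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_572d0f99801a093af9b30f593021b5f91541783069811"
    IssueInstant="2018-11-09T17:04:29.811Z" Version="2.0">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_3ce05ca49448c4e38c6f"
          NotOnOrAfter="2018-11-09T17:09:29.818Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-11-09T17:03:59.818Z"
      NotOnOrAfter="2018-11-09T17:09:29.818Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fraction) into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a 'Z' suffix: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_time_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return the list of failed time checks; an empty list means the assertion is in its window.

    `now` is the SP's local clock (aware UTC datetime); `skew` is the drift tolerated in
    either direction. NotBefore is inclusive and NotOnOrAfter exclusive, as in SAML Core.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return ["missing saml:Conditions element"]
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        problems.append("Conditions/NotBefore %s is still in the future "
                        "(SP clock slow relative to the IdP)" % not_before)
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        problems.append("Conditions/NotOnOrAfter %s has passed "
                        "(SP clock fast, or assertion stale/replayed)" % not_on_or_after)
    # Bearer confirmations carry their own expiry; check each one too.
    for data in root.findall(".//saml:SubjectConfirmationData", SAML_NS):
        expiry = data.get("NotOnOrAfter")
        if expiry is not None and now - skew >= parse_saml_instant(expiry):
            problems.append("SubjectConfirmationData/NotOnOrAfter %s has passed" % expiry)
    return problems


def demo():
    """Evaluate the posted assertion under several SP clock states; returns {case: problems}."""
    issued = parse_saml_instant("2018-11-09T17:04:29.811Z")
    # The posted window runs from 30 s before IssueInstant to 5 min after it, so an SP
    # clock more than ~30 s slow already fails NotBefore when no skew is tolerated.
    return {
        "in_sync": check_time_conditions(ASSERTION_XML, issued + timedelta(seconds=1)),
        "two_min_slow": check_time_conditions(ASSERTION_XML, issued - timedelta(minutes=2)),
        "two_min_slow_skew_3min": check_time_conditions(
            ASSERTION_XML, issued - timedelta(minutes=2), skew=timedelta(minutes=3)),
        "ten_min_fast": check_time_conditions(ASSERTION_XML, issued + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", "accepted" if not problems else "; ".join(problems))
```

passport-saml applies the same kind of window check and exposes the tolerance as `acceptedClockSkewMs`, which defaults to 0, so an unsynchronized SP clock fails exactly the way the first attempt above did; keeping ntpd running is the fix, widening the skew only hides it.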