By: Eduardo Martinez user 07 Aug 2019 at 12:01 p.m. CDT

8 Responses
Hello. When I'm trying to add a new trust relationship, entity type SP, and metadata via URL, I'm getting a proxy error after 5 minutes of waiting. I have checked that the server that I want to add and my Gluu instance have communication between each other. The error is "The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST /identity/trustmanager/add. Reason: Error reading from remote server." I have checked the identity logs but could not find anything relevant. Please, I need your help since this is a blocker for us.

By Michael Schwartz staff 07 Aug 2019 at 1:31 p.m. CDT

Which logs did you check? I would look at the oxTrust logs, because it seems like there is an error with the form. You can try to turn up the log level for oxTrust too. You don't need to wait 5 minutes, because the XML is not rendering. If you want to decrease the wait time in general, you can set this in the Shibboleth XML settings.

By Aliaksandr Samuseu staff 07 Aug 2019 at 1:48 p.m. CDT

Hi, Eduardo. Do you get the error while you are still trying to add it via the web UI, or later, when you are sent to the IDP during the SAML flow? Please follow Michael's suggestion and gather some logs. If I got you right, it's the web UI that fails in your case, so you need to check `/opt/gluu/jetty/identity/logs/oxtrust.log` for any related errors and warnings. As you supply your SP's metadata by URL, I would say it's very likely oxTrust can't use this URL to fetch it. Could you try to download the metadata manually and provide it using the "File" method instead? If it works, then we'll be able to confirm it's true. If there is still the same error when providing it with the "File" method, I would try to check whether you have enough memory assigned for the JVMs first. This is especially true if you try to create a TR with some federation metadata, which is usually very heavy to process.

- For web UI: `/etc/default/identity` file
- For IDP: `/etc/default/idp` file

You'll see a line like this in both:

```
JAVA_OPTIONS="-server -Xms256m -Xmx636m -XX:MaxMetaspaceSize=273m -XX:+DisableExplicitGC -Dgluu.base=/etc/gluu -Dserver.base=/opt/gluu/jetty/identity -Dlog.base=/opt/gluu/jetty/identity -Dpython.home=/opt/jython -Dorg.eclipse.jetty.server.Request.maxFormContentSize=50000000"
```

Make sure that `-Xms` is at 512m, and `-Xmx` is at 1024 at least (better 1536m or 2048m). If you have to change it, restart the "identity" and "idp" services in the end.

By Aliaksandr Samuseu staff 09 Aug 2019 at 3:51 p.m. CDT

Hi, Eduardo. Any updates on this one?

By Eduardo Martinez user 09 Aug 2019 at 4:30 p.m. CDT

Hello Aliaksandr, I have checked the oxTrust logs after I clicked on the "add" button, and the only error I'm getting is this:

```
2019-08-09 21:13:04,437 ERROR [Thread-60556] [org.gluu.oxtrust.ldap.service.EntityIDMonitoringService] ( - Exception happened while monitoring EntityId java.lang.NullPointerException: null
```

Nothing else. Also, I have tried a local file instead of a URI and I got the same result. Finally, I have changed the identity and idp files with the recommended values, but still got the same result. Thanks in advance for any help you can give me.

By Aliaksandr Samuseu staff 11 Aug 2019 at 2:16 p.m. CDT

Hi, Eduardo. Please share the metadata file with us so we could try to reproduce it.

By Christian Magdaong user 14 Aug 2019 at 8:28 a.m. CDT

Hi Aliaksandr, thank you for the help. Below is the metadata you requested from Eduardo.

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xmlns:xml="" xml:lang="en">miniOrange</md:OrganizationName>
    <md:OrganizationDisplayName xmlns:xml="" xml:lang="en">miniOrange</md:OrganizationDisplayName>
    <md:OrganizationURL xmlns:xml="" xml:lang="en"></md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Xecurify</md:GivenName>
    <md:EmailAddress></md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Xecurify</md:GivenName>
    <md:EmailAddress></md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

Let us know if you need more info.

By Christian Magdaong user 19 Aug 2019 at 5:47 a.m. CDT

Hi Aliaksandr, Any updates on this one? Let me know if you need more information. Thank you.

By Aliaksandr Samuseu staff 22 Aug 2019 at 7:07 p.m. CDT

Hi, Christian. Sorry for the delayed response. It turns out we can't reproduce this issue. A TR created with this metadata passes validation in my local instance. As you are using the OpenLDAP-based package, I would suggest making sure the db's size limit hasn't been reached:

1. Inside the container, open the `/opt/symas/etc/openldap/slapd.conf` file and find out what `maxsize` is set for the "o=gluu" context in it; it's around 1GB by default.
2. Check the size of the db file on disk: `# ls -alh /opt/gluu/data/main_db/data.mdb`

If the limit is reached, you'll need to increase it and restart the service.