By: Noelle Keller user 11 Sep 2015 at 12:34 p.m. CDT

10 Responses
Hello, we have the Google Plus authentication set up on our Gluu server, using this HOWTO: http://www.gluu.org/docs/articles/social-login-google/. When I am in Chrome and logged in to my Gmail account I can seamlessly log in to a configured SAML third party site. When I am not logged in to Gmail it sends a redirect to the Gluu server, https://ltgluusaml.cloudapp.net/oxauth/login, which does not have the Google Plus login button. What do I need to change to get it to redirect to https://ltgluusaml.cloudapp.net/oxauth/auth/gplus/gplus-login, so the user can log in with the Google Plus button? Thanks!

By Michael Schwartz Account Admin 11 Sep 2015 at 12:41 p.m. CDT

That's weird. We'll have to take a look at this. It should present the Google login screen because it's your default authentication workflow.

By Mohib Zico staff 11 Sep 2015 at 1:05 p.m. CDT

Looking into it....

By Michael Schwartz Account Admin 11 Sep 2015 at 3:20 p.m. CDT

Can you check the logs from `/opt/tomcat/logs/oxauth.log` or `/opt/tomcat/logs/wrapper.log` to see if there is any stack trace when you are redirected? Also, does your application have any logs that indicate a problem?

By Noelle Keller user 11 Sep 2015 at 3:48 p.m. CDT

Unfortunately I don't have access to the application we are trying to connect but the admin on their end did not see any errors. Here is the entry from oxauth.log when attempting to authenticate without being logged into Google, which opens to https://ltgluusaml.cloudapp.net/oxauth/login and below that is the log entry from idp-process.log showing some redirects being done too.

**oxauth.log**

```
2015-09-11 20:39:09,044 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: '8f745796-cbaa-4cfc-b28c-cf84431225b5'
2015-09-11 20:39:09,056 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: 8f745796-cbaa-4cfc-b28c-cf84431225b5 ...
2015-09-11 20:39:09,056 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=8f745796-cbaa-4cfc-b28c-cf84431225b5,ou=session,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu
2015-09-11 20:39:09,056 TRACE [org.xdi.oxauth.auth.Authenticator] authenticateBySessionId, sessionId = '8f745796-cbaa-4cfc-b28c-cf84431225b5', session = 'SessionId [dn=uniqueIdentifier=8f745796-cbaa-4cfc-b28c-cf84431225b5,ou=session,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu, id=8f745796-cbaa-4cfc-b28c-cf84431225b5, lastUsedAt=Fri Sep 11 20:38:52 UTC 2015, userDn=null, authenticationTime=Fri Sep 11 20:38:52 UTC 2015, state=unauthenticated, permissionGranted=null, permissionGrantedMap=null, sessionAttributes={response_type=code id_token, scope=openid profile email user_name, nonce=nonce, redirect_uri=https://ltgluusaml.cloudapp.net/idp/auth-code.jsp, client_id=@!E57E.88D3.9FEC.1FE7!0008!D8C2.5989}]', state= 'unauthenticated'
2015-09-11 20:39:09,059 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: 8f745796-cbaa-4cfc-b28c-cf84431225b5 ...
2015-09-11 20:39:09,059 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=8f745796-cbaa-4cfc-b28c-cf84431225b5,ou=session,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu
2015-09-11 20:39:09,067 TRACE [org.xdi.oxauth.service.SessionIdService] Generated new session, id = 'efe227fa-afe3-472f-8ee3-6c61fc7cfede', state = 'unauthenticated', persisted = 'false'
2015-09-11 20:39:09,069 TRACE [xdi.oxauth.authorize.ws.rs.AuthorizeAction] Session 'efe227fa-afe3-472f-8ee3-6c61fc7cfede' persisted to LDAP
2015-09-11 20:39:09,112 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: 'efe227fa-afe3-472f-8ee3-6c61fc7cfede'
2015-09-11 20:39:09,115 TRACE [org.xdi.oxauth.service.SessionIdService] Try to get session by id: efe227fa-afe3-472f-8ee3-6c61fc7cfede ...
2015-09-11 20:39:09,116 TRACE [org.xdi.oxauth.service.SessionIdService] Session dn: uniqueIdentifier=efe227fa-afe3-472f-8ee3-6c61fc7cfede,ou=session,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu
2015-09-11 20:39:09,135 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!E57E.88D3.9FEC.1FE7!0008!D8C2.5989,ou=clients,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu'
2015-09-11 20:39:09,135 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!E57E.88D3.9FEC.1FE7!0008!D8C2.5989
2015-09-11 20:39:09,145 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!E57E.88D3.9FEC.1FE7!0008!D8C2.5989,ou=clients,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu'
2015-09-11 20:39:09,145 DEBUG [org.xdi.oxauth.service.ClientService] Found 1 entries for client id = @!E57E.88D3.9FEC.1FE7!0008!D8C2.5989
2015-09-11 20:39:09,145 TRACE [org.xdi.oxauth.service.ClientService] Get client from cache by Dn 'inum=@!E57E.88D3.9FEC.1FE7!0008!D8C2.5989,ou=clients,o=@!E57E.88D3.9FEC.1FE7!0001!5511.6479,o=gluu'
```

**idp-process.log**

```
20:43:09.843 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie.
20:45:37.689 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie.
20:45:37.690 - INFO [Shibboleth-Access:73] - 20150911T204537Z|159.238.159.228|ltgluusaml.cloudapp.net:443|/profile/SAML2/Redirect/SSO|
20:45:37.690 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
20:45:37.691 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
20:45:37.691 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key 28c096b668dc9a009e5ecc62ff1b80b482b6390e5e4b7e5eb392f4267ab807c8 from StorageService parition: loginContexts
20:45:37.691 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key 28c096b668dc9a009e5ecc62ff1b80b482b6390e5e4b7e5eb392f4267ab807c8 from StorageService parition: loginContexts
20:45:37.691 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:588] - Unbinding LoginContext
20:45:37.691 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:614] - Expiring LoginContext cookie
20:45:37.692 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:625] - Removed LoginContext, with key 28c096b668dc9a009e5ecc62ff1b80b482b6390e5e4b7e5eb392f4267ab807c8, from StorageService partition loginContexts
20:45:37.692 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:183] - Incoming request contains a login context but principal was not authenticated, processing first leg of request
20:45:37.692 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
20:45:37.700 - DEBUG [PROTOCOL_MESSAGE:113] -
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://www.securitymentor.com/simplesaml/module.php/saml/sp/saml2-acs.php/wyotest-sp" Destination="https://ltgluusaml.cloudapp.net/idp/profile/SAML2/Redirect/SSO" ID="_d18eb065427a3fdfe7deaafd42fadefdf59d8881d7" IssueInstant="2015-09-11T20:45:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
20:45:37.701 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp
20:45:37.701 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp
20:45:37.702 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp'
20:45:37.702 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp
20:45:37.702 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:130] - Custom relying party configuration found for https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp
20:45:37.702 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:226] - Creating login context and transferring control to authentication engine
20:45:37.703 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:181] - Storing LoginContext to StorageService partition loginContexts, key 81a0bae256147ae32a2495a231a78a93c04b6d5488f6013108f8cb72d27a157f
20:45:37.704 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:240] - Redirecting user to authentication engine at https://ltgluusaml.cloudapp.net:443/idp/AuthnEngine
20:45:37.742 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie.
20:45:37.742 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
20:45:37.742 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:349] - Looking up LoginContext with key 81a0bae256147ae32a2495a231a78a93c04b6d5488f6013108f8cb72d27a157f from StorageService parition: loginContexts
20:45:37.743 - TRACE [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:355] - Retrieved LoginContext with key 81a0bae256147ae32a2495a231a78a93c04b6d5488f6013108f8cb72d27a157f from StorageService parition: loginContexts
20:45:37.745 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] - Beginning user authentication process.
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] - Filtering configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@6cb735c7, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@702bd393, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@4d4f916d}
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:332] - Filtering out previous session login handler because there is no existing IdP session
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@702bd393, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@4d4f916d}
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:66] - Redirecting to https://ltgluusaml.cloudapp.net:443/idp/Authn/RemoteUser
```
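
An added example, not part of the original thread and not Gluu or Shibboleth code: a small Python parser that reduces `idp-process.log` lines like the ones posted above to the facts needed when triaging a redirect problem (relying party, selected login handler, redirect chain, any WARN/ERROR lines). The sample lines are copied from the post; the function name and result keys are assumptions made for the example.

```python
import re

# Constructed sample: five idp-process.log lines copied from the post above.
SAMPLE_LOG = """\
20:45:37.702 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'https://www.securitymentor.com/simplesaml/module.php/saml/sp/metadata.php/wyotest-sp'
20:45:37.704 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:240] - Redirecting user to authentication engine at https://ltgluusaml.cloudapp.net:443/idp/AuthnEngine
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:332] - Filtering out previous session login handler because there is no existing IdP session
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
20:45:37.746 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:66] - Redirecting to https://ltgluusaml.cloudapp.net:443/idp/Authn/RemoteUser
"""

# "HH:MM:SS.mmm - LEVEL [logger:line] - message", as in the posted log.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$")
RP_RE = re.compile(r"Decoded request from relying party '([^']+)'")
HANDLER_RE = re.compile(r"Authenticating user with login handler of type (\S+)")
REDIRECT_RE = re.compile(
    r"Redirecting (?:user )?to (?:authentication engine at )?(https?://\S+)")
NO_SESSION = "there is no existing IdP session"

def summarize(log_text):
    """Reduce an idp-process.log excerpt to the facts needed for triage."""
    out = {"relying_party": None, "handler": None, "redirects": [],
           "had_idp_session": None, "problems": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # continuation line, e.g. the body of a logged SAML message
        level, msg = m["level"], m["msg"]
        if level in ("WARN", "ERROR"):
            out["problems"].append(msg)
        if NO_SESSION in msg:
            out["had_idp_session"] = False
        rp = RP_RE.search(msg)
        if rp:
            out["relying_party"] = rp.group(1)
        handler = HANDLER_RE.search(msg)
        if handler:
            out["handler"] = handler.group(1).rsplit(".", 1)[-1]
        redirect = REDIRECT_RE.search(msg)
        if redirect:
            out["redirects"].append(redirect.group(1))
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
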

By Noelle Keller user 11 Sep 2015 at 4:42 p.m. CDT

This is the link we are using to test SSO that does the redirect, https://www.securitymentor.com/sso/saml?token=a2tva1VPVmYuZ2xJUEhFQ3Y3aFVvZQ, to the Gluu server.

By Mohib Zico staff 11 Sep 2015 at 4:49 p.m. CDT

Noelle, what Gluu Server endpoints is the 'SecurityMentor' SP using for authentication redirection?

By Michael Schwartz Account Admin 11 Sep 2015 at 5:05 p.m. CDT

I think this is a bug in the 2.3.3 release. I just tested and got the same behavior--oxauth is not correctly displaying the default workflow. I'll have to get a developer to take a look next week.

By Noelle Keller user 11 Sep 2015 at 5:06 p.m. CDT

OK, sounds good. Thanks!

By Michael Schwartz Account Admin 11 Sep 2015 at 5:16 p.m. CDT

Created [oxAuth issue 72](https://github.com/GluuFederation/oxAuth/issues/72) on GitHub.

By William Lowe user 15 Oct 2015 at 3:13 p.m. CDT

Noelle, as you can see on [GitHub](https://github.com/GluuFederation/oxAuth/issues/72), this issue has been fixed. It will be included in our next release, 2.4.0, due out towards the end of the month. Thanks for your patience.