By: Maniganda Prakash Kannan Account Admin 05 Nov 2018 at 6:30 p.m. CST

5 Responses
#### <u>**Requirement**:</u>

As shown in the diagram, some values need to be fetched from the DB and set in the response returned to the SP: http://pasteboard.co/HLazlC8.png So I thought attributes would solve the problem.

#### <u>**Below is what's been tried but didn't work:**</u>

* Add a custom attribute per https://gluu.org/docs/ce/3.1.4/admin-guide/attribute/
* Register it in the UI
* Check it is listed in Attributes: https://pasteboard.co/HLPzPxG.png
* Update the `passport_saml` custom script: add `customTest` to both `generic_local_attributes_list` and `generic_remote_attributes_list`, and update the `fillUser()` function as in https://pasteboard.co/HLPD4xs.png
* Authenticate with an IDP; the following error is thrown for `customTest`:

```
2018-11-05 15:48:39,492 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. authenticate called 1
2018-11-05 15:48:39,493 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. authenticate for step 1. JWT user profile token found
2018-11-05 15:48:39,494 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. validSignature. Checking JWT token signature
2018-11-05 15:48:39,496 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. validSignature. Validation result was True
2018-11-05 15:48:39,501 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User with externalUid 'passport-saml:manigandaprakash.kannan@amexgbt.com' already exists
2018-11-05 15:48:39,501 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. attemptAuthentication. Updating user None
2018-11-05 15:48:39,502 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Exception:
2018-11-05 15:48:39,502 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - u'customtest'
2018-11-05 15:48:39,502 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. attemptAuthentication. Authentication failed
```

### Is this the right approach, or would you suggest a different way?

By Aliaksandr Samuseu staff 06 Nov 2018 at 11:31 a.m. CST

Hi, Maniganda. I don't think I've had a chance to test this exact setup (Passport-SAML with a custom attribute in the mappings). I'll try it when I have a chance in the next couple of days. For now, please also share your `/etc/gluu/conf/passport-saml-config.json` file and the full values of the `generic_local_attributes_list` and `generic_remote_attributes_list` properties of the `passport_saml` custom script I suppose you use.

By Maniganda Prakash Kannan Account Admin 06 Nov 2018 at 11:52 a.m. CST

Can you please confirm that using attributes is the right way for the requirement http://pasteboard.co/HLazlC8.png ?

**passport-saml-config.json:**

```
{
  "salesforce": {
    "entryPoint": "https://gbt1.my.salesforce.com/idp/endpoint/HttpPost",
    "issuer": "https://gbt1.my.salesforce.com",
    "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "authnRequestBinding": "HTTP-POST",
    "logo_img": "https://c1.sfdcstatic.com/content/dam/web/en_us/www/images/home/logo-salesforce.svg",
    "enable": "true",
    "cert": "<certificate omitted>",
    "skipRequestCompression": "true",
    "reverseMapping": {
      "email": "email",
      "username": "username",
      "displayName": "name",
      "id": "id",
      "name": "name",
      "givenName": "name",
      "familyName": "name",
      "provider": "issuer"
    }
  }
}
```

**generic_local_attributes_list:**
`customTest, uid, mail, cn, displayName, givenName, sn, provider`

**generic_remote_attributes_list:**
`customTest, username, email, name, name, givenName, familyName, provider`

By Aliaksandr Samuseu staff 06 Nov 2018 at 12:20 p.m. CST

> Can you please assert that using attributes is the right way for the requirement http://pasteboard.co/HLazlC8.png ?

Not sure, to be honest. In particular, why do you add `customTest` to one of the mappings if it isn't passed from the remote IDP? The only purpose of all those mappings is to assign values passed from the remote IDP to attributes of the local user entry. In your case, besides the lines retrieving this additional data from the REST API that you've already added to the default Jython script (I guess), I would add lines which add those values to the object representing the user entry (there may be several places in the script you'll need to modify, like the branch responsible for the addition of a new user, another one responsible for the update of an existing entry, etc.).

By Maniganda Prakash Kannan Account Admin 07 Nov 2018 at 2:24 p.m. CST

Got it, then `customTest` does not need to be entered in `generic_local_attributes_list` and `generic_remote_attributes_list`, which is a learning for me. But my original problem still remains. I added the line below in the `fillUser` function, which causes the exception shown in the logs.

```
def fillUser(self, foundUser, profile):
    foundUser.setAttribute("customTest", "some text")
    # ... rest of the original function ...
```

**Exception:** (search for the word `Exception`)

```
2018-11-05 15:48:39,492 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. authenticate called 1
2018-11-05 15:48:39,493 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. authenticate for step 1. JWT user profile token found
2018-11-05 15:48:39,494 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. validSignature. Checking JWT token signature
2018-11-05 15:48:39,496 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. validSignature. Validation result was True
2018-11-05 15:48:39,501 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - User with externalUid 'passport-saml:manigandaprakash.kannan@amexgbt.com' already exists
2018-11-05 15:48:39,501 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. attemptAuthentication. Updating user None
2018-11-05 15:48:39,502 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Exception:
2018-11-05 15:48:39,502 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - u'customtest'
2018-11-05 15:48:39,502 INFO [qtp1094834071-17] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. attemptAuthentication. Authentication failed
```

By Aliaksandr Samuseu staff 13 Nov 2018 at 5:46 p.m. CST

Hi, Maniganda. Sorry for the delay. It turns out we are unable to reproduce your issue. In my test setup I can assign a value to the "customTest" attribute from inside the Jython script without any errors. No exceptions are visible in the log. The only change I had to make is the one depicted in [the picture](https://pasteboard.co/HLPD4xs.png) you provided, i.e. adding this line:

```
foundUser.setAttribute("customTest", "Test_Value")
```

Do you use the version of the script which came pre-packaged with your instance, or did you download some other version from somewhere? I'm attaching my version of the script to this post. Do you mind also sharing your customized version, so we could try to debug it locally? You could also run a "diff" on the version provided by us and your own version, just in case there are more differences between them than we know.

Are you perfectly sure it's this line which becomes the source of that exception? If I understand your case correctly, you've done additional changes to the script as well. You could consider enclosing all lines you suspect of generating it in "try-catch" blocks like below:

```
...
import sys
...
try:
    ... some block of code ...
except Exception as ex:
    print "Catching point #1"
    print "Unexpected error: %s, %s" % (ex, sys.exc_info()[0])
    raise
except:
    print "Catching point #2"
    print "Unexpected error: %s" % (sys.exc_info()[0])
    raise
```

This should provide additional clues on what kind of exception it is.

Finally, a couple of general suggestions (sorry if it's quite obvious, but better to rule those out before delving deeper into troubleshooting):

1. Are you sure that you added the "customTest" attribute correctly? You can test it by trying to add this attribute to any user on the "Users -> Manage people" page; if no error is shown and the attribute is still there after you search for the same user again and open its page, we can rule this possibility out.
2. This is not directly related to the current situation, but to prevent possible future confusion: you should also make sure you added the "customTest" attribute to the list of released attributes for the SP you need to send it to.
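The two points the thread turns on, the position-wise mapping of `generic_remote_attributes_list` onto `generic_local_attributes_list` and the staff advice to wrap suspect lines in try/except so the exception's class becomes visible, can be shown in plain Python. The block below is an added example, not code from this thread or from Gluu's own `passport_saml` script: `StubUser` is a constructed stand-in for the user-entry object (the real Gluu `User` class is not used, and the stub's case-sensitive "registered attribute" check is an assumption), `fill_user` and `guarded` are hypothetical helpers named here, and the profile and mapping lists are constructed sample data. Note what `guarded` makes visible: when only `str(ex)` is logged, a `KeyError` prints nothing but the quoted key, which is why naming the exception class is the useful diagnostic.

```python
# Added example (not Gluu's script): position-wise attribute mapping plus a
# try/except wrapper that reports the exception class, not only its message.

# Constructed stand-in for the user-entry object a Jython script receives.
# It records attributes and rejects names that were never registered; the
# case-sensitive name check is an assumption made for this demonstration.
class StubUser(object):
    def __init__(self, registered):
        self.registered = set(registered)
        self.attrs = {}

    def setAttribute(self, name, value):
        if name not in self.registered:
            raise ValueError("attribute %r is not registered" % name)
        self.attrs[name] = value

    def getAttribute(self, name):
        return self.attrs.get(name)


# Assumed mapping lists: local name at index i receives remote name at index i.
LOCAL_ATTRS = ["uid", "mail", "cn", "displayName", "givenName", "sn", "provider"]
REMOTE_ATTRS = ["username", "email", "name", "name", "givenName", "familyName", "provider"]

# Constructed sample profile, as the SAML bridge might deliver it.
SAMPLE_PROFILE = {
    "username": "jdoe",
    "email": "jdoe@example.com",
    "name": "Jane Doe",
    "givenName": "Jane",
    "familyName": "Doe",
    "provider": "https://idp.example.com",
}


def fill_user(found_user, profile, local_attrs=LOCAL_ATTRS, remote_attrs=REMOTE_ATTRS):
    """Copy each mapped remote profile value onto the local user entry.

    A remote attribute missing from the profile is skipped instead of raising,
    so an IDP that omits an optional claim does not abort the login.
    Returns the list of local attribute names that were written.
    """
    if len(local_attrs) != len(remote_attrs):
        raise ValueError("mapping lists differ in length")
    written = []
    for local_name, remote_name in zip(local_attrs, remote_attrs):
        if remote_name in profile:
            found_user.setAttribute(local_name, profile[remote_name])
            written.append(local_name)
    return written


def add_local_only_attribute(found_user, name, value):
    """Set a value that does not come from the IDP (e.g. looked up in a DB),
    which therefore belongs in neither mapping list."""
    found_user.setAttribute(name, value)


def guarded(fn, *args, **kwargs):
    """Run fn; return (result, None) or (None, 'ExceptionClass: message').

    str(ex) alone can be nearly empty: for a KeyError it is just the repr of
    the missing key, so the class name is what tells you what went wrong.
    """
    try:
        return fn(*args, **kwargs), None
    except Exception as ex:
        return None, "%s: %s" % (type(ex).__name__, ex)


def demo():
    """Exercise the mapping, a local-only attribute, and two failure modes."""
    user = StubUser(LOCAL_ATTRS + ["customTest"])
    written, err_map = guarded(fill_user, user, SAMPLE_PROFILE)
    # Registered local-only attribute: succeeds.
    _, err_ok = guarded(add_local_only_attribute, user, "customTest", "Test_Value")
    # Unregistered (lower-cased) name: the stub rejects it and guarded names the class.
    _, err_name = guarded(add_local_only_attribute, user, "customtest", "x")
    # Direct lookup of a key the profile lacks: KeyError, whose message is only the key.
    _, err_key = guarded(lambda p: p["customtest"], SAMPLE_PROFILE)
    return user, written, err_map, err_ok, err_name, err_key


if __name__ == "__main__":
    for item in demo()[1:]:
        print(item)
```

Run stand-alone it prints the written attribute list and the three error strings; the last one reads `KeyError: 'customtest'`, whereas logging `ex` alone would show only `'customtest'`.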