You definitely have to release transient id.
I just configured this myself coincidentally to test it. It was tricky... a few other things you need to do:
1. In the security section of `advanced_settings.json` add `"requestedAuthnContext": false`
2. I didn't get SLO working.
3. My apache proxy config was very picky about the trailing `/` in the url
4. Only the "Login with attributes" button worked for me--I think that's a problem with the way the app redirects that I didn't have the patience to fix.
5. I had to upload the metadata file in the Gluu Server (the URI didn't work, I think because I was testing with a self-signed HTTPS certificate)
6. I had to copy the IDP certificate from my gluu server metadata, remove all the spaces and line breaks, and copy it in.
7. I generated the certs exactly as the instructions suggested, and put them in the certs folder.
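If you want to compare, I'll just paste my config files here. Keep in mind these are from a test setup: `settings.json` has `"strict": false` and `"debug": true`, and with strict mode off python-saml does not reject responses that are missing the signatures or encryption the security settings ask for, so `wantAssertionsSigned` and `wantAssertionsEncrypted` are not really enforced. Turn `strict` on and `debug` off before using anything like this for real. The `rsa-sha1` signature algorithm is also an old default; `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` is the better choice.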
`advanced_settings.json`
```
{
"security": {
"requestedAuthnContext": false,
"nameIdEncrypted": false,
"authnRequestsSigned": false,
"logoutRequestSigned": false,
"logoutResponseSigned": false,
"signMetadata": false,
"wantMessagesSigned": false,
"wantAssertionsSigned": true,
"wantNameId" : false,
"wantNameIdEncrypted": false,
"wantAssertionsEncrypted": true,
"signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
},
"contactPerson": {
"technical": {
"givenName": "technical_name",
"emailAddress": "technical@example.com"
},
"support": {
"givenName": "support_name",
"emailAddress": "support@example.com"
}
},
"organization": {
"en-US": {
"name": "sp_test",
"displayname": "SP test",
"url": "http://sp.example.com"
}
}
}
```
`settings.json`
```
{
"strict": false,
"debug": true,
"sp": {
"entityId": "https://squid.gluu.info/python-saml-sp/metadata/",
"assertionConsumerService": {
"url": "https://squid.gluu.info/python-saml-sp/?acs",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"singleLogoutService": {
"url": "https://squid.gluu.info/python-saml-sp/?sls",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
},
"idp": {
"entityId": "https://albacore.gluu.info/idp/shibboleth",
"singleSignOnService": {
"url": "https://albacore.gluu.info/idp/profile/SAML2/Redirect/SSO",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"singleLogoutService": {
"url": "https://albacore.gluu.info//idp/logout.jsp",
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"x509cert": "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"
}
}
```
sp-metadata
```
<?xml version="1.0" ?><md:EntityDescriptor cacheDuration="PT604800S" entityID="https://squid.gluu.info/python-saml-sp/metadata/" validUntil="2016-08-26T16:22:10Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescrip
tor use="signing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:
X509Data><ds:X509Certificate>MIIDtzCCAp+gAwIBAgIJAKeks//oKVaQMA0GCSqGSIb3DQEBCwU
AMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGQXVzdGluMQ0wCwYDVQQKDARHbHV
1MRgwFgYDVQQDDA9zcXVpZC5nbHV1LmluZm8xHDAaBgkqhkiG9w0BCQEWDW1pa2VAZ2x1dS5vcmcwHhc
NMTYwODI0MDQ1MTI4WhcNMjYwODI0MDQ1MTI4WjByMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzA
NBgNVBAcMBkF1c3RpbjENMAsGA1UECgwER2x1dTEYMBYGA1UEAwwPc3F1aWQuZ2x1dS5pbmZvMRwwGgY
JKoZIhvcNAQkBFg1taWtlQGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxMr
iThLr01zwqXc5CAyJW6ZFcERAAwozpZLaDBkeh7Y2xGuYYwj+vkm96IrLaChHSbQ1o7dalNIHz0wFSxg
gRYwqpnvn9pWwZ5qL6SoGAdAgaCWbCqS6yudxV/8nbav8csr2Hm8aa/lA7hAOIG3mlYbco6eaABsvuxI
/6++US25C0WZXNLTkGezJPQUCF1rxeKRY0/g92wxtA3T+CSQyfnVNZMJtVpaZqgQeEuCWGRTK8MNgIhi
8GtJhMwnlHy05Wppgttj0YW4J5VY8+Nw6Rc3IbQcXASW2z9ctpvYjtHN+uSdy6UzYWtzAGwTbU3l3vjs
wc9V2JcHx31lIWJQnfwIDAQABo1AwTjAdBgNVHQ4EFgQUwzj1AZngeC0GFCKijaBJL+nRVEMwHwYDVR0jBBgwFoAUwzj1AZngeC0GFCKijaBJL+nRVEMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAvzbxkH5FFtOOWMwKs3q6c/iA8rVxCRWLjg0paE1JiDtjm/C7fbcpW7lTF5T360yYekOmHNHnR7H/WUspVRmtMP9WY+TRtl7mgwSWVfRnjuPCEN2/mdCGyr6bblDgqrw6/UBIoXyjf6qS0gCzy4JBEfCL4lzvKyZ3LNEX5XH5kdy2klB4klSFo1AK3gNN20d6WfUXxHPFsxtPwS+hxvfEiyV0EbQyyfZhK2dVAdOJAFow4i/tbezeEr0iZ/gAg1yrj+B4/ralL0YdnBPaR8cNf2qjfjT0zYD7UMr+OojdoLcRa+3GMDVykackWe6z20Ur0cbZ9QrbwBtMpP/m9lMblw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtzCCAp+gAwIBAgIJAKeks//oKVaQMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGQXVzdGluMQ0wCwYDVQQKDARHbHV1MRgwFgYDVQQDDA9zcXVpZC5nbHV1LmluZm8xHDAaBgkqhkiG9w0BCQEWDW1pa2VAZ2x1dS5vcmcwHhcNMTYwODI0MDQ1MTI4WhcNMjYwODI0MDQ1MTI4WjByMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzANBgNVBAcMBkF1c3RpbjENMAsGA1UECgwER2x1dTEYMBYGA1UEAwwPc3F1aWQuZ2x1dS5pbmZvMRwwGgYJKoZIhvcNAQkBFg1taWtlQGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxMriThLr01zwqXc5CAyJW6ZFcERAAwozpZLaDBkeh7Y2xGuYYwj+vkm96IrLaChHSbQ1o7dalNIHz0wFSxggRYwqpnvn9pWwZ5qL6SoGAdAgaCWbCqS6yudxV/8nbav8csr2Hm8aa/lA7hAOIG3mlYbco6eaABsvuxI/6++US25C0WZXNLTkGezJPQUCF1rxeKRY0/g92wxtA3T+CSQyfnVNZMJtVpaZqgQeEuCWGRTK8MNgIhi8GtJhMwnlHy05Wppgttj0YW4J5VY8+Nw6Rc3IbQcXASW2z9ctpvYjtHN+uSdy6UzYWtzAGwTbU3l3vjswc9V2JcHx31lIWJQnfwIDAQABo1AwTjAdBgNVHQ4EFgQUwzj1AZngeC0GFCKijaBJL+nRVEMwHwYDVR0jBBgwFoAUwzj1AZngeC0GFCKijaBJL+nRVEMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAvzbxkH5FFtOOWMwKs3q6c/iA8rVxCRWLjg0paE1JiDtjm/C7fbcpW7lTF5T360yYekOmHNHnR7H/WUspVRmtMP9WY+TRtl7mgwSWVfRnjuPCEN2/mdCGyr6bblDgqrw6/UBIoXyjf6qS0gCzy4JBEfCL4lzvKyZ3LNEX5XH5kdy2klB4klSFo1AK3gNN20d6WfUXxHPFsxtPwS+hxvfEiyV0EbQyyfZhK2dVAdOJAFow4i/tbezeEr0iZ/gAg1yrj+B4/ralL0YdnBPaR8cNf2qjfjT0zYD7UMr+OojdoLcRa+3GMDVykackWe6z20Ur0cbZ9QrbwBtMpP/m9lMblw==</ds:X509Certificate></ds:
X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://squid.gluu.info/python-saml-sp/?sls"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://squid.gluu.info/python-saml-sp/?acs" index="1"/>
</md:SPSSODescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en-US">sp_test</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en-US">SP test</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en-US">http://sp.example.com</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
<md:GivenName>technical_name</md:GivenName>
<md:EmailAddress>technical@example.com</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>support_name</md:GivenName>
<md:EmailAddress>support@example.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
```
apache-config
```
# Reverse-proxy the SP test app, which listens on 127.0.0.1:8000, under /python-saml-sp/.
# Pass the client's original Host header through to the backend instead of
# replacing it with 127.0.0.1:8000.
ProxyPreserveHost On
# Map everything under /python-saml-sp/ to the backend root. The path and the
# target URL must agree on the trailing "/": if one ends with it, so must the other.
ProxyPass /python-saml-sp/ http://127.0.0.1:8000/
ProxyPassReverse /python-saml-sp/ http://127.0.0.1:8000/
# NOTE(review): ProxyPass rules are checked in configuration order and the first
# match wins, so the broader rule above already catches /python-saml-sp/metadata/
# and sends it to the same target; these two lines look redundant. A more specific
# mapping only takes effect if it is listed before the general one.
ProxyPass /python-saml-sp/metadata/ http://127.0.0.1:8000/metadata/
ProxyPassReverse /python-saml-sp/metadata/ http://127.0.0.1:8000/metadata/
```
![Final Screenshot](https://ox.gluu.org/lib/exe/fetch.php?t=1472147769&w=500&h=322&tok=f1e1f4&media=python-saml-screenshot.png "enter image title here")