By: anish narang user 25 Aug 2016 at 3:09 a.m. CDT

3 Responses
I have configured Gluu IDP to work with pysaml2 SP. Cache refresh is set up to sync users from an LDAP server and authentication is configured. Redirection to the login page is successful. However, the IDP process log has the following warning:

```
WARN[edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:492] - No attribute of principal 'anish.n' can be encoded in to a NameIdentifier of required format 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' for relying party 'http://sp1.localhost/saml2/metadata'
```

Due to this, the SP also gives the error:

```
Not successful operation: <ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /></ns0:StatusCode><ns0:StatusMessage>Required NameID format not supported</ns0:StatusMessage></ns0:Status>
```

By Aliaksandr Samuseu staff 25 Aug 2016 at 4:48 a.m. CDT

Hi, anish. You could try adding the "transientID" attribute to the list of released attributes of this TR in the web UI. This should add a nameid of type "transient" to your response. But if your SP won't be satisfied with this and requires some other type of nameid, your only option is to edit the templates manually, adding its definition. Please see [this article](https://www.gluu.org/docs/customize/attributes/#defining-nameid) for details. You may refer to Shibboleth's docs for examples of how to define them too: [link](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier)

Best regards,
Alex.

By Michael Schwartz Account Admin 25 Aug 2016 at 12:57 p.m. CDT

You definitely have to release transient id. I just configured this myself coincidentally to test it. It was tricky... a few other things you need to do:

1. In the security section of `advanced_settings.json` add `"requestedAuthnContext": false`
2. I didn't get SLO working.
3. My apache proxy config was very picky about the trailing `/` in the url
4. Only the "Login with attributes" button worked for me--I think that's a problem with the way the app redirects that I didn't have the patience to fix.
5. I had to upload the metadata file in the Gluu Server (URI didn't work because I think I was testing with a self-signed HTTPS certificate)
6. I had to copy the IDP certificate from my gluu server metadata, remove all the spaces and line breaks, and copy it in.
7. I generated the certs exactly as the instructions suggested, and put them in the certs folder.

If you want to compare, I'll just paste my config files here:

`advanced_settings.json`

```
{
  "security": {
    "requestedAuthnContext": false,
    "nameIdEncrypted": false,
    "authnRequestsSigned": false,
    "logoutRequestSigned": false,
    "logoutResponseSigned": false,
    "signMetadata": false,
    "wantMessagesSigned": false,
    "wantAssertionsSigned": true,
    "wantNameId": false,
    "wantNameIdEncrypted": false,
    "wantAssertionsEncrypted": true,
    "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
  },
  "contactPerson": {
    "technical": {
      "givenName": "technical_name",
      "emailAddress": "technical@example.com"
    },
    "support": {
      "givenName": "support_name",
      "emailAddress": "support@example.com"
    }
  },
  "organization": {
    "en-US": {
      "name": "sp_test",
      "displayname": "SP test",
      "url": "http://sp.example.com"
    }
  }
}
```

`settings.json`

```
{
  "strict": false,
  "debug": true,
  "sp": {
    "entityId": "https://squid.gluu.info/python-saml-sp/metadata/",
    "assertionConsumerService": {
      "url": "https://squid.gluu.info/python-saml-sp/?acs",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
      "url": "https://squid.gluu.info/python-saml-sp/?sls",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
  },
  "idp": {
    "entityId": "https://albacore.gluu.info/idp/shibboleth",
    "singleSignOnService": {
      "url": "https://albacore.gluu.info/idp/profile/SAML2/Redirect/SSO",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "https://albacore.gluu.info//idp/logout.jsp",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": "<certificate omitted>"
  }
}
```

sp-metadata

```
<?xml version="1.0" ?>
<md:EntityDescriptor cacheDuration="PT604800S" entityID="https://squid.gluu.info/python-saml-sp/metadata/" validUntil="2016-08-26T16:22:10Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDtzCCAp+gAwIBAgIJAKeks//oKVaQMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGQXVzdGluMQ0wCwYDVQQKDARHbHV1MRgwFgYDVQQDDA9zcXVpZC5nbHV1LmluZm8xHDAaBgkqhkiG9w0BCQEWDW1pa2VAZ2x1dS5vcmcwHhcNMTYwODI0MDQ1MTI4WhcNMjYwODI0MDQ1MTI4WjByMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzANBgNVBAcMBkF1c3RpbjENMAsGA1UECgwER2x1dTEYMBYGA1UEAwwPc3F1aWQuZ2x1dS5pbmZvMRwwGgYJKoZIhvcNAQkBFg1taWtlQGdsdXUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxMriThLr01zwqXc5CAyJW6ZFcERAAwozpZLaDBkeh7Y2xGuYYwj+vkm96IrLaChHSbQ1o7dalNIHz0wFSxggRYwqpnvn9pWwZ5qL6SoGAdAgaCWbCqS6yudxV/8nbav8csr2Hm8aa/lA7hAOIG3mlYbco6eaABsvuxI/6++US25C0WZXNLTkGezJPQUCF1rxeKRY0/g92wxtA3T+CSQyfnVNZMJtVpaZqgQeEuCWGRTK8MNgIhi8GtJhMwnlHy05Wppgttj0YW4J5VY8+Nw6Rc3IbQcXASW2z9ctpvYjtHN+uSdy6UzYWtzAGwTbU3l3vjs...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://squid.gluu.info/python-saml-sp/?sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://squid.gluu.info/python-saml-sp/?acs" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">sp_test</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">SP test</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">http://sp.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>technical_name</md:GivenName>
    <md:EmailAddress>technical@example.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>support_name</md:GivenName>
    <md:EmailAddress>support@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

apache-config

```
ProxyPreserveHost On
ProxyPass /python-saml-sp/ http://127.0.0.1:8000/
ProxyPassReverse /python-saml-sp/ http://127.0.0.1:8000/
ProxyPass /python-saml-sp/metadata/ http://127.0.0.1:8000/metadata/
ProxyPassReverse /python-saml-sp/metadata/ http://127.0.0.1:8000/metadata/
```

![Final Screenshot](https://ox.gluu.org/lib/exe/fetch.php?t=1472147769&w=500&h=322&tok=f1e1f4&media=python-saml-screenshot.png)
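The two failure modes in this thread, the `InvalidNameIDPolicy` status from the first post and the settings/metadata drift that Michael's config files have to avoid, can both be caught before a user ever hits the login page. The script below is an added example; it is not code from the thread, from Gluu, or from pysaml2/python-saml, and it uses only the Python standard library. All inputs are constructed: the SP metadata mirrors the shape pasted above but asks for the persistent format, the IdP metadata is an assumption (the thread never shows it) that advertises only the transient format, the Status block is the one the SP logged, and the `settings.json` fragment follows python-saml's layout with two deliberate mismatches against the metadata.

```python
# Added example (not from the Gluu thread, Gluu, or python-saml): pre-flight
# checks for the NameID-format mismatch and settings/metadata drift discussed
# above. Every XML/JSON input below is constructed for this demo; the IdP
# metadata in particular is an assumption, since the thread never shows it.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# Constructed SP metadata: requests persistent NameIDs, like the SP in the first post.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/acs/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata (assumption): only the transient format is offered.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The Status block the SP logged in the first post.
STATUS_XML = ('<ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol">'
              '<ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
              '<ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />'
              '</ns0:StatusCode><ns0:StatusMessage>Required NameID format not supported'
              '</ns0:StatusMessage></ns0:Status>')

# Constructed settings.json fragment (python-saml layout) that has drifted from the
# metadata above: it asks for transient and drops the trailing slash on the ACS URL.
SETTINGS = {
    "sp": {
        "entityId": "https://sp.example.test/saml2/metadata",
        "assertionConsumerService": {"url": "https://sp.example.test/saml2/acs"},
        "NameIDFormat": TRANSIENT,
    }
}


def status_codes(status_xml):
    """Return the chain of StatusCode values, outermost first."""
    node = ET.fromstring(status_xml).find("samlp:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)  # nested second-level code, if any
    return codes


def nameid_formats(metadata_xml, role):
    """NameIDFormat values published under the SP or IdP role descriptor."""
    tag = {"sp": "md:SPSSODescriptor", "idp": "md:IDPSSODescriptor"}[role]
    root = ET.fromstring(metadata_xml)
    return {e.text.strip() for e in root.findall(f"{tag}/md:NameIDFormat", NS)}


def diagnose_nameid_policy(status_xml, sp_xml, idp_xml):
    """If the IdP answered InvalidNameIDPolicy, list the requested formats it lacks."""
    if INVALID_NAMEID_POLICY not in status_codes(status_xml):
        return None
    wanted = nameid_formats(sp_xml, "sp")
    offered = nameid_formats(idp_xml, "idp")
    return {
        "sp_requests": sorted(wanted),
        "idp_offers": sorted(offered),
        "unsupported": sorted(wanted - offered),
    }


def check_settings(settings, sp_xml):
    """Flag drift between a python-saml style settings dict and the SP's own metadata."""
    root = ET.fromstring(sp_xml)
    sp = settings["sp"]
    problems = []
    if root.get("entityID") != sp["entityId"]:
        problems.append("entityId in settings differs from metadata entityID")
    if sp["NameIDFormat"] not in nameid_formats(sp_xml, "sp"):
        problems.append(f"settings NameIDFormat {sp['NameIDFormat']} is not in metadata")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS).get("Location")
    cfg_acs = sp["assertionConsumerService"]["url"]
    if acs != cfg_acs:
        hint = " (trailing slash mismatch)" if acs.rstrip("/") == cfg_acs.rstrip("/") else ""
        problems.append(f"ACS URL {cfg_acs} differs from metadata {acs}{hint}")
    return problems


if __name__ == "__main__":
    print(diagnose_nameid_policy(STATUS_XML, SP_METADATA, IDP_METADATA))
    for p in check_settings(SETTINGS, SP_METADATA):
        print("settings problem:", p)
```

Run it as-is and `diagnose_nameid_policy` reports `persistent` as the unsupported format, which is exactly the gap behind the IdP's "No attribute of principal ... can be encoded" warning; `check_settings` then flags the NameIDFormat and trailing-slash mismatches that Michael ran into, so they can be fixed in the config rather than debugged from the proxy logs.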

By anish narang user 29 Aug 2016 at 12:12 a.m. CDT

Thanks Alex and Michael. Those steps worked perfectly. I'm now trying to configure SLO. The logout url provided by the IdP, `https://<server_name>/idp/logout.jsp`, logs the user out from Gluu, but not from the SP. Is there a way to accomplish this with Gluu?

Thanks,
Anish