By: cs chong user 29 Jan 2018 at 4:15 a.m. CST

9 Responses
I'm setting up an external SAML IDP using Passport.js in Gluu Server, following this URL: [https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#register-external-idps-with-home-idp](https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#register-external-idps-with-home-idp)

After I fill in those values in the JSON file, it looks like this:

```json
"externalIDP": {
  "entryPoint": "XXX_EntryPoint_OBSCURED_XXX",
  "issuer": "urn:oasis:names:tc:SAML:2.0:metadata",
  "identifierFormat": [
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
  ],
  "authnRequestBinding": "HTTP-POST",
  "logo_img": "/a/a/a.jpg",
  "enable": "true",
  "cert": "XXXXXXXXXXX_CERT_OBSCURED_XXXXXXXX",
  "skipRequestCompression": "true",
  "reverseMapping": {
    "email": "email",
    "username": "urn:oid:0.9.2342.19200300.100.1.1",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "id": "urn:oid:0.9.2342.19200300.100.1.1",
    "name": "urn:oid:2.5.4.42",
    "givenName": "urn:oid:2.5.4.42",
    "familyName": "urn:oid:2.5.4.4",
    "provider": "issuer"
  }
}
```

Then I can get the metadata from this URL, https://csvm/passport/auth/meta/idp/externalIDP. It looks like this:

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="urn:oasis:names:tc:SAML:2.0:metadata"
                  ID="urn_oasis_names_tc_SAML_2_0_metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXX_CERT_OBSCURED_XXXXXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://CSVM/passport/auth/saml/externalIDP/callback"/>
  </SPSSODescriptor>
</EntityDescriptor>
```

I would like to understand: does the "cert" property support "signing" and "encryption"? For example,

```xml
<md:KeyDescriptor use="signing">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>XXXXXXXXXXX_CERT_OBSCURED_XXXXXXXX</X509Certificate>
    </X509Data>
  </KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>XXXXXXXXXXX_CERT_OBSCURED_XXXXXXXX</X509Certificate>
    </X509Data>
  </KeyInfo>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_X"/>
</md:KeyDescriptor>
```

And how do I insert more "AssertionConsumerService"... similar to the metadata below,

```xml
<AssertionConsumerService index="0" isDefault="true"
                          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                          Location="https://XX_OBSCURED_XX"/>
<AssertionConsumerService index="1" isDefault="false"
                          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          Location="https://XX_OBSCURED_XX"/>
<AssertionConsumerService index="2" isDefault="false"
                          Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
                          Location="https://XX_OBSCURED_XX"/>
```

Two questions:

a. Does Gluu server have the realm concept? Or support Realm?

b. Does Gluu server support SAML artifact?

1. User goes to SP, then logs in and authenticates via IDP.
2. IDP replies with the SAML artifact to SP.
3. SP uses the SAML artifact and communicates with IDP to retrieve the actual SAML.
4. SP prompts user for consent.
5. If yes, continue the normal OAuth2 process (auth code & token & JWT).

Thanks!

By Aliaksandr Samuseu staff 29 Jan 2018 at 8:45 p.m. CST

Hi, Chong.

> Would like to understand is the "cert" property support "signing" and "encryption" ?

You should use the certificate your IDP publishes for the purpose of signature verification in `passport-saml-config.json`. Usage of encryption in the Inbound SAML flow hasn't been tested and officially is not supported at the moment.

> And how do I insert more "AssertionConsumerService"... similar the metadata below

Not supported as well, most likely. I'll ask the dev team member responsible for this part to review those two aspects and decide whether it's worth implementing. Feel free to provide your arguments here in the ticket as well.

> a. Does Gluu server has the realm concept ? or support Realm?

Could you elaborate, perhaps? What exact functionality do you need implemented? Please also note that by writing [an authentication interception script](https://gluu.org/docs/ce/3.1.2/authn-guide/customauthn/) you can implement additional functionality you need.

> b. Does Gluu server support SAML artifact ?

I'm most certain Inbound SAML doesn't support it by default. For outbound SAML, Gluu uses Shibboleth IDPv3, so whatever SAML profile/flow it supports is implicitly supported by Gluu. I must admit, though, that I don't remember anybody asking such a question on these boards in the last years, so I can't say for sure. 99% of our users seem to be satisfied with the usual HTTP-Redirect/POST bindings, but as we have the Artifact Resolution profile exposed in the web UI, it should be supported out-of-the-box as well. Please let us know if you have any difficulties with it.
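The answer above says the `cert` in `passport-saml-config.json` must be the certificate the IdP publishes for signing. The following check script is an added example, not code from this thread or from Gluu; it assumes the IdP's metadata is available as an XML string and the config as parsed JSON, and the metadata, config and certificate bodies below are constructed placeholders. It reports whether the configured `cert` is one of the IdP's signing keys, and ignores `use="encryption"` keys, which the inbound flow does not use.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata and XML Signature KeyInfo.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def normalize_cert(value):
    # Drop PEM armour and whitespace so a cert pasted into JSON and one
    # embedded in metadata XML compare as the same base64 string.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    return re.sub(r"\s+", "", body)

def idp_signing_certs(metadata_xml):
    # Certs the IdP publishes for signing. A KeyDescriptor with no 'use'
    # attribute is valid for both signing and encryption, so it counts;
    # use="encryption" keys are skipped (the inbound flow only verifies signatures).
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(normalize_cert(c.text or ""))
    return certs

def config_cert_matches_idp(config, idp_name, metadata_xml):
    # True when the provider's "cert" in passport-saml-config.json is one
    # of the IdP's signing certificates.
    return normalize_cert(config[idp_name]["cert"]) in idp_signing_certs(metadata_xml)

# Constructed sample IdP metadata; the cert bodies are placeholders, not real certs.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC_SIGNING_CERT_PLACEHOLDER
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC_ENCRYPTION_CERT_PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed excerpt of passport-saml-config.json with the same cert in PEM armour.
SAMPLE_CONFIG = {"externalIDP": {"cert": "-----BEGIN CERTIFICATE-----\n"
                                         "MIIC_SIGNING_CERT_PLACEHOLDER\n"
                                         "-----END CERTIFICATE-----"}}
```

Running `config_cert_matches_idp(SAMPLE_CONFIG, "externalIDP", SAMPLE_IDP_METADATA)` returns `True` for the sample; pasting the encryption cert instead would return `False`.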

By cs chong user 30 Jan 2018 at 12:30 a.m. CST

Hi Aliaksandr Samuseu,

Thanks for your reply. For the SAML artifact:

> **_b. Does Gluu server support SAML artifact ?_**
> I'm most certain Inbound SAML doesn't support it by default. For outbound SAML Gluu uses Shibboleth IDPv3, so whatever SAML profile/flow it supports is implicitly supported by Gluu. Must admit though that I don't remember anybody asking such question on those boards in the last years, so I can't say for sure. 99% of our users seem to be satisfied with usual HTTP-Redirect/POST bindings, but as we have Artifact Resolution profile exposed to web UI it should be supported out-of-the-box as well. Please let us know if you'll have any difficulties with it.

Could you please share with us the link that we can refer to in order to configure the "Artifact Resolution profile exposed to web UI"? Not sure if this step is the correct guide for "Artifact Resolution profile exposed to web UI": https://gluu.org/docs/ce/admin-guide/saml/

Appreciate your help!

P.S.: I accidentally closed the ticket, please assist to reopen it. Thanks.

By Aliaksandr Samuseu staff 30 Jan 2018 at 11:28 a.m. CST

I've opened the ticket again.

> Could you please share us the link that we can refer to, in order to configure the "Artifact Resolution profile exposed to web UI" ?

[This doc page](https://gluu.org/docs/ce/3.1.2/admin-guide/saml/#relying-party-configuration) covers profiles' tweaking briefly. You could try to just add the SAML2SSO and Artifact Resolution profiles with default properties to the list, and proceed to testing it (if outbound SAML is what you are after).

By cs chong user 31 Jan 2018 at 3:55 a.m. CST

Hi Aliaksandr Samuseu,

Thanks for the link. I'm now following the steps to set up the SAML IDP. Before that, I would like to set up a **Shibboleth SP** to generate the metadata for Gluu Server to import. I'm following the steps from [Guide_A](https://gluu.org/docs/ce/2.4.4/integration/saml-sp/) and [Guide_B](https://kb.wisc.edu/helpdesk/page.php?id=20454&no_frill=1). I couldn't find any RHEL7, so I chose CentOS_7 (referring back to Guide_B).

![enter image description here](https://i.imgur.com/mfSIlXn.png "enter image title here")

**Import Shibboleth security repo key**

```
wget http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo -O /etc/yum.repos.d/shibboleth.repo
```

**Shibboleth SP Installation**

```
[root@CSVM mnt]# yum -y install shibboleth.x86_64
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package shibboleth.x86_64 0:2.6.1-3.1 will be installed
--> Processing Dependency: xmltooling-schemas(x86-64) >= 1.6.0 for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: opensaml-schemas(x86-64) >= 2.6.0 for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libcurl-openssl(x86-64) >= 7.21.7 for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libxmltooling.so.7()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libxmltooling-lite.so.7()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libxml-security-c.so.17()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libxerces-c-3.1.so()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libsaml.so.9()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libodbc.so.2()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: libmemcached.so.11()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Processing Dependency: liblog4shib.so.1()(64bit) for package: shibboleth-2.6.1-3.1.x86_64
--> Running transaction check
---> Package libcurl-openssl.x86_64 0:7.57.0-1.1 will be installed
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: libcurl-openssl-7.57.0-1.1.x86_64
---> Package liblog4shib1.x86_64 0:1.0.9-3.2 will be installed
---> Package libmemcached.x86_64 0:1.0.16-5.el7 will be installed
---> Package libsaml9.x86_64 0:2.6.1-3.1 will be installed
---> Package libxml-security-c17.x86_64 0:1.7.3-3.2 will be installed
---> Package libxmltooling7.x86_64 0:1.6.3-3.1 will be installed
---> Package opensaml-schemas.x86_64 0:2.6.1-3.1 will be installed
---> Package unixODBC.x86_64 0:2.3.1-11.el7 will be installed
---> Package xerces-c.x86_64 0:3.1.1-8.el7_2 will be installed
---> Package xmltooling-schemas.x86_64 0:1.6.3-3.1 will be installed
--> Finished Dependency Resolution
Error: Package: libcurl-openssl-7.57.0-1.1.x86_64 (security_shibboleth)
           Requires: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
```

I encountered a missing dependency error message:

```
Error: Package: libcurl-openssl-7.57.0-1.1.x86_64 (security_shibboleth)
           Requires: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
```

Then when I try to list the available dependencies by using this command,

```
rpm -q --provides openssl-libs | grep libcrypto.so.*
```

I didn't see libcrypto.so.10(OPENSSL_1.0.**_2_**)(64bit) displayed in the CMD output.

![enter image description here](https://i.imgur.com/mwFk0Wi.png "enter image title here")

I did some research on Google and I didn't find any related information. Do you remember anybody asking such a question before?

My company would like to know more about the Gluu support model and understand if Gluu server could meet our requirements. Do you have any support/sales email that we can send the enquiries to directly? Thanks.

By Aliaksandr Samuseu staff 31 Jan 2018 at 7:01 a.m. CST

Hi, Chong. We can't provide support for non-Gluu related packages for our community (free) users, which includes Shibboleth SP installation. There is plenty of documentation on Shibboleth, though, and dedicated resources where you can find help as well. I don't recall any recent questions like this, unfortunately.

> My company would like to know more on Gluu support model and understand if Gluu server could meet our requirements, do you have any support/sales email that we can send the enquires directly?

You can use `sales@gluu.org` for enquiries. There is also an option to [book a call](https://www.gluu.org/booking/) if you would like to discuss it in person.

By cs chong user 07 Feb 2018 at 6:58 p.m. CST

Thanks Aliaksandr. Does Gluu support external IDP-initiated login?

By Aliaksandr Samuseu staff 07 Feb 2018 at 8:17 p.m. CST

For the scenario where Gluu serves as SAML IDP (outbound SAML) it's possible. But for inbound SAML with Passport it isn't. Passport flows work in tandem with oxAuth and a custom auth script; oxAuth creates a certain context/session without which it doesn't make sense. When you simply send a SAML response to Passport's SP, there is no prepared session context at oxAuth to handle it. That's also not something that can be easily implemented, as Passport functions rather independently, as a separate component.

By cs chong user 07 Feb 2018 at 9:21 p.m. CST

Sorry, I'm confused. How about when a user logs in to an external IDP, then once the user is authenticated, the **external IDP will send the SAML artifact to Gluu** via HTTPS (assuming all the pre-configuration is set up correctly in the external IDP). Gluu will use a backend API call to the external IDP to verify the SAML artifact and retrieve the SAML assertion. In my case, Gluu serves as an SP to provide consent only.

By Aliaksandr Samuseu staff 08 Feb 2018 at 10:03 a.m. CST

I thought you meant [something like this](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO). It seems I was right, though; it's the same thing. No, in the case when "Gluu serves as a SP" (inbound SAML) it's not supported, for the exact reasons I mentioned before - SAML, both inbound and outbound, is handled by 3rd-party components of the Gluu package. They won't know what to do with a SAML message suddenly dropped onto them. In supported flows it works because those are initiated by oxAuth (Gluu's central component) and the environment is prepared to receive an answer.