By: Jay Kumar user 13 Mar 2018 at 6:26 a.m. CDT

17 Responses
Hi Gluu team, We have set up passport-saml-demo-app on our server where Gluu CE is installed. Everything worked successfully and our external IdP is showing on this demo application page. But when we click on the IdP link to initiate the authentication flow at the chosen remote external IdP, we get this error "login.errorSessionInvalidMessage" on the oxauth error page. Kindly look into the issue and suggest a solution for the same. Thank you.

By Thomas Gasmyr Mougang staff 13 Mar 2018 at 12:13 p.m. CDT

Hi **Jay**, Can you provide the link you have followed and also the error logs?

By Jay Kumar user 14 Mar 2018 at 5:35 a.m. CDT

Hi Thomas, After successful setup of Gluu CE on our Ubuntu server 16.04, we followed every step mentioned in the Inbound SAML using Passport.js documentation: https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/ . We also configured the demo app for testing the Passport-SAML authentication as per the test steps listed in this doc. It configured successfully and our external IdP is showing on this demo application page. But, as I mentioned earlier, the authentication process is failing at initiation. Please provide more details on which logs you are asking for and the path for the same. Thank you.

By Thomas Gasmyr Mougang staff 14 Mar 2018 at 9:36 a.m. CDT

Log files are located here: `/opt/gluu/jetty/oxauth/logs/oxauth.log` and `/opt/gluu/jetty/oxauth/logs/oxauth_script.log`. What external IDP are you using?

By Jay Kumar user 14 Mar 2018 at 10:05 a.m. CDT

Hi Thomas, Please find below the link to the archived log files as asked by you: [Logs File](https://dev-sso.taoconnect.org/uploads/logs.7z) Also, to answer your question, we are using JumpCloud as our external IdP and using its SAML 2.0 connector for trust integration. Kindly look into the issue and let us know if you require anything else from our side. Thank you!

By Thomas Gasmyr Mougang staff 20 Mar 2018 at 3:28 a.m. CDT

Hi **Jay**, The documentation has been updated as well as the demo application. You have to:

1. Clone the latest demo app's version.
2. Follow the updated documentation.

Thanks, Thomas Gasmyr

By Jay Kumar user 22 Mar 2018 at 5:46 a.m. CDT

Hi Thomas, Thanks for the update! The latest demo app appears to be working now and we are able to get to the selected external IdP's SSO authentication page. But after entering the valid user credentials of that directory we are now being redirected to our ACS URL page and it is showing "page not specified"; maybe the firewalls on our development server are causing this. We'll update the ticket after analysis. Thank you again!

By Thomas Gasmyr Mougang staff 22 Mar 2018 at 6:06 a.m. CDT

Hi Jay, Thank you for your feedback. Feel free to close the ticket when done. Thanks, Gasmyr.

By Jay Kumar user 23 Mar 2018 at 12:25 p.m. CDT

Hi Thomas, From the updated demo app, we initiated the SSO authentication at our chosen external IdP. We were redirected to the SSO authentication page of that external IdP and when we entered the correct user credentials from that IdP it redirected us to the passport-post-login page. So, as shown in the video for the demo Node.js application mentioned in the doc for Inbound SAML using passport.js, the email field should be auto-filled after the redirect, which is not happening in our case. After that, it should redirect to the localhost:3000/profile page and show the fetched data for that particular user. Just FYI, we analyzed both the oxauth and oxauth_script logs. In the oxauth_script logs for passport-saml, there are no errors/exceptions thrown. But in the oxauth.log file, it shows an INFO entry related to authentication which says: Authentication failed for 'null'. So, kindly suggest what we might be missing at this point. Thank you!

By Thomas Gasmyr Mougang staff 23 Mar 2018 at 2:40 p.m. CDT

Hi Jay, Make sure the client you have registered in your IDP is configured to release the email scope.
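To verify what the external IdP actually releases before the inbound flow hands a missing e-mail on to oxAuth, here is an added diagnostic (example code, not the Gluu demo app's or passport-saml's own) that pulls the e-mail attribute out of a SAML assertion and returns null when no known e-mail attribute is present; the list of attribute names and the sample assertions are assumptions constructed for the example.

```javascript
// Added diagnostic example (not the Gluu demo app's code): extract the e-mail
// attribute from a SAML assertion's AttributeStatement so a missing attribute
// is caught before the inbound flow hands a null e-mail to oxAuth.
// Assumption: the IdP releases e-mail under one of the names listed below.

const EMAIL_ATTRIBUTE_NAMES = [
  'email',
  'mail',
  'urn:oid:0.9.2342.19200300.100.1.3', // LDAP "mail" OID
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
];

// Collect Name -> [values] from every <Attribute> element, ignoring whichever
// namespace prefix the IdP uses (saml:, saml2:, or none). String matching is
// enough for a diagnostic; it does not validate the signature or the schema.
function samlAttributes(assertionXml) {
  const attrs = {};
  const attrRe = /<(?:\w+:)?Attribute\b([^>]*)>([\s\S]*?)<\/(?:\w+:)?Attribute>/g;
  const valueRe = /<(?:\w+:)?AttributeValue\b[^>]*>([\s\S]*?)<\/(?:\w+:)?AttributeValue>/g;
  let m;
  while ((m = attrRe.exec(assertionXml)) !== null) {
    const name = (/\bName="([^"]*)"/.exec(m[1]) || [])[1];
    if (!name) continue;
    const values = [];
    let v;
    while ((v = valueRe.exec(m[2])) !== null) values.push(v[1].trim());
    attrs[name] = values;
  }
  return attrs;
}

// Returns the released e-mail, or null when no known attribute carries one;
// null here is exactly what would surface as "Authentication failed for 'null'".
function releasedEmail(assertionXml) {
  const attrs = samlAttributes(assertionXml);
  for (const name of EMAIL_ATTRIBUTE_NAMES) {
    const values = attrs[name] || [];
    if (values.length && values[0].includes('@')) return values[0];
  }
  return null;
}

// Constructed sample assertions: one releasing "mail", one releasing only "uid".
const WITH_EMAIL = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>`;
const WITHOUT_EMAIL = WITH_EMAIL.replace('Name="mail"', 'Name="uid"').replace('alice@example.com', 'alice');

console.log(releasedEmail(WITH_EMAIL), releasedEmail(WITHOUT_EMAIL)); // alice@example.com null
```

Run it against the decoded `SAMLResponse` captured at the ACS endpoint; a null result means the IdP-side attribute release, not the OIDC client scope in Gluu, needs attention.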

By Jay Kumar user 26 Mar 2018 at 6:23 a.m. CDT

Hello Thomas, We have already added the email scope under our registered OIDC client for the Inbound SAML authentication process, please see the attached image for the same: [Link](https://dev-sso.taoconnect.org/uploads/openid-client.png). Can you please take a look to see if it is the right one you are mentioning, or whether there is something else that needs to be configured? Thank you!

By Thomas Gasmyr Mougang staff 26 Mar 2018 at 6:32 a.m. CDT

Yes, the `email` scope is released as expected. We need more information to figure out what is going on.

By Jay Kumar user 26 Mar 2018 at 6:35 a.m. CDT

Please let us know what information you might need to be able to look further.

By Thomas Gasmyr Mougang staff 27 Mar 2018 at 5 a.m. CDT

Hi **Jay**, This seems to be a session issue. Test with another browser or clear browser cookies and test again. Let us know if that fixes the problem.

By Jay Kumar user 27 Mar 2018 at 9:53 a.m. CDT

Hi Thomas, We cleared all the cache and cookies of our browsers and retested the authentication on both Firefox and Chrome, and we are still getting this issue. Considering the session issue you mentioned, we also tried the private/incognito mode on these browsers but faced the same issue. Kindly suggest what else we should look for, as it does not seem to be a session problem. Thank you!

By Thomas Gasmyr Mougang staff 29 Mar 2018 at 3:18 a.m. CDT

Hi **Jay**, Any progress on your side? I'm going through the documentation again to see if I can reproduce the problem. I will let you know when done. Thanks, Gasmyr

By Thomas Gasmyr Mougang staff 29 Mar 2018 at 5:48 a.m. CDT

Hi, I am not able to reproduce your issue. We suggest you make sure all steps mentioned in the documentation have been followed, or maybe go through these steps once more. Thanks, Gasmyr

By Thomas Gasmyr Mougang staff 02 Apr 2018 at 12:18 a.m. CDT

Hi **Jay**, We are about to close this ticket due to inactivity.