By: Rhett Prichard user 02 Aug 2021 at 11:47 a.m. CDT

3 Responses
I need to be able to send both my email address backed by o365 and by gmail for different SPs, as some tie in with o365 and some tie in with google. According to the shib docs, this should work, but with this file as it is, Gluu is not sending any nameID at all, not just a blank value, but no key for it either... Any ideas what might be wrong with this file?

```
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

#set($grouped= {} )
#if( $resovlerParams.size() > 0 )
    #foreach( $nameIdConfig in $resovlerParams.configs )
        #set ($valid = true)
        #if ($grouped[$nameIdConfig.nameIdType])
            #set($grouped[$nameIdConfig.nameIdType] = $grouped[$nameIdConfig.nameIdType] + ", '" + $nameIdConfig.sourceAttribute + "'")
        #else
            #set($grouped[$nameIdConfig.nameIdType] = "'" + $nameIdConfig.sourceAttribute + "'")
        #end
    #end
#end

    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
#foreach($nameIdType in $grouped.keySet())
    #if ($nameIdType == "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
        <bean parent="shibboleth.SAML2PersistentGenerator"
              p:attributeSourceIds="#{ {$grouped[$nameIdType]} }"/>
    #elseif ($nameIdType == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:omitQualifiers="true"
              p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
              p:attributeSourceIds="#{ {'gmailaddress2'} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://google.com/a/edtools.psd401.net" />
            </property>
        </bean>
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:omitQualifiers="true"
              p:format="$nameIdType"
              p:attributeSourceIds="#{ {$grouped[$nameIdType]} }">
            <property name="activationCondition">
                <bean parent="shibboleth.Conditions.NOT">
                    <constructor-arg>
                        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="google.com/a/edtools.psd401.net" />
                    </constructor-arg>
                </bean>
            </property>
        </bean>
    #else
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
              p:omitQualifiers="true"
              p:format="$nameIdType"
              p:attributeSourceIds="#{ {$grouped[$nameIdType]} }"/>
    #end
#end
    </util:list>

    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />
    </util:list>
</beans>
```
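An added example, not part of the thread or of Gluu's own templates: a small Python check that reads a rendered NameID generator file, lists each generator's format and `RelyingPartyId` candidate, and reports negated candidates that no positive condition of the same format names exactly. It relies on `RelyingPartyId` matching entityIDs as exact strings; the sample XML is constructed from the email branch of the template above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

B = "{http://www.springframework.org/schema/beans}"
U = "{http://www.springframework.org/schema/util}"
P = "{http://www.springframework.org/schema/p}"
C = "{http://www.springframework.org/schema/c}"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RP, NOT = "shibboleth.Conditions.RelyingPartyId", "shibboleth.Conditions.NOT"

# Constructed sample: emailAddress branch of the posted template as it could look
# after Velocity rendering, trimmed to the attributes this check reads.
RENDERED = f"""<beans xmlns="{B[1:-1]}" xmlns:util="{U[1:-1]}"
    xmlns:p="{P[1:-1]}" xmlns:c="{C[1:-1]}">
<util:list id="shibboleth.SAML2NameIDGenerators">
  <ref bean="shibboleth.SAML2TransientGenerator"/>
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="{EMAIL}">
    <property name="activationCondition">
      <bean parent="{RP}" c:candidate="https://google.com/a/edtools.psd401.net"/>
    </property>
  </bean>
  <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="{EMAIL}">
    <property name="activationCondition">
      <bean parent="{NOT}"><constructor-arg>
        <bean parent="{RP}" c:candidate="google.com/a/edtools.psd401.net"/>
      </constructor-arg></bean>
    </property>
  </bean>
</util:list></beans>"""

def generators(xml_text):
    """(format, negated, candidate) for each bean in shibboleth.SAML2NameIDGenerators."""
    rows = []
    for lst in ET.fromstring(xml_text).iter(U + "list"):
        if lst.get("id") != "shibboleth.SAML2NameIDGenerators":
            continue
        for gen in lst.findall(B + "bean"):  # <ref> entries carry no condition
            cond = gen.find(B + "property[@name='activationCondition']")
            inner = [] if cond is None else list(cond.iter(B + "bean"))
            rp = next((b for b in inner if b.get("parent") == RP), None)
            negated = any(b.get("parent") == NOT for b in inner)
            rows.append((gen.get(P + "format"), negated,
                         None if rp is None else rp.get(C + "candidate")))
    return rows

def unmatched_exclusions(rows):
    """Negated candidates that no positive condition of the same format names exactly."""
    positive = {(f, c) for f, neg, c in rows if c and not neg}
    return [(f, c) for f, neg, c in rows if c and neg and (f, c) not in positive]
```

Calling `unmatched_exclusions(generators(RENDERED))` returns one entry for the sample, because the negated candidate lacks the `https://` prefix that the positive candidate has.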

By Aliaksandr Samuseu staff 17 Aug 2021 at 1:04 p.m. CDT

Hi, Rhett. Apparently, there was an issue with notifications about new tickets, so some of them were missed. Let us know if you still need help with this one.

By Rhett Prichard user 18 Aug 2021 at 12:42 p.m. CDT

I think a different answer that told me to look at the idp-warn.log actually helped tell me why this was not working. I still seem to be having an issue with identity not restarting 100% of the time, but I'm wondering if there might be a timeout on how long Velocity can take to process the xml.vm files, as mine are getting pretty large.

By Aliaksandr Samuseu staff 25 Aug 2021 at 5:10 a.m. CDT

>i think a different answer that told me to look at the idp-warn.log actually helped tell me what this was not workin

Ok, glad to hear.

>I still seem to be having an issue with identity not restarting 100% of the time

How do you verify it didn't restart? Or do you mean you see a service error when doing "service identity restart"? It sometimes happens that a restart just takes too much time and a timeout is reached, so an error pops up telling you it didn't restart - but actually, if you wait a couple of minutes more, the service will come back online. This usually happens when there are not enough resources on the machine (insufficient memory allocations for Gluu's JVMs, low CPU quotas, etc.). You can modify JVM memory allocations in `/etc/default/identity` for oxTrust (there are config files for oxauth and other services as well).

Anyway, I think it should go in a separate ticket, so please create one if you feel it's worth it. Also, you are using 4.1.1 it seems, while 4.2.3 is the most recent one, and 4.3 is about to be released - so maybe just try an upgrade, or install the newest one and see how it goes there.