So here is the errors I noticed at different steps when configuring ADFS as TR. At xml metadata import : 2018-07-17 10:54:53,571 ERROR [qtp1744347043-19] [apache.velocity.runtime.parser.node.ASTComparisonNode] (ASTComparisonNode.java:100) - Left side ($trustParams.trustEntityIds.get($trustRelationship.inum).size()) of comparison operation has null value at attribute-filter.xml.vm[line 8, column 93] At validation success : 2018-07-17 10:56:39,551 ERROR [ForkJoinPool.commonPool-worker-0] [org.gluu.oxtrust.ldap.service.Shibboleth3ConfService] (Shibboleth3ConfService.java:1002) - Failed to parse metadata file '/opt/shibboleth-idp/metadata/FD16D9638492692800027B8A43BE0006ABBC371E-sp-metadata.xml' org.xml.sax.SAXParseException: Content is not allowed in prolog. at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257) ~[?:1.8.0_162] at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339) ~[?:1.8.0_162] at org.xdi.service.XmlService.getXmlDocument(XmlService.java:192) ~[oxcore-service-3.1.3.Final.jar:?] at org.gluu.oxtrust.ldap.service.Shibboleth3ConfService.isFederationMetadata(Shibboleth3ConfService.java:1000) [classes/:?] at org.gluu.oxtrust.ldap.service.Shibboleth3ConfService.isFederation(Shibboleth3ConfService.java:1519) [classes/:?] at org.gluu.oxtrust.ldap.service.MetadataValidationTimer.validateMetadata(MetadataValidationTimer.java:205) [classes/:?] at org.gluu.oxtrust.ldap.service.MetadataValidationTimer.procesMetadataValidation(MetadataValidationTimer.java:113) [classes/:?] at org.gluu.oxtrust.ldap.service.MetadataValidationTimer.processMetadataValidationTimerEvent(MetadataValidationTimer.java:103) [classes/:?] at org.gluu.oxtrust.ldap.service.MetadataValidationTimer$Proxy$_$$_WeldSubclass.processMetadataValidationTimerEvent$$super(Unknown Source) [classes/:?] at sun.reflect.GeneratedMethodAccessor366.invoke(Unknown Source) ~[?:?] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_162] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162] at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.0.1.Final.jar:3.0.1.Final] at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.0.1.Final.jar:3.0.1.Final] at org.xdi.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-3.1.3.Final.jar:?] at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_162] at java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1582) [?:1.8.0_162] at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289) [?:1.8.0_162] at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056) [?:1.8.0_162] at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692) [?:1.8.0_162] at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157) [?:1.8.0_162] On "Add person" : 2018-07-17 11:02:16,804 ERROR [qtp1744347043-19] [org.gluu.oxtrust.ldap.service.AttributeService] (AttributeService.java:558) - Failed to find attribute 'userPassword' metadata On "Add"(person) 2018-07-17 11:04:19,898 ERROR [qtp1744347043-19] [org.gluu.oxtrust.ldap.service.AttributeService] (AttributeService.java:558) - Failed to find attribute 'oxTrustEmail' metadata ------------------- I did not encountered this time, the EntityID exception.

Asimba is deprecated. You need to use Passport. One quick question, Gilles. Can you please share a flow how you want to achieve your SSO? I am little bit confused on your requirement so not exactly if you need Inbound or Outbound one.

I was just noticing that in my testing (non cluster) installation, Inbound/Outbound was not specified anymore in the menu. I think it's related to the fact of not installing Asimba as Mike asked. I published applications (https://formation.gesform.fr/ for example) through netscaler VIP associated with an AAA SAML authentification portal which redirect to our ADFS Cluster. On ADFS, if you choose ANFH logo, you can authenticate through Active Directory, if you choose "Etablissements", your mail is asked and according to the mail domain your are redirect to an external IdP. It's supposed to be the clients Idp for those who have one, and our (external to AD) for those who do not. For now, it's auth0.com, and it is working well. But to explore a less expansive solution, I try to make it work with Gluu. Which appear in testing for as "idp.anfh.fr" ont the first ADFS page. The problem is that even having reshaped adfs metadata, as soon as I import them in Gluu, I have a lot of errors in oxtrust.log with no explanation available. More, in Auth0, I had to adjust the following parameters and I can't find any help on how to do this on Gluu ... Specific settings on Addon: SAML2 Web App page in Auth0 ``` { "signatureAlgorithm": "rsa-sha256", "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" } ```

>> I was just noticing that in my testing (non cluster) installation, Inbound/Outbound was not specified anymore in the menu. I think it's related to the fact of not installing Asimba as Mike asked. you need to install 'Shibboleth' to get SAML related menu. We are supporting some Enterprise customers who has been using Asimba for some long time only. For others.. we request them to go with 'Passport'. >> The problem is that even having reshaped adfs metadata, as soon as I import them in Gluu, I have a lot of errors in oxtrust.log with no explanation available. I think it's better to concentrate on 'actual SSO' [ whichever happening in your browser ] rather than reading all logs which are being popped up in this Dev phase. I am still not clear if you need inbound or outbound though...

I need Outbound. Gluu as simple IdP. ADFS as Federation server for all IdP we have to deal with, including Gluu if possible.

Have you create a Relying Party Trust on ADFS for Gluu server?

No, I created a Claim provider trust, as I did for Auth0. As I said it appears on ADFS IdP selection page as "idp.anfh.fr".

Ok.. so if it's Outbound one ( sp --> ADFS --> Gluu Server --> ADFS --> sp ); then you just need to follow simple [Trust Relationship](https://gluu.org/docs/ce/3.1.3/admin-guide/saml/#create-a-trust-relationship) from Gluu Server side. Try to do SSO; see how that goes... check 'idp-process.log' from Gluu Server for failure. Move forward from there. You can check our Office365 doc for example, Gluu Server is connecting to ADFS there.

Web Login Service - Unsupported Request idp-process.log : 2018-07-18 16:45:24,096 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for http://sts.anfh.fr/adfs/services/trust in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol 2018-07-18 16:45:24,098 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID http://sts.anfh.fr/adfs/services/trust) 2018-07-18 16:45:24,100 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration

Office 365 documentation is Wrong When you read it you figure out that ADFS is IDP and Gluu the SP. Not the contrary.

>> When you read it you figure out that ADFS is IDP and Gluu the SP. Not the contrary. Negative. Authentication is happening in Gluu Server, not ADFS. >> Web Login Service - Unsupported Request Configure relying party as Thomas said. Search for such error in support portal... there should be some community tickets on such error.

For Office365 Doc : Negative. Claims come from ADFS not Gluu. Office 365 is connected with Gluu not with ADFS. You can see that the Trust Relationship configuration in Gluu is with O365 not ADFS. (I want the reverse thing) So Service Provider is Gluu and IDP is ADFS in Office 365 documentation. For my case, of course I have unsupported Request, I need Gluu in SHA256 and authentication in PasswordProtectedTransport !! Still don't know how to do that.

The documentation adressing my case is : https://gluu.org/docs/ce/admin-guide/saml/ But I don't understand the nameid customattribute part. And there are the parameters above, I don't kown where to set.

>> But I don't understand the nameid customattribute part. Which part you don't understand?