By: Edgar Woolley user 03 Mar 2022 at 12:25 p.m. CST

4 Responses
In a scenario where you have a Gluu production server with some SP integrations, you want to change the configuration of one of them to modify, for example, SSO behavior under the Configure Relying Party options. After modifying and updating the new configuration and restarting the IDP service, your SP trust relationship doesn't work:

```
/opt/shibboleth/logs
2022-03-03 17:49:39,681 - 121.128.55.137 WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:118] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration EntityNames[https://join.service.com/shibboleth,] (RPID https://join.service.com/shibboleth)
2022-03-03 17:49:39,687 - 10.128.64.152 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```

To roll back the issue, you need to disable the "Configure Relying Party" check, update the configuration and restart the IDP service, but Gluu Server continues using the Configure Relying Party internal configuration and your SP doesn't work with Gluu anymore.

To finally recover the SP trust relationship, go to the "Configure Relying Party" check under SAML->Trust Relationship for an SP, enable the "Configure Relying Party" check again, remove the internal RP configuration, disable the check, update the configuration and restart the service.

Expected BEHAVIOR: If you have disabled the "Configure Relying Party" check under SAML->Trust Relationship for an SP and update the configuration, then Gluu Server should not use the Configure Relying Party internal configuration. Am I right?

Thank you

By Mobarak Hosen Shakil staff 10 Mar 2022 at 2:36 a.m. CST

Can you please confirm that you have configured the TR properly? Is the IDP running? This issue can happen because of configuration.

> ```
> /opt/shibboleth/logs
> 2022-03-03 17:49:39,681 - 121.128.55.137 WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:118] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration EntityNames[https://join.service.com/shibboleth,] (RPID https://join.service.com/shibboleth)
> 2022-03-03 17:49:39,687 - 10.128.64.152 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
> ```

If you would like to read the docs, please visit [here](https://gluu.org/docs/gluu-server/4.3/admin-guide/saml/)

By Edgar Woolley user 10 Mar 2022 at 6:06 a.m. CST

Hi Mobarak,

Yes, I can confirm that I had the TR configured properly until I changed the TR configuration to an improper configuration to force my TR to break, which then results in:

```
/opt/shibboleth/logs
2022-03-03 17:49:39,681 - 121.128.55.137 WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:118] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration EntityNames[https://join.service.com/shibboleth,] (RPID https://join.service.com/shibboleth)
2022-03-03 17:49:39,687 - 10.128.64.152 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```

Well, right now I want to roll back my TR config with these admin usability steps:

1. Disable the "Configure Relying Party" check
2. Update the configuration
3. Restart the IDP service

Results: Gluu Server continues using the Configure Relying Party internal configuration and my TR is still broken.

Is this a normal situation? Because I finally recovered the SP trust relationship with these steps:

1. Go to "Configure Relying Party" and check the box to enable it again
2. Click "Configure Relying Party" and remove the internal RP configuration
3. Disable the check
4. Update the configuration
5. Restart the IDP service

I needed two additional steps (1, 2) when I should need 3 in total.

Do you understand? What do you think? Let me know.

Thank you,
Ed.

By Mobarak Hosen Shakil staff 10 Mar 2022 at 8:23 p.m. CST

Hi Edgar,

You must have `relying party config` enabled, otherwise it won't work. Please do the following things:

1. Deactivate the current TR and hit update
2. Create a new TR with proper `relying party config` configuration
3. Do a test to see whether SSO is working or not.

Let me know the update.

Thanks and Regards
~ Shakil

By Edgar Woolley user 14 Mar 2022 at 1:25 a.m. CDT

Hi Shakil,

Yes, I deactivated the old TR and created a new one, and it works. Thank you!
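
Added example, not part of the thread and not Gluu or Shibboleth code: a small Python check that scans IDP log text for the two warnings quoted above and reports which relying party (RPID) is missing which profile. The function name and the pairing heuristic (the next `InvalidProfileConfiguration` event is attributed to the preceding warning) are assumptions; the sample lines are the ones posted in this thread.

```python
import re
from collections import defaultdict

# Log lines as quoted in the thread (note the two slightly different prefixes).
SAMPLE_LOG = """\
2022-03-03 17:49:39,681 - 121.128.55.137 WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:118] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration EntityNames[https://join.service.com/shibboleth,] (RPID https://join.service.com/shibboleth)
2022-03-03 17:49:39,687 - 10.128.64.152 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
"""

# timestamp - client [-] LEVEL [logger:line] - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<ip>\S+)(?: -)? "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]:]+):\d+\] - (?P<msg>.*)$"
)
MISSING = re.compile(
    r"Profile (?P<profile>\S+) is not available for RP configuration "
    r".*\(RPID (?P<rpid>[^)]+)\)"
)

def find_missing_profiles(text):
    """Return {rpid: {"profiles", "first", "last", "rejected"}} for affected RPs."""
    report = defaultdict(
        lambda: {"profiles": set(), "first": None, "last": None, "rejected": 0})
    pending = None  # RPID of the latest warning not yet paired with an event
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # stack traces, wrapped lines, other layouts
        msg = line["msg"]
        hit = MISSING.search(msg)
        if hit:
            entry = report[hit["rpid"]]
            entry["profiles"].add(hit["profile"])
            entry["first"] = entry["first"] or line["ts"]
            entry["last"] = line["ts"]
            pending = hit["rpid"]
        elif msg.endswith("InvalidProfileConfiguration") and pending:
            # Heuristic (assumption): attribute the event to the preceding warning.
            report[pending]["rejected"] += 1
            pending = None
    return dict(report)

if __name__ == "__main__":
    for rpid, e in find_missing_profiles(SAMPLE_LOG).items():
        print(f"{rpid}: missing {sorted(e['profiles'])}, rejected={e['rejected']}, "
              f"{e['first']} .. {e['last']}")
```

Run against the log after each Update and IDP restart: an RPID that keeps appearing after "Configure Relying Party" was unchecked indicates the stored RP configuration is still being applied.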