By: mohamed abdelrazek user 22 Feb 2022 at 10:04 p.m. CST

First, I have a question: when I use Gluu as SAML IDP, add users to Gluu for authentication, and configure the SP and IDP side with the metadata, what is the authentication flow? I assume that users will go to the SP, which will redirect them to Gluu, and Gluu should check the users DB to verify the user, then trigger a page where the user enters their username and password, then redirect back to the SP. Can Gluu do this with only SAML configuration, or do I need some other component?

In my actual setup, when I use my personal email, Gluu shows in idp-process.log that the assertion is done for the admin user:

```xml
<saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">admin@ec2-54-147-178-181.compute-1.amazonaws.com</saml2:AttributeValue>
```

Why does Gluu not use the email I used for login, and instead use the admin user?
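The quickest way to confirm what the thread's log fragment shows (the IdP asserting `uid=admin` regardless of the address typed at the SP) is to read the attributes out of the logged assertion and compare them with the expected login. The script below is an added example, not Gluu's or Shibboleth's code: it wraps the two attributes quoted above in a constructed `<saml2:Assertion>` so that the fragment parses, extracts every `saml2:Attribute`, and reports whether the asserted `mail` value matches the identity the user actually entered.

```python
"""Check which subject a logged SAML 2.0 assertion actually carries.

Added example (not part of the original post, not Gluu/Shibboleth code).
Use it on the <saml2:AttributeStatement> copied from idp-process.log to
see whether the IdP asserted the user who logged in or somebody else.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: the two attributes quoted in the thread, wrapped in the
# enclosing Assertion/AttributeStatement elements so the fragment parses.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">admin</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xsd:string">admin@ec2-54-147-178-181.compute-1.amazonaws.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def attributes_from_assertion(xml_text):
    """Return {FriendlyName (or Name): [values, ...]} for every asserted attribute."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        # Fall back to the OID-style Name when the IdP omits FriendlyName.
        key = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(key, []).extend(values)
    return attrs


def asserted_identity_matches(xml_text, expected_login):
    """True only if the assertion's mail attribute equals the identity typed at the SP."""
    mails = attributes_from_assertion(xml_text).get("mail", [])
    return expected_login.lower() in (m.lower() for m in mails)


def diagnose(xml_text, expected_login):
    """Human-readable verdict for a support ticket: who was asserted vs. who logged in."""
    attrs = attributes_from_assertion(xml_text)
    verdict = "MATCH" if asserted_identity_matches(xml_text, expected_login) else "MISMATCH"
    return (f"{verdict}: SP login={expected_login!r}, asserted uid={attrs.get('uid')}, "
            f"asserted mail={attrs.get('mail')}")


if __name__ == "__main__":
    # The address from the thread; the sample assertion names the admin user instead.
    print(diagnose(SAMPLE_ASSERTION, "engmohamedlink@hotmail.com"))
```

Paste the `<saml2:AttributeStatement>` from your own `idp-process.log` in place of the constructed sample; a `MISMATCH` verdict means the IdP resolved the session to a different user than the one who authenticated, which is the symptom discussed in this thread.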

By Mohib Zico staff 22 Feb 2022 at 10:38 p.m. CST

>> I assume that users will go the SP which will redirect them to gluu, and gluu should check the users DB to verify the user, then trigger a page where the user enter their username and password, then redirect back to the SP ..

SP 'login button' --> Gluu Server authentication page --> User authenticates --> Gluu checks user information and credential validity along with SP configuration --> send back to SP --> Logged in SP.

>> In my actual setup, when i use my personal email, Gluu shows in idp-process.log, that the assertion is done for the admin user

Maybe your email address is linked with the admin user somehow? We would answer best if you can share a recorded screencast with:

- SSO flow ( SP --> IDP login --> SP ) in one browser.
- Log tailing ( idp-process.log ) in terminal.

By mohamed abdelrazek user 23 Feb 2022 at 12:11 a.m. CST

Hi

Gluu Server: https://ec2-54-147-178-181.compute-1.amazonaws.com

Trust Relationship (attached)
Users (attached)
SP side (attached)

Behaviour:

1- When I first install the server:
   - open app.thousandeyes.com/login/sso
   - put email engmohamedlink@hotmail.com
   - SAML negotiation happens
   - redirect back to app.thousandeyes.com/login
   idp log 1 file attached

2- After many login trials:
   - open app.thousandeyes.com/login/sso
   - put email engmohamedlink@hotmail.com
   - SAML negotiation happens
   - redirect back to the page with error "Sorry, it looks like there is a problem finding your session. This can happen if you waited too long on the login page, or if you were redirected to a different server that issued the original request. This error usually goes away if you try accessing your desired application again."
   idp log 2 file

Attachments: https://cisco.box.com/s/b9y99lnzjg319h3696hjs91hqim37r74

By mohamed abdelrazek user 23 Feb 2022 at 1:05 a.m. CST

https://cisco.box.com/s/b9y99lnzjg319h3696hjs91hqim37r74

By mohamed abdelrazek user 23 Feb 2022 at 4:48 p.m. CST

Whatever email address I use for login, Gluu always uses the admin user.

By mohamed abdelrazek user 28 Feb 2022 at 1:02 a.m. CST

@Mohib.Zico What can I do to have a session to integrate Gluu with my SP for SAML SSO login?

By Mohib Zico staff 28 Feb 2022 at 7:40 a.m. CST

Hello Mohamed, thanks for the logs and screenshots. Can you please share a recorded screencast of when the problem is appearing for you? I am trying to connect the dots.

By mohamed abdelrazek user 28 Feb 2022 at 6:53 p.m. CST

@Mohib.Zico I can explain the problem (don't know what a screencast is):

1- I configure SAML in Gluu.
2- I configure SAML in the SP.
3- Try to login from the client; at first, a redirect to the Gluu login page occurs, and I put username/password for the user I am trying to authenticate.
4- Authentication fails and I am redirected to the SP failed login page again.
5- Trying to re-login from the client, no Gluu login page shows, and I am redirected to the SP failed login page.

Note: I used Okta SAML and it works with my SP.

I would like to have a session to set up this integration with you or one of your team to make this integration work.

By Mohib Zico staff 28 Feb 2022 at 9:22 p.m. CST

>> @Mohib.Zico I can explain the problem ( dont know what is screencast)

"Screencast" is recording what you are doing on your screen. Here is software you can use: https://support.apple.com/en-us/HT208721

>> I would like to have a session to setup this integration with you or one of your team to make this integration works

Troubleshooting session / meeting is only for Gluu customers.

>> 3- Try to login from the client, and at first, a redirect to gluu login page occurs, and i put username/password for the user i am trying to authenticate

Something is messed up in your Gluu configuration.

>> 5- trying to re-login from the client, no gluu login page shows

Because a session is already there, which is just passing that info from Gluu. That's why I am interested to see the recorded screencast, and based on that I'll ask for new logs etc.

By mohamed abdelrazek user 28 Feb 2022 at 11:17 p.m. CST

@Mohib.Zico Here is the link for the screencast of the behaviour + SP metadata + Gluu metadata + idp debug log: https://cisco.box.com/s/dzmzjng3ckmdhdfymjjh0af104q3xh55

By Mohib Zico staff 01 Mar 2022 at 8:26 a.m. CST

Thanks.

>> Try to login from the client, and at first, a redirect to gluu login page occurs, and i put username/password for the user i am trying to authenticate

You are getting the login prompt because there is no active session. So that's okay.

>> authentication fails and i am redirected to SP failed login page again

Please resend me the log files of this specific timing (it's better to send that specific attempt's log) from `idp-process.log` and `oxauth.log`. Also record the HAR file from this event and send that to me.

>> trying to re-login from the client, no gluu login page shows, and i am redirected to SP failed login page

That makes sense, because you are trying in the same window/same browser 'again', so there is already an active session. So re-trying won't work until and unless you hit "logout" to kill the session.

By mohamed abdelrazek user 01 Mar 2022 at 5:10 p.m. CST

@Mohib.Zico Here is the link for the idp-process.log + oxauth.log + HAR file: https://cisco.box.com/s/06nwap8mi53dd49xx2eukk116ebe83o0

By Mohib Zico staff 01 Mar 2022 at 8:23 p.m. CST

- HAR file: doesn't have any information about your Gluu Server.
- Log files you attached: it's the combination of both Shibboleth and oxauth. (I am not exactly sure if you are sending different logs from the same time frame or not.)

Please note that we are working on the "specific SP problem of yours" in community support, so the easier you can make things for us, the faster you will get a support response. Community support does not have any SLA.

I would do next:

- Open two terminals:
  - Start tailing idp-process.log in one terminal.
  - Start tailing oxauth.log in another terminal.
- Enable the network analyzer in the web browser and start doing your job in the browser.
- Just send "exactly" what you are getting in the logs from both terminals + HAR files.

By mohamed abdelrazek user 01 Mar 2022 at 8:41 p.m. CST

@Mohib.Zico Thanks for helping me with this issue. I did exactly what you asked for, and here are the files: https://cisco.box.com/s/y41nsm2pnuclihgdw5n4yy3j05iicjg4

By mohamed abdelrazek user 01 Mar 2022 at 11:21 p.m. CST

I also added in this folder a HAR from the Okta integration with my SP, which is working, just to compare the two HARs and know what we need to edit in Gluu to work successfully.

By mohamed abdelrazek user 06 Mar 2022 at 10:48 p.m. CST

@Mohib.Zico I am just checking if you have any update on my issue.

By Mohib Zico staff 07 Mar 2022 at 12:16 a.m. CST

I heard from Davin that you are actively working on deploying Gluu for your customers, so I would like to test this ThousandEyes SP with my Gluu Server by myself. Is it possible for you to connect my Gluu Server with your ThousandEyes SP and create a test user for me there in ThousandEyes?

By mohamed abdelrazek user 07 Mar 2022 at 12:18 a.m. CST

@Mohib.Zico Sure, send me your email and I will send you an activation email to activate your account in my test organization, and you can change the SSO setting of this account.

By Mohib Zico staff 07 Mar 2022 at 12:24 a.m. CST

Thanks. My email address is: `mohib@gluu.org`

By Mohib Zico staff 07 Mar 2022 at 12:38 a.m. CST

Seems like something is off there....

- I got your activation link. Activated it.
- It asked for a new username and password. Did that.
- I went to the Sign In page. Failed to login with my newly created profile. (In the meantime, I got a "password changed" email in my inbox, which I didn't initiate.)
- As I am unable to login, I tried to use the "Forgot password" link, but I haven't got any password reset link in my inbox.

By mohamed abdelrazek user 07 Mar 2022 at 12:42 a.m. CST

I have sent you a password reset email; can you click the link and set your password?

By Mohib Zico staff 07 Mar 2022 at 6:53 a.m. CST

Thanks. I reset my password okay, but I can't login now. What's the username? I tried "mohib@gluu.org", "mohib", "Mohib", "Zico", "Mohib Zico" with that new password. Nothing is working. Screenshot attached.

By mohamed abdelrazek user 07 Mar 2022 at 4:30 p.m. CST

Are you trying to access using SSO via this link? app.thousandeyes.com/login/sso

You can use this link: app.thousandeyes.com/login

By Mohib Zico staff 07 Mar 2022 at 9:20 p.m. CST

>> app.thousandeyes.com/login

That worked. Thanks.

By Mohib Zico staff 08 Mar 2022 at 9:21 a.m. CST

Ok, here is my situation, attached. I will write a doc and share it with you.

By mohamed abdelrazek user 08 Mar 2022 at 4:06 p.m. CST

Great, it worked. Thank you so much. I am waiting for your doc listing the steps that made the integration successful.

By Mohib Zico staff 08 Mar 2022 at 8:55 p.m. CST

Here it is: https://www.gluu.org/docs/gluu-server/4.3/integration/saas/thousandeyes/

By mohamed abdelrazek user 10 Mar 2022 at 3:04 a.m. CST

Hi, I am waiting for the doc to test on my Gluu server.

By Mohib Zico staff 10 Mar 2022 at 3:55 a.m. CST

>> Hi, I am waiting for the doc to test on my Gluu server

Check just one comment above your last comment.

By mohamed abdelrazek user 10 Mar 2022 at 5:38 p.m. CST

@Mohib.Zico Thanks so much for this. Login is working for me, but logout does not work; it always shows HTTP 400 "Your browser sent a request that this server could not understand".

By Mohib Zico staff 10 Mar 2022 at 7:12 p.m. CST

Please try to configure SAML Logout this way: https://www.gluu.org/docs/gluu-server/4.3/operation/logout/#saml-logout

By mohamed abdelrazek user 10 Mar 2022 at 7:22 p.m. CST

When I use this logout URL, log out from ThousandEyes, then click Logout Globally, then try to login again, I see this message:

```json
{ "error_description": "The provided id token (or access token) or session state are invalid or were issued to another client.", "error": "invalid_grant_and_session" }
```

Is this normal?

By Mohib Zico staff 22 Mar 2022 at 11:09 a.m. CDT

>> click Logout Globaly, then try to login again i see this message "{ "error_description": "The provided id token (or access token) or session state are invalid or were issued to another client.", "error": "invalid_grant_and_session" }"

Yes, normal.

- You logged out. Session killed.
- You are trying to login in the same window of the same browser.
- So, no session.