By: Nikita Share user 07 Dec 2022 at 8:09 a.m. CST

12 Responses
Hello! At the moment we are setting up SAML authentication in GitLab (SP) using Gluu (IdP). A TR has been configured between GitLab and Gluu. For the Gluu IdP settings we used the official documentation. This manual was used to set up the [GitLab SP](https://docs.gitlab.com/ee/integration/saml.html). GitLab is currently sending the request below:

```xml
<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    AssertionConsumerServiceURL="https://gitlab.example.com:8443/users/auth/saml/callback"
                    Destination="https://gluu.test.com/idp/profile/SAML2/Redirect/SSO"
                    ID="_26f953a2-c631-468f-8a21-c70233689dc8"
                    IssueInstant="2022-12-07T09:43:57Z"
                    Version="2.0">
  <saml:Issuer>https://gitlab.example.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></samlp:NameIDPolicy>
</samlp:AuthnRequest>
```

and we get this response:

```xml
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://gitlab.example.com:8443/users/auth/saml/callback"
                 ID="_b83e3c2c8c96a03871d608035c536d45"
                 InResponseTo="_26f953a2-c631-468f-8a21-c70233689dc8"
                 IssueInstant="2022-12-07T09:44:00.927Z"
                 Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://gluu.test.com/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
      <ds:Reference URI="#_b83e3c2c8c96a03871d608035c536d45">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>********</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>********</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>********</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"></saml2p:StatusCode>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>
```

Apparently we are doing something wrong. It looks like we missed most of the guide. Please help if you find the time.

gitlab.rb:

```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "saml",
    "label" => "SSO Gluu",
    "args" => {
      "assertion_consumer_service_url": "https://gitlab.example.com:8443/users/auth/saml/callback",
      "idp_cert_fingerprint": "11:D0:B6:A9:A5:AA:65:5C:41:EC:5C:3D:27:70:C8:27:A9:CF:D5:0B",
      #"idp_sso_target_url": "https://gluu.test.com/idp/shibboleth",
      "idp_sso_target_url": "https://gluu.test.com/idp/profile/SAML2/Redirect/SSO",
      "issuer": "https://gitlab.example.com",
      "name_identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "attribute_statements": { email: ['emailAddress'] }
    }
  }
]
```

and saml-nameid.xml:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <ref bean="shibboleth.SAML2PersistentGenerator" />
    <!-- emailAddress NameID sourced from the resolved 'email' attribute -->
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'email'} }" />
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
  </util:list>

  <util:list id="shibboleth.SAML1NameIdentifierGenerators">
    <ref bean="shibboleth.SAML1TransientGenerator" />
    <ref bean="shibboleth.SAML1PersistentGenerator" />
    <!-- this list takes SAML1 generators only -->
    <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          p:attributeSourceIds="#{ {'email'} }" />
  </util:list>
</beans>
```

By Michael Schwartz Account Admin 20 Dec 2022 at 11:02 a.m. CST

@Mobarak Hosen.Shakil can you take a look?

By Mobarak Hosen Shakil staff 20 Dec 2022 at 4:40 p.m. CST

Hi, Nikita! Yes, it seems there are some issues with the configuration. It is clearly indicating an invalid `name-id`:

```xml
<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"></saml2p:StatusCode>
  </saml2p:StatusCode>
  <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
```

Please share the following so we can understand the issue:

- TR config
- SP metadata
- `idp-process.log`

Let's look at what's happening in the log first.

By Nikita Share user 23 Dec 2022 at 8:08 a.m. CST

Hi everyone, thank you for the reply. TR (screenshots) and idp-process.log (only 3 messages): https://drive.google.com/drive/folders/1K4EmMpBSl8VGhB0ENOu85HM-itnvl2Dr?usp=sharing

SP metadata:

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_8b86150a-aa2d-4e9b-a5f2-49ed903b4073"
                     entityID="https://gitlab.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://gitlab.example.com:8443/users/auth/saml/callback"
                                 index="0" isDefault="true"/>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Email address" Name="email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="Full name" Name="name"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="Given name" Name="first_name"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="Family name" Name="last_name"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

By Mobarak Hosen Shakil staff 26 Dec 2022 at 10:44 p.m. CST

Hi, Nikita! Can you please try to use

```xml
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
```

in the SP metadata config?

## For `relying-party config`:

In **Gluu Server**, make sure that you have marked these:

```
includeAttributeStatement
Support Unspecified NameIdFormat?
```

**In selected name-id format, choose these two formats**:

```
SAML:2.0:nameid-format:transient
SAML:1.1:nameid-format:unspecified
```

**In release-attributes**: make sure that you have released these attributes from the TR config, as required by the SP metadata.

```xml
<md:AttributeConsumingService index="1" isDefault="true">
  <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
  <md:RequestedAttribute FriendlyName="Email address" Name="email"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
  <md:RequestedAttribute FriendlyName="Full name" Name="name"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
  <md:RequestedAttribute FriendlyName="Given name" Name="first_name"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
  <md:RequestedAttribute FriendlyName="Family name" Name="last_name"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
</md:AttributeConsumingService>
```

Regards ~ Shakil

By Nikita Share user 28 Dec 2022 at 2:04 a.m. CST

Thank you Shakil! The SSO button redirects me, but now I get this warning:

```
2022-12-28 07:25:50.027 [ WARN] : org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler: SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule
```

And the login page looks like this: https://ibb.co/1r713YM

I think that means I have no metadata for some side. Maybe I'm doing something wrong? gitlab.rb now:

```ruby
"assertion_consumer_service_url": "https://gitlab.example.com:8443/users/auth/saml/callback",
"idp_cert_fingerprint": "<---HIDE--->",
#"idp_sso_target_url": "https://gluu.example.com/idp/shibboleth",
"idp_sso_target_url": "https://gluu.example.com/idp/profile/SAML2/Redirect/SSO",
"issuer": "https://gitlab.example.com",
# "name_identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"name_identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
# both mappings belong in one hash: a Ruby hash literal keeps only the last of
# two identical keys, so two separate "attribute_statements" entries would drop email
"attribute_statements": { email: ['emailAddress'], name: ['Username'] }
```

and TR release attributes: https://ibb.co/mbNKTnX

By Mobarak Hosen Shakil staff 28 Dec 2022 at 11:03 p.m. CST

Can you please share the `idp-process.log` again?

By Nikita Share user 30 Dec 2022 at 12:27 a.m. CST

The message I sent is the only one that appears in the idp-process log:

```
2022-12-28 07:25:50.027 [ WARN] : org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler: SAMLPeerContext did not contain either a SAMLMetadataContext or a RoleDescriptor, unable to evaluate rule
```

and a 422 code in the browser.
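As an added example that is not part of the thread and not GitLab's or Gluu's code: the script below takes the three documents posted above (the GitLab AuthnRequest and the Gluu Response from the first post, and the SP metadata from 23 Dec), embedded as trimmed constructed copies, and cross-checks them the way the 26 Dec reply does by hand. It walks the nested `StatusCode` chain to pull `InvalidNameIDPolicy` out from under `Requester`, compares the NameID format the request asks for with the set of formats the IdP is configured to issue (`IDP_NAMEID_FORMATS` is an assumption standing in for the TR name-id selection recommended in that reply), confirms that the request `Issuer` equals the metadata `entityID`, which is what the IdP needs in order to hold metadata and a RoleDescriptor for the peer, and reports the SP's `AuthnRequestsSigned`/`WantAssertionsSigned` flags, both `false` in the posted metadata.

```python
"""Cross-check a failed SAML2 SSO exchange: AuthnRequest, Response, SP metadata.

Added example; not code from GitLab, Gluu or this thread. The XML constants are
trimmed, constructed copies of the documents posted in the thread (signature,
certificate and AttributeConsumingService omitted; they play no part here).
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_26f953a2-c631-468f-8a21-c70233689dc8"
  Destination="https://gluu.test.com/idp/profile/SAML2/Redirect/SSO" Version="2.0">
  <saml:Issuer>https://gitlab.example.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""

RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_b83e3c2c8c96a03871d608035c536d45" InResponseTo="_26f953a2-c631-468f-8a21-c70233689dc8" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://gluu.test.com/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://gitlab.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://gitlab.example.com:8443/users/auth/saml/callback" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Assumption: the formats ticked in the Gluu TR "name-id format" selection, as
# recommended in the reply above. emailAddress is deliberately not among them.
IDP_NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                      "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}


def short(urn):
    """'urn:oasis:...:status:InvalidNameIDPolicy' -> 'InvalidNameIDPolicy'."""
    return urn.rsplit(":", 1)[-1]


def status_codes(response_xml):
    """StatusCode chain, outermost first. Shibboleth nests the specific code
    (InvalidNameIDPolicy) inside the generic one (Requester)."""
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def requested_nameid_format(authn_request_xml):
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def sp_nameid_formats(metadata_xml):
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]


def signing_flags(metadata_xml):
    """SP signing expectations. Both are false in the posted metadata: the SP
    neither signs its requests nor requires a signed Assertion."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    return {k: sp.get(k, "false") == "true" for k in ("AuthnRequestsSigned", "WantAssertionsSigned")}


def diagnose(authn_request_xml, response_xml, metadata_xml, idp_formats):
    """Return human-readable findings; an empty list means nothing here explains a failure."""
    req, resp, md = (ET.fromstring(x) for x in (authn_request_xml, response_xml, metadata_xml))
    findings = []
    # The IdP looks the SP up by the request Issuer, which must equal the metadata
    # entityID; otherwise it has no RoleDescriptor for the peer.
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer != md.get("entityID"):
        findings.append(f"Issuer {issuer} does not match metadata entityID {md.get('entityID')}")
    if resp.get("InResponseTo") != req.get("ID"):
        findings.append("InResponseTo does not match the AuthnRequest ID")
    codes = status_codes(response_xml)
    if codes and short(codes[0]) == "Success":
        return findings
    findings.append("status: " + " / ".join(short(c) for c in codes))
    # InvalidNameIDPolicy means the IdP could not mint a NameID in the requested
    # format: compare what was asked for with what the IdP is allowed to issue.
    if any(short(c) == "InvalidNameIDPolicy" for c in codes):
        wanted = requested_nameid_format(authn_request_xml)
        if wanted and wanted not in idp_formats:
            findings.append(f"requested NameID format {short(wanted)} is not offered by the IdP "
                            f"(offered: {', '.join(sorted(short(f) for f in idp_formats))})")
        if wanted and wanted not in sp_nameid_formats(metadata_xml):
            findings.append("AuthnRequest NameIDPolicy differs from the SP metadata NameIDFormat")
    return findings
```

Call `diagnose(AUTHN_REQUEST, RESPONSE, SP_METADATA, IDP_NAMEID_FORMATS)`: with the thread's documents it reports the `Requester / InvalidNameIDPolicy` status and that `emailAddress` is not among the formats the IdP offers; adding the emailAddress URN to `IDP_NAMEID_FORMATS` (or, as in the 28 Dec post, switching the SP to `unspecified`) clears that finding. `signing_flags` is included because an SP that leaves `WantAssertionsSigned` at false relies entirely on the Response-level signature and the `idp_cert_fingerprint` check, which is worth revisiting once SSO works.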

By Mobarak Hosen Shakil staff 02 Jan 2023 at 8:06 p.m. CST

Hi, Nikita! Please update the `shibboleth-idp` log level to `TRACE`. To update:

```
gluu-serverd login
cd /opt/shibboleth-idp/conf
vi logback.xml
```

Modify the `logback.xml`:

```xml
<variable name="idp.loglevel.idp" value="${idp.loglevel.idp:-TRACE}" />
```

and then share the `idp-process.log` again, please.

Regards ~ Shakil

By Nikita Share user 08 Jan 2023 at 12:20 p.m. CST

Sorry, I use the docker-compose installation, and when I try to edit logback.xml (I have only **logback.xml.orig**) the file is removed. And I receive only WARN messages. When I try to restart the Java application inside the container, the container restarts and the file is removed again.

By Mobarak Hosen Shakil staff 22 Jan 2023 at 7:22 p.m. CST

Hi, Nikita! Do you have any update? It shouldn't be removed. Regards ~ Shakil

By Nikita Share user 23 Jan 2023 at 3:44 a.m. CST

Hi, Shakil! This week my colleague will deploy Gluu not in docker and we will try again. I'll post the results.

By Mobarak Hosen Shakil staff 06 Feb 2023 at 7:14 p.m. CST

Hi, closing this ticket. Please reopen if required.