By: Todd Vernick user 25 Jun 2015 at 11:21 a.m. CDT

14 Responses
I set up a trust with Ultipro's metadata, and it validates successfully. The link they provided brings me to the Gluu login page and redirects to their service, but it lands on an error page on their side. They have told me that I'm not passing a field in the assertion called NameID. I added an attribute called NameID but it still gives me the error page, and they said they do not see it being passed to them. Any idea what I can look at? I attached screenshots.

By Mohib Zico Account Admin 25 Jun 2015 at 11:25 a.m. CDT

Release 'TransientID' and see what's up there. 'TransientID' is our default NameID, which might work for your case. It's available in the available attributes section.

By Todd Vernick user 25 Jun 2015 at 11:34 a.m. CDT

I tried adding it but still get an error. What about the relying party config, does that look correct? I don't know which I should be adding, and some have a checkbox for "includeAttributeStatement".

By Mohib Zico Account Admin 25 Jun 2015 at 11:42 a.m. CDT

>> I tried adding it but still get an error.

Just release 'TransientID' as NameID. Don't use your custom-made NameID.

>> What about the relying party config, does that look correct?

Relying party configuration depends on the SP's requirement. If they want that, you can move forward.

By Todd Vernick user 25 Jun 2015 at 11:44 a.m. CDT

I added TransientID, but still get an error.

By Mohib Zico Account Admin 25 Jun 2015 at 11:45 a.m. CDT

Then you can check the log for hints. SAML transaction logs are inside /opt/idp/logs/

By Todd Vernick user 25 Jun 2015 at 12:46 p.m. CDT

Last few lines of the log are here, do you see anything wrong at all?

:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501] - Name identifier for relying party 'http://fs.ultiproworkplace.com/adfs/services/trust' will be built from attribute 'transientId'
16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'http://fs.ultiproworkplace.com/adfs/services/trust'
16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:572] - Determining if SAML assertion to relying party 'http://fs.ultiproworkplace.com/adfs/services/trust' should be signed
16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:653] - IdP relying party configuration 'http://fs.ultiproworkplace.com/adfs/services/trust' indicates to sign assertions: false
16:53:58.125 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:660] - Entity metadata for relying party 'http://fs.ultiproworkplace.com/adfs/services/trust 'indicates to sign assertions: true
16:53:58.126 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:583] - Determining signing credntial for assertion to relying party 'http://fs.ultiproworkplace.com/adfs/services/trust'
16:53:58.126 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:599] - Signing assertion to relying party http://fs.ultiproworkplace.com/adfs/services/trust
16:53:58.138 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:331] - secondarily indexing user session by name identifier
16:53:58.138 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796] - Encoding response to SAML request id-b3397259-9873-489a-991f-e55face6b58c from relying party http://fs.ultiproworkplace.com/adfs/services/trust
16:53:58.157 - INFO [Shibboleth-Audit:1028] - 20150625T165358Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|id-b3397259-9873-489a-991f-e55face6b58c|http://fs.ultiproworkplace.com/adfs/services/trust|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://gluu.nyc.squarespace.net/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1d724821b2f6fe5ae45a495253320b27|tvernick|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_1f2b25192791b667596d585ea008034b|_c7b2766b73cd502cac5d4bc1995c2941,|

By Mohib Zico Account Admin 25 Jun 2015 at 1:23 p.m. CDT

No, I don't see any error from your log snippet.

By Todd Vernick user 29 Jun 2015 at 11:47 a.m. CDT

Hi, I attached what Ultipro is expecting as an attribute. Do you know which attribute I should be releasing, or what I should create for this to work? I tried creating a new attribute with that particular string but it didn't work.

By Todd Vernick user 29 Jun 2015 at 3:11 p.m. CDT

How do you do that? If you're talking about the URI for the attribute, yes, I added that as:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

I'm not certain about the other options, but I left most of them as default.

By Todd Vernick user 29 Jun 2015 at 3:58 p.m. CDT

The screenshot is when I passed the TransientId attribute only. When I used the custom attribute I created they don't see anything.

By Todd Vernick user 30 Jun 2015 at 10:15 a.m. CDT

As for the attribute values, are those being passed by editing the user values in "Manage People"? Also, I have an assertion document they gave me, but I'm not sure exactly how I should implement it, i.e. whether I should be creating a new attribute, etc. Is there an email I can send that to?

By Mohib Zico Account Admin 01 Jul 2015 at 11:01 a.m. CDT

Todd, it seems like Ultipro is expecting some custom NameID which should be in the format 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', and this NameID will be based on some 'UserAttribute' (which can be UID or Email_Address; Ultipro can decide). It's not possible to create and map a custom NameID with Gluu Server's GUI (oxTrust) right now. For our customers, Gluu Engineers are creating such custom attributes manually.
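As an added illustration (not code from this thread, from Gluu or from Ultipro), a small Python check for the question the thread keeps circling: what NameID, in which Format, with which released attributes, the SP actually receives in the assertion. The two assertions are constructed samples; the NameID value, attribute name and IDs are placeholders, and the expected Format is the 1.1 'unspecified' one named in the last reply.

```python
import xml.etree.ElementTree as ET  # use defusedxml for assertions from untrusted parties

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def inspect_assertion(xml_text, expected_format):
    """Report what an SP sees in <Subject>: NameID value, Format, whether the
    assertion is signed, which attributes are released, and whether the
    NameID Format matches what the SP says it expects."""
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % NS["saml2"]
    # the assertion may be the document root or wrapped inside a <Response>
    assertion = root if root.tag == assertion_tag else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return {"has_assertion": False, "name_id": None, "format": None,
                "signed": False, "attributes": [], "matches": False}
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    return {
        "has_assertion": True,
        "name_id": name_id.text if name_id is not None else None,
        "format": fmt,
        "signed": assertion.find("ds:Signature", NS) is not None,
        "attributes": [a.get("Name") for a in
                       assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)],
        "matches": name_id is not None and fmt == expected_format,
    }


# Constructed sample: what the IdP sends when only TransientID is released.
TRANSIENT_SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1f2b</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample: the shape the SP in this thread asks for, a NameID in the
# 1.1 'unspecified' format carrying a user attribute, plus an attribute statement.
UNSPECIFIED_SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
```

Run `inspect_assertion(sample, UNSPECIFIED)` on a decoded SAMLResponse captured from the browser (for example with SAML-tracer) to see whether the NameID Format and released attributes match what the SP documented.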