Hi, Sandra. Were you following some guide on the net while doing these configurations? If it's so, could you provide us a link to it, so we can reproduce the issue? Regards, Alex.

I following Using SAML To Get SSO With Google Apps, i need some guide to configurarion of nameid atribute to google. Plz your help.

Do you mean our guide on the docs portals, [https://www.gluu.org/docs/integrate/google-saml/](https://www.gluu.org/docs/integrate/google-saml/)? Don't remember trying it myself, may be I'll find some time and check it, perhaps it needs to be updated. Please let me know if you'll be able to solve your issue sooner.

Sandra, >> I have this error SAML 2 SSO profile is not configured for relying party google.com/a/unc.edu.pe If you are 'sure' that you configured SAML2SSO profile for this trust then only reason you are seeing this message: difference between the entityID of your Googlemetadata and the hostname (google site) from where the request is coming >> I configured NameID atribute with the following characteristics You just created a custom attribute. Creation of namedID is more than that. Check out [this](https://support.gluu.org/integrations/need-to-map-givenname-and-sn-to-firstname-and-lastname-mail-to-nameid-2461#at8594) ticket on NameID creation AND [Shibboleth doc](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPNameIdentifier)

to create the attribute (nameId to google), the parameter "oxAuth claim name" is required, How I can get it?

Hi, Sandra. You don't need to supply the "oxAuth claim name" if you don't intend to use OpenID Connect. Or you could use the same name as for attribute itself for this parameter.

Hello Gluu, This is the only thing that's remaining for me. I'm encountering the same problem with Sandra. There doesn't seem a proper documentation on creating/requesting a googleID Name ID. It was stated on the your [Google SSO Guide](https://www.gluu.org/docs/integrate/google-saml/) > Required attributes: Generally a nameID attributes is required. Please talk to us to generate this nameID in your Gluu Server. I'm really confuse if we're the one's that should do the Name ID attribute manually, by inserting a line in _attribute-resolver.xml.vm_ located at _/opt/gluu-server-2.4.2/opt/apache-tomcat-7.0.55/conf/shibboleth2/idp_ Here's what I inserted. > <!-- Modified for google app inteartion mail attribute --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="googleID" sourceAttributeID="googleID"> <resolver:Dependency ref="siteLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="googleID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" /> </resolver:AttributeDefinition> I also tried adding this line to _attribute-filter.xml.vm_ inside the line of _#foreach( $trustRelationship in $trustParams.deconstructed )_ > <afp:AttributeFilterPolicy> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com" /> <afp:AttributeRule attributeID="googleID"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> And after doing so, and rebooting tomcat. I could not seem to find the attribute googleID. Do I have to create a custom attribute + manually adding the lines, or do you guys have a way of _"generating this nameID in your Gluu Server"_. Thank you so much for the help in advance.

Karl, You don't need to modify 'attribute-filter.xml.vm'. Adding custom nameID in 'attribute-resolver.xml.vml' is fine.

Thanks for the quick reply, Mohib. Do I have to do anything else after adding my lines to 'attribute-resolver.xml.vm'? Cause it's not appearing in the 'Release' tab of my Google Trust Relationship.

>> Cause it's not appearing in the 'Release' tab of my Google Trust Relationship. May be you haven't created the attribute from oxTrust ( Gluu Server GUI ) yet? Here's the deal: - Create custom attribute from GUI. i.e. 'googleID' - Configure it in attribute-resolver.xml.vm as this newly created 'googleID' can work as nameID. - Release this attribute in trust relationship from GUI. One thing you need to make sure that... your custom attribute has values. That means... the 'sourceAttribute' of this 'googleID' should be some attribute which has values inside.

I'll try to work on it now. I'll update you regarding this one. Thank you so much, and I hope that you guys would update the documentation of Google SSO, as I've seen similar tickets about this one. I'll be recreating a custom attribute right now, and try to see if it would appear in attribute-resolver.xml.vm. Would my line be enough? (the one I posted above).

Updated the doc.

Awesome! Anyway, here's an update. I've already seen the googleID inside the attribute-resolver.xml, however when I was trying to view it in attribute-resolver.xml.vm, the line's weren't there, I was just able to see a 'for-each' code, and I put a condition there like: > #if(($attribute.name.equals('googleID'))) <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name"> <resolver:Dependency ref="siteLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="$attrParams.attributeSAML1Strings.get($attribute.name)" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" /> </resolver:AttributeDefinition> #end But it still gives me this error: Error Message: SAML 2 SSO profile is not configured for relying party google.com/a/civicom.ph

Updating the ticket for follow ups: Here's my setup, and it's still not working. **attribute-resolver.xml.vm**  **attribute-resolver.xml**  **Attributes**  **Trust Relationship**  **Relying Party** 

Two points: 1. You don't need to specify SAML1 URI and SAML2 URI while creating custom attribute in oxTrust. 2. Declaration and Configuration for this nameID in attribute resolver is still incomplete. Check [this](https://wiki.shibboleth.net/confluence/display/SHIB2/IdPCustomNameIdentifier) for reference.

Mohib, For dependency, > <resolver:Dependency ref="DEFINITION_ID_1" /> What would I put for as the DEFINITION_ID? I'll remove SAML1 URI and SAML2 URI, as I've thought that it's required because it has an asterisk.

>> What would I put for as the DEFINITION_ID? siteLDAP

I'm encountering errors when putting a null value at a custom attribute via oxTrust GUI. 

These URI values shouldn't be mandatory. Here is a video from Gluu Server 2.4.2: https://youtu.be/ApKsQSq9sWA

Mohib, I've managed to bypass it by just typing [space] and applying. I also edited the attribute-resolver.xml.vm and inserted the DEPENDENCY. Here's how my attribute-resolver.xml looks now. Isn't it redundant? Or should I use an if statement to make it a single definition of 'googleID'  I'm still encountering the same error.  **Always appreciate the help from you guys.**

Kindly open the ticket again so that I wouldn't have to recreate another ticket as my concern is related to Sandra's.

For SAML2SSO profile error, please read above comments.

Karl, We have decided to put a public doc on how to create custom attributes in Gluu Server. It should be available by middle of next week. Might be helpful for you guys.... Stay tuned, we will inform you.

Mohib, Really grateful for that, Gluu Team. Glad you guys decided to make a public doc for this frequently asked question.

Again, if this would be of any help. I'm using an Amazon EC2 Instance for the Gluu server. It's currently running on Ubuntu Server 14, with an Elastic IP. I've used the Private IP as the address and Public DNS as the hostname. > If you are 'sure' that you configured SAML2SSO profile for this trust then only reason you are seeing this message: difference between the entityID of your Googlemetadata and the hostname (google site) from where the request is coming Does it have something to do with this?

The theory of this error is really simple. Say, you have a website named 'website.com' and it is connected with Gluu Server for SSO. Here is the scenario of total flow: 'website.com' --> Gluu Server for Authentication --> 'website.com' as logged in users. Now... the SP metadata which deployer is using to connect 'website.com' has something like 'website1.com' either in entityID or in some redirectURI location. You will start getting errror because the _request_ is coming from 'website.com' but your Gluu Server has _configuration_ for 'website1.com'.

Mohib, Understood. Do I need to setup any inside Gluu? (I'm talking about the ASIMBA).  Here's a screenshot of my Google Metadata, do you think I should change my nameID format to the same one as Google's? '_urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress_'  Again, I'm really thankful for you being a helping hand.

It's also a whitepage/whitespace even if I'm going to https://hostname/idp/profile/SAML2/Redirect/SSO EDIT1: I'll be doing a fresh Gluu install and re-do all steps. EDIT2: https://hostname/idp/profile/SAML2/Redirect/SSO is working now, redirects me to the error page. I'll wait for further instructions from you guys. as well as an error telling me that SAML 2 SSO profile is not configured for relying party google.com/a/domain

I believe error like "SSO profile is not configured" has little to do with a nameID. It means SAML flow fails prior to any responses that will include this nameID will be sent back. "SSO profile is not configured" is a very widespread issue in Shibboleth's world, and can have many causes. As Zico already has mentioned, invalid SP metadata is a number one (but not the only one!) cause. You must verify that entityID in SP metadata you are using when creating TR in web UI is the same that SP uses after that in SAML request. You can do that by monitoring idp-process.log. I believe in our new packages we lowered its verbosity, so you may need to edit `/opt/idp/conf/logging.xml` file, specifically this section: <!-- Logs OpenSAML, but not IdP, messages --> <logger name="org.opensaml" level="WARN" ></logger> and set it to "DEBUG" (service's restart probably is needed). That may show you some hints on what is happening. It should show you SAML request Google's SP sends, too. Other option would be to use some tool that can capture HTTP traffic and decode SAML messages in a human-readable manner. Burp proxy has a free plug-in that does so. Other tools may exist, too.

Thanks, Aliaksandr. I'll be doing this next week. I hope that I'd make this work, would also wait for the public documentation so I could just clone what you guys will do.

I'm having this logs while authenticating. idp-process.log 23:39:08.445 - INFO [Shibboleth-Access:73] - 20160412T233908Z|172.98.87.220|ec2-52-38-9-205.us-west-2.compute.amazonaws.com:443|/profile/SAML2/Redirect/SSO| 23:39:08.446 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO 23:39:08.446 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler 23:39:08.446 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 23:39:08.446 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request 23:39:08.446 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' 23:39:08.446 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter 23:39:08.446 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] - Decoded RelayState: https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fapps.google.com%2Fuser%2Fhub 23:39:08.446 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] - Base64 decoding and inflating SAML message 23:39:08.447 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] - Parsing message stream into DOM document 23:39:08.447 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:193] - Unmarshalling message DOM 23:39:08.447 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:205] - Message succesfully unmarshalled 23:39:08.448 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:105] - Decoded SAML message 23:39:08.448 - DEBUG [org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder:112] - Extracting ID, issuer and issue instant from request 23:39:08.448 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.448 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.448 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com/a/civicom.ph 23:39:08.448 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.448 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.448 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com/a/civicom.ph 23:39:08.448 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for google.com/a/civicom.ph 23:39:08.448 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for google.com/a/civicom.ph, looking up configuration based on metadata groups. 23:39:08.449 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.449 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.449 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com/a/civicom.ph 23:39:08.449 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.449 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.449 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com/a/civicom.ph 23:39:08.449 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for google.com/a/civicom.ph. Using default relying party configuration. 23:39:08.449 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:130] - Evaluating security policy of type 'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' for decoded message 23:39:08.449 - DEBUG [org.opensaml.util.storage.ReplayCache:92] - Attempting to acquire lock for replay cache check 23:39:08.449 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock acquired 23:39:08.450 - DEBUG [org.opensaml.util.storage.ReplayCache:105] - Message ID foklmijjgaekilpkkpagccjmkdbkhjhfjdamnelc was not a replay 23:39:08.450 - DEBUG [org.opensaml.util.storage.ReplayCache:132] - Writing message ID google.com/a/civicom.phfoklmijjgaekilpkkpagccjmkdbkhjhfjdamnelc to replay cache with expiration time 2016-04-12T23:44:08.450Z 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:250] - Metadata document did not contain a descriptor for entity google.com/a/civicom.ph 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity google.com/a/civicom.ph 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity google.com/a/civicom.ph 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.450 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.451 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:250] - Metadata document did not contain a descriptor for entity google.com/a/civicom.ph 23:39:08.451 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity google.com/a/civicom.ph 23:39:08.451 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity google.com/a/civicom.ph 23:39:08.451 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - SPSSODescriptor role metadata for entityID 'google.com/a/civicom.ph' could not be resolved 23:39:08.451 - INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:100] - SAML protocol message was not signed, skipping XML signature processing 23:39:08.451 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule 23:39:08.451 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:87] - HTTP request was not signed via simple signature mechanism, skipping 23:39:08.451 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule 23:39:08.451 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:81] - Rule can not handle this request, skipping processing 23:39:08.451 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:85] - Successfully decoded message. 23:39:08.452 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191] - Checking SAML message intended destination endpoint against receiver endpoint 23:39:08.452 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:203] - SAML message intended destination endpoint in message was empty, not required by binding, skipping 23:39:08.452 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'google.com/a/civicom.ph' 23:39:08.452 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.452 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.452 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com/a/civicom.ph 23:39:08.452 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: google.com/a/civicom.ph 23:39:08.452 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of google.com/a/civicom.ph 23:39:08.452 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID google.com/a/civicom.ph 23:39:08.452 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:305] - No metadata for relying party google.com/a/civicom.ph, treating party as anonymous 23:39:08.452 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:222] - SAML 2 SSO profile is not configured for relying party google.com/a/civicom.ph 23:39:08.453 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request 23:39:08.453 - DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display 23:39:08.934 - TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:117] - Attempting to retrieve IdP session cookie. Turns out, it is the entityID. Why is Google providing a different one than what Gluu is reading? I uploaded the correct metadata file downloaded from Google. Do I have to manually configure my metadata?

>> Turns out, it is the entityID. Why is Google providing a different one than what Gluu is reading? I uploaded the correct metadata file downloaded from Google. Google has option to download their metadata? >> Do I have to manually configure my metadata? Frankly speaking personally we have been writing Google metadata for our customers, it's very small plus straight forward and works perfectly.

Mohib, Yes they do, and they're at your public documentation for SSO for Google. How are you writing your own, I've been trying to find one online and there seems to be different variations for it. I'd like to try yours simply because it works on your Gluu-server.

>> How are you writing your own, I've been trying to find one online and there seems to be different variations for it. I'd like to try yours simply because it works on your Gluu-server. I am sorry but can't share those as they are very specific to our customer's infrastructure.

Another thing... can you please share your stack trace in some other place ( i.e pastebin or so )? Reading would be much easier....

Sure thing, sorry about that. Regarding the metadata, I understand, could you provide an article where I can get information about creating a metadata that would be the same as yours? (basic one). I'll be sending a pastebin stack trace, I'm just getting the logs.

[Metadata](http://pastebin.com/bTPd6iD2) downloaded via Google [Stack Trace](http://pastebin.com/cszAz5X1)

>> Metadata downloaded via Google Here are issues with your metadata: - metadata is not compatible with Shibboleth. There shouldn't be any '<md' tags - entityID is not right. - you don't need IDPSSODescriptor - You don't need keyDescriptor - There is no AssertionConsumerService information. - NameID format is not right.

Mohib, do I need <ds:X509Data> <ds:X509Certificate>[some random letters here]</ds:X509Certificate> </ds:X509Data> Will be searching some guides online. Thank you! EDIT: My updated [**Metadata** ](http://pastebin.com/duQ5fCJY) and [**Attribute Resolver**](http://pastebin.com/TqbXxfRq) **[New IDP-Process.log](http://pastebin.com/s98ZxdNg)** I appreciate the help that you would give me. EDIT 2: Again, I tried fiddling around with it by changing my entityID to what Google has provided **[Metadata with entityID that Google provided](http://pastebin.com/44LRtynh)** same attribute resolver, just added "ad:Simple" instead of "Simple" **[IDP-Process.log](http://pastebin.com/7Nk0SQf8)** EDIT 3: Changed the **[Metadata to another one](http://pastebin.com/r8ezyX2b)**. with the same attribute resolver and now, I'm not getting any errors but instead I got this:  [New IDP-Process.log](http://pastebin.com/08QhiPjt), what do I do next here?

Just following up on the ticket.

Hey Karl, We published a doc on how to configure custom NameID. Feel free to take a look at [this](https://gluu.org/docs/customize/attributes/#custom-nameid)

Kindly close the ticket. Problem's solved. I followed the configuration of NameID and Metadata. Cheers!

Hi Karl Jaro, Would you be willing to lend a hand? I've poked through this and was referenced to this thread. I'm having some difficulty getting this to work with Google Apps. Thank you in advance. :)

Hello Aaron, Sure! What's up? I usually do the following when creating a new gluu server: 1. Create a custom attribute, please refer to the video linked here in this ticket. I'll be naming it 'googleID' 2. Create a trust relationship for Google. For the metadata, refer to the last update I linked, which is 'EDIT 3', I posted my Metadata there. Be sure to change the domain name to your domain name. 3. Create a NameID, refer to the one referenced here as well. 4. Once done, restart Gluu and it should work. Be sure to try it out on incognito tab.

Hi Karl, Thank you for your reply! [This](https://support.gluu.org/integrations/google-sso-2898) is my current thread. I'm replying inline here: 1. I created googleID attribute in Gluu and did a source mapping of: mail -> googleID. 2. I re-created the Trust and uploaded that specific metadata, but the trust is inactive and won't activate, getting the error below: 3. I did that in the attribute-filter.xml.vm using [this](https://gluu.org/docs/customize/attributes/#custom-nameid) info. 4. Obviously, since 2. isn't working, this isn't working. ``` 2016-06-27 17:27:39,028 ERROR [org.gluu.oxtrust.action.UpdateTrustRelationshipAction] Failed to save SP meta-data file FileUploadWrapper [contentType=null, fileName=BF6BDD02B40FAD83000232D8F9AA00067EB04C89-sp-metadata.xml, fileSize=null, stream=null] ``` Any ideas? Thank you for your quick response. This is really holding back my projects this summer. :(

Hello Aaron, 1. Try using 'Text' for the custom attribute, just copy every setting from the video posted by Mohib here. (I don't have any mapping) 2. Have you tried rebuilding/recreating a new Gluu server? Pretty sure it has something to do with you having the same trust relationship name as the old one (which is deleted, not sure tho). 3. Try using [my filter](http://pastebin.com/gyrJSmgF) Btw, it held me back for a month iirc. You can do it! Just hit me up.

Hi Karl, So I have it partially working now. Basically, it gets to the page you listed [earlier](https://support.gluu.org/integrations/google-sso-relationship-2571#at9787) because it can't parse the login request. Thank you for your help with this, it's the furthest I've been along thus far. Any ideas on the above issue? :)

Hello Aaron, Iirc, I think that's where I changed my NameID after Mohib linked the documentation about NameID -- this is what I gave to you (my filter). Have you tried checking your metadata? did you put your domain > EntityDescriptor entityID="google.com/a/your domain here"

Ok, let me test that. Can I define multiple domains then? I have 2 right now, and will be adding at least one more.

I tried changing it from my primary to my secondary, and neither have worked thus far. :(

Just change it to your primary domain name, meaning the google address you are using, (i.e karl.jaro@company.ph) I'd put the company.ph on the 'your domain here"

Thanks Karl :) So does my nameID look correct? I mapped it to my mail attribute I'm pulling in from Active Directory. Thank you again. :) ``` #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleID') ) ) <resolver:AttributeDefinition id="googleID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail"> <resolver:Dependency ref="siteLDAP"/> <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /> </resolver:AttributeDefinition> #end ```

Karl, Just got it! So I had forgotten to add back googleID to the Trust Relationship. Once I did that, it logged right in. Thank you for your help, it was greatly appreciated. :)

Aaron, Sure! Glad that you made it work, I actually did a set-up yesterday on a CentOS build. btw, connect with me on [LinkedIn](https://ph.linkedin.com/in/nikolaijaro).

Thanks! I will add you. Ok, I have a weird one for you. Not sure if you might know what is wrong. So if I 'release' the 'googleID' inside the trust relationship, the logs spew that there are duplicates for 'googleID' and it will never complete generating the atrributes-resolver.xml. This leads to a blank white page when a user logs in and the logs show this: 20160628T220207Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|pcmnajibanlolcahiknnknehfofniliiaglnbpeg|google.com/a/domain.com|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://vip.domain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_041810200a874b87fb3012aea7cb964d|ittest|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_**<missing_email_address_in_this_field>**_|_296d2a2c194b14a8499764b97b61fd67,| But if I release googleID after tomcat has restarted, it works fine. Not sure how to proceed. Not sure if this is a bug or if something is misconfigured?

Aaron, I'm having the same whitepage as well when doing that. Try turning Multivalued to False as well as SCIM Attribute from googleID custom attribute.

Hrm, that didn't seem to work. Seems like it's not working now.

Aaron, You could try to recreate a Trust Relationship and see if it works. I'm not sure with your error but I think a staff would be happy to help you.

Yeah, I'll have to start a new ticket and see. But there is a conflict somewhere. :\ The 'white' screen error is caused by this: ``` 15:37:34.258 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The roo t cause of this error was: org.xml.sax.SAXParseException: Duplicate key value [googleID] declared for identity constraint of element "AttributeResolver". 15:37:34.268 - ERROR [org.springframework.web.context.ContextLoader:215] - Context initialization failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.AttributeResolver': Invocation of init method failed; nested exception is edu.internet2.middleware .shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. ... Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. ... Caused by: org.xml.sax.SAXParseException: Duplicate key value [googleID] declared for identity constraint of element "AttributeResolver". ```