Google SSO errors

By: Aaron Echols user 28 Jun 2016 at 6:47 p.m. CDT

2 Responses
Aaron Echols gravatar
Hello, I had SAML working until I restarted tomcat to make sure everything would work correctly. I'm pretty sure that I have everything setup correctly. I think there might be a bug in Gluu causing the issue I'm seeing. You can see my config [here](https://support.gluu.org/integrations/google-sso-2898#at11939) When I restart tomcat, I see this error indicating that there is a duplicate 'googleID' attribute. It was working, but now it won't work. ``` 15:37:34.258 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: Duplicate key value [googleID] declared for identity constraint of element "AttributeResolver". 15:37:34.268 - ERROR [org.springframework.web.context.ContextLoader:215] - Context initialization failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.AttributeResolver': Invocation of init method failed; nested exception is edu.internet2.middleware .shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. ... Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. ... Caused by: org.xml.sax.SAXParseException: Duplicate key value [googleID] declared for identity constraint of element "AttributeResolver". ``` Here is what my logged looked like when it was working: ``` 20160628T202028Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|iodnciakgobmcljdmoiedlbpjaolghcdpbgmbljo|google.com/a/domain.com|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://vip.domain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_9513b5097b28ae0d31462c0cd354b3b2|ittest|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||ittest@domain.com|_bec47fdd88363af42dcd0eddd6ec2178,| ``` Here it is when it's not working: ``` 20160628T220207Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|pcmnajibanlolcahiknnknehfofniliiaglnbpeg|google.com/a/domain.com|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://vip.domain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_041810200a874b87fb3012aea7cb964d|ittest|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||_**<missing_email_address_in_this_field>**_|_296d2a2c194b14a8499764b97b61fd67,| ```
U1404
closed

Answers

By Mohib Zico Account Admin 29 Jun 2016 at 1:10 a.m. CDT

Copy
Mohib Zico gravatar
Seems like you have two googleID attributes in attribute-resolvers.xml. Please share both attribute-resolver.xml and attribute-resolver.xml.vm ( complete files ).

By Aaron Echols user 29 Jun 2016 at 1:16 p.m. CDT

Copy
Aaron Echols gravatar
Yes, I found the issue. This is now resolved. I changed the code for the attribute definitions in attributes-resolver.xml.vm to: ``` <!-- ========================================== --> <!-- Attribute Definitions --> <!-- ========================================== --> #foreach( $attribute in $attrParams.attributes ) #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleID') ) ) <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name"> <resolver:Dependency ref="siteLDAP" ></resolver:Dependency> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="$attrParams.attributeSAML1Strings.get($attribute.name)" ></resolver:AttributeEncoder> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" ></resolver:AttributeEncoder> </resolver:AttributeDefinition> #end #end <!-- Name Identifier related attributes --> <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId"> <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" ></resolver:AttributeEncoder> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" ></resolver:AttributeEncoder> </resolver:AttributeDefinition> <!-- ========================================== --> <!-- My Attribute Definitions --> <!-- ========================================== --> #if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleID') ) ) <resolver:AttributeDefinition id="googleID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail"> <resolver:Dependency ref="siteLDAP"></resolver:Dependency> <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ></resolver:AttributeEncoder> </resolver:AttributeDefinition> #end ``` Thank you for the reply. :)

Post an answer