By: Karl Jaro user 03 Mar 2017 at 9:22 p.m. CST

20 Responses
Hello Gluu, So I was able to create a custom attribute, create a trust relationship and followed the guide in Google SSO integration (do note that I was able to make it work in 2.4.3, 2.4.4.2). Right now I'm getting this error:

```
This account cannot be accessed because the login credentials could not be verified. We are unable to process your request at this time, please try again later.
```

Do you think this is an issue with the cert file? How will I be able to get the cert file without changing its permissions (I did chmod 777 in order for me to copy it to my pc and upload it). Or do you think this has something to do with [how I created my googleID attribute](https://support.gluu.org/single-sign-on/3842/unable-to-create-custom-attribute/)?

By Karl Jaro user 03 Mar 2017 at 9:29 p.m. CST

Or is it because of the attribute-resolver.xml.vm's new format and I coded it wrong? [Attribute-resolver.xml.vm](http://pastebin.com/WAjiyAgw)

By Sahil Arora user 03 Mar 2017 at 9:45 p.m. CST

Please check log and share any stack trace.

By Karl Jaro user 03 Mar 2017 at 9:46 p.m. CST

Sahil, What logs do you need?

By Sahil Arora user 03 Mar 2017 at 9:58 p.m. CST

Check in oxauth.log and oxtrust.log files

By Karl Jaro user 03 Mar 2017 at 10:04 p.m. CST

Here you go (right after I tried logging in): [oxtrust.log](http://pastebin.com/ztnC9bFN) [oxauth.log](http://pastebin.com/WSKBzePf)

I saw this in oxtrust:

```
2017-03-04 03:46:44,776 WARN [qtp274064559-12] [org.jboss.seam.ui.renderkit.DefaultActionRendererBase] (DefaultActionRendererBase.java:54) - Must set an id for the default action source
2017-03-04 03:46:44,778 WARN [qtp274064559-12] [org.jboss.seam.ui.renderkit.DefaultActionRendererBase] (DefaultActionRendererBase.java:54) - Must set an id for the default action source
2017-03-04 03:46:46,571 ERROR [qtp274064559-19] [org.gluu.oxtrust.action.UpdateTrustRelationshipAction] (UpdateTrustRelationshipAction.java:291) - Failed to save SP meta-data file FileUploadWrapper [contentType=null, fileName=7F3650498DB09F860002778C10DD0006B1E8A7E7-sp-metadata.xml, fileSize=null, stream=null]
```

Most from oxAuth are just INFO and most of them are Authentication Success:

```
2017-03-04 03:44:22,210 INFO [qtp242131142-17] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'xxxxxxxx@xxxxxx.ph'
```

By Mohib Zico staff 03 Mar 2017 at 10:14 p.m. CST

And idp-process.log. As this problem is coming from SAML transactions, that will tell us what's wrong where. If required, please enable debug logging.

By Karl Jaro user 03 Mar 2017 at 10:19 p.m. CST

Mohib, is that the [stderrout.log](http://pastebin.com/HbiWdDCG)?

EDIT: Found it: [idp-process.log](http://pastebin.com/nWe2XF5t) [longer trail version of idp-process.log](http://pastebin.com/kmKn6cbw)

Weird, I did not find any errors:

```
2017-03-04 04:02:28,467 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in
2017-03-04 04:02:28,849 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: **External authentication succeeded for user: xxxxxxxxxx.test@xxxxxx.ph**
2017-03-04 04:02:28,908 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
2017-03-04 04:02:28,929 - WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:91] - Relay state exceeds 80 bytes, some peers may not support this.
```

By Mohib Zico staff 03 Mar 2017 at 10:52 p.m. CST

We will only know what's wrong where from log. [Here](https://gluu.org/docs/ce/3.0.1/operation/logs/) is the doc.

By Karl Jaro user 03 Mar 2017 at 11:20 p.m. CST

From my latest test (debug level): [idp-process.log](http://pastebin.com/hk4jXwLG) [ox-auth.log](http://pastebin.com/qpqHt9Vc) [oxtrust.log](http://pastebin.com/wxzdWZi2) - found errors

```
2017-03-04 05:18:46,408 DEBUG [pool-2-thread-8] [org.gluu.oxtrust.ldap.service.MetadataValidationTimer] (MetadataValidationTimer.java:92) - Metadata validation finished with result: 'false'
```

I'm still using the metadata that I always use when setting up Google SSO, except that I changed the domain.

By Karl Jaro user 03 Mar 2017 at 11:30 p.m. CST

This is the part where I'm really confused.

```
2017-03-04 05:27:20,548 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:151] - validate check session status:200
2017-03-04 05:27:20,548 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in
2017-03-04 05:27:21,140 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: karl.test@civicom.ph
2017-03-04 05:27:21,198 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
2017-03-04 05:27:21,224 - WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:91] - Relay state exceeds 80 bytes, some peers may not support this.
2017-03-04 05:27:21,227 - INFO [Shibboleth-Audit.SSO:241] - 20170304T052721Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|dgkopfddjpfdaediealmaidilkpgkddfbakdeceg|google.com/a/civicom.ph|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sso.dialanote.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_143ee5296421fe80b839cf0ec287f387|karl.test@civicom.ph|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|googleID|AAdzZWNyZXQxtr45AIyfEgcT+rNiARYo/0aOHDOtxePQmQLNfQqC6oKr2NI7FAR82bzFWmna5Ki4xZ5a1qWYRgTHHAgs92RsEUT27U2Kz3JbfTvzkam8g4dQF3szDoU9sIuB7yxZrfaIAA==|_0c57a8ddaa793a378e899e77de8de762|
```

By Sahil Arora user 03 Mar 2017 at 11:33 p.m. CST

From the logs, it seems IDP is generating assertion successfully. Please check for any logs at SP side.

```
2017-03-04 05:16:41,237 - INFO [Shibboleth-Audit.SSO:241] - 20170304T051641Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|cgdpbobencgencgajcnhfaeogmkllcfiehggikfb|google.com/a/civicom.ph|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sso.dialanote.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3398b67b08032db475cf09fcb62bc571|mon.test@civicom.ph|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|googleID|AAdzZWNyZXQxSkhb1LFcGcVQRNJyyidji9UmPdGJguM0Xi9rCDDce6kweY+ESkmtnYa8iS5pIhdmjIqGPnguHbvIU9aenFRGSfCF04ZRCMbDNamltCZ42JMp+wtg2P2MsPQ/uTfzsDKu|_6ea9393c99cee0617f40532f5a7bb0df|
```

By Karl Jaro user 03 Mar 2017 at 11:35 p.m. CST

Sahil, Thanks for the response. Where can I check the SP side? (sorry) Do you think it has something to do with certs? I tried reuploading the certs from Gluu, chmod it to 644 to be able to get it.

By Sahil Arora user 04 Mar 2017 at 1:56 a.m. CST

Doesn't seem to be related to certs. Can you please enable DEBUG logging to get the full SAML assertion, and use a SAML debugger to ensure all required attributes/nameID are being sent to the SP. You'd need to check SP side logs (please refer to SP docs for logs) for errors.
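
An added example (not part of the thread and not Gluu's code) of the check suggested above: it parses a `Shibboleth-Audit.SSO` line like the ones quoted in this thread and flags a missing `googleID` attribute or a NameID that is an opaque blob rather than the login name. The field names, the sample line and the assumption that the SP expects the login name as NameID belong to the example.

```python
import base64
import re

# Field names are assumptions, chosen to match the order of values seen in
# the Shibboleth-Audit.SSO lines quoted in this thread.
FIELDS = ["timestamp", "inbound_binding", "request_id", "sp_entity_id",
          "profile", "idp_entity_id", "outbound_binding", "response_id",
          "principal", "authn_context", "attributes", "name_id", "assertion_id"]

def parse_audit(line):
    """Split one pipe-delimited audit record (with or without log prefix)."""
    record = line.split(" - ", 2)[-1].strip()
    parts = record.split("|")
    if len(parts) < len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["attributes"] = [a for a in rec["attributes"].split(",") if a]
    return rec

def looks_opaque(value):
    """True for base64 blobs that decode to non-printable bytes."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{24,}={0,2}", value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return any(b < 0x20 or b > 0x7E for b in raw)

def name_id_findings(rec, required_attr="googleID"):
    """List what an SP expecting the login name as NameID would object to."""
    findings = []
    if required_attr not in rec["attributes"]:
        findings.append("attribute %s not released" % required_attr)
    nid = rec["name_id"]
    if not nid:
        findings.append("no NameID in response")
    elif nid != rec["principal"] and looks_opaque(nid):
        findings.append("NameID is an opaque value, not the login name")
    return findings

# Constructed sample in the shape of the audit lines above (not a real log).
_BLOB = base64.b64encode(bytes(range(200, 230))).decode()
SAMPLE = ("2017-03-04 05:27:21,227 - INFO [Shibboleth-Audit.SSO:241] - "
          "20170304T052721Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|req1|"
          "google.com/a/example.org|http://shibboleth.net/ns/profiles/saml2/sso/browser|"
          "https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
          "_resp1|user@example.org|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|"
          "googleID|" + _BLOB + "|_assert1|")
```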

By Karl Jaro user 06 Mar 2017 at 3:08 p.m. CST

I think this is related to the custom attribute that I made, which doesn't involve me creating a custom config folder. However, upon checking your latest documentation, I saw that you already removed that process. I also did not use this line that's in your documentation.

```
objectclass ( oxObjectClass:101 NAME 'gluuCustomPerson' SUP top AUXILIARY MAY (customTest) X-ORIGIN 'Gluu - Custom person objectclass' )
```

Instead, I changed the oxObjectClass:101 to (long number here that's the same from other objectClass).101

By Karl Jaro user 06 Mar 2017 at 3:18 p.m. CST

Also, do note that I'm connecting to Google, and followed everything on the setup guide to Google SSO. I'm only using Gluu for IDP. I tried logging again today, and I got [this error](http://pastebin.com/zkdhDLCE) from oxauth.log. Notable was:

```
2017-03-06 21:15:55,462 ERROR [qtp242131142-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:415) - Failed to get attributes from session
```

I tried it again, after including the declaration of nameID inside the for-each statement in my [attributes-resolver](http://pastebin.com/104gHgwP). [Log file](http://pastebin.com/md7wAzVR)

I did not upload idp-process because there's no errors. I think I just need to fix this attributes-resolver. Any ideas?

By Karl Jaro user 06 Mar 2017 at 6:38 p.m. CST

Resorted to using 2.4.4.2.

By Mohib Zico staff 07 Mar 2017 at 2:56 a.m. CST

Ok, an internal ticket created to do a quick QA for Google+3.0.1.

By Sahil Arora user 13 Mar 2017 at 9:21 p.m. CDT

We're able to successfully set up Google SSO with Gluu. Please reach out to us for your queries/concerns. Thanks

By Karl Jaro user 15 Mar 2017 at 8:32 p.m. CDT

Guys, Thank you so much for being helpful. I'm now using 2.4.4.2 sp3, as we need the SSO asap. If you don't mind, could you update your Google SSO setup documentation, for others? :)

By Mohib Zico staff 16 Mar 2017 at 2 a.m. CDT

Karl, It should be updated... If not can you please let us know? Your suggestion will be helpful for sure.