By: Chris Abel user 07 Mar 2017 at 1:10 p.m. CST

32 Responses
Does anyone know of a step by step guide to create the nameid attribute that is written in the Google Apps integration documentation? I'm extremely confused and the documentation for this seems to be all over the place. I keep reading about nameID, googleID, and transientID and have no idea what I need to do to get this working with Google.

Do I need to follow this guide to create a custom attribute named nameID? Should it be named nameID or something else like googleID? [https://gluu.org/docs/ce/latest/admin-guide/saml/#custom-attributes](https://gluu.org/docs/ce/latest/admin-guide/saml/#custom-attributes) If so, where would I "Add custom attribute to gluuCustomPerson objectClass"? What file does that go in? And then there is this "register Attribute" in the oxTrust GUI. Is this just another way to add a custom attribute, or does this need to be performed in addition to?

I'm also confused by the whole defining nameID section. What exactly am I doing here? Am I tying my custom attribute to the NameID attribute? If there is already a nameID attribute, what is the reason for adding another custom attribute?

Thanks! Hopefully someone can better explain this custom attribute stuff to me than the documentation.

By Joseph Christie user 07 Mar 2017 at 1:44 p.m. CST

Hi Chris, let's handle this step by step.

1. NameID and TransientId are both the same, however different products use different names or terminology to define them. In Gluu we use Transient ID to refer to NameID, which is nothing but the same NameID used in SAML 2.0. SP and IdP usually communicate with each other about a subject. That subject should be identified through a NAME-IDentifier, which should be in some format so that it is easy for the other party to identify it based on the Format. Shibboleth uses another format for the same NameID in the form of transientID. You can follow this article for more clarification; links are provided within: [Different Nameid Format](http://stackoverflow.com/questions/11693297/what-are-the-different-nameid-format-used-for)

```
example:
- 1.urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default]
- 2.urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- 3.urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- 4.urn:oasis:names:tc:SAML:2.0:nameid-format:transient
```

2. Yes, you need to create a custom NameID attribute, if you don't have one already to use with Google Apps. This is clearly outlined in the docs which you have mentioned. If you aren't comfortable adding custom attributes through Gluu LDAP, you can add them through the "Register Attribute" button. And that's what is mentioned in the docs.

3. And where to add the custom attribute is already mentioned in the docs. You have to follow the steps below to add a custom attribute.
   - Add custom attribute to /opt/gluu/schema/openldap/custom.schema

4. Yes, "Register Attribute" in the oxTrust UI is another way to add an attribute through the interface for ease of the user.

Please feel free to let us know if you still have queries; we will help you understand. And also, let us know how you think we can improve the documentation to make this more clear. If you really want to help, submit a PR on the [docs GitHub Project](https://github.com/GluuFederation/docs-3.0.1).

By Dario T. user 08 Mar 2017 at 8:55 a.m. CST

Hello Joseph, I have a similar problem as Chris, as part of the integration of an application with Gluu that requires a specific NameID with email format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). Your response to Chris confused me. From my understanding:

1. The creation of a new attribute in the LDAP schema is mandatory. It is only after that that you must register the attribute via "Register Attribute".
2. Once the attribute is created and saved, it is necessary to make changes to the attribute-resolver.xml.vm file so that the attribute will be considered as NameID (SAML2StringNameID).
3. In the Trust Relationship in Gluu for the application to be connected, it is necessary to release this attribute.

Is my understanding correct? In my case, I performed all of steps 1, 2 and 3. But the custom attribute is never released; instead a NameID is released with the format urn:oasis:names:tc:SAML:2.0:nameid-format:transient, e.g.:

```
NameId : AAdzZWNyZXQxSNcKy4lY+60XkQdOOJi4A9NHIvJpzgbEvYP5...==
format : urn:oasis:names:tc:SAML:2.0:nameid-format:transient
```

I'm using Gluu 3.0.1. Regards

By Chris Abel user 08 Mar 2017 at 9:49 a.m. CST

Here are the steps I performed...

I created a custom attribute named googleID in /opt/gluu/schema/openldap/custom.schema. This file had a lot of other custom attributes (for examples, I presume?). I removed them all and added this:

```
attributetype ( oxAttribute:1003 NAME 'googleID'
    SUBSTR caseIgnoreSubstringsMatch
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    X-ORIGIN 'Gluu - googleID person attribute' )

objectclass ( oxObjectClass:101 NAME 'gluuCustomPerson'
    SUP top
    AUXILIARY
    MAY (googleID)
    X-ORIGIN 'Gluu - googleID person objectclass' )
```

Then I issued the following command:

> service solserver restart

I then went into the oxTrust admin GUI and clicked "Register Attribute". I added the following:

> Name: googleID
>
> SAML 1 and SAML 2 URI: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>
> Type: Text
> Edit Type: Admin
> View Type: Admin and User
> Usage Type: Not Defined
> Multivalued: False
> Status: Active

I then added the following to the attribute definitions in /opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm (between </resolver:AttributeDefinition> and #else):

```
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleid') ) )
<resolver:AttributeDefinition id="googleid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
    <resolver:Dependency ref="siteLDAP"></resolver:Dependency>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ></resolver:AttributeEncoder>
</resolver:AttributeDefinition>
```

So the whole attribute definition section now looks like this:

```
<!-- ========================================== -->
<!--      Attribute Definitions                 -->
<!-- ========================================== -->
#foreach( $attribute in $attrParams.attributes )
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId') ) )
#if($attribute.name.equals('eppnForNIH'))
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</resolver:AttributeDefinition>
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleid') ) )
<resolver:AttributeDefinition id="googleid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
    <resolver:Dependency ref="siteLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
#else
<resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" encodeType="false" />
</resolver:AttributeDefinition>
#end
#end
#end
```

Then issue this: service identity restart

I have no idea if any of this is correct. If someone could check my performed steps and comment, that would be great. I have noticed that there is documentation for DropBox SSO that goes into depth about the custom nameid attribute, but the Google SSO documentation does not, and instead has a dead link to https://gluu.org/docs/customize/attributes/#custom-nameid which redirects to Gluu's homepage.

By Chris Abel user 08 Mar 2017 at 11:12 a.m. CST

So my setup is definitely not working. When I navigate to Gmail and try to log in as a user from my domain, it is redirected to my Gluu server, but I get the message "Service unavailable". Here is the sign in URL I am using inside Google admin: https://myorg.com/idp/profile/SAML2/Redirect/SSO

My Apache error log looks like this:

```
[Wed Mar 08 17:29:18.953479 2017] [proxy:error] [pid 27145:tid 140071130871552] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8086 (localhost) failed
[Wed Mar 08 17:29:18.953681 2017] [proxy:error] [pid 27145:tid 140071130871552] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 5s
[Wed Mar 08 17:29:18.953707 2017] [proxy_http:error] [pid 27145:tid 140071130871552] [client 10.131.0.227:61799] AH01114: HTTP: failed to make connection to backend: localhost, referer: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
```

EDIT: I was able to get around the Service Unavailable message by doing a complete reinstall. It is related to another bug. Now Google will redirect the user to my SSO page, but the page displays this:

> Web Login Service - Unsupported Request
> The application you have accessed is not registered for use with this service.

Here is what idp-process.log shows me:

```
2017-03-08 20:21:56,855 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for google.com in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2017-03-08 20:21:56,862 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-03-08 20:21:56,865 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

By Sahil Arora user 08 Mar 2017 at 9:27 p.m. CST

We are doing QA for Google+3.0.1, will get back to you shortly.

By Sahil Arora user 10 Mar 2017 at 8:14 p.m. CST

Chris, what is the Google SP you're trying to access? Please confirm whether the "Use a domain specific issuer" checkbox on the Google SSO settings page is checked or not.

By Chris Abel user 13 Mar 2017 at 12:20 p.m. CDT

I am trying to set up G Suite so that when my users log into any Google service, they are redirected to my Gluu server for authentication. I do not have "Use a domain specific issuer" checked.

By Sahil Arora user 13 Mar 2017 at 1:45 p.m. CDT

Please use **entityID="google.com"** in the metadata when "Use a domain specific issuer" is unchecked. Let me know how it goes.

By Sahil Arora user 13 Mar 2017 at 9:24 p.m. CDT

Chris, we are able to set up Google SSO with Gluu successfully. I'll assist you with the setup. Thanks

By Chris Abel user 15 Mar 2017 at 9:46 a.m. CDT

Thanks for the help Sahil! I am definitely closer now. It seems that I am directed to the Gluu SSO page now and I am able to authenticate, but something is wrong with my attribute? Google is sending this message after authenticating:

```
This account cannot be accessed because we could not parse the login request.
We are unable to process your request at this time, please try again later.
```

My idp-process.log file shows this:

```
2017-03-15 14:43:53,903 - INFO [org.gluu.oxauth.client.authentication.AuthenticationFilter:51] - Property [oxauth.authorize.url] loaded from oxTrust.properties
2017-03-15 14:43:53,904 - INFO [org.gluu.oxauth.client.authentication.AuthenticationFilter:51] - Property [oxauth.client.id] loaded from oxTrust.properties
2017-03-15 14:43:53,904 - INFO [org.gluu.oxauth.client.authentication.AuthenticationFilter:51] - Property [oxauth.client.scope] loaded from oxTrust.properties
2017-03-15 14:43:58,268 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.authorize.url] loaded from oxTrust.properties
2017-03-15 14:43:58,270 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.token.url] loaded from oxTrust.properties
2017-03-15 14:43:58,274 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.token.validation.url] loaded from oxTrust.properties
2017-03-15 14:43:58,275 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.userinfo.url] loaded from oxTrust.properties
2017-03-15 14:43:58,275 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.client.id] loaded from oxTrust.properties
2017-03-15 14:43:58,275 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:51] - Property [oxauth.client.password] loaded from oxTrust.properties
2017-03-15 14:43:58,549 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:151] - validate check session status:200
2017-03-15 14:43:58,550 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in
2017-03-15 14:43:58,774 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: taccount
2017-03-15 14:43:58,783 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:240] - Profile Action ResolveAttributes: Error resolving attributes: Invalid Attribute resolver configuration
2017-03-15 14:43:58,839 - WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:91] - Relay state exceeds 80 bytes, some peers may not support this.
2017-03-15 14:43:58,846 - INFO [Shibboleth-Audit.SSO:241] - 20170315T144358Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|leipldpfonfifdbilcmaofimogijabfcchcgdnoe|google.com|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://sso.mydomain.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_22ef24cbf2c0096f4f5f601b6da334f2|taccount|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|||_fdd8a4f90744f022de9c09fc25ced390|
```

Something seems to be wrong with my attribute-resolver.xml file. I am getting the following error in idp-warn.log:

```
Caused by: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from file [/opt/shibboleth-idp/conf/attribute-resolver.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Premature end of file.
```

And the file is completely empty.

By Sahil Arora user 15 Mar 2017 at 5:20 p.m. CDT

It seems the attribute-resolver.xml.vm file under /opt/gluu/jetty/identity/conf/shibboleth3/idp/ is not correct. Please follow this [doc](https://gluu.org/docs/ce/3.0.1/admin-guide/saml/#custom-nameid) to define NameID. Also, you'd need to release the NameID attribute in /opt/shibboleth-idp/conf/saml-nameid.xml

By Chris Abel user 16 Mar 2017 at 10:24 a.m. CDT

Thanks Sahil. It is unclear where to add the declaration for the new attribute to attribute-resolver. My file looks like this and I'm guessing it's not right:

```
<!-- ========================================== -->
<!--      Attribute Definitions                 -->
<!-- ========================================== -->
#foreach( $attribute in $attrParams.attributes )
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId') ) )
#if($attribute.name.equals('eppnForNIH'))
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</resolver:AttributeDefinition>
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleid') ) )
<resolver:AttributeDefinition id="googleid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="uid">
    <resolver:Dependency ref="siteLDAP"></resolver:Dependency>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ></resolver:AttributeEncoder>
</resolver:AttributeDefinition>
#else
<resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" encodeType="false" />
</resolver:AttributeDefinition>
#end
#end
#end
```

I uncommented this part of saml-nameid.xml:

```
<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" />
```

I'm surprised the documentation doesn't say to do this...

By Sahil Arora user 16 Mar 2017 at 5:18 p.m. CDT

OK, let's do it this way.

- Remove the code you added in attribute-resolver.xml.vm and do "service identity restart".
- The /opt/shibboleth-idp/conf/attribute-resolver.xml file should look like below:

```
<resolver:AttributeDefinition xsi:type="ad:Simple" id="googleID" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="googleID" encodeType="false" />
</resolver:AttributeDefinition>
```

- The `p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"` part in saml-nameid.xml has to match the nameid param of the Google metadata.
- Make sure you're releasing googleID in the TR.

By Chris Abel user 17 Mar 2017 at 2:57 p.m. CDT

OK, so the /opt/shibboleth-idp/conf/attribute-resolver.xml file is no longer empty and it looks like this:

```
<resolver:AttributeDefinition xsi:type="ad:Simple" id="googleID" sourceAttributeID="googleID">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" friendlyName="googleID" encodeType="false" />
</resolver:AttributeDefinition>
```

There is no mail attribute source though, and when I log in, my logs show me this now:

```
2017-03-17 19:55:24,155 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:151] - validate check session status:200
2017-03-17 19:55:24,155 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in
2017-03-17 19:55:24,308 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: cabel
2017-03-17 19:55:24,417 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [mail] did not produce a usable identifier
2017-03-17 19:55:24,499 - WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:91] - Relay state exceeds 80 bytes, some peers may not support this.
```

Google gives me the same error.

By Sahil Arora user 17 Mar 2017 at 6:52 p.m. CDT

> INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [mail] did not produce a usable identifier

This is because your saml-nameid.xml expects the {'mail'} attribute but you're releasing googleID. Please update saml-nameid.xml for googleID.

By Chris Abel user 23 Mar 2017 at 12:36 p.m. CDT

OK. I'm back to the "Error resolving attributes: Invalid Attribute resolver configuration" message.

```
2017-03-23 17:19:55,450 - INFO [org.gluu.oxauth.client.validation.OAuthValidationFilter:157] - Session validation successful. User is logged in
2017-03-23 17:19:55,687 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: cabel
2017-03-23 17:19:56,128 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:240] - Profile Action ResolveAttributes: Error resolving attributes: Invalid Attribute resolver configuration
2017-03-23 17:19:56,304 - WARN [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:154] - Unable to locate AttributeContext
```

My /opt/shibboleth-idp/conf/attribute-resolver.xml looks like this:

```
<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="googleID" sourceAttributeID="googleID">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" friendlyName="googleID" encodeType="false" />
    </resolver:AttributeDefinition>

    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->

    <resolver:DataConnector id="siteLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
        <!-- <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes> -->
        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
        </dc:StartTLSTrustCredential>
    </resolver:DataConnector>

</resolver:AttributeResolver>
```

By Chris Abel user 24 Mar 2017 at 2:27 p.m. CDT

EDIT: I cleared my cookies and now the idp-process.log file is giving me this:

```
2017-03-24 19:47:41,135 - INFO [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:227] - Attribute sources [googleID] did not produce a usable identifier
```

EDIT AGAIN: I restarted the Gluu server to see if that would have an effect and now I'm back to this:

```
2017-03-24 20:18:03,684 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:240] - Profile Action ResolveAttributes: Error resolving attributes: Invalid Attribute resolver configuration
2017-03-24 20:18:03,769 - WARN [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:154] - Unable to locate AttributeContext
```

Is there any sort of documentation available on the web that I can look at and check my work with? I've found some Shibboleth documentation for Google Apps, but it seems different than what I've been told here and I don't know what is required for Gluu and what is not. Gluu seems to have a mix of GUI configurations and file configurations and it is very confusing. I can't be the only person that feels this way...

By Sahil Arora user 24 Mar 2017 at 5:56 p.m. CDT

Here are the detailed instructions, available in the docs too. I am providing instructions based on your setup. Please compare with it and update your setup.

1. Create a Custom Attribute in Gluu 3.0.1.
2. Create a User with the same Email ID as used in setting up the Google Account. In your case, you'd also associate the googleID attribute to it and set its value to the same email.
3. Create a TR with the below metadata, and release googleID.

Metadata for Google SSO:

```
<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/domain.com/acs" ></AssertionConsumerService>
    </SPSSODescriptor>
</EntityDescriptor>
```

4. /opt/shibboleth-idp/conf/attribute-resolver.xml should look like the following:

```
<resolver:AttributeDefinition id="googleID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="googleID">
    <resolver:Dependency ref="siteLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email" />
</resolver:AttributeDefinition>
```

5. /opt/shibboleth-idp/conf/saml-nameid.xml should be like below:

```
<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" p:attributeSourceIds="#{ {'googleID'} }"/>
```

We have already updated our document [here](https://gluu.org/docs/ce/3.0.1/admin-guide/saml/#defining-nameid) with these instructions. Please make note that the metadata, attribute-resolver.xml and saml-nameid.xml files have the nameid used as **urn:oasis:names:tc:SAML:2.0:nameid-format:email**.

By Chris Abel user 27 Mar 2017 at 11:56 a.m. CDT

I've followed these instructions exactly and I am receiving the same error:

```
ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:240] - Profile Action ResolveAttributes: Error resolving attributes: Invalid Attribute resolver configuration
2017-03-27 16:09:42,320 - WARN [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:154] - Unable to locate AttributeContext
```

My /opt/shibboleth-idp/conf/attribute-resolver.xml file does not look exactly like yours; it looks like this:

```
<resolver:AttributeDefinition xsi:type="ad:Simple" id="googleID" sourceAttributeID="googleID">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" friendlyName="googleID" encodeType="false" />
</resolver:AttributeDefinition>
```

The documentation you linked to includes some unclear documentation about the attribute-resolver.xml.vm, but you have instructed me not to touch that file. Is this where the problem is?

Also, the nameid format should look like this:

```
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
```

Your nameid format (**urn:oasis:names:tc:SAML:2.0:nameid-format:email**) is not a valid format according to the OASIS specs: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
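The two mismatches the exchange above turns on (a saml-nameid.xml generator sourcing an attribute that attribute-resolver.xml does not define, which produces the "did not produce a usable identifier" log line, and a NameID format URN that neither the SAML specs define nor the SP metadata advertises) can be caught before restarting the IdP. The Python below is an added example, not code from this thread, Gluu or Shibboleth; its SP metadata and config fragments are constructed to mirror the setup discussed, with the Spring `p:` namespace assumed for the bean attributes.

```python
"""Cross-check the three files a Shibboleth/Gluu NameID setup depends on: SP metadata,
attribute-resolver.xml and saml-nameid.xml. Added example, not code from Gluu or the thread."""
import re
import xml.etree.ElementTree as ET

# NameID Format URIs defined by the OASIS SAML 1.1 and SAML 2.0 core specifications.
VALID_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
RESOLVER_NS = "{urn:mace:shibboleth:2.0:resolver}"
P_NS = "{http://www.springframework.org/schema/p}"


def _parse_fragment(fragment: str) -> ET.Element:
    """Parse a snippet or whole file; the wrapper declares the prefixes snippets omit."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", fragment)
    wrapper = ('<root xmlns:resolver="urn:mace:shibboleth:2.0:resolver" '
               'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
               f'xmlns:p="http://www.springframework.org/schema/p">{body}</root>')
    return ET.fromstring(wrapper)


def sp_nameid_formats(metadata_xml: str) -> list:
    """NameIDFormat values the SP advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iter(f"{MD_NS}NameIDFormat") if e.text]


def resolver_attribute_ids(resolver_xml: str) -> set:
    """ids of the AttributeDefinitions present in attribute-resolver.xml."""
    root = _parse_fragment(resolver_xml)
    return {e.get("id") for e in root.iter(f"{RESOLVER_NS}AttributeDefinition") if e.get("id")}


def nameid_generators(nameid_xml: str) -> list:
    """(p:format, [attribute source ids]) for each attribute-sourced NameID generator bean."""
    generators = []
    for bean in _parse_fragment(nameid_xml).iter():
        if bean.tag.split("}")[-1] != "bean" or bean.get("parent") != "shibboleth.SAML2AttributeSourcedGenerator":
            continue
        # p:attributeSourceIds is a SpEL list literal such as "#{ {'mail'} }"
        sources = re.findall(r"'([^']+)'", bean.get(f"{P_NS}attributeSourceIds", ""))
        generators.append((bean.get(f"{P_NS}format", ""), sources))
    return generators


def check_nameid_config(metadata_xml: str, resolver_xml: str, nameid_xml: str) -> list:
    """Return findings; an empty list means the three files agree."""
    findings = []
    sp_formats = sp_nameid_formats(metadata_xml)
    attr_ids = resolver_attribute_ids(resolver_xml)
    for fmt in sp_formats:
        if fmt not in VALID_NAMEID_FORMATS:
            findings.append(f"metadata: NameIDFormat {fmt!r} is not an OASIS-defined format")
    for fmt, sources in nameid_generators(nameid_xml):
        if fmt not in VALID_NAMEID_FORMATS:
            findings.append(f"saml-nameid.xml: p:format {fmt!r} is not an OASIS-defined format")
        if sp_formats and fmt not in sp_formats:
            findings.append(f"saml-nameid.xml: p:format {fmt!r} is not a NameIDFormat the SP advertises")
        for src in sources:
            if src not in attr_ids:  # the cause of "Attribute sources [mail] did not produce a usable identifier"
                findings.append(f"saml-nameid.xml: source {src!r} has no AttributeDefinition in attribute-resolver.xml")
    return findings


# Constructed sample inputs (not from a live system) modelled on the thread's setup.
SP_METADATA = """<EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""
RESOLVER_FRAGMENT = """<resolver:AttributeDefinition xsi:type="ad:Simple" id="googleID" sourceAttributeID="googleID">
  <resolver:Dependency ref="siteLDAP"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="googleID" encodeType="false"/>
</resolver:AttributeDefinition>"""
# Broken: sources 'mail', which is not defined above, and uses a URN no SAML spec defines.
NAMEID_BROKEN = """<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" p:attributeSourceIds="#{ {'mail'} }"/>"""
# Fixed: sources the released attribute and uses the SAML 1.1 emailAddress URN the SP asks for.
NAMEID_FIXED = """<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'googleID'} }"/>"""

if __name__ == "__main__":
    for label, cfg in (("broken", NAMEID_BROKEN), ("fixed", NAMEID_FIXED)):
        print(label, check_nameid_config(SP_METADATA, RESOLVER_FRAGMENT, cfg) or ["OK"])
```

The checker accepts whole files as well as fragments, so it can be pointed at a live /opt/shibboleth-idp/conf/ pair and the TR's metadata to find this class of mismatch without a login round-trip.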

By Sahil Arora user 28 Mar 2017 at 10:11 p.m. CDT

Let me get back to you on this Chris.

By Raji Manoharan user 02 Apr 2017 at 7:36 p.m. CDT

Hi Sahil, I have the same issue. Please help me to point out the step by step guide or document to create a custom name id policy with email Address and with the unspecified, i.e. Gluu nameID format:

- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Email Address: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Use Case: Trying to integrate Gluu as IdP with ServiceNow as SAML SP (Outbound SAML).

What's working:

- ServiceNow (SP) SAML properties are configured as required.
- Gluu (IdP) properties have been configured as required.
- ServiceNow can successfully redirect users to the Gluu login page.
- Gluu (IdP) can authenticate the user successfully.
- Gluu (IdP) sends the SAML response back to ServiceNow.

What's not working:

Based on the current SAML configuration on both systems, ServiceNow can successfully validate the Gluu response without giving any errors in the logs. However, Gluu (IdP) is sending a 156 character string in the NameID tag of the SAML response which is not recognised by ServiceNow (as per the logs the user cannot be found to log them in). The expected value in the NameID tag of the SAML response should be the username / email to find the correct user and log them in to ServiceNow. Collectively we tried all 4 combinations of nameID format in both systems but none of the combinations gave us positive results. For some of the combinations we didn't even get a valid SAML response in SN and for some combinations Gluu couldn't validate the nameID format.

Pasting the SAML response below:

```
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://instance.service-now.com/navpage.do" ID="_6f846baabec143bc3853c153d767282b" InResponseTo="SNC21359d3ca3a3934ec6d3c9ce9af85cf6" IssueInstant="2017-03-30T05:41:42.048Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://domain/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
  </saml2p:Status>
  <saml2:Assertion ID="_20809931162394f8a4345ae484b57778" IssueInstant="2017-03-30T05:41:42.048Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://domain/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
        <ds:Reference URI="#_20809931162394f8a4345ae484b57778">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
          <ds:DigestValue>pP6yySGkRiPQ3qa6uReM6xoWWIc/ONZrNwqBzx7lzG4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue> // A valid key </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://domain/idp/shibboleth" SPNameQualifier="https://dev33269.service-now.com">AAdzZWNyZXQxg5ZDpfdjyJrRIMoOVsudgx+qZGBYIPOJzCyfdfpqWC28NCFNfHCN0Ev8hEl6Nbc9uUJI+J7zRtxAdvIe8/Z9DmlzxWpdwec0ggIZPgpypMMqokcKv+hLR6zsjqmPUP7Vd6nL1QMSL96Igjc=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="127.0.0.1" InResponseTo="SNC21359d3ca3a3934ec6d3c9ce9af85cf6" NotOnOrAfter="2017-03-30T05:46:42.056Z" Recipient="https://dev33269.service-now.com/navpage.do"></saml2:SubjectConfirmationData>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-03-30T05:41:42.048Z" NotOnOrAfter="2017-03-30T05:46:42.048Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://dev33269.service-now.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-03-30T05:41:42.000Z" SessionIndex="_5f63709ca63f1c24910e9816428a2c8b">
      <saml2:SubjectLocality Address="127.0.0.1"></saml2:SubjectLocality>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>krutik.patel</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>krutik.patel@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
```

By Sahil Arora user 04 Apr 2017 at 10:31 p.m. CDT

Chris, can you try the attached document on a fresh setup and let me know how it goes?

By Chris Abel user 05 Apr 2017 at 12:36 p.m. CDT

Sahil, you want me to try the documentation with a fresh install of Gluu? Any way to back up my existing Gluu setup before doing so?

By Sahil Arora user 05 Apr 2017 at 6:01 p.m. CDT

Yes Chris, let's try on a fresh install. [Here](https://gluu.org/docs/ce/3.0.1/operation/backup/) are the instructions to take a backup.

By Sahil Arora user 10 Apr 2017 at 11:09 p.m. CDT

Chris, please update on the setup status.

By Chris Abel user 11 Apr 2017 at 3:53 p.m. CDT

Sorry for the delay. The documentation works with a clean install of Gluu. I am now trying to set up cache refresh with my AD server so that my AD users can authenticate to G Suite. Having a few issues here, but let me try to work them out and I'll report back. Thanks

By Sahil Arora user 11 Apr 2017 at 4:58 p.m. CDT

Great, let's close this ticket as Google SSO is working fine. Please feel free to open another ticket for issues you may have. Thanks

By William Lowe user 28 Nov 2017 at 1:08 p.m. CST

In case anyone else needs the Gluu/Google SSO doc attached above by Sahil, it can be viewed [here](https://drive.google.com/file/d/1Djut6vHCR0Pxj8C2O-ErFZ53RopivqDZ/view?usp=sharing).

By Emma Richardson user 31 Mar 2019 at 4:50 p.m. CDT

I just wanted to say a huge thank you for detailing this out. At no point anyway was the little piece about the attribute URIs mentioned! Would be great if this was added to the documentation for setting up the nameid.

By William Lowe user 31 Mar 2019 at 9:07 p.m. CDT

Emma, can you push a merge update to our docs? They're all accessible on GitHub. Each doc has a little pencil icon in the top right corner that will take you to the specific page's source on GitHub. Thanks in advance, Will

By Emma Richardson user 31 Mar 2019 at 9:13 p.m. CDT

Yes, I will do that tomorrow.

By William Lowe user 31 Mar 2019 at 9:22 p.m. CDT

Thank you! We always greatly appreciate the community's extra eyes and contributions to the documentation...there's a lot! I'm glad you were able to find your answer here on the portal.