By: Shikha Mishra Account Admin 11 Aug 2017 at 6:18 a.m. CDT

11 Responses
We have referred to https://gluu.org/docs/ce/3.0.1/integration/saas/google/ to integrate GSuite with Gluu Server. We also created a custom attribute `googleid` and modified `/opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm`:

```
<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('mail') ) )
    <resolver:AttributeDefinition id="mail" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="email">
        <resolver:Dependency ref="siteLDAP"/>
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>
#end
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('googleid') ) )
    <resolver:AttributeDefinition id="googleid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="email">
        <resolver:Dependency ref="siteLDAP"/>
        <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    </resolver:AttributeDefinition>
#end
#foreach( $attribute in $attrParams.attributes )
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId') ) )
#if($attribute.name.equals('eppnForNIH'))
    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            friendlyName="eduPersonPrincipalName" encodeType="false" />
    </resolver:AttributeDefinition>
#else
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" so
```

We also modified `saml-nameid.xml`:

```
    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">
        <ref bean="shibboleth.SAML2TransientGenerator" />
        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <!-- <ref bean="shibboleth.SAML2PersistentGenerator" /> -->
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'googleid'} }" />
    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
        <ref bean="shibboleth.SAML1TransientGenerator" />
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
            p:attributeSourceIds="#{ {'googleid'} }" />
    </util:list>
</beans>
```

Gluu Server is throwing the warning messages below:

```
2017-08-11 10:51:39,659 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
2017-08-11 10:53:21,840 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
2017-08-11 11:02:03,422 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
```

By Michael Schwartz Account Admin 11 Aug 2017 at 3:02 p.m. CDT

Alex, can you take a look at this? They are trying to create a custom template. Not sure if that's actually required for Google.

By Aliaksandr Samuseu staff 11 Aug 2017 at 4:54 p.m. CDT

Hi, Shikha. If you really need to use a nameid of `unspecified` format, you also need to create an override in `relying-party.xml.vm`. Shib IdPv3 will never consider using it by default, AFAICR. Yet, I see you also defined a nameid of `email` type. This one should work, so if possible (if Google allows using it) I would recommend switching to it. Let me do a quick test..

By Vipin Jain named 14 Aug 2017 at 8:08 a.m. CDT

Hello Shikha,

Below are the results of our GSuite integration:

1. When we use the IdP-initiated URL, we get a "RelayState not found" error in GSuite.
2. When we use SP-initiated login, we get the Google login page, then we need to enter our org username, and then it goes to the Gluu login page.

How can we achieve SSO without being prompted to enter the username or getting the error?

Thanks

By Aliaksandr Samuseu staff 14 Aug 2017 at 8:34 a.m. CDT

Hi, Vipin. Please provide the actual URLs you use for both of those cases.

By Vipin Jain named 14 Aug 2017 at 8:59 a.m. CDT

Hello Aliaksandr,

Please find the following:

1. IdP-initiated: https://gluulab.example.com/idp/profile/SAML2/Unsolicited/SSO?providerId=google.com/a/domain.com
2. SP-initiated: google.com/a/domain.com

Thanks

By Vipin Jain named 14 Aug 2017 at 12:22 p.m. CDT

This is fixed. URL to be used: https://www.google.com/a/domaniname/ServiceLogin?continue=https://admin.google.com

By William Lowe user 14 Aug 2017 at 2:13 p.m. CDT

Ok, so we can close this ticket?

By Aliaksandr Samuseu staff 17 Aug 2017 at 1:41 p.m. CDT

Thanks for the details, Vipin, my observations are the same. I couldn't make IdP-initiated sign-in work.

Regarding the initial issue - Shikha, I think you could try to use the `urn:oasis:names:tc:SAML:2.0:nameid-format:email` nameid format instead of the `unspecified` one mentioned in our current doc. In IdPv3 you need to do additional work to make the latter one work, and it's generally not recommended to employ it at all these days. The `email` format seems to work pretty well for me so far. Please let us know whether it resolves your issue.

It also appears that in IdPv3 there is no longer any need to edit `attribute-resolver.xml.vm`. You just need to ensure that the following bean definition is placed in `saml-nameid.xml`:

```
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
    p:attributeSourceIds="#{ {'mail'} }"/>
```

...and also release the `email` attribute for this TR (can be done in the web UI). Talking of which, I'm a bit confused by this line in the file you provided before:

```
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('mail') ) )
```

That seems like it will actually prevent you from releasing the `email` attribute, as you're overriding it to release as a nameid. Not sure about the reason you had to do this, but I would recommend reverting to the original, unmodified `attribute-resolver.xml.vm` file for this test (as mentioned, you don't need to edit this file in IdPv3 for standard nameids of formats like `email`, `unspecified` etc.)

You also need to use updated metadata with a different nameid format (check the attachment). Please test it for yourself, Shikha, and let us know how it works for you.

By Aliaksandr Samuseu staff 17 Aug 2017 at 1:46 p.m. CDT

One more thing. You need to edit the metadata in the file I provided:

```
<EntityDescriptor entityID="google.com/a/your-domain.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:email</NameIDFormat>
        <AssertionConsumerService index="1"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.google.com/a/your-domain.com/acs"></AssertionConsumerService>
    </SPSSODescriptor>
</EntityDescriptor>
```

Instead of all occurrences of `google.com/a/your-domain.com`, use ones containing your own domain at Google.

By Aliaksandr Samuseu staff 17 Aug 2017 at 1:48 p.m. CDT

I think it would be even better to use

```
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
    p:attributeSourceIds="#{ {'mail'} }"/>
```

..instead of (or in addition to)

```
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'mail'} }" />
```

..in your `saml-nameid.xml`.
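The three posts above (the `email` recommendation, the corrected Google metadata, and the `SAML:2.0` versus `SAML:1.1` bean) all hinge on one thing: whether the format the SP advertises in its metadata lines up with a generator configured in `saml-nameid.xml`. The script below is an added example for this thread, not Gluu or Shibboleth code, that models that matching so a reader can check a metadata/`saml-nameid.xml` pair offline before reloading the IdP. It assumes two things taken from the thread rather than verified against the Shibboleth sources: that SP metadata listing the `unspecified` format is discarded entirely (the `MetadataNameIdentifierFormatStrategy` WARN line in Shikha's log), after which the IdP falls back to its default transient generator unless a `relying-party.xml` override exists, and that otherwise the IdP walks the SP's advertised formats in order and emits the first one with a configured generator. All function names, the sample metadata (built from the skeleton Aliaksandr posted), the sample `saml-nameid.xml` and the sample assertion are constructed for this example.

```python
"""Model of how an IdPv3 NameID format gets chosen for an SP (added example,
not Gluu/Shibboleth code; see the assumptions stated in the lead-in)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEANS_NS = "http://www.springframework.org/schema/beans"
UTIL_NS = "http://www.springframework.org/schema/util"
P_NS = "http://www.springframework.org/schema/p"

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
EMAIL_11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def sp_nameid_formats(metadata_xml):
    """NameIDFormat values the SP advertises. Returns [] when 'unspecified' is
    among them, mirroring the log line "Ignoring NameIDFormat metadata that
    includes the 'unspecified' format" (assumption: the whole list is dropped)."""
    root = ET.fromstring(metadata_xml)
    formats = [e.text.strip() for e in root.iter("{%s}NameIDFormat" % MD_NS) if e.text]
    return [] if UNSPECIFIED in formats else formats


def configured_generators(saml_nameid_xml):
    """Formats the shibboleth.SAML2NameIDGenerators list in saml-nameid.xml can
    produce: the transient ref plus each attribute-sourced bean's p:format."""
    root = ET.fromstring(saml_nameid_xml)
    formats = []
    for lst in root.iter("{%s}list" % UTIL_NS):
        if lst.get("id") != "shibboleth.SAML2NameIDGenerators":
            continue
        for child in lst:
            if child.tag == "{%s}ref" % BEANS_NS and child.get("bean") == "shibboleth.SAML2TransientGenerator":
                formats.append(TRANSIENT)
            elif child.tag == "{%s}bean" % BEANS_NS and child.get("{%s}format" % P_NS):
                formats.append(child.get("{%s}format" % P_NS))
    return formats


def choose_nameid_format(metadata_xml, saml_nameid_xml, override=None, default=TRANSIENT):
    """Format the IdP will emit for this SP, or None if no configured generator
    matches anything the SP asked for (simplification of the real error path)."""
    if override:                       # a relying-party.xml override wins (assumption)
        return override
    wanted = sp_nameid_formats(metadata_xml)
    if not wanted:                     # nothing usable advertised -> IdP default
        return default
    available = configured_generators(saml_nameid_xml)
    for fmt in wanted:                 # SP's order, first configured match wins
        if fmt in available:
            return fmt
    return None


def assertion_nameid(assertion_xml):
    """(Format, value) of the Subject NameID in an issued assertion; useful for
    confirming what the IdP actually sent after the config change."""
    nid = ET.fromstring(assertion_xml).find(".//{%s}Subject/{%s}NameID" % (SAML_NS, SAML_NS))
    return None if nid is None else (nid.get("Format"), (nid.text or "").strip())


def google_metadata(nameid_format, domain="your-domain.com"):
    # Constructed from the metadata skeleton posted above; domain is a placeholder.
    return """<EntityDescriptor entityID="google.com/a/%s" xmlns="%s">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>%s</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/%s/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>""" % (domain, MD_NS, nameid_format, domain)


def saml_nameid_config(*formats):
    # Constructed minimal saml-nameid.xml: transient ref plus one
    # attribute-sourced bean per format, all sourced from the 'mail' attribute.
    beans = "".join(
        '    <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:format="%s" '
        'p:attributeSourceIds="#{ {\'mail\'} }"/>\n' % f for f in formats)
    return ('<beans xmlns="%s" xmlns:p="%s" xmlns:util="%s">\n'
            '  <util:list id="shibboleth.SAML2NameIDGenerators">\n'
            '    <ref bean="shibboleth.SAML2TransientGenerator"/>\n'
            '%s  </util:list>\n</beans>' % (BEANS_NS, P_NS, UTIL_NS, beans))


# Constructed sample of what a corrected IdP would issue (values are placeholders).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="%s" ID="_c1" Version="2.0" IssueInstant="2017-08-17T18:00:00Z">
  <saml2:Issuer>https://gluulab.example.com/idp/shibboleth</saml2:Issuer>
  <saml2:Subject><saml2:NameID Format="%s">user@example.com</saml2:NameID></saml2:Subject>
</saml2:Assertion>""" % (SAML_NS, EMAIL_20)


if __name__ == "__main__":
    old_md, new_md = google_metadata(UNSPECIFIED), google_metadata(EMAIL_20)
    print(choose_nameid_format(old_md, saml_nameid_config(UNSPECIFIED)))  # transient: 'unspecified' bean never reached
    print(choose_nameid_format(new_md, saml_nameid_config(EMAIL_11)))     # None: SAML 1.1 emailAddress != SAML 2.0 email
    print(choose_nameid_format(new_md, saml_nameid_config(EMAIL_20)))     # SAML 2.0 email
    print(assertion_nameid(SAMPLE_ASSERTION))
```

The middle case is the one worth noticing: with Google's metadata advertising the SAML 2.0 `email` URN, a `saml-nameid.xml` that only carries the SAML 1.1 `emailAddress` bean matches nothing, which is why the post above suggests adding the 2.0 bean rather than relying on the 1.1 one.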

By Shikha Mishra Account Admin 20 Aug 2017 at 11:52 p.m. CDT

Thanks, the issue is fixed. Please close this ticket.