By: Mike Sherman user 01 Dec 2017 at 3:01 p.m. CST

14 Responses
Hello, I am trying to set up SAML authentication from Tableau to multiple Salesforce instances using Gluu. I would like for users to go to the URL for the login page for Tableau and be redirected to Gluu. From Gluu, I would like users to have the choice of multiple IDP's (in this case multiple Salesforce instances). When they choose their IDP they would be redirected to the login page for that Salesforce instance. After they log into that IDP, it should then send a SAML response to Tableau to authenticate the user. Is this possible with Gluu? I have attempted this in a few different ways but I am unfamiliar with Gluu and have not been successful. It seems like outbound SAML makes the most sense in this situation but I am not sure. I tried following the guides for inbound SAML using Passport.js but I ran into an issue where Passport required a json file (passport-saml-config.json) from the IDP but Salesforce only generates an XML file for SAML authentication. I am mainly looking for direction on how to set this up since I am new to Gluu. We currently use the Ping platform for this and I would like to use Gluu instead if it can support what we are trying to do. Thank you, Mike

By William Lowe user 01 Dec 2017 at 4:22 p.m. CST

Hi Mike, This is an inbound SAML requirement. Basically, any time you need to support an external IDP for user authentication, that falls under the umbrella of inbound SSO. Assigning to the developer who wrote the passport docs to see if we can provide some additional assistance. Thanks, Will

By Arvind Tomar staff 02 Dec 2017 at 10:21 a.m. CST

Hi Mike,

> I tried following the guides for inbound SAML using Passport.js but I ran into an issue where Passport required a json file (passport-saml-config.json) from the IDP but Salesforce only generates an XML file for SAML authentication.

passport-saml-config.json is for configuring details for multiple IDPs. If you set up the right configuration, the passport server will set up the metadata for you in XML format, which you can use easily. Can you please explain which part you were not able to understand, where I can help with the docs? If you have tried, can you send me the passport server logs? Thanks, Arvind Tomar

By Mike Sherman user 04 Dec 2017 at 4:02 p.m. CST

Hi Arvind, I am following the documentation here: https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/ and I am trying to understand how to get the IDP information into Gluu and how to get the XML file from Gluu to put into the SP (Tableau). I see there is a section for onboarding a new IDP. Do I just manually add IDP's to the file /etc/gluu/conf/passport-config.json? Tableau requires a single XML file for the IDP. From Tableau's perspective the IDP will be Gluu. Where do I find the XML file for Gluu to be used on Tableau? Thank you, Mike

By William Lowe user 04 Dec 2017 at 4:10 p.m. CST

> Do I just manually add IDP's to the file /etc/gluu/conf/passport-config.json?

Yes.

> Where do I find the XML file for Gluu to be used on Tableau?

Your Gluu Server's SAML IDP metadata can be found at `https://hostname/idp/shibboleth`.

By Mike Sherman user 05 Dec 2017 at 1:49 p.m. CST

Thank you. I have made some progress but I am still missing something. I am able to get Tableau to redirect to Gluu but then I get this:

```
Web Login Service - Unsupported Request
The application you have accessed is not registered for use with this service.
```

How do I register Tableau with Gluu? Do I need to create a Trust Relationship? I tried setting this up using the XML file that I exported from Tableau but I still get the same error. Are there logs on the server that can help me to troubleshoot this issue further? Thank you, Mike

By Aliaksandr Samuseu staff 05 Dec 2017 at 5:53 p.m. CST

Hi, Mike.

> Web Login Service - Unsupported Request The application you have accessed is not registered for use with this service.

Have you added a Trust Relationship for Tableau (which, I believe, plays the role of SP in this setup, i.e. it tries to use Gluu itself as IdP)? So far you've been following the doc for adding an authentication method to be used by Gluu itself. You also need to create a TR for your SP(s) that will be using Gluu as IdP. Here is the doc you need: [link](https://gluu.org/docs/ce/admin-guide/saml/#create-a-trust-relationship)

> Are there logs on the server that can help me to troubleshoot this issue further?

For clues on issues with Gluu's IDP please check `/opt/shibboleth-idp/logs/idp-process.log` inside the container.

By Arvind Tomar staff 05 Dec 2017 at 9:58 p.m. CST

Hi Mike, can you share passport-saml-config.json? Are you able to generate metadata from the passport script ([link](https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#gathering-saml-metadata))? If yes, then you need to register that metadata in your Tableau server. Thanks, Arvind

By Mike Sherman user 06 Dec 2017 at 10:20 a.m. CST

Hi Aliaksandr,

I did set up the Trust Relationship but I had missed the check box for Configure Relying Party. After I selected that and used SAML2SSO with default options, I no longer received the error. Now I am getting the login screen for the Gluu server. This is the URL it takes me to: https://{hostname}/oxauth/auth/passport/passportlogin There is no option here to use the Salesforce IDP that I have set up, so I must be missing something still.

Arvind,

The link you gave says to get the metadata XML file from here:

> We can also get metadata as an XML file at the following path: ...<path to gluu server >/opt/gluu/node/passport/server/idp-metadata

But the idp-metadata file does not exist there. I was told previously to get the metadata XML file from here: https://hostname/idp/shibboleth and that is what I imported into Tableau. That part seems to be working fine unless I need to be sent to a different login page in order to see the IDP's I have configured.

Here is my passport-saml-config.json file (`cat passport-saml-config.json`):

```json
{
  "idp1": {
    "entryPoint": "https://mihin--FedTest.cs42.my.salesforce.com/idp/endpoint/HttpPost",
    "issuer": "https://mihin.my.salesforce.com",
    "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "authnRequestBinding": "HTTP-POST",
    "skipRequestCompression": "true",
    "reverseMapping": {
      "email": "email",
      "username": "urn:oid:0.9.2342.19200300.100.1.1",
      "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
      "id": "urn:oid:0.9.2342.19200300.100.1.1",
      "name": "urn:oid:2.5.4.42",
      "givenName": "urn:oid:2.5.4.42",
      "familyName": "urn:oid:2.5.4.4",
      "provider": "issuer"
    }
  },
  "idp2": {
    "entryPoint": "<Your idps' entry point idp2>",
    "issuer": "urn:test:example",
    "identifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "authnRequestBinding": "HTTP-POST",
    "additionalAuthorizeParams": "{ 'providerId': 'test' }",
    "skipRequestCompression": "true",
    "reverseMapping": {
      "email": "email",
      "username": "urn:oid:0.9.2342.19200300.100.1.1",
      "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
      "id": "urn:oid:0.9.2342.19200300.100.1.1",
      "name": "urn:oid:2.5.4.42",
      "givenName": "urn:oid:2.5.4.42",
      "familyName": "urn:oid:2.5.4.4",
      "provider": "issuer"
    }
  }
}
```

Thank you, Mike

By Arvind Tomar staff 07 Dec 2017 at 6:17 a.m. CST

Hi Mike, you are missing the cert param in the JSON. Please add the cert param and try again. cert is the Identity Provider's public PEM-encoded X.509 certificate, using the cert configuration key. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line. Thanks, Arvind Tomar

By Mike Sherman user 07 Dec 2017 at 7:57 a.m. CST

Hi Arvind,

After adding the cert parameter, I still have the same issue. There was a syntax error with the example that I was using and it was logging in /opt/gluu/jetty/oxauth/logs/oxauth.log every time I restarted passport. I fixed the issue, which was adding a comma after "provider": "issuer", and then the error stopped logging when I restart passport. This makes me think that the syntax of my passport-saml-config.json file is correct and that it is being read, but I still do not have the option to use that IDP on the login screen that I am redirected to. This is the login URL: https://{hostname}/oxauth/auth/passport/passportlogin Is this correct? The screen looks like this: [login screen](https://www.google.com/imgres?imgurl=https%3A%2F%2Fwww.gluu.org%2Fblog%2Fwp-content%2Fuploads%2F2017%2F02%2FScreen-Shot-2017-02-28-at-4.49.05-PM.png&imgrefurl=https%3A%2F%2Fwww.gluu.org%2Fblog%2Fdjango-openid-connect%2F&docid=4atnVm8HNCLc2M&tbnid=g0kJqHyZM47E9M%3A&vet=10ahUKEwjmzZLjhPjXAhWlYd8KHexKA6gQMwhBKAIwAg..i&w=1080&h=490&bih=949&biw=1920&q=gluu%20login%20screen&ved=0ahUKEwjmzZLjhPjXAhWlYd8KHexKA6gQMwhBKAIwAg&iact=mrc&uact=8) but also has links to Twitter, LinkedIn, Facebook, Google, etc. Ideally I would like to remove all of those links and replace them with my 2 Salesforce instances.

Here is my new passport-saml-config.json:

```json
{
  "idp1": {
    "entryPoint": "https://mihin--FedTest.cs42.my.salesforce.com/idp/endpoint/HttpPost",
    "issuer": "https://mihin.my.salesforce.com",
    "identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "authnRequestBinding": "HTTP-POST",
    "additionalAuthorizeParams": "",
    "skipRequestCompression": "true",
    "cert": "MIIE{OMITTED FOR SPACE}7g==",
    "reverseMapping": {
      "email": "email",
      "username": "urn:oid:0.9.2342.19200300.100.1.1",
      "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
      "id": "urn:oid:0.9.2342.19200300.100.1.1",
      "name": "urn:oid:2.5.4.42",
      "givenName": "urn:oid:2.5.4.42",
      "familyName": "urn:oid:2.5.4.4",
      "provider": "issuer"
    }
  }
}
```

Thank you, Mike

By Arvind Tomar staff 07 Dec 2017 at 10:02 p.m. CST

Hi Mike, are you able to get the metadata now? If yes, then your configurations are good. About the passport login page: we have not implemented discovery on the passport page in 3.1.1; it will be a great enhancement for the next version. Please look at the [java example](https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/#demo-server-config) in the doc to know how to generate the Authorisation URL for login, or you can use a passport URL like this `https://<gluu host name>/passport/auth/<provider>/<token>`; the token can be found at `https://<gluu host name>/passport/token`. Thanks, Arvind Tomar.

By Mike Sherman user 08 Dec 2017 at 10:08 a.m. CST

Arvind, Yes the metadata is there now but that metadata is for the Salesforce instance. If I import that into Tableau then Tableau will only know how to authenticate with a single Salesforce instance. I need Tableau to be redirected to Gluu and then from Gluu have the option to select the IDP to authenticate to. Currently I am using the XML file from https://hostname/idp/shibboleth on Tableau and that redirects me to Gluu which is what I want and I see all of the social login options (Facebook, Twitter, etc.). I want the same thing but with Salesforce1, Salesforce2, etc. instead of the social login options. Is this the feature you are saying is not implemented? In the example from the link you gave, the IDP name is passed by the user to Gluu and then the user is redirected to the corresponding login page. This is close to what I am looking for but not quite right. I need the user and SP (Tableau) to know nothing about the IDP. Gluu should have the IDP information and present them as options to the user after they have navigated to the Tableau login URL. From there the user should be able to select from multiple IDP's and no matter which one they authenticate to it should send the SAML response back to Tableau. Thank you for your help on this. Mike

By Michael Schwartz Account Admin 08 Dec 2017 at 10:54 a.m. CST

Perhaps your organization needs to buy a support contract. We're not going to undertake this work for a community user.

By Mike Sherman user 08 Dec 2017 at 11:02 a.m. CST

Hi Michael, Thank you for your response. We are deciding if Gluu will work for our use case before we look into purchasing a contract. It does not look like it will. Thank you, Mike