By: Jay Kumar user 12 Feb 2018 at 6:58 a.m. CST

14 Responses
Hi Gluu team, the user authentication on our Gluu setup is not working even after the TR is established successfully, and it redirects to the oxAuth error page. We deleted the current TR, which was working perfectly, and so did user authentication, but after enabling inbound SAML using Passport and adding an on-boarding external IdP, the TR suddenly stopped working. As per Mohib's suggestion in ticket #5050, I am sharing the latest Passport log (generated on Feb 12). Please find below the pastebin URL for the Passport log and suggest a solution to resolve this issue. [passport.log.2018-02-12](https://pastebin.com/7iXNXkmy) Thank you.

By Aliaksandr Samuseu staff 12 Feb 2018 at 1:44 p.m. CST

Hi, Jay. Please also create and share a HAR file with a capture of the whole failing flow. You can use the steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx); please use Firefox for that, as Chrome's HARs are flawed. Also don't forget to set the "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the most recently loaded page.

By Jay Kumar user 14 Feb 2018 at 6:02 a.m. CST

Hello Aliaksandr, please find below the link for the HAR file generated in the Firefox browser, as you asked: [HAR file](http://dev-sso.taoconnect.org/uploads/har.zip) Kindly look into the issue and let me know if you need any coordination from our side. Thank you!

By Jay Kumar user 15 Feb 2018 at 5:58 a.m. CST

Hi Aliaksandr, I have shared the link for the HAR logs; let me know if it is inaccessible to you. Please take a look at those logs and suggest a solution. Thank you.

By Aliaksandr Samuseu staff 15 Feb 2018 at 7:33 p.m. CST

Hi, Jay. I got the file, thanks. It doesn't help to understand the situation much, though. The flow fails the moment Passport's page is first requested. You'll need to proceed to gathering clues from the oxAuth and Passport logs and sharing them with us:

- `/opt/gluu/jetty/oxauth/logs/oxauth_script.log`
- `/opt/gluu/jetty/oxauth/logs/oxauth.log`
- `/opt/gluu/node/passport/server/logs/*`

By Jay Kumar user 16 Feb 2018 at 4:45 a.m. CST

Hi Aliaksandr, please find below the link for the oxAuth and Passport logs, as you asked: [oxAuth and Passport logs](http://dev-sso.taoconnect.org/uploads/oxauth-and-passort-logs.zip) Please take a look at those logs and suggest a solution. Thank you.

By Aliaksandr Samuseu staff 16 Feb 2018 at 2:44 p.m. CST

Your Passport `start.log` contains a bunch of exceptions implying invalid syntax in your `/etc/gluu/conf/passport-saml-config.json`. Please review your configuration there and make sure you specified everything according to the doc.

By Jay Kumar user 19 Feb 2018 at 5:32 a.m. CST

Hi Aliaksandr, as per the documentation [Inbound SAML using passport.js](https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/) we configured the passport-saml-config.json file. After configuration, we generated metadata for our external IdP listed in passport-saml-config.json, once it successfully validated the configuration. We can access our metadata at a URL of this format: `https://<hostname>/passport/auth/meta/idp/<IDP-id-from-passport-saml-config>`. It can also be found under the `/opt/gluu/node/passport/server/idp-metadata` directory within Gluu's chroot container. If passport-saml-config.json had any errors, then how was the metadata for the external on-boarding IdP generated? Can you please take a look at the passport-saml-config.json content below and correct us if we are missing something?

```json
{
  "jcgluussodev": {
    "entryPoint": "https://sso.jumpcloud.com/saml2/SSO-jcgluussodev",
    "issuer": "jcgluussodev",
    "identifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "authnRequestBinding": "HTTP-POST",
    "additionalAuthorizeParams": "",
    "skipRequestCompression": "true",
    "logo_img": "https://chetu-lms.taoconnect.org/theme/taotheme/img/logo.png",
    "enable": "true",
    "cert": "MIIC5..........Cw=",
    "reverseMapping": {
      "email": "email",
      "username": "urn:oid:0.9.2342.19200300.100.1.1",
      "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
      "id": "urn:oid:0.9.2342.19200300.100.1.1",
      "name": "urn:oid:2.5.4.42",
      "givenName": "urn:oid:2.5.4.42",
      "familyName": "urn:oid:2.5.4.4",
      "provider": "issuer"
    }
  }
}
```

Thank you.
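A pre-flight check for `passport-saml-config.json` of the kind that would have caught the problems raised in this thread (a file Passport cannot parse, and a truncated `cert` value), as an added example that is not Gluu's or the poster's own code. Which keys are required, and that `cert` must be the bare base64 certificate body, are assumptions drawn from the sample config above.

```javascript
// Added example (not Gluu's own code): check /etc/gluu/conf/passport-saml-config.json
// before restarting Passport, so problems are reported here rather than as exceptions
// in start.log. Required keys and the bare-base64 cert rule are assumptions based on
// the config posted in this thread.
const REQUIRED_KEYS = ['entryPoint', 'issuer', 'cert', 'reverseMapping'];
const REQUIRED_MAPPINGS = ['email', 'username', 'id'];

function validatePassportSamlConfig(text) {
  let cfg;
  try {
    cfg = JSON.parse(text); // a syntax error here is what start.log exceptions usually mean
  } catch (e) {
    return { ok: false, problems: [`JSON syntax error: ${e.message}`] };
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    return { ok: false, problems: ['top level must be an object keyed by IdP id'] };
  }
  const problems = [];
  for (const [idpId, idp] of Object.entries(cfg)) {
    if (!/^[A-Za-z0-9_-]+$/.test(idpId)) {
      problems.push(`${idpId}: id is used in /passport/auth/meta/idp/<id>; use letters, digits, - or _`);
    }
    if (idp === null || typeof idp !== 'object') { problems.push(`${idpId}: entry must be an object`); continue; }
    for (const k of REQUIRED_KEYS) if (!(k in idp)) problems.push(`${idpId}: missing "${k}"`);
    if (typeof idp.entryPoint === 'string' && !idp.entryPoint.startsWith('https://')) {
      problems.push(`${idpId}: entryPoint should be an https:// URL`);
    }
    // cert must be one base64 blob: no PEM armour, no whitespace, no "..." placeholder
    if (typeof idp.cert === 'string' && !/^[A-Za-z0-9+/]+={0,2}$/.test(idp.cert)) {
      problems.push(`${idpId}: cert is not clean base64 (truncated, or PEM headers/whitespace present)`);
    }
    const rm = idp.reverseMapping;
    if (rm && typeof rm === 'object') {
      for (const m of REQUIRED_MAPPINGS) if (typeof rm[m] !== 'string') problems.push(`${idpId}: reverseMapping lacks "${m}"`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample mirroring the thread's config, with the cert truncated as it was posted.
const TRUNCATED_SAMPLE = JSON.stringify({
  jcgluussodev: {
    entryPoint: 'https://sso.jumpcloud.com/saml2/SSO-jcgluussodev',
    issuer: 'jcgluussodev',
    cert: 'MIIC5..........Cw=',
    reverseMapping: { email: 'email', username: 'urn:oid:0.9.2342.19200300.100.1.1', id: 'urn:oid:0.9.2342.19200300.100.1.1' },
  },
});
```

Run it against the real file with `validatePassportSamlConfig(require('fs').readFileSync('/etc/gluu/conf/passport-saml-config.json', 'utf8'))` inside the chroot; an `ok: false` result lists every finding rather than stopping at the first.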

By Jay Kumar user 21 Feb 2018 at 4:50 a.m. CST

Hello Aliaksandr, gentle reminder!! Have you had a chance to look at the JSON content we added in the above comment? Also, just wanted to update you that when we selected the Default Authentication Method as auth_ldap_server, then user authentication via SAML is working fine. But when we chose the Default Authentication Method as passport_saml, then SAML user authentication is not working and it redirects to the oxAuth error page. Kindly look into this and suggest a solution to resolve this issue. Thank you.

By Aliaksandr Samuseu staff 21 Feb 2018 at 7:47 a.m. CST

Hi, Jay. Please note that we don't offer any kind of SLA for community (free) users' tickets. We prioritize tickets of our customers first, which sometimes means answers to community tickets may be delayed significantly. I can't reproduce this kind of issue in my own local test setup. I also don't see any obvious mistakes in your configuration. I'll try to use your `passport-saml-config.json` file next, but you'll need to provide it completely; please don't truncate your certificate like you did in your other post.

By Jay Kumar user 21 Feb 2018 at 11:32 a.m. CST

Hi Aliaksandr, we have added a link URL with this comment for the passport-saml-config.json file. Please let us know if it is inaccessible to you. Thank you.

By Jay Kumar user 23 Feb 2018 at 7:03 a.m. CST

Hi Aliaksandr, have you had the chance to look into the passport-saml-config.json file we provided? Please provide the solution for this issue and let us know if there is anything missing from our side. Thank you.

By Aliaksandr Samuseu staff 23 Feb 2018 at 3:20 p.m. CST

Hi, Jay. When I follow the steps provided in the doc on my freshly installed 3.1.2 instance, it works fine even with your `passport-saml-config.json`. Thus I can't reproduce your issue. Your log files also don't shed any light on the cause of it. Unless you provide exact details about your setup and all steps to reproduce it (which still conform to the mentioned documentation, as we can't support you on issues with non-standard setups), I don't see how we can help you. You'll have to do some research on your own. You already know the location of all log files and how to create a HAR capture. You can use [this tool](https://toolbox.googleapps.com/apps/har_analyzer/) to view it. Try to experiment a little, monitoring the log files, and see whether suspicious errors pop up. Try to make a fresh, clean install of the 3.1.2 package and configure Passport in it according to the doc, documenting each step. See whether you get your issue again.

By Jay Kumar user 26 Feb 2018 at 3:55 a.m. CST

Hello Aliaksandr, as you mentioned, it is working fine at your end. So, can you please authenticate one of our users, created in the external directory on JumpCloud (details are mentioned below), and let us know if SSO authentication from JumpCloud's console is working fine?

- User email: jcuser01@yopmail.com
- User Pass: Chetu@123

Thank you.

By William Lowe staff 13 Mar 2018 at 3:53 p.m. CDT

Outside the scope of community support.