By: Urii Titov user 25 Apr 2018 at 3:22 a.m. CDT

37 Responses
1) I have installed Gluu 3.1.2 on CentOS 7 with these parameters:

```
hostname XXX
orgName ХХХХХ
os centos
city Moscow
state RU
countryCode RU
support email support@XXXX.ru
Applications max ram 3072
Admin Pass XXXX
Install oxAuth True
Install oxTrust True
Install LDAP True
Install JCE 1.8 True
Install Apache 2 web server True
Install Shibboleth SAML IDP True
Install Asimba SAML Proxy False
Install oxAuth RP False
Install Passport False
```

2) In SAML > Trust Relationships, I add a trust. https://imgur.com/a/2S9B3Fg

3) In my VMware vCloud Director (vcd), I make a federation with Gluu. https://imgur.com/xj4wSbo

4) Trust was "Validation Success".

5) After connecting to my vcd, I am redirected to the Gluu server and get: https://imgur.com/XpEhW4x

Please help me to configure the authorization. I will be glad to refer to the documentation. The location of logs that could help understand the cause of the errors. And your other valuable advice. If I can make Gluu work with vcd, I'll write an article on the integration. THANK YOU.

By Urii Titov user 25 Apr 2018 at 3:34 a.m. CDT

/opt/shibboleth-idp/logs/idp-process.log:

```
2018-04-25 10:49:38,592 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://vcd.XXX.ru/cloud/org/demo-XXXX/saml/metadata/alias/vcd in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2018-04-25 10:49:38,603 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://vcd.XXXX.ru/cloud/org/demo-XXX/saml/metadata/alias/vcd)
2018-04-25 10:49:38,605 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```

By Urii Titov user 25 Apr 2018 at 6:02 a.m. CDT

I enabled debug in /opt/shibboleth-idp/conf/logback.xml:

```
...
<variable name="idp.loglevel.idp" value="DEBUG" ></variable>
<variable name="idp.loglevel.opensaml" value="DEBUG" ></variable>
...
```

And my /opt/shibboleth-idp/logs/idp-process.log:

```
2018-04-25 13:54:42,918 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2018-04-25 13:54:42,918 - DEBUG [org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver:260] - Resolved no EntityDescriptors via underlying MetadataResolver, returning empty collection
2018-04-25 13:54:42,918 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:128] - Message Handler: No metadata returned for https://vcd.MY-DOMAIN.ru/cloud/org/demo-MYNAME/saml/metadata/alias/vcd in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2018-04-25 13:54:42,919 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:174] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler of type 'org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler' on INBOUND message context
2018-04-25 13:54:42,919 - DEBUG [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:195] - Profile Action WebFlowMessageHandlerAdaptor: Invoking message handler on message context containing a message of type 'org.opensaml.saml.saml2.core.impl.AuthnRequestImpl'
2018-04-25 13:54:42,919 - DEBUG [org.opensaml.saml.common.binding.impl.SAMLAddAttributeConsumingServiceHandler:110] - Message Handler: No metadata context found, nothing to do
2018-04-25 13:54:42,920 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://vcd.MY-DOMAIN.ru/cloud/org/demo-MYNAME/saml/metadata/alias/vcd
2018-04-25 13:54:42,920 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2018-04-25 13:54:42,921 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:299] - Profile request is unverified, returning configuration shibboleth.UnverifiedRelyingParty
2018-04-25 13:54:42,921 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.UnverifiedRelyingParty for request
2018-04-25 13:54:42,923 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://vcd.MY-DOMAIN.ru/cloud/org/demo-MYNAME/saml/metadata/alias/vcd)
2018-04-25 13:54:42,925 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
2018-04-25 13:54:42,926 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:154] - No SAMLBindingContext or binding URI available, error must be handled locally
```

Maybe I need to fix these files:

/opt/gluu/jetty/identity/conf/shibboleth3/idp/metadata-providers.xml.vm
/opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm

By Urii Titov user 25 Apr 2018 at 9:02 a.m. CDT

According to "Enable Your Organization to Use a SAML Identity Provider" (for vCloud Director):

"The system will extract these attributes from the SAML token (if available) and use them for interpreting the corresponding pieces of information about the user attempting to log in.

- email address = "EmailAddress"
- user name = "UserName"
- full name = "FullName"
- user's groups = "Groups"
- user's roles = "Roles" (this attribute is configurable)"

[Enable Your Organization to Use a SAML Identity Provider](https://docs.vmware.com/en/vCloud-Director/9.0/com.vmware.vcloud.user.doc/GUID-4C8A9583-ED38-49BF-9BAC-345139540551.html)

By Urii Titov user 25 Apr 2018 at 9:50 a.m. CDT

My metadata from vcd:

```
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vcd.MY-COMPANY.ru/cloud/org/demo-XXXXX/saml/metadata/alias/vcd"
    ID="https___vcd.MY-COMPANY.ru_cloud_org_demo-XXXXX_saml_metadata_alias_vcd">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true" AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXXXXXXXXXXXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXXXXXXXXXXXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Location="https://vcd.MY-COMPANY.ru/cloud/org/demo-XXXXX/saml/SingleLogout/alias/vcd" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"></md:SingleLogoutService>
    <md:SingleLogoutService Location="https://vcd.MY-COMPANY.ru/cloud/org/demo-XXXXX/saml/SingleLogout/alias/vcd" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"></md:SingleLogoutService>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Location="https://vcd.MY-COMPANY.ru/cloud/org/demo-XXXXX/saml/SSO/alias/vcd" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true" index="0"></md:AssertionConsumerService>
    <md:AssertionConsumerService Location="https://vcd.MY-COMPANY.ru/cloud/org/demo-XXXXX/saml/HoKSSO/alias/vcd" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" index="1" xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

By Urii Titov user 25 Apr 2018 at 11:18 a.m. CDT

Which file do I need to edit: /opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm OR /opt/shibboleth-idp/conf/attribute-resolver.xml ???

Is this the correct format for vcd:

```
<resolver:AttributeDefinition xsi:type="ad:Simple" id="EmailAddress" sourceAttributeID="EmailAddress">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" name="EmailAddress" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="FullName" sourceAttributeID="FullName">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:fullname" name="FullName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="Groups" sourceAttributeID="Groups">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:groups" name="Groups" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="Roles" sourceAttributeID="Roles">
    <resolver:Dependency ref="siteLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:Roles" name="Roles" />
</resolver:AttributeDefinition>
```

By Urii Titov user 26 Apr 2018 at 3:51 a.m. CDT

I tried this configuration; it's not working. Can you help me make the configuration XML files for your IdP?

By Urii Titov user 26 Apr 2018 at 3:55 a.m. CDT

What other information do I need to provide so that vCloud Director can work with Gluu?

By Mohib Zico Account Admin 26 Apr 2018 at 4:05 a.m. CDT

Hi Urii,

Try one thing...

- Remove that already created Trust relationship.
- Download the vCloud metadata and save it as XML.
- Create a new Trust Relationship with the 'File' method. For Entity Type: Single SP.
- Add this TR.
- See if it's 'validation success' or not.
- If yes, then configure Relying party / SAML2SSO.
- Wait for 10 mins.
- Test.

By Urii Titov user 26 Apr 2018 at 5:40 a.m. CDT

- Validation Success - https://imgur.com/zdkgtC9
- Relying party - https://imgur.com/yPJBUx0
- I waited 10 mins; the error is different: SAML authentication failed for this organization - https://imgur.com/dw3Eyk9

```
[root@idp logs]# tail idp-process.log
2018-04-26 13:33:03,461 - DEBUG [org.opensaml.saml.common.binding.security.impl.EndpointURLSchemeSecurityHandler:52] - Message Handler: Checking outbound endpoint for allowed URL scheme: https://vcd.MY-COMPANY.ru/cloud/org/demo-MY-NAME/saml/SSO/alias/vcd
2018-04-26 13:33:03,462 - DEBUG [org.opensaml.saml.common.SAMLObjectSupport:56] - Examining signed object for content references with exclusive canonicalization transform
2018-04-26 13:33:03,463 - DEBUG [org.opensaml.saml.common.SAMLObjectSupport:70] - Saw exclusive transform, declaring non-visible namespaces on signed object
2018-04-26 13:33:03,464 - DEBUG [org.opensaml.saml.common.SAMLObjectContentReference:165] - Adding list of inclusive namespaces for signature exclusive canonicalization transform
2018-04-26 13:33:03,485 - DEBUG [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:100] - Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2018-04-26 13:33:03,491 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:159] - Invoking Velocity template to create POST body
2018-04-26 13:33:03,492 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:192] - Encoding action url of 'https://vcd.MY-COMPANY.ru/cloud/org/demo-MYNAME/saml/SSO/alias/vcd' with encoded value 'https://vcd.MY-COMPANY.ru/cloud/org/demo-MYNAME/saml/SSO/alias/vcd'
2018-04-26 13:33:03,492 - DEBUG [org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder:198] - Marshalling and Base64 encoding SAML message
2018-04-26 13:33:03,498 - DEBUG [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile Action RecordResponseComplete: Record response complete
2018-04-26 13:33:03,507 - INFO [Shibboleth-Audit.SSO:241] - 20180426T103303Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|a1ic5aj7bhdh0h7e277gad03icgg707|https://vcd.MY-COMPANY.ru/cloud/org/demo-MY_NAME/saml/metadata/alias/vcd|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.MY-COMPANY.ru/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_9a5a2b2a2fb9a3c13af27cb61d5c6572|admin|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQx6Cd6p6SXNgitmzLK59S9eO46XBwAlgm7ICVHGpp3MAIg58o9cCBF+SzVUGuiRguluZPAk/4m7xtXvZDf6DMv3cdZJdnDYk/KFysgMJbq6OcSdyP6WSgXZ4gwYKCzXA1H1ZQnyd8FCNqY8B5jEqCdSkCyJltOs0mL8gwc2F4rRqt+GA==|_3cbd5176df90c218ad94970e344dbc3f|
```

Thanks for your answer.
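The Shibboleth-Audit.SSO line in the post above is the most useful record in that tail, because it is the IdP's own summary of what it sent to the SP. The script below is an added example (not from the ticket, Gluu or Shibboleth) that parses such records; it assumes the IdP 3.x default audit layout, idp.audit.format.default = %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%s, which the line above appears to follow (if idp.properties overrides the format, AUDIT_FIELDS must be changed to match). Under that layout the eleventh field is the list of released attributes, and in the line above it is empty, which is worth comparing with the attribute list vCloud Director expects. The sample log lines and hostnames are constructed.

```python
"""Parse Shibboleth IdP audit records and flag SSO responses that released no attributes.

Added example; not code from the ticket, Gluu or Shibboleth. Assumes the IdP 3.x default
audit format %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%s (an assumption: adjust
AUDIT_FIELDS if the deployment sets its own format). Sample lines are constructed.
"""
from typing import Dict, List, Optional, Tuple

SSO_PROFILE = "http://shibboleth.net/ns/profiles/saml2/sso/browser"

# Field names in the order of the assumed default audit format (one per %-token).
AUDIT_FIELDS = [
    "time",              # %T    event time
    "request_binding",   # %b    inbound binding URI
    "request_id",        # %I    inbound message ID
    "relying_party",     # %SP   SP entityID
    "profile",           # %P    profile URI
    "responder",         # %IDP  IdP entityID
    "response_binding",  # %bb   outbound binding URI
    "response_id",       # %III  outbound message ID
    "principal",         # %u    authenticated username
    "authn_context",     # %ac   authentication context class
    "attributes",        # %attr comma-separated IDs of released attributes
    "name_id",           # %n    NameID value sent to the SP
    "assertion_ids",     # %i    assertion ID(s)
    "session_id",        # %s    IdP session ID
]

# Constructed sample: line 1 has the shape of the audit line in the ticket (empty %attr
# field, transient-looking NameID), line 2 is an ordinary DEBUG line that must be skipped,
# line 3 is a healthy response (bare idp-audit.log form) that released three attributes.
SAMPLE_LOG = """\
2018-04-26 13:33:03,507 - INFO [Shibboleth-Audit.SSO:241] - 20180426T103303Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|a1ic5aj7bhdh0h7e277gad03icgg707|https://vcd.example.test/cloud/org/demo/saml/metadata/alias/vcd|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.test/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_9a5a2b2a2fb9a3c13af27cb61d5c6572|admin|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQxCONSTRUCTEDTRANSIENTID==|_3cbd5176df90c218ad94970e344dbc3f|
2018-04-26 13:40:11,120 - DEBUG [net.shibboleth.idp.profile.impl.RecordResponseComplete:89] - Profile Action RecordResponseComplete: Record response complete
20180426T104500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|b2jd6bk8cieh1i8f388hbe14jdhh818|https://vcd.example.test/cloud/org/demo/saml/metadata/alias/vcd|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.example.test/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_0b6b3c3b3ac0b4d24bf38dc72e6d7683|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|EmailAddress,UserName,FullName|alice@example.test|_4dce6287ea01d329be05a81f455ecd40|_e0f1a2b3c4d5
"""


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the audit record as a dict, or None for lines that are not audit records.

    Accepts both the bare idp-audit.log form and the idp-process.log form, where the
    record follows a '[Shibboleth-Audit.*] - ' prefix.
    """
    line = line.strip()
    if "[Shibboleth-Audit" in line:
        _, sep, rest = line.partition("] - ")
        if sep:
            line = rest
    parts = line.split("|")
    if len(parts) < len(AUDIT_FIELDS):
        return None  # an ordinary log line, not a pipe-delimited audit record
    return dict(zip(AUDIT_FIELDS, parts))


def released_attributes(record: Dict[str, str]) -> List[str]:
    """IDs of the attributes the IdP released in this response (empty if none)."""
    return [a for a in record["attributes"].split(",") if a]


def find_attributeless_sso(lines) -> List[Tuple[str, str, str]]:
    """(time, relying_party, principal) for browser SSO responses carrying no attributes."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["profile"] != SSO_PROFILE:
            continue
        if not released_attributes(rec):
            hits.append((rec["time"], rec["relying_party"], rec["principal"]))
    return hits


if __name__ == "__main__":
    for when, rp, user in find_attributeless_sso(SAMPLE_LOG.splitlines()):
        print("%s  %s authenticated to %s but no attributes were released" % (when, user, rp))
```

Run against a real idp-process.log the same way (`find_attributeless_sso(open(path))`); every hit is a login where the IdP issued an assertion that carried only a NameID, which is the situation an SP that keys on named attributes will reject.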

By Urii Titov user 27 Apr 2018 at 3:53 a.m. CDT

New error:

```
HTTP ERROR: 503
Problem accessing /idp/profile/SAML2/POST/SSO. Reason: Service Unavailable
```

```
2018-04-27 11:33:40,792 - ERROR [org.springframework.web.context.ContextLoader:351] - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.metrics.RegisterMetricSets$child#0' defined in URL [file:/opt/shibboleth-idp/conf/admin/metrics.xml]: Cannot resolve reference to bean 'shibboleth.metrics.AttributeResolverGaugeSet' while setting bean property 'arguments' with key [7]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.metrics.AttributeResolverGaugeSet' defined in URL [file:/opt/shibboleth-idp/system/conf/general-admin-system.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Injected service was null or not an AttributeResolver
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.metrics.AttributeResolverGaugeSet' defined in URL [file:/opt/shibboleth-idp/system/conf/general-admin-system.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Injected service was null or not an AttributeResolver
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1578)
Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Injected service was null or not an AttributeResolver
	at net.shibboleth.idp.attribute.resolver.impl.AttributeResolverServiceGaugeSet.doInitialize(AttributeResolverServiceGaugeSet.java:104)
```

general-admin-system.xml:

```
[root@idp conf]# cat general-admin-system.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <import resource="../../conf/admin/general-admin.xml" />
    <import resource="../../conf/admin/metrics.xml" />

    <!-- A parent bean to default some of the flow boilerplate. -->
    <bean id="shibboleth.AdminFlow" abstract="true"
        class="net.shibboleth.idp.admin.BasicAdministrativeFlowDescriptor"
        p:servletRequest-ref="shibboleth.HttpServletRequest"
        p:nonBrowserSupported="false" />

    <!-- Function for returning custom access control policies for access to metrics. -->
    <bean id="shibboleth.metrics.AccessPolicyStrategy" parent="shibboleth.ContextFunctions.Expression"
        c:expression="#custom.get('policyMap').get(#input.getSubcontext(T(net.shibboleth.idp.profile.context.SpringRequestContext)).getRequestContext().getFlowScope().get('metricId')) ?: #custom.get('defaultPolicy')"
        c:outputType="#{T(java.lang.String)}">
        <property name="customObject">
            <map>
                <entry key="policyMap" value-ref="shibboleth.metrics.AccessPolicyMap" />
                <entry key="defaultPolicy" value-ref="shibboleth.metrics.DefaultAccessPolicy" />
            </map>
        </property>
    </bean>

    <!-- MetricRegistry we can control with logging categories. -->
    <bean id="shibboleth.metrics.MetricRegistry"
        class="org.opensaml.core.metrics.FilteredMetricRegistry"
        p:metricFilter-ref="shibboleth.metrics.LoggerDrivenMetricFilter" />

    <bean id="shibboleth.metrics.LoggerDrivenMetricFilter"
        class="org.opensaml.core.metrics.LoggerDrivenMetricFilter"
        c:_0="metrics." c:_1="#{getObject('shibboleth.metrics.MetricLevelMap')}" />

    <!-- Parent beans for registering MetricSets and Metrics. -->
    <bean id="shibboleth.metrics.RegisterMetricSets" abstract="true"
        class="org.springframework.beans.factory.config.MethodInvokingBean"
        p:targetObject-ref="shibboleth.metrics.MetricRegistry"
        p:targetMethod="registerMultiple" />

    <bean id="shibboleth.metrics.RegisterMetric" abstract="true"
        class="org.springframework.beans.factory.config.MethodInvokingBean"
        p:targetObject-ref="shibboleth.metrics.MetricRegistry"
        p:targetMethod="register" />

    <bean id="shibboleth.metrics.HTTPReporter" abstract="true" destroy-method="stop"
        class="net.shibboleth.idp.metrics.impl.HTTPReporter"
        c:registry-ref="shibboleth.metrics.MetricRegistry"
        c:filter="#{null}"
        p:httpClient-ref="shibboleth.NonCachingHttpClient" />

    <!-- Some predefined metric sets, only created if installed by user. -->
    <bean id="shibboleth.metrics.CoreGaugeSet"
        class="net.shibboleth.idp.metrics.impl.CoreGaugeSet" lazy-init="true" />

    <bean id="shibboleth.metrics.IdPGaugeSet"
        class="net.shibboleth.idp.metrics.impl.IdPGaugeSet" lazy-init="true" />

    <bean id="shibboleth.metrics.LoggingGaugeSet"
        class="net.shibboleth.idp.metrics.ReloadableServiceGaugeSet" lazy-init="true"
        c:metricName="logging"
        p:service-ref="shibboleth.LoggingService" />

    <bean id="shibboleth.metrics.AccessControlGaugeSet"
        class="net.shibboleth.idp.metrics.ReloadableServiceGaugeSet" lazy-init="true"
        c:metricName="accesscontrol"
        p:service-ref="shibboleth.ReloadableAccessControlService" />

    <bean id="shibboleth.metrics.MetadataGaugeSet"
        class="net.shibboleth.idp.saml.metadata.impl.MetadataResolverServiceGaugeSet" lazy-init="true"
        c:metricName="metadata"
        p:service-ref="shibboleth.MetadataResolverService" />

    <bean id="shibboleth.metrics.RelyingPartyGaugeSet"
        class="net.shibboleth.idp.metrics.ReloadableServiceGaugeSet" lazy-init="true"
        c:metricName="relyingparty"
        p:service-ref="shibboleth.RelyingPartyResolverService" />

    <bean id="shibboleth.metrics.NameIdentifierGaugeSet"
        class="net.shibboleth.idp.metrics.ReloadableServiceGaugeSet" lazy-init="true"
        c:metricName="nameid"
        p:service-ref="shibboleth.NameIdentifierGenerationService" />

    <bean id="shibboleth.metrics.AttributeResolverGaugeSet"
        class="net.shibboleth.idp.attribute.resolver.impl.AttributeResolverServiceGaugeSet" lazy-init="true"
        c:metricName="attribute.resolver"
        p:service-ref="shibboleth.AttributeResolverService" />

    <bean id="shibboleth.metrics.AttributeFilterGaugeSet"
        class="net.shibboleth.idp.metrics.ReloadableServiceGaugeSet" lazy-init="true"
        c:metricName="attribute.filter"
        p:service-ref="shibboleth.AttributeFilterService" />

</beans>
```

By Mohib Zico Account Admin 27 Apr 2018 at 5:49 a.m. CDT

> wait 10 mins, error is difrent SAML authentication failed for this organization - https://imgur.com/dw3Eyk9

Are you getting this 'after successful authentication' from Gluu Server? If yes, then most probably you need to configure NameID for vCloud.

> New error:

The log which you provided is actually a misleading Shib log; that doesn't provide the real reason for the failure. And I would request you to create a new ticket for the new log; that will help community users find the specific issue by searching the subject of the ticket.

By Urii Titov user 27 Apr 2018 at 6:37 a.m. CDT

I entered https://vcd.MY-COMPANY.ru/cloud/org/demo-ORG/; after that it passes through a very fast redirection to the Gluu server, https://idp.MY-COMPANY.ru, and back to https://vcd.MY-COMPANY.ru/cloud/org/demo-ORG/failure.jsp, and an error occurs: "SAML authentication failed for this organization." https://imgur.com/dw3Eyk9 NO authentication is requested.

> NEW ERROR:

I recreated the TRUST, and the HTTP ERROR: 503 was gone.

By Mohib Zico Account Admin 27 Apr 2018 at 6:53 a.m. CDT

> I was enter to https://vcd.MY-COMPANY.ru/cloud/org/demo-ORG/ after it passes a very fast redirection to gluu server - https://idp.MY-COMPANY.ru and back to https://vcd.MY-COMPANY.ru/cloud/org/demo-ORG/failure.jsp and an error occurs

Try with an incognito window please, or a different browser.

By Urii Titov user 27 Apr 2018 at 7:11 a.m. CDT

1) I configured NameID for vCloud and regenerated the certificate (Certificate Expiration: 04/27/2019), then updated the SP Metadata File on Gluu.

2) After 10 mins I entered https://vcd.MY-COMPANY.ru/cloud/org/demo-ORG/; after that it passes through a very fast redirection to the Gluu server, https://idp.MY-COMPANY.ru. It requested authentication, which was done.

3) Then I was redirected to https://vcd.MY-COMPANY.ru/cloud/org/demo-ORG/failure.jsp and the error occurs again: "SAML authentication failed for this organization." https://imgur.com/dw3Eyk9

By Urii Titov user 27 Apr 2018 at 7:18 a.m. CDT

> Try with incognito window please or different browser.

Yes, I tried incognito.

By Urii Titov user 27 Apr 2018 at 7:23 a.m. CDT

On another PC, the error "SAML authentication failed for this organization." repeats.

By Urii Titov user 27 Apr 2018 at 8:11 a.m. CDT

Maybe I need to add the attributes groups = "Groups" and roles = "Roles" to the exported SP?

By Urii Titov user 27 Apr 2018 at 9:43 a.m. CDT

Import users and groups - not shown:

https://imgur.com/X57l7Qk
https://imgur.com/CicBuGE

http://vmwarehints.blogspot.ru/2012/10/integrating-vcloud-director-with.html

By Urii Titov user 28 Apr 2018 at 3 a.m. CDT

Is it possible to pay for technical support from you only for this case, with a guaranteed solution to the problem and a raised priority?

By Urii Titov user 28 Apr 2018 at 4:55 a.m. CDT

```
[root@idp logs]# cat idp-warn.log
....
2018-04-28 12:36:44,024 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
```

By Mohib Zico Account Admin 28 Apr 2018 at 5:04 a.m. CDT

Hi Urii,

> Ignoring NameIDFormat metadata that includes the 'unspecified' format

Yes.. so it's forwarding to NameID generation. Shibboleth v3 doesn't support the unspecified format. Here is what you can do:

- Remove the unspecified type from the SP metadata; just keep one nameID format there.
- Configure NameID persistentType or email-Address type in Gluu Server. Docs are available on our doc site and the Shibboleth wiki.
- Enable DEBUG logging for Shibboleth on your Gluu Server. Same... docs are available on our documentation site and on the Shibboleth site as well.
- See.. how that goes.

> Is it possible to charge paid technical support from you only in this case, with a guaranteed solution to the problem and raising the priority?

[Here](https://www.gluu.org/pricing/) is our VIP Support link.
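The first two points above can be checked mechanically before the metadata is uploaded as a Trust Relationship. The script below is an added example (not from the ticket, Gluu or Shibboleth) that lints an SP EntityDescriptor with the same shape as the vCloud Director metadata posted earlier in this thread: it lists the advertised NameIDFormats and flags the 'unspecified' entry behind the "Ignoring NameIDFormat metadata" warning, reports the default AssertionConsumerService, the published key uses and the AuthnRequestsSigned/WantAssertionsSigned flags, and confirms every endpoint is https (the property EndpointURLSchemeSecurityHandler checks in the earlier log). The embedded metadata is a constructed copy with a placeholder host and certificate; metadata fetched from a third party should be parsed with defusedxml rather than the stdlib parser.

```python
"""Lint SP SAML metadata for the points this thread turns on.

Added example; not code from the ticket, Gluu or Shibboleth. The embedded metadata is a
constructed copy of the layout of the vCloud Director SP metadata (placeholder host and
certificate). Use defusedxml instead of xml.etree for metadata from untrusted sources.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: same element layout as the vCD metadata posted in the thread.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vcd.example.test/cloud/org/demo/saml/metadata/alias/vcd">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true" AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vcd.example.test/cloud/org/demo/saml/SSO/alias/vcd"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
        Location="https://vcd.example.test/cloud/org/demo/saml/HoKSSO/alias/vcd"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def lint_sp_metadata(xml_text):
    """Return a summary dict (with a 'findings' list) for one SP EntityDescriptor."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor role: this is not SP metadata")

    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    acs = [(e.get("Binding"), e.get("Location"), e.get("isDefault") == "true")
           for e in sp.findall("md:AssertionConsumerService", NS)]
    # KeyDescriptor without a use attribute covers both signing and encryption.
    key_uses = {kd.get("use", "any") for kd in sp.findall("md:KeyDescriptor", NS)
                if kd.find(".//ds:X509Certificate", NS) is not None}
    default_acs = next((loc for _, loc, dflt in acs if dflt), acs[0][1] if acs else None)
    requests_signed = sp.get("AuthnRequestsSigned") == "true"

    findings = []
    if UNSPECIFIED in formats:
        findings.append("NameIDFormat list includes 'unspecified': the IdP logs "
                        "'Ignoring NameIDFormat metadata' and falls back to its own generators")
    if len(formats) > 1:
        findings.append("%d NameIDFormats advertised; keep the one the SP actually consumes"
                        % len(formats))
    if not formats:
        findings.append("no NameIDFormat advertised")
    if requests_signed and not key_uses & {"signing", "any"}:
        findings.append("AuthnRequestsSigned=true but no signing certificate is published")
    for binding, loc, _ in acs:
        if urlsplit(loc or "").scheme != "https":
            findings.append("ACS %s is not https: %s" % (binding, loc))
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": formats,
        "default_acs": default_acs,
        "acs_count": len(acs),
        "key_uses": sorted(key_uses),
        "authn_requests_signed": requests_signed,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in lint_sp_metadata(SAMPLE_METADATA).items():
        print("%-24s %s" % (key, value))
```

Run it on the saved vCloud metadata file (`lint_sp_metadata(open(path, "rb").read())`) before and after trimming the NameIDFormat list; an empty findings list is the state the reply above asks for, and the reported default ACS and key uses are what the Relying Party settings in the Trust Relationship should be compared against.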

By Urii Titov user 28 Apr 2018 at 10:24 a.m. CDT

> Enable DEBUG logging for Shibboleth

I enabled debug in /opt/shibboleth-idp/conf/logback.xml:

```
...
<variable name="idp.loglevel.idp" value="DEBUG" ></variable>
<variable name="idp.loglevel.opensaml" value="DEBUG" ></variable>
...
```

> Configure NameID persistentType or email-Address type in Gluu Servers.

/opt/shibboleth-idp/conf/saml-nameid.xml:

```
[root@idp conf]# cat saml-nameid.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!-- ========================= SAML NameID Generation ========================= -->

    <!--
    These generator lists handle NameID/Nameidentifier generation going forward.
    By default, transient IDs for both SAML versions are enabled.

    The commented examples are for persistent IDs and generating more one-off formats
    based on resolved attributes. The suggested approach is to control their use via
    release of the underlying source attribute in the filter policy rather than here,
    but you can set a property on any generator called "activationCondition" to limit
    use in the most generic way.

    Most of the relevant configuration settings are controlled using properties;
    an exception is the generation of arbitrary/custom formats based on attribute
    information, examples of which are shown below.
    -->

    <!-- SAML 2 NameID Generation -->
    <util:list id="shibboleth.SAML2NameIDGenerators">

        <ref bean="shibboleth.SAML2TransientGenerator" />

        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
        <ref bean="shibboleth.SAML2PersistentGenerator" />

        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />

    </util:list>

    <!-- SAML 1 NameIdentifier Generation -->
    <util:list id="shibboleth.SAML1NameIdentifierGenerators">

        <!-- <ref bean="shibboleth.SAML1TransientGenerator" /> -->

        <!--
        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:attributeSourceIds="#{ {'mail'} }" />
        -->

    </util:list>

</beans>
```

/opt/gluu/jetty/identity/conf/shibboleth3/idp/attribute-resolver.xml.vm:

```
[root@idp idp]# cat attribute-resolver.xml.vm
<?xml version="1.0" encoding="UTF-8"?>
<resolver:AttributeResolver
        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
        xmlns:sec="urn:mace:shibboleth:2.0:security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- ========================================== -->
    <!--      Attribute Definitions                 -->
    <!-- ========================================== -->

#foreach( $attribute in $attrParams.attributes )
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('persistentId') ) )
#if($attribute.name.equals('EmailAddress'))
    <resolver:AttributeDefinition id="EmailAddress" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="mail">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="Email" encodeType="false" />
    </resolver:AttributeDefinition>
#else
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="$attribute.name" sourceAttributeID="$attribute.name">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="$attrParams.attributeSAML2Strings.get($attribute.name)" friendlyName="$attribute.name" encodeType="false" />
    </resolver:AttributeDefinition>
#end
#end
#end

#if( $resovlerParams.size() > 0 )
#set( $attribute = $resovlerParams.get("name_id_attr_base") )
#set( $name_id_conf = $resovlerParams.get("name_id_conf") )
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="$name_id_conf.attributeName" sourceAttributeID="$attribute.name">
        <resolver:Dependency ref="siteLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:$name_id_conf.nameIdType" />
    </resolver:AttributeDefinition>
#end

    <!-- ========================================== -->
    <!--      Data Connectors                       -->
    <!-- ========================================== -->

    <resolver:DataConnector id="siteLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">
        <dc:FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </dc:FilterTemplate>
        <!-- <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes> -->
        <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
        </dc:StartTLSTrustCredential>
    </resolver:DataConnector>

</resolver:AttributeResolver>
```

By Urii Titov user 03 May 2018 at 10:44 a.m. CDT

I reinstalled the whole server and made the trust relationship. The error "SAML authentication failed for this organization." repeats: [https://imgur.com/0wPEBEU](https://imgur.com/0wPEBEU)

I changed only saml-nameid.xml:

```
<!-- SAML 2 NameID Generation -->
<util:list id="shibboleth.SAML2NameIDGenerators">

    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
    <ref bean="shibboleth.SAML2PersistentGenerator" />

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
        p:attributeSourceIds="#{ {'mail'} }" />

</util:list>
```

I need to transfer 4 attributes to the VCD; the system will extract these attributes from the SAML token (if available) and use them for interpreting the corresponding pieces of information about the user attempting to log in:

- email address = "EmailAddress"
- user name = "UserName"
- full name = "FullName"
- user's groups = "Groups"
- user's roles = "Roles" (this attribute is configurable)

Which configuration file is responsible for this? And could you give an example of filling it, please.

By Mohib Zico Account Admin 04 May 2018 at 10:57 a.m. CDT

Mohib Zico gravatar
Ok... a lot of info. :-) I'll read it all and share my opinion as soon as I can grab some bandwidth.

By Urii Titov user 10 May 2018 at 2:29 a.m. CDT

Urii Titov gravatar
There is only one ERROR in the DEBUG idp-process.log; my config is in https://imgur.com/a/GCLY80X and in the message above (03 May 2018 at 6:44 p.m. MSK).

```
2018-05-08 16:33:18,866 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
org.opensaml.saml.common.SAMLException: Invalid NameIdentifierGenerationService configuration
        at net.shibboleth.idp.saml.nameid.impl.ProxySAML2NameIDGenerator.generate(ProxySAML2NameIDGenerator.java:62)
```

By Mohib Zico Account Admin 14 May 2018 at 11:39 p.m. CDT

Mohib Zico gravatar
Ok, so... We cannot declare EmailAddress as nameID. Custom NameID based on EmailAddress:

- You need to create a custom attribute first.
- Configure that attribute as 'nameID'.
- Release that custom nameID to the Trust relationship.

By Urii Titov user 21 May 2018 at 4:26 a.m. CDT

Urii Titov gravatar
> You need to create a custom attribute first.

When installing the Gluu Server, I chose OpenDJ. According to your documentation [https://gluu.org/docs/ce/3.1.2/admin-guide/attribute/](https://gluu.org/docs/ce/3.1.2/admin-guide/attribute/):

1) To the file /opt/opendj/config/schema/77-customAttributes.ldif I added:

```
[root@idp schema]# cat 77-customAttributes.ldif
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.48710.1.3.1400 NAME 'vcdmail' DESC 'vcdmail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'vcdmail' )
objectClasses: ( 1.3.6.1.4.1.48710.1.4.101 NAME 'gluuCustomPerson' SUP ( top ) AUXILIARY MAY ( vcdmail $ telephoneNumber $ mobile $ carLicense $ facsimileTelephoneNumber $ departmentNumber $ employeeType $ cn $ st $ manager $ street $ postOfficeBox $ employeeNumber $ preferredDeliveryMethod $ roomNumber $ secretary $ homePostalAddress $ l $ postalCode $ description $ title ) X-ORIGIN 'Gluu - Custom persom objectclass' )
```

In /opt/opendj/logs/errors:

```
[21/May/2018:11:35:50 +0300] category=CORE severity=NOTICE msgID=org.opends.messages.core.135 msg=The Directory Server has started successfully
[21/May/2018:11:35:50 +0300] category=CORE severity=NOTICE msgID=org.opends.messages.core.139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerStarted, alert ID org.opends.messages.core-135): The Directory Server has started successfully
```

2) Added the attribute to oxTrust: [https://imgur.com/dW3jkYI](https://imgur.com/dW3jkYI)

> Configure that attribute as 'nameID'

[https://imgur.com/7WLD8wR](https://imgur.com/7WLD8wR)

In the user properties I also added vcdmail: [https://imgur.com/hbsBNDR](https://imgur.com/hbsBNDR)

> Release that custom nameID to Trust relationship.

I used the docs [https://gluu.org/docs/ce/3.1.2/admin-guide/saml/](https://gluu.org/docs/ce/3.1.2/admin-guide/saml/). Trust relationship - Validation Success: [https://imgur.com/pPTrnGM](https://imgur.com/pPTrnGM) [https://imgur.com/celpA5j](https://imgur.com/celpA5j)

Is everything right here? "SAML authentication failed for this organization." still remains.

```
[root@idp logs]# cat idp-process.log | grep ERROR
2018-05-21 12:35:38,703 - ERROR [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:404] - Profile Action AddNameIDToSubjects: Error while generating NameID
```
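A structural check for a hand-edited 77-customAttributes.ldif, added here as an illustration for this thread (it is not a Gluu or OpenDJ tool). It unfolds the LDIF, parses the `attributeTypes` and `objectClasses` definitions, and verifies the three things the step above relies on: the custom attribute is declared, no OID is reused, and the attribute appears in the MAY list of `gluuCustomPerson`. The schema text is the one posted above, folded with LDIF continuation lines; the checker validates nothing beyond that (syntax OIDs, matching rules and OpenDJ's own schema parsing are out of scope).

```python
"""Structural sanity check for an edited OpenDJ schema file (77-customAttributes.ldif).
Added example for this thread; not Gluu or OpenDJ code."""
import re

# Schema entry as posted in this thread, folded with LDIF continuation lines
# (a line starting with one space continues the previous line).
SCHEMA_LDIF = """dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.48710.1.3.1400 NAME 'vcdmail' DESC 'vcdmail'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'vcdmail' )
objectClasses: ( 1.3.6.1.4.1.48710.1.4.101 NAME 'gluuCustomPerson' SUP ( top )
  AUXILIARY MAY ( vcdmail $ telephoneNumber $ mobile $ carLicense $
  facsimileTelephoneNumber $ departmentNumber $ employeeType $ cn $ st $
  manager $ street $ postOfficeBox $ employeeNumber $ preferredDeliveryMethod $
  roomNumber $ secretary $ homePostalAddress $ l $ postalCode $ description $
  title ) X-ORIGIN 'Gluu - Custom persom objectclass' )
"""

# "( <oid> NAME '<name>'" at the start of an attributeTypes/objectClasses value
DEF_RE = re.compile(r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'")
# "MAY ( a $ b $ c )" list form and the single-attribute "MAY a" form
MAY_LIST_RE = re.compile(r"\bMAY\s+\(([^)]*)\)")
MAY_ONE_RE = re.compile(r"\bMAY\s+(\w+)")


def unfold_ldif(text):
    """Join LDIF continuation lines into logical lines (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_schema(text):
    """Return ({attribute name: oid}, {objectclass name: {'oid', 'may'}})."""
    attrs, classes = {}, {}
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        m = DEF_RE.search(value)
        if key == "attributeTypes" and m:
            attrs[m["name"]] = m["oid"]
        elif key == "objectClasses" and m:
            may = MAY_LIST_RE.search(value)
            if may:
                members = [a.strip() for a in may.group(1).split("$") if a.strip()]
            else:
                one = MAY_ONE_RE.search(value)
                members = [one.group(1)] if one else []
            classes[m["name"]] = {"oid": m["oid"], "may": members}
    return attrs, classes


def check_custom_attribute(text, attr_name, objectclass="gluuCustomPerson"):
    """Problems a practitioner wants to see before restarting OpenDJ on this file."""
    attrs, classes = parse_schema(text)
    problems = []
    if attr_name not in attrs:
        problems.append(f"attributeTypes has no definition named {attr_name!r}")
    oids = list(attrs.values()) + [c["oid"] for c in classes.values()]
    dups = sorted({o for o in oids if oids.count(o) > 1})
    if dups:
        problems.append(f"duplicate OIDs: {dups}")
    cls = classes.get(objectclass)
    if cls is None:
        problems.append(f"objectClasses has no {objectclass!r}")
    elif attr_name not in cls["may"]:
        problems.append(f"{attr_name!r} is not in the MAY list of {objectclass!r}")
    return problems


if __name__ == "__main__":
    for name in ("vcdmail", "vcdgroups"):
        print(name, check_custom_attribute(SCHEMA_LDIF, name) or "ok")
```

Run it against the real file with `check_custom_attribute(open("/opt/opendj/config/schema/77-customAttributes.ldif").read(), "vcdmail")`; an empty list means the attribute is declared, its OID is unique within the file, and `gluuCustomPerson` allows it. The check does not consult the other schema files, so an OID that collides with one defined elsewhere in /opt/opendj/config/schema is not caught.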

By Urii Titov user 21 May 2018 at 5:35 a.m. CDT

Urii Titov gravatar
We also contacted VMware tech support about this problem; they replied: "The source of the error: “SAML authentication failed for this organization.” is not clear from our side."

By Mohib Zico Account Admin 23 May 2018 at 5:33 a.m. CDT

Mohib Zico gravatar
>> Profile Action AddNameIDToSubjects: Error while generating NameID

This means... the SP is still not getting its required nameID. Check out the SP's metadata; see if there is anything other than the emailAddress nameID available or not; if yes, remove those from the metadata and upload the modified metadata in this trust relationship. See how that goes.

By Urii Titov user 23 May 2018 at 9:26 a.m. CDT

Urii Titov gravatar
> See how that goes.

Please, can you give a link?

By Urii Titov user 23 May 2018 at 9:38 a.m. CDT

Urii Titov gravatar
You can see my example metadata: https://yadi.sk/d/NGCPIV9K3WQxF3

By Urii Titov user 24 May 2018 at 2:18 a.m. CDT

Urii Titov gravatar
Is there enough information that I wrote or need more data from the configurations?

By Urii Titov user 25 May 2018 at 7:45 a.m. CDT

Urii Titov gravatar
I upgraded the Gluu Server to version 3.1.3 and repeated the steps to make the trust; "SAML authentication failed for this organization." still remains. But `cat idp-process.log | grep ERROR` shows nothing. `cat idp-warn.log`:

```
2018-05-25 15:43:02,211 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:75] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
```

By Urii Titov user 25 May 2018 at 7:46 a.m. CDT

Urii Titov gravatar
Please help me set up NameIDFormat.

By Urii Titov user 25 May 2018 at 9:51 a.m. CDT

Urii Titov gravatar
All done according to your documentation: [https://imgur.com/ZBt27wz](https://imgur.com/ZBt27wz) [https://imgur.com/rFkcd98](https://imgur.com/rFkcd98) [https://imgur.com/25QwcAH](https://imgur.com/25QwcAH) [https://imgur.com/97LfWE6](https://imgur.com/97LfWE6)

But:

```
[root@idp logs]# cat idp-warn.log
2018-05-25 17:26:40,613 - WARN [net.shibboleth.idp.attribute.resolver.spring.ad.BaseAttributeDefinitionParser:78] - Attribute Definition 'vcdmail': Configuration contains at least one element in the deprecated 'urn:mace:shibboleth:2.0:resolver' namespace.
2018-05-25 17:26:40,619 - WARN [net.shibboleth.idp.attribute.resolver.spring.dc.AbstractDataConnectorParser:117] - Data Connector 'siteLDAP': Configuration contains at least one element in the deprecated 'urn:mace:shibboleth:2.0:resolver:dc' namespace.
```

By Mohib Zico Account Admin 01 Jun 2018 at 1:59 a.m. CDT

Mohib Zico gravatar
>> You can see my example metadata:
>> https://yadi.sk/d/NGCPIV9K3WQxF3

Yes... so remove the unwanted NameIDFormat entries from the SP metadata and just use one (persistent / emailAddress); then configure the nameID in the Gluu Server with the format that is specified in the SP metadata.
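The metadata check suggested in the two replies above (look at what NameIDFormats the SP advertises, keep one, and make the IdP's NameID generator emit that format), written out as an added example for this thread; it is not Gluu or Shibboleth code. The SP metadata and the saml-nameid.xml fragment below are constructed to have the shape of the real files (placeholder entityID and endpoints); the mapping of the two built-in generator beans to the transient and persistent formats is how Shibboleth IdP v3 names them. One caveat the check makes visible: the standard emailAddress NameID format is `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` (1.1 prefix), and the comparison is an exact string match, so a generator configured with a `2.0`-prefixed emailAddress URN will not match an SP entry with the standard one.

```python
"""Cross-check SP NameIDFormat metadata against the IdP's SAML2NameIDGenerators.
Added example for this thread; not Gluu or Shibboleth code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS_NS = "http://www.springframework.org/schema/beans"
UTIL_NS = "http://www.springframework.org/schema/util"
P_NS = "http://www.springframework.org/schema/p"

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Built-in Shibboleth IdP v3 generator beans and the format each one emits.
BUILTIN_GENERATORS = {
    "shibboleth.SAML2TransientGenerator": TRANSIENT_FORMAT,
    "shibboleth.SAML2PersistentGenerator": PERSISTENT_FORMAT,
}

# Constructed SP metadata (placeholder entityID/endpoint, not the thread's real SP).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{UNSPECIFIED_FORMAT}</md:NameIDFormat>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:NameIDFormat>{PERSISTENT_FORMAT}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed saml-nameid.xml fragment: the two built-in generators plus an
# attribute-sourced generator declared with a non-standard 2.0 emailAddress URN.
IDP_NAMEID_XML = f"""<beans xmlns="{BEANS_NS}" xmlns:util="{UTIL_NS}" xmlns:p="{P_NS}">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator"/>
    <ref bean="shibboleth.SAML2PersistentGenerator"/>
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
          p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
          p:attributeSourceIds="#{{ {{'mail'}} }}"/>
  </util:list>
</beans>
"""


def sp_nameid_formats(metadata_xml):
    """NameIDFormat values advertised in the SP's SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    path = f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}NameIDFormat"
    return [(e.text or "").strip() for e in root.findall(path)]


def idp_generator_formats(nameid_xml):
    """Formats the IdP's shibboleth.SAML2NameIDGenerators list can emit."""
    root = ET.fromstring(nameid_xml)
    lst = root.find(f"{{{UTIL_NS}}}list[@id='shibboleth.SAML2NameIDGenerators']")
    if lst is None:
        return []
    formats = []
    for child in lst:
        if child.tag == f"{{{BEANS_NS}}}ref":          # built-in generator bean
            fmt = BUILTIN_GENERATORS.get(child.get("bean", ""))
        else:                                          # attribute-sourced generator
            fmt = child.get(f"{{{P_NS}}}format")
        if fmt:
            formats.append(fmt)
    return formats


def check_nameid(metadata_xml, nameid_xml):
    """Which SP formats the IdP can produce, plus the two warnings seen in this thread."""
    sp, idp = sp_nameid_formats(metadata_xml), idp_generator_formats(nameid_xml)
    warnings = []
    if UNSPECIFIED_FORMAT in sp:
        warnings.append("SP metadata lists 'unspecified'; the IdP warns and ignores the NameIDFormat metadata")
    for fmt in idp:
        if fmt.endswith(":emailAddress") and fmt != EMAIL_FORMAT:
            warnings.append(f"IdP generator format {fmt!r} is not the standard URN {EMAIL_FORMAT!r}")
    common = [f for f in sp if f != UNSPECIFIED_FORMAT and f in idp]
    return {"sp": sp, "idp": idp, "common": common, "warnings": warnings}


def strip_nameid_formats(metadata_xml, keep):
    """Copy of the SP metadata with only the chosen NameIDFormat left in place."""
    ET.register_namespace("md", MD_NS)
    root = ET.fromstring(metadata_xml)
    for sp in root.findall(f"{{{MD_NS}}}SPSSODescriptor"):
        for nf in list(sp.findall(f"{{{MD_NS}}}NameIDFormat")):
            if (nf.text or "").strip() != keep:
                sp.remove(nf)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, value in check_nameid(SP_METADATA, IDP_NAMEID_XML).items():
        print(f"{key}: {value}")
    print(strip_nameid_formats(SP_METADATA, EMAIL_FORMAT))
```

Point the two functions at the real files (the SP metadata downloaded from vCD and /opt/shibboleth-idp/conf/saml-nameid.xml) and an empty `common` list is the configuration mismatch behind "Error while generating NameID". If the SP metadata carries an XML signature, editing it with `strip_nameid_formats` invalidates that signature, so the stripped copy is only usable where the trust relationship does not verify it.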

By Urii Titov user 04 Jun 2018 at 5:37 a.m. CDT

Urii Titov gravatar
I didn't do anything in the SP metadata. After many tries configuring Gluu, authentication works. The ticket may be closed. Thanks.