For SAML stuff you should definitely check the Shibboleth IDP logs. For locations see [Gluu Server Logs](https://gluu.org/docs/ce/3.1.3/operation/logs/) If you can post the metadata for your SP, that would help.

Hi, Jakub. As Michael has mentioned, we will need more data from you to provide assistance. Please also provide metadata of all SPs you have issues with, and screenshots of their configuration from Gluu's web UI. >After redirecting to this page, it continues redirecting me to: https://login.mydomain.com/identity/home.htm Which gives me the Gluu Web UI. This is very strange result. Can't even say what could cause it. Please record your complete failing flow and provide us HAR file of it. You can use steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that, Chrome's HARs are flawed. Also don't forget to set "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page. Before doing the capture, please if possible disable assertion encryption at your IDP, this will help troubleshooting it a lot (we need to see which attributes are being sent in the SAML response) You also can't simply re-use a previously used and/or outdate url with a SAML request embeded into it, as the protocol has inbuilt protection agains replay attacks, which seems to be the reason you got this error. Regarding your questions: > What should be the full login URL, so I can login using this SAML configuration to my SP? I believe you're talking about sign-in url at SP, the one which will trigger a SAML flow. This will differ between SP implementations, and will depend on how a specific SP is configured. Please note that we don't cover SP configuration topics under Community (free) support. >What log files I should be looking for to find where is my error in case I am having any configuration problem? The most important log when it comes to troubleshooting issues with IDP is `/opt/shibboleth-idp/logs/idp-process.log`. You also may opt to rise its verbosity level by editing `/opt/shibboleth-idp/conf/logback.xml`, specifically next 3 elements: ``` <variable name="idp.loglevel.idp" value="INFO" /> <variable name="idp.loglevel.messages" value="INFO" /> <variable name="idp.loglevel.opensaml" value="INFO" /> ``` Set them to "DEBUG" and restart `idp` service to see more detailed logs. >What would be an unsolicited login URL in my case? I will want to be able to login to an application from a custom login page that will have links to several SP (does that page already exist with Gluu? my /idp page returns "No services are available at this location"). I have tried this URL: https://login.mydomain.com/idp/profile/SAML2/Unsolicited/SSO?providerId=https://myprovider.com You seem to be using the correct procedure to trigger the Unsolicited flow. Just note that "providerId" must contain entityid in it, which you can learn from SP's metadata, or by capturing and studying SP's initial SAML request. Yet this: >But again, it redirects me to the provider and then returns again to the error page of /identity/feedback.html. ..again isn't the expected result. Please create a HAR file capturing that flow as well, and share with us.

Thank you for quick response! > Please also provide metadata of all SPs you have issues with, and screenshots of their configuration from Gluu's web UI. Here is the SP Metadata and configuration, keep in mind that I have changed the domain, but that should not matter at all: ``` <?xml version="1.0" encoding="UTF-8"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://secure.PROVIDERDOMAIN.com"><md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://secure.PROVIDERDOMAIN.com/ta/JDsTest.login-saml" index="1"/></md:SPSSODescriptor></md:EntityDescriptor> ```  And the details with disabled assertion encryption:  I'll also include the HAR file, as requested. Keep in mind that I've also changed the domain names to something different. In case there is any part in a foreign language - I apologize but I was not able to configure everything in English. Please Google Translate that from Polish to English if the need may be. It shouldn't be much though. [Archive Har](https://gist.github.com/shnek/a08aa7b3ea7eef87d67f9fc6c9d2a073) > >What should be the full login URL, so I can login using this SAML configuration to my SP? > > I believe you're talking about sign-in url at SP, the one which will trigger a SAML flow. This will differ between SP implementations, and will depend on how a specific SP is configured. Please note that we don't cover SP configuration topics under Community (free) support. No, that's not what I'm talking about. I have the login URL for SP. I'm talking about a login on the IDP that will be used by the SP to redirect. Currently it is set up as login.mydomain.com, thus it redirects to login.mydomain.com/?SAMLRequest=... which does not seem right. I am essentially asking what should be the first part of URL, before the question mark (?SAMLRequest=...) so that the login is correct. I will change the log level and try re-testing everything and looking into logs later today. Thanks! Thank you again for your quick response and help! I appreciate it!.

Hi, Jakub. According to what is recorded in HAR, you SP redirects browser to to url like this at Gluu: ``` https://login.IDENTITYPROVIDER.com/?SAMLRequest=hZFPT8JAEMXvJn6HZu%2F9BwnihpY0FLEVsdKCtrdNHWGT7S7ubFG%2FvQUlwYue572Z33szGn80wtqDRq5kQHzHIxbIWr1wuQnIqrixh2QcXl6MkDViR6PWbOUS3lpAY3VOifQ4CEirJVUMOVLJGkBqappH93Paczy608qoWglyZvnbwRBBmw6JWEkckGydrrLoKU4fHqsqy8u8uCtm88Usni6fo7Isp5P0NkqrWadGbCGRaJg0Ael5%2FtD2hrbfL7xr6g9ov%2B%2F4V4OKWOtT4t4hcYJZd5HvISCvTCAQKzoBTJTEtgGdg97zGlbLeUC2xuyQui5C3WpwQJqDtgElBZfg1KpxDXPTGIuuJkeoDZf2ITMJjzXSI6QO%2F18zcs%2F1Pz9YdG0lcaYErz%2BtSAj1PtHATMdudAvEDb9dv58VfgE%3D ``` This is, of course, not correct, it's not proper IDP endpoint to send a SAML request to. You should check url like `https://your.gluu.host/idp/shibboleth` which will return you an xml document with IDP's metadata, which includes endpoints it offers to SPs. Usually you'll want to send SAML request to something like `https://your.gluu.host/idp/profile/SAML2/Redirect/SSO`, but this may vary, depending on SP's configuration. You mention proper endpoint in many your other posts in this ticket, not sure why the SP behaves like this. It's definetely not Gluu-related issue, and we don't assist with SP configuration, unfortunately.

Hi Aliakandr, I am aware my URL is incorrect. For whatever reason my SP asks me to give me the redirect URL, but I did not know what URL should i type in (I'll try the `https://your.gluu.host/idp/profile/SAML2/Redirect/SSO`) In my IDP metadata (`https://your.gluu.host/idp/shibboleth`) there are several URL's for SSO bindings, I just had not idea if I should use Unsolicited or HTTP-POST-SimpleSign or HTTP-POST or HTTP-Redirect. Thanks! Do you have any idea why my Unsolicited URL redirects me to Shibboleht Stale Request page? Thank you!

Hi, Jakub. >Do you have any idea why my Unsolicited URL redirects me to Shibboleht Stale Request page? Please create another HAR file for this flow and share with us.

Hi, Jakub. Closing the ticket due to inactivity.