By: Gerhard De Mohr user 24 Oct 2018 at 11:24 a.m. CDT

13 Responses
Gerhard De Mohr gravatar
Hey team. I have set up the custom attribute to try and pass the nameID; I also set up the "configure custom nameID" option. I even registered the custom nameID in oxTrust etc. For the life of me I cannot get Gluu to pass the nameID on to the SP. This is what we are seeing when Gluu goes back to the SP after authentication:

```
Failed : Error Message - {timeStamp=1540397687399, error_message= Could not fetch nameId from the xml document
```

I have set the "release additional attributes" in the TR to that of the custom attribute that was created and registered. Does nothing. I even used the transientid; it still does not provide the nameID to the SP. I am lost as to what else to do to get this damn thing to pass the nameID. I tailed the logs and am not seeing why this is happening. Here is the log:

```
==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/2018_10_24.jetty.log <==
2018-10-24 16:13:21,018 INFO [qtp804611486-9] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:533) - Attempting to redirect user: SessionUser: SessionState {dn='oxAuthSessionId=131086e0-0804-4356-804f-c11c636358d8,ou=session,o=@!4A5D.C0F9.C614.6A20!0001!1C7C.279D,o=gluu', id='131086e0-0804-4356-804f-c11c636358d8', lastUsedAt=Wed Oct 24 16:13:21 UTC 2018, userDn='inum=@!4A5D.C0F9.C614.6A20!0001!1C7C.279D!0000!A8F2.DE1E.D7FB,ou=people,o=@!4A5D.C0F9.C614.6A20!0001!1C7C.279D,o=gluu', authenticationTime=Wed Oct 24 16:13:21 UTC 2018, state=authenticated, sessionState='f4385db2-ac84-4736-9a33-dab6531bb798', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@28fd4a4a, involvedClients=null, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=197.234.160.247, auth_external_attributes=null, auth_user=admin, scope=openid email user_name, response_type=code, redirect_uri=https://sso.sphereict.co.za/idp/Authn/oxAuth, state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJjb252ZXJzYXRpb24iOiJlMXMxIiwic3RhdGUiOiI4VXZRN0hWMUNnIn0., nonce=BndReILKNd, client_id=@!4A5D.C0F9.C614.6A20!0001!1C7C.279D!0008!607F.AB55}, persisted=true}

==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/oxauth.log <==
2018-10-24 16:13:21,019 INFO [qtp804611486-9] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@6d25bbe

==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/2018_10_24.jetty.log <==
2018-10-24 16:13:21,019 INFO [qtp804611486-9] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@6d25bbe

==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/oxauth.log <==
2018-10-24 16:13:21,021 INFO [qtp804611486-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:365) - Authentication success for User: 'admin'

==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/2018_10_24.jetty.log <==
2018-10-24 16:13:21,021 INFO [qtp804611486-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:365) - Authentication success for User: 'admin'

==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/oxauth.log <==
2018-10-24 16:13:21,196 INFO [qtp804611486-16] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:224) - Authentication success for Client: '@!4A5D.C0F9.C614.6A20!0001!1C7C.279D!0008!607F.AB55'

==> /opt/gluu-server-3.1.4/opt/gluu/jetty/oxauth/logs/2018_10_24.jetty.log <==
2018-10-24 16:13:21,196 INFO [qtp804611486-16] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:224) - Authentication success for Client: '@!4A5D.C0F9.C614.6A20!0001!1C7C.279D!0008!607F.AB55'
```

By Aliaksandr Samuseu staff 24 Oct 2018 at 11:30 a.m. CDT

Aliaksandr Samuseu gravatar
Hi, Gerhard. Let us look into it; the situation with nameids is not clear in the recent package, it seems.

By Aliaksandr Samuseu staff 24 Oct 2018 at 11:33 a.m. CDT

Aliaksandr Samuseu gravatar
One thing to note: the feature of setting nameid via web UI is not functional in 3.1.4, it seems. So please refrain from using it, and disable it if you already did.

By Michael Schwartz Account Admin 24 Oct 2018 at 11:40 a.m. CDT

Michael Schwartz gravatar
It would be helpful if you could add to this ticket the full XML for the SAML request. Also, if you could paste in the relevant portions of the Shibboleth IDP XML configuration for NameID and the custom attribute. And finally, paste in any screenshots of how you configured the Trust Relationship in the Gluu Server. The oxAuth error logs only tell you so much.

By Gerhard De Mohr user 24 Oct 2018 at 11:55 a.m. CDT

Gerhard De Mohr gravatar
Hi, thanks for the reply. I have now left the office; I will log in to the Gluu server tonight to get all the info as requested. Thanks for being willing to help. Sincerely, Gerhard De Villiers-Mohr. Sent from my Samsung Galaxy smartphone.

By Gerhard De Mohr user 24 Oct 2018 at 2:51 p.m. CDT

Gerhard De Mohr gravatar
SAML REQUEST <?xml version="1.0" encoding="UTF-8" standalone="no"?> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://sptest.iamshowcase.com/acs" ID="_f66a497f3ae4a6514e51dd7960ebc127" InResponseTo="a18e0f2768b99f42638ce89683434ad8173a0f60f" IssueInstant="2018-10-24T19:36:54.189Z" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.sphereict.co.za/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#_f66a497f3ae4a6514e51dd7960ebc127"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>KuXoW10P4gXok0Zt2o2JLLEzD3vXluOGpuD2gDY2Ivk=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> l5glBJoLfWAiM+08gzLSgFQGPJAPcDwAAG8bEOB+4TN7UgA/l1wx/R5i//pekVtxR0dJocVFrqIs Qevg2M7KV1zYYV8h8mvRQcRFyxa2nB4tvkGPS569ygjBF3se7XT+tJgGQphqfoy85NIbYe08fe5x 2oDRywpC9/IqryL7IolaRjRFyl4BnH6tRbYt7i0YIWKrjYfsnvJSYe/QnahiWFWbRDel0lO8P87J 8wQ7zdlegZSpaq6e6aR15UrQ/scgA1DNtQZg3eaZWGGWydaQ/BEAmFptLfnaVFV59qnIqArKOsK7 r1rqwt27jaKpoy8sQTn34jOFZ3jljaSAxXns4Q== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDgjCCAmoCCQCHVGY6lkXuYDANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCc2ExCzAJBgNV BAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3Nv LnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcN MTgxMDIyMjIzMjQwWhcNMTkxMDIyMjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnph MRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVy 
ZWljdC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRS74n6D2M+JbBQCR61K3EWt+DlUHOwFLTkM8MhYaEAAeE hKY+kf44EfHjs7XJXiCdfSUdohO4EN8g/9kMortxkiJM91pko7a23kVT9/gJWr3V4F9fQcileeQM tkK1VpntXZzKETqe7A8zL3k9MKN5sd45cVPhOR858J9tAupz0s+pg7bfvqxAqaAYcZ1iO1cpElzk jfqlxsOMETKF5s4ezMBv5Xm2a0ETm0nj2qfS8LutJh2IlDfV4CzVi3aStiy+pGiMhZ1cDBgGqAWj h9lhDBRABuBOD+VBBARjV+5GR4ilVYVELAA9J8yO54YyRT7O/v9v036xzWtLP7C3j/WlAgMBAAEw DQYJKoZIhvcNAQELBQADggEBAEQZC5h/3lEzBx14/96iMLl5CoXMokowOSfmOkyyIDCZGvcPV43B Ja7Cum2QrDuhZm4rUxvUbgHxz36Nbt7A/AirsOMO0GZj1J6DolCFvsbpbQiTIdtWXiLgxhA8no6M VpmhO4QMhDd3x+5IRJjRybEy2KBOgiDGhERQINRXEnfftM54YOT2cQ73NQE4edBQbLVMVm8tI5Tz 2H6y+gXlZQL4avavU6u3r1UNbmi+pC+zfU6dP8fahzZIKVS4I1CCL3VB/ojZFEki1E03dZYEZ+hH uln/XGUrk+UfKtYN99yq+QxgJ112c2tALl13CFaT8jpXVBPPyJkKnGL/olpzXAU=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/> </saml2p:StatusCode> <saml2p:StatusMessage>authn</saml2p:StatusMessage> </saml2p:Status> </saml2p:Response> Shobboleth XML File --- This is all there is <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://sso.sphereict.co.za/idp/shibboleth"> <script/> <script/> <IDPSSODescriptor errorURL="https://sso.sphereict.co.za/identity/feedback.htm" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <Extensions> <shibmd:Scope regexp="false">sso.sphereict.co.za</shibmd:Scope> </Extensions> <KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDgjCCAmoCCQCHVGY6lkXuYDANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC c2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNl Y3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJ 
ARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcNMTgxMDIyMjIzMjQwWhcNMTkxMDIy MjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAlj YXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWlj dC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRS74n6D2M+JbBQCR61K3EWt+D lUHOwFLTkM8MhYaEAAeEhKY+kf44EfHjs7XJXiCdfSUdohO4EN8g/9kMortxkiJM 91pko7a23kVT9/gJWr3V4F9fQcileeQMtkK1VpntXZzKETqe7A8zL3k9MKN5sd45 cVPhOR858J9tAupz0s+pg7bfvqxAqaAYcZ1iO1cpElzkjfqlxsOMETKF5s4ezMBv 5Xm2a0ETm0nj2qfS8LutJh2IlDfV4CzVi3aStiy+pGiMhZ1cDBgGqAWjh9lhDBRA BuBOD+VBBARjV+5GR4ilVYVELAA9J8yO54YyRT7O/v9v036xzWtLP7C3j/WlAgMB AAEwDQYJKoZIhvcNAQELBQADggEBAEQZC5h/3lEzBx14/96iMLl5CoXMokowOSfm OkyyIDCZGvcPV43BJa7Cum2QrDuhZm4rUxvUbgHxz36Nbt7A/AirsOMO0GZj1J6D olCFvsbpbQiTIdtWXiLgxhA8no6MVpmhO4QMhDd3x+5IRJjRybEy2KBOgiDGhERQ INRXEnfftM54YOT2cQ73NQE4edBQbLVMVm8tI5Tz2H6y+gXlZQL4avavU6u3r1UN bmi+pC+zfU6dP8fahzZIKVS4I1CCL3VB/ojZFEki1E03dZYEZ+hHuln/XGUrk+Uf KtYN99yq+QxgJ112c2tALl13CFaT8jpXVBPPyJkKnGL/olpzXAU= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <KeyDescriptor use="encryption"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDgjCCAmoCCQDHhVhbx4TRpzANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC c2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNl Y3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJ ARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcNMTgxMDIyMjIzMjQwWhcNMTkxMDIy MjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAlj YXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWlj dC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/ZgwZ1IUa4x8HJEZCk56vUUwr HVqTJdRiJ31ITiO1SYPtqiCI1nosvAB+6+Zo4lNHPMlEOgcrbSv9mtW21BVvLuHN 8WfP0+6ZySxxH61ch/dRM74JLv0E84+DSs4viDliSpi1/w3rONfBS1URdjG6/Vmv gC9S7obCniEpkAXKLTpTWMupUVZBp0Uw0UyTd2LuqCJCOsQc4amHnhCk8dV1XZSB SLTIzZTaZ478fNgK2ScVVeosP2oBv5uByT83DzyJnxQP8xeBrfsOxE6ec/lmFPBp 
Vnt59zC0tzMxD3d8xC3kuGsDtRXYIRjuiYhI9uZKdhmNbj0mbxIK4qSv6xaFAgMB AAEwDQYJKoZIhvcNAQELBQADggEBAEc8sa0EctGp7v9AqvG/nDtcugrRLsWZnpQG t7SDI5s/EjPBqKCjQbDBQ9SrzvEEeAav+5aqdMQsejAv+3c/fHvgBB23hYgxJShA kxBWF7CwmpqhSgOhuQZf9tn2cjRraKhdIPw5kkke2o86sQarSjTIdXrD2SkFYoHW lItWKIXTClmsb3mjPTQ3zR3tVu6jcmVJDtoYvPkFXS8YEN9YJ9Xe4IKVJgcDeQ0x N3eCTsLJGLHtF7QkkcBj/rxzFSrKlHHwSWqjTe7BCV03PyYzHQbLcUDqZpmOtEVA e7OfPrb9JiPncxcahwBSPqnVJaLXy8mNvZtOynZoOKJgfM67ses= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.sphereict.co.za/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.sphereict.co.za/idp/profile/SAML2/Redirect/SLO"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.sphereict.co.za/idp/profile/SAML2/POST/SLO"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sso.sphereict.co.za/idp/profile/SAML2/POST-SimpleSign/SLO"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.sphereict.co.za/idp/profile/SAML2/SOAP/SLO"/> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat> <SingleSignOnService Binding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" Location="https://sso.sphereict.co.za/idp/profile/SAML2/Unsolicited/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.sphereict.co.za/idp/profile/SAML2/POST/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sso.sphereict.co.za/idp/profile/SAML2/POST-SimpleSign/SSO"/> <SingleSignOnService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.sphereict.co.za/idp/profile/SAML2/Redirect/SSO"/> </IDPSSODescriptor> <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <Extensions> <shibmd:Scope regexp="false">sso.sphereict.co.za</shibmd:Scope> </Extensions> <KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDgjCCAmoCCQCHVGY6lkXuYDANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC c2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNl Y3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJ ARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcNMTgxMDIyMjIzMjQwWhcNMTkxMDIy MjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAlj YXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWlj dC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRS74n6D2M+JbBQCR61K3EWt+D lUHOwFLTkM8MhYaEAAeEhKY+kf44EfHjs7XJXiCdfSUdohO4EN8g/9kMortxkiJM 91pko7a23kVT9/gJWr3V4F9fQcileeQMtkK1VpntXZzKETqe7A8zL3k9MKN5sd45 cVPhOR858J9tAupz0s+pg7bfvqxAqaAYcZ1iO1cpElzkjfqlxsOMETKF5s4ezMBv 5Xm2a0ETm0nj2qfS8LutJh2IlDfV4CzVi3aStiy+pGiMhZ1cDBgGqAWjh9lhDBRA BuBOD+VBBARjV+5GR4ilVYVELAA9J8yO54YyRT7O/v9v036xzWtLP7C3j/WlAgMB AAEwDQYJKoZIhvcNAQELBQADggEBAEQZC5h/3lEzBx14/96iMLl5CoXMokowOSfm OkyyIDCZGvcPV43BJa7Cum2QrDuhZm4rUxvUbgHxz36Nbt7A/AirsOMO0GZj1J6D olCFvsbpbQiTIdtWXiLgxhA8no6MVpmhO4QMhDd3x+5IRJjRybEy2KBOgiDGhERQ INRXEnfftM54YOT2cQ73NQE4edBQbLVMVm8tI5Tz2H6y+gXlZQL4avavU6u3r1UN bmi+pC+zfU6dP8fahzZIKVS4I1CCL3VB/ojZFEki1E03dZYEZ+hHuln/XGUrk+Uf KtYN99yq+QxgJ112c2tALl13CFaT8jpXVBPPyJkKnGL/olpzXAU= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <KeyDescriptor use="encryption"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDgjCCAmoCCQDHhVhbx4TRpzANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC c2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNl Y3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJ 
ARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcNMTgxMDIyMjIzMjQwWhcNMTkxMDIy MjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnphMRIwEAYDVQQHDAlj YXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVyZWlj dC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/ZgwZ1IUa4x8HJEZCk56vUUwr HVqTJdRiJ31ITiO1SYPtqiCI1nosvAB+6+Zo4lNHPMlEOgcrbSv9mtW21BVvLuHN 8WfP0+6ZySxxH61ch/dRM74JLv0E84+DSs4viDliSpi1/w3rONfBS1URdjG6/Vmv gC9S7obCniEpkAXKLTpTWMupUVZBp0Uw0UyTd2LuqCJCOsQc4amHnhCk8dV1XZSB SLTIzZTaZ478fNgK2ScVVeosP2oBv5uByT83DzyJnxQP8xeBrfsOxE6ec/lmFPBp Vnt59zC0tzMxD3d8xC3kuGsDtRXYIRjuiYhI9uZKdhmNbj0mbxIK4qSv6xaFAgMB AAEwDQYJKoZIhvcNAQELBQADggEBAEc8sa0EctGp7v9AqvG/nDtcugrRLsWZnpQG t7SDI5s/EjPBqKCjQbDBQ9SrzvEEeAav+5aqdMQsejAv+3c/fHvgBB23hYgxJShA kxBWF7CwmpqhSgOhuQZf9tn2cjRraKhdIPw5kkke2o86sQarSjTIdXrD2SkFYoHW lItWKIXTClmsb3mjPTQ3zR3tVu6jcmVJDtoYvPkFXS8YEN9YJ9Xe4IKVJgcDeQ0x N3eCTsLJGLHtF7QkkcBj/rxzFSrKlHHwSWqjTe7BCV03PyYzHQbLcUDqZpmOtEVA e7OfPrb9JiPncxcahwBSPqnVJaLXy8mNvZtOynZoOKJgfM67ses= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.sphereict.co.za/idp/profile/SAML2/SOAP/AttributeQuery"/> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat> </AttributeAuthorityDescriptor> <Organization> <OrganizationName xml:lang="en">secure</OrganizationName> <OrganizationDisplayName xml:lang="en">secure</OrganizationDisplayName> <OrganizationURL xml:lang="en">https://xxx.xxxxx.co.za</OrganizationURL> </Organization> </EntityDescriptor> This is our test server listed above which is what we will do same for production server once all issues are resolved. XML of TEST SP can be found here : https://sptest.iamshowcase.com/testsp_metadata.xml The above is same issue with actual SP Let me know if there is anything else you need. 
Below is the link for the screenshots, as I cannot paste them here. The link will be active for 24 hours. https://cloud.sphereict.co.za/owncloud/index.php/s/ubUS5zo2nYWBRHx

By Gerhard De Mohr user 24 Oct 2018 at 2:53 p.m. CDT

Gerhard De Mohr gravatar
sorry the SAML copied incorrectly <?xml version="1.0" encoding="UTF-8"?> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://jsandorskidemo.egnyte.com/samlconsumer/ADFS3" ID="_38587805c0767de0366e99b6937ce0b5" InResponseTo="_ad0ba37f-84e4-44c7-b38d-faacd9f5bed7" IssueInstant="2018-10-24T12:52:33.798Z" Version="2.0"> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.sphereict.co.za/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod> <ds:Reference URI="#_38587805c0767de0366e99b6937ce0b5"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod> <ds:DigestValue>2FtOpkO07hTQRCFMzxbDIgc8tbscRo5Y6u3+oUAf0hE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> emAZOWl0rakId8DpsuYOKrGZeFuqSsOEJlA8ys27FuWM4okO9PaiXmhmFuJqQII7mBhlBPq8OzwP tdMPIgfEsaeYRK9nUowgaNWN/c3lLPCfYiYW44ba/NSoNgc1DeqpK83y3QwRHCOf3/aAu+iCr4cB phmVlizBIeZcCIjyMWTnmIaUojoYAOLKNybswvRN6QqB59ONssepVYAOTqI7XoaraFvAoCmPp+ji 8rolQUTMHKaUb6YLjlnAe+sHsNpFJwoR25hP0Ns/wvX4D4REwPVDJzgKNjlt8xP6v6Gz2lrY0vAm CSu4N4sErP4e5ez2168ClyJstSjM4CkaUbOhwA== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDgjCCAmoCCQCHVGY6lkXuYDANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCc2ExCzAJBgNV BAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3Nv LnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcN MTgxMDIyMjIzMjQwWhcNMTkxMDIyMjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnph 
MRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVy ZWljdC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRS74n6D2M+JbBQCR61K3EWt+DlUHOwFLTkM8MhYaEAAeE hKY+kf44EfHjs7XJXiCdfSUdohO4EN8g/9kMortxkiJM91pko7a23kVT9/gJWr3V4F9fQcileeQM tkK1VpntXZzKETqe7A8zL3k9MKN5sd45cVPhOR858J9tAupz0s+pg7bfvqxAqaAYcZ1iO1cpElzk jfqlxsOMETKF5s4ezMBv5Xm2a0ETm0nj2qfS8LutJh2IlDfV4CzVi3aStiy+pGiMhZ1cDBgGqAWj h9lhDBRABuBOD+VBBARjV+5GR4ilVYVELAA9J8yO54YyRT7O/v9v036xzWtLP7C3j/WlAgMBAAEw DQYJKoZIhvcNAQELBQADggEBAEQZC5h/3lEzBx14/96iMLl5CoXMokowOSfmOkyyIDCZGvcPV43B Ja7Cum2QrDuhZm4rUxvUbgHxz36Nbt7A/AirsOMO0GZj1J6DolCFvsbpbQiTIdtWXiLgxhA8no6M VpmhO4QMhDd3x+5IRJjRybEy2KBOgiDGhERQINRXEnfftM54YOT2cQ73NQE4edBQbLVMVm8tI5Tz 2H6y+gXlZQL4avavU6u3r1UNbmi+pC+zfU6dP8fahzZIKVS4I1CCL3VB/ojZFEki1E03dZYEZ+hH uln/XGUrk+UfKtYN99yq+QxgJ112c2tALl13CFaT8jpXVBPPyJkKnGL/olpzXAU=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_5996eeea9512c04d40f1c484bdc2093c" IssueInstant="2018-10-24T12:52:33.798Z" Version="2.0"> <saml2:Issuer>https://sso.sphereict.co.za/idp/shibboleth</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod> <ds:Reference URI="#_5996eeea9512c04d40f1c484bdc2093c"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod> 
<ds:DigestValue>vmqtGQ4YAokLbdl+XRyniwsdkQ7NqIIE8eykJ2/8dGU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> HwpZ0pNqLkffZ3HaLuFrrUz1t1i0myaf+WV7Njfkr/CSocLVCSgIJgsoybq8baJvMIDFHzfQIgPA DHR4/KYr14234dJAifNIpvtI8Ik6m8VyMXDtdhM8DfBWXxv61CPcxgP1CCU/oD0yBeBJeVvUmNQg 3npVc3LXzjOYqpxE14eHeGE2p2kQf9clNDLAWE1Ii/Y+D3PL2axnqEKfwOCwssuWUPO0jgXFXr9v G2wQLYUiB1+HEhnbQrEhZKceSdHICmTYWiCRzcWA5M23ct/4ulA4a3wsBoR2SebzAS5O8gIwW01q VZUBSXm9h04jbmu1JlyOnXHzvAFrlPQ8wXj0aA== </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDgjCCAmoCCQCHVGY6lkXuYDANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCc2ExCzAJBgNV BAgMAnphMRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3Nv LnNwaGVyZWljdC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwHhcN MTgxMDIyMjIzMjQwWhcNMTkxMDIyMjIzMjQwWjCBgjELMAkGA1UEBhMCc2ExCzAJBgNVBAgMAnph MRIwEAYDVQQHDAljYXBlIHRvd24xDzANBgNVBAoMBnNlY3VyZTEcMBoGA1UEAwwTc3NvLnNwaGVy ZWljdC5jby56YTEjMCEGCSqGSIb3DQEJARYUZ21vaHJAc3BoZXJlaXQuY28uemEwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRS74n6D2M+JbBQCR61K3EWt+DlUHOwFLTkM8MhYaEAAeE hKY+kf44EfHjs7XJXiCdfSUdohO4EN8g/9kMortxkiJM91pko7a23kVT9/gJWr3V4F9fQcileeQM tkK1VpntXZzKETqe7A8zL3k9MKN5sd45cVPhOR858J9tAupz0s+pg7bfvqxAqaAYcZ1iO1cpElzk jfqlxsOMETKF5s4ezMBv5Xm2a0ETm0nj2qfS8LutJh2IlDfV4CzVi3aStiy+pGiMhZ1cDBgGqAWj h9lhDBRABuBOD+VBBARjV+5GR4ilVYVELAA9J8yO54YyRT7O/v9v036xzWtLP7C3j/WlAgMBAAEw DQYJKoZIhvcNAQELBQADggEBAEQZC5h/3lEzBx14/96iMLl5CoXMokowOSfmOkyyIDCZGvcPV43B Ja7Cum2QrDuhZm4rUxvUbgHxz36Nbt7A/AirsOMO0GZj1J6DolCFvsbpbQiTIdtWXiLgxhA8no6M VpmhO4QMhDd3x+5IRJjRybEy2KBOgiDGhERQINRXEnfftM54YOT2cQ73NQE4edBQbLVMVm8tI5Tz 2H6y+gXlZQL4avavU6u3r1UNbmi+pC+zfU6dP8fahzZIKVS4I1CCL3VB/ojZFEki1E03dZYEZ+hH uln/XGUrk+UfKtYN99yq+QxgJ112c2tALl13CFaT8jpXVBPPyJkKnGL/olpzXAU=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2:Subject> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData Address="192.168.1.70" 
InResponseTo="_ad0ba37f-84e4-44c7-b38d-faacd9f5bed7" NotOnOrAfter="2018-10-24T12:57:33.849Z" Recipient="https://jsandorskidemo.egnyte.com/samlconsumer/ADFS3"></saml2:SubjectConfirmationData> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2018-10-24T12:52:33.798Z" NotOnOrAfter="2018-10-24T12:57:33.798Z"> <saml2:AudienceRestriction> <saml2:Audience>https://saml-auth.egnyte.com</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2018-10-24T12:17:08.514Z" SessionIndex="_08777ea6ac7031c80df1d9b8aef53152"> <saml2:SubjectLocality Address="192.168.1.70"></saml2:SubjectLocality> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue>scs</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue>scs@cyber-security.co.za</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>
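As an added diagnostic (not code from this ticket, from Gluu or from Shibboleth), the check below parses a SAML 2.0 Response the way the SP does and reports what the SP would find: the nested StatusCode chain (the first Response posted above carries Requester/UnknownPrincipal) and whether the Assertion's Subject actually contains a NameID (the Success Response above has only a SubjectConfirmation there, which is exactly what a "Could not fetch nameId" error complains about). Element names come from the SAML 2.0 standard; the sample responses are constructed, and signatures are not verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def diagnose_response(xml_text):
    """Structural check of a SAML 2.0 Response from the SP's point of view.

    Returns the nested status codes, whether an Assertion is present or
    encrypted, the Subject's NameID with its Format, and released attributes.
    Signatures and Conditions are NOT verified; this only answers the question
    "what will the SP find when it looks for the nameId?".
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("not a saml2p:Response element")
    # StatusCode nests: a top-level Requester/Responder code wraps the
    # specific reason (e.g. UnknownPrincipal), so walk down the chain.
    codes = []
    node = root.find("saml2p:Status/saml2p:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("saml2p:StatusCode", NS)
    report = {"status": codes, "has_assertion": False, "encrypted": False,
              "name_id": None, "name_id_format": None, "attributes": {}}
    if root.find("saml2:EncryptedAssertion", NS) is not None:
        report["encrypted"] = True  # decrypt first; nothing else is visible
        return report
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return report
    report["has_assertion"] = True
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is not None:
        report["name_id"] = (name_id.text or "").strip()
        report["name_id_format"] = name_id.get("Format")
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        report["attributes"][key] = [(v.text or "").strip() for v in
                                     attr.findall("saml2:AttributeValue", NS)]
    return report


def nameid_problems(report):
    """Turn a diagnose_response() report into findings an SP admin needs."""
    problems = []
    if report["status"] and report["status"][0] != "Success":
        problems.append("IdP returned status " + "/".join(report["status"]))
    if report["encrypted"]:
        problems.append("Assertion is encrypted; decrypt it before checking NameID")
    elif not report["has_assertion"]:
        problems.append("Response carries no Assertion")
    elif report["name_id"] is None:
        problems.append("Subject has no NameID; the SP cannot extract a nameId")
    return problems


# Constructed samples (not taken from the ticket). The first one mirrors the
# shape of the Success response above: an Assertion whose Subject has no NameID.
_RESP = ('<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" ID="_r" Version="2.0">'
         '<saml2p:Status>%%s</saml2p:Status>%%s</saml2p:Response>') % (NS["saml2p"], NS["saml2"])
_OK = '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
_FAIL = ('<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
         '<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"/>'
         '</saml2p:StatusCode>')
_ASSERTION = ('<saml2:Assertion ID="_a" Version="2.0"><saml2:Subject>%s'
              '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
              '</saml2:Subject><saml2:AttributeStatement>'
              '<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">'
              '<saml2:AttributeValue>user@example.com</saml2:AttributeValue>'
              '</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>')
_NAMEID = ('<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
           'user@example.com</saml2:NameID>')
SAMPLE_NO_NAMEID = _RESP % (_OK, _ASSERTION % "")
SAMPLE_WITH_NAMEID = _RESP % (_OK, _ASSERTION % _NAMEID)
SAMPLE_UNKNOWN_PRINCIPAL = _RESP % (_FAIL, "")
```

To run it against a real capture, decode the base64 SAMLResponse form parameter from the browser's POST to the SP's ACS URL and pass the XML text to `nameid_problems(diagnose_response(xml_text))`.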

By Gerhard De Mohr user 24 Oct 2018 at 3:03 p.m. CDT

Gerhard De Mohr gravatar
I followed these links to set up custom attributes: https://gluu.org/docs/ce/admin-guide/attribute/ and https://gluu.org/docs/ce/admin-guide/saml/. Hope this all helps; I am really out of ideas here. Regards, Gerhard

By Gerhard De Mohr user 24 Oct 2018 at 3:05 p.m. CDT

Gerhard De Mohr gravatar
Not sure what you mean by setting it in the web UI, but yes, I did that and the manual way as per the links, and still it does not work for me. How do I disable it?

By Gerhard De Mohr user 24 Oct 2018 at 3:07 p.m. CDT

Gerhard De Mohr gravatar
@michael Not seeing any XML file for "portions of the Shibboleth IDP XML configuration for NameID and the custom attribute".

By Mohib Zico Account Admin 02 Nov 2018 at 7:50 a.m. CDT

Mohib Zico gravatar
Gerhard, do we know what kind of nameID the SP needs from the Gluu Server?

By Gerhard De Mohr user 02 Nov 2018 at 7:52 a.m. CDT

Gerhard De Mohr gravatar
Email address or username; they accept both. Sincerely, Gerhard De Villiers-Mohr, CEH|OSCP, Management | Senior Ethical Hacker. Sent from my Samsung Galaxy smartphone.

By Mohib Zico Account Admin 02 Nov 2018 at 8:10 a.m. CDT

Mohib Zico gravatar
OK. Then let's create a new custom attribute (aka nameID) with the [manual method](https://gluu.org/docs/ce/3.1.4/admin-guide/saml/#manual-configuration). If that doesn't work, please share the files you modified; we will double-check.

By Gerhard De Mohr user 02 Nov 2018 at 8:12 a.m. CDT

Gerhard De Mohr gravatar
OK, thanks. Sincerely, Gerhard De Villiers-Mohr, CEH|OSCP, Management | Senior Ethical Hacker. Sent from my Samsung Galaxy smartphone.