By: Maxime Rouillard user 07 Nov 2018 at 9:39 a.m. CST

7 Responses
Hello, I am trying to set up a simple SAML authentication: Gluu as the IdP and my app, spring-security-saml2-sample, as SP. I have set up my Trust Relationship and I have specified 4 additional attributes: Email, First Name, Last Name and Username:

[Imgur](https://i.imgur.com/gWHh0m2.png)

Here are the two SAML messages:

```
POST https://test-gluu.com/idp/profile/SAML2/POST/SSO HTTP/1.1
Host: test-gluu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.1.41:8080/
Content-Type: application/x-www-form-urlencoded
Content-Length: 3918
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=node08jb14zz6p0cazrg3sjytfkc00.node0; shib_idp_session_ss=AAdzZWNyZXQxjD9P1y2GlNlqzr9q%2BfUSoFCUW%2F6tinmm71a3LU6TPzbupYMltcNmeia7YyRQQk6EnTz3VRNPNu97mTRP3J2zAXR8xgNMnh4Z%2BUcrmshX3163i9tcu79%2F8zYqQWCenrcP9TVoXJ0W%2BGy%2F%2BVcSqhvJknj5oQycqKIFi3W%2F8kCEC6LXUprB4PC3lRyEazHV1TtIxQ7En%2BcSc9F36f61YsP4KhpEiCTSrxxM4Q6ZQxkr8i2Fy6LBKCG0CW8tm7sQ%2B4WYUOLHBUYDhX5QFKpEzolpeVfPGwdVssUMPfjIN6Gs9QtIAsAlyp%2Btn84G628kdQQWpN9aRBX1GBwlBM2%2BasuIuvrlHM7Ybhsiw%2FbZUTqx%2FidNZ4DSUvylnHmtCjhpBmFAAAgjfOMO4i2nSIm3V7ZmN6Cgj6NsAnlKM2BhKwpWg7LcyE2FCz3v6wqaZp90cmRCyw%3D%3D; shib_idp_session=e15e11fb74ba1c71d4c9a71472e5a14e5c7c52774c69a5f8e121cf5f0ba11ce7; org.gluu.i18n.Locale=en; session_id=d010133d-435d-4817-b938-ef79f0737ad3; session_state=7a52a6d0-4da8-4feb-a305-6ca796fd0e26
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 14:00:19 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Set-Cookie: shib_idp_session_ss=AAdzZWNyZXQxLDdKpbyLBEHdnuCdv%2BQ9Sav6Bc3ZA%2FfXd4jYrFftvbVJlqDReEgaHA3asc3YhEAIcijHPtpC456GbraStMu4obPQ02nQnc5%2FWt7Hde471h3DrP5YwN1voJHGox5UuQ%2FfDD7yoPSZm3pZCIo8SRdhhUcEm6ENVFUjkzk0CzNkGn428acb%2Fd0a2TtIC0iLWS%2F99%2BRtWW6Sl%2FKZ3KzZ20%2FB10lUB1trcmPJXtpTK%2Fsk5SRjO7W%2BdD6pVTi2F54zP1YGxSxNmuxwycL6d8TjosIS4W6NZlQyrpyq2eFtH7JwBa2xrN41AeFL%2FEYoirsUV6W4TGdR8vlYff9EUlB3SI2OEo6FhPvlfJlgkhmdDKg8SeDoIw3EqfDDKw6ujr9mRNSKtkei02Oc2kBOn5rSWe%2B7VR3EyOmSwggnO81K8amMqpMyneisLqzKBgDTpuuGHprSyA%3D%3D;Path=/idp;HttpOnly;HttpOnly
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://192.168.1.41:8080/spring-security-saml2-sample/saml/SSO"
    Destination="https://test-gluu.com/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false"
    ID="a91ai5c9cd0jhh34bi1g44ia4egf45"
    IsPassive="false"
    IssueInstant="2018-11-07T13:59:55.304Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.1.41:8080/spring-security-saml2-sample/saml/metadata</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#a91ai5c9cd0jhh34bi1g44ia4egf45">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>NSBpuqhnYnjNkcxcAvaKIJjRSDA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cmSVDliOU29cwlO2PmKmrMgjgwNNIpTymbq37DQTF/hYcKTVlUz5bUtgDpaT1w1Bx6uy1inSasBOX97ezf4/sOnlz+4fPj/nIN9r56qwrznvN5HFoSHRfy/ymEHM9SxvwnhFpk+7FhP5M8FoqWV2lccHjE8gHT3NbFtxUF4RRn4M36MkLIoKaSVdXOKNRbQd4cllJHGv3g7FYEpMxlaWwmUT6CxfgA8MqTX4IT2TeWH5YdCTwqXxaLK86mapZjl6OSdcIpxrUVsArP/0GykwX89Gf1elKimoCc/nd3kPB1thzGrL44ufvl/u/M1jghnc7YsaSLOrtebauQR+V6GQXQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>
```

```
POST http://192.168.1.41:8080/spring-security-saml2-sample/saml/SSO HTTP/1.1
Host: 192.168.1.41:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15845
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=842157ECB8880D06BF5EB1B55F81FC6E
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 07 Nov 2018 13:59:57 GMT

<saml2p:Response Destination="http://192.168.1.41:8080/spring-security-saml2-sample/saml/SSO"
    ID="_b5fe1483b876c7865e008778f64b3af4"
    InResponseTo="a91ai5c9cd0jhh34bi1g44ia4egf45"
    IssueInstant="2018-11-07T14:00:19.322Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://test-gluu.com/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_b5fe1483b876c7865e008778f64b3af4">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>GbXfkncu8NUL9hcoQHnZHevYD/ZZJvw4YhjYBB6COc8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
H+VRDamVzVh+wQfX0nRI6gncr7jCuLkWnCo3yrl+AqzmMlvsBBXeHS/UWTiFUA+Z+4b9dXFY5Dl5
vktL4VURbXDbXQsSdYizv9tU7dRr4LWhEnEanTkd75DLZBwvKV4D+qSczdp7k2y1XZEVS+RL3W5x
nRCwxTkdr8CtrcLl3ZVF3vimZOpGGH3hHJ4ZnrFLMhK5UjBEmESq4S9DRnoCW6UFJEyEk61+/XL2
aG4myaMFrDtKMGGsyejWd+po5zGBxeZiXFEomjHnYugCfGLMUgaouf4NQkl6Ad+v+7/oSslspfS+
IGX/4vvFX6w2ZPvw4HIStFMSUiwx7Ek4P2rBjw==
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDYDCCAkgCCQCeivohphI2zTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJjaDELMAkGA1UE
CAwCdmQxETAPBgNVBAcMCGxhdXNhbm5lMQwwCgYDVQQKDANJVEMxFjAUBgNVBAMMDXRlc3QtZ2x1
dS5jb20xHTAbBgkqhkiG9w0BCQEWDnN1cHBvcnRAaXRjLmNoMB4XDTE4MTEwNTEyNDc1MloXDTE5
MTEwNTEyNDc1MlowcjELMAkGA1UEBhMCY2gxCzAJBgNVBAgMAnZkMREwDwYDVQQHDAhsYXVzYW5u
ZTEMMAoGA1UECgwDSVRDMRYwFAYDVQQDDA10ZXN0LWdsdXUuY29tMR0wGwYJKoZIhvcNAQkBFg5z
dXBwb3J0QGl0Yy5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOP57h39+6LotOWX
gcuB+FouHD2Kn2yEc/AoZDhVMOqwLVuE5l2Ze9khoN+ymd/Hn1iBXWdDBFfb1quMnYWhWW3AsXz3
PJvOyoQJ7pXi76144af6ICn5lX8p86QnLYrDqRaxBmUPCGcZWsUPe4BR3DPtNtHJ76u3tTt0RpOT
p1RXOOCqJKQJismAgFJDFxNuTmMPY2cgo4eSqRzqWVLzbldkeqStgtKnmh40x1LPECT9rf646aio
130liHOBzhw+Ho9bP0FPtGGbfFuTXBXM4TapcUwTG1UyWAApqbppDuLA1gwwX19u5quBMAjIeNb6
v6dVrnyJ1QPJpzpU7GT64CkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAEpELUbn7u2Ok5mFs2z5X
1Nf2QhtVPUhD9x07rB/0ygmTscpPlznx/4MKAIdGk2nVnSdYjnmaoUyOUkPTGplvip+C+4FE1fc6
z5xrvI4Am3WbVRMeFhNdax1KVIxw4GJ/wQdVhEwYn+xaWau5gj8J6wPyqUGYYPI5sD8oJEaWKUF+
jDSw5xQsTT/AyslFY9vhPF+1mYvIHZz67yGP1EoEQN2VExfC4rG9hhMARhynF4cdcWxedGLjSO2B
wTRx3psXrSRbxB7sNEi1ZQF3XGbk5fmGIyZBYsfpMx/EeKpeSciEs0L/qUGh3bqWySiSuOzhNs4X
ZJeMHLu1XIv4aiA1TA==</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Id="_384369dff894b92611c7aa2c51faa155" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey Id="_57e799133ba1d3b3dc79164e93fc0d1a" Recipient="http://192.168.1.41:8080/spring-security-saml2-sample/saml/metadata" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
          </xenc:EncryptionMethod>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
          <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:CipherValue>WEDjQCv9t5dvzyFnwCEBc68D20E7OfJZvSkrz0DqqmT7SbZPYCbeMHpZGwLw4ZenDsQ4gVLK9cw/
lTiuqqtR1s4tkL4/YTY86RVC5GzrhKi+2/2I4xy0nasBaqFH4idEPs6cfKz1HigY6I/xEPBuqivp
f7SFG6KL9U/Kuba+vp6+bmaLbQBoI74nshPwARtdOJ+xeGZDO/6+PadlBdZTPLePM/fm2TpBmtNP
NBKJgtDpM9wA7TkB3zlknXTlc35XfNJ2rFhVLSZPifrlUsQ01uLScfyk2RAE3M3tGlq0TsfW+Xg2
14ceF87e4MResTeoHmnszZXX3SJf7R4JN5Vy6A==</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>FQaNXTuPwjupPneFN5N0BYP3ey8qOEhsLl3+sfWmUTCeb1CE0iUPlHhQaS3hX1nvIuSA0qEZYmU6
7GdrlIMrgoxVVBBlJTdtS56JCBVii3RT7GorgDqC/PPrGD/24cMkQdHatavjvt1oBox/usNKPK4z
fw64hFrN8psKP2K21R/1o9/cDs6yTtGi4iDpO3n/HLMUW5hJG8LVurHf9WWWpcfkzHFbDGLYbnva
zdECkU5TbJN8Tw7vrgHpGFhPrYEPhiQkol6lxyIITbs5rBQbWijD5oYjsI4hTevPn0po+YYvkWQG
Iw77QYRRHlrnDucsdULFru0fzI2paeDcMHtZ6MxtBLZkV9rn+uFjXvvOXNOzecH5O6Jh0lKvar1b
XzVHMGXU5MRm24pH0BqIYrUzAzUoIvjU+YaYSs0FS2Bd5I2BQ/Td8Gdul6j0kkX4PSuyH8CHUoc4
qqIMNBT/brpLzQNR1W7G8vDzSW2aTgtAId3brtPXj6WlDOw+aTnKgQb1xuXIVkAk9YD89IwYfN5B
L+PPI47UVK1nvyXlKmq8pz29CBK5/r4e/oZZIEdipjCVucmfp4D4mNcEy8wlz/g6AIWwIn04o0jf
BPi9iJbfe5enRfj8+Kq6nKB/G+fOYavh54CVacuOOEedVu7OL82ovSA2A+hyp4arQayU45xGAJcf
1fp/tt3nvd/5GJKuM/GA7HtSs9gI5ZoBa8T5kz4xvVIM+Lz3MH1c5TR3zZqUZgekyvW/MzRGACfZ
ye+kcibufO0He4c+k1zuuJKVB+jM0xuwnLFY3VItRW+YqYhCvQbdGWJaG/odpWTfByea9sR8IbkR
/OGB1rjE0kKvR+F5dkyyB1oVgG+F97xXnbc79jwHlFUXWMYscI7kEhV5kTezY8dyLrjaMlOEKV0b
EyvdW8pWryr9VvMkfONgHuhwlCIVs07PmZXtBsu4UVqq6vLPz0I3te+QOh/fN8Ctr7jmNGe8eyoP
kGdOQV0L83x5LnmXomXc5bMPtjWIgY3CcQRseiwNnyU1iP5NUVnZjGcHbTpnk56nLjWygAQ3qNcC
LMili3e5YA1uzAVR97elb2q6q7JyRMGQKdCh400D97v2pa/1SQJ/ZrDIp17MgSwsskvsKLYKF+as
Cs/ZslZFlzokyAhstMGgY657BaKw6GLTnCRcdrB+7GmzQq6eFCnrMNmuVwVG86vRyilDAAvqv3MP
2UDj+Ii4PxsDvSMHORMjxYeJZLfcvId7RvOuvfLZBZJ7UUzon3+NPmhSYyLSxQXb+0+ysNPMnW+F
kmrOm1WvbR/NmaWNYGbXG/D24IX8iTPn+oalHG7onftKej4GU6aWXoeJ+xVSgqkAS0hWf3pJFhSX
rQZhnsfTFOJ1PeZq6DX4coDRNlWJDKQDbKlFaFdlNf5lJHjBzBz7h+75fNVSrap3qEpya6nWrNs2
rtRwzT4BjQxoVdHxalvaUngQvDzGKZmcU0yovGNyDVA1u0ZTTKH1U7DIijSCXyGBfi7PL+f96Mul
8dd8IOp8RSt1EzfuD7NjxPIzmsk9w7ehIrFPgiNTSvEHR2sa1JP22IIzdsOth0/Pst0bo5/Vq4ie
mqRkIv890RTGCN1I4w0asmQqU4aEKZ/TFvFUv6K2UdXbDkp4gBesqAcTweTL6HCywYVvTQqzSy+L
xs5lqJta20ZMn6GLLt6l3/kIVRc2JvH0VthaTxGVbbi6o+ut9CG/IE0gkScAt/WT0VHCTIDyBUCD
YQ2urfGAjnOeNaUFXk2Czj8OHznzlR22dcwyMOdS1fPS4lUDQcqpAwhrL0Y8QvyHS9zTxT4buBWo
euEygJhiNomz1s6W57t6vSH1y6hNvxM0tCXsAcSckALh9N8MTs/N3VhkKlK6ICIqBSbxSjhbJJ1b
g6bz4UCyr4YP49QP1HjN1Okhiw4FMXxXefmrKGW6Oom5RRstEtLnxtpSBF0CPJYBkyOi6Ip5fO+4
g0rq/wbz1w1l0HP/n/UVU1eDvqMhBf7zyWTzijdiMlhLKV0PaYSDEgJ3FZYBAbZ3FiDa/IIvZwxK
jTkzcb1UfKE8uBwnN0SjwQvhVrmLTglMDcotm9Gsqa/rcwIm69znwdJPHQvN7bfliwaX96H6bRlu
GPjdNkC/gRovS5WnUEpxjHDdudHDAQN/zuUuLjXdMaSPhr1u59NQTAn8/ZzPrZxmo9M1pQBUTusO
A3UWdTM9W3xhzs1ACBa6WIG5KgTMxwPbLPUZqJe5r59EC7OgwXIN+6RR+P/Gb/cTzuRJxtkOOrhu
N8+0Yu1dTVxJsrmKNajQdI+UnfNbR/+IOGOZxJmcRBb4OU0VnRsS7EvdzP/SQBWyr+oSUHbuD1rp
dz7Jtiai2DCxzN3KK5Fbpxmp2G8ZAGzOQ9Qx8AlYzz0HYmbubfcyix+cvplkOnjGZlG/4P7c4hO5
WutpQ8YWoGjE3nVM4nwjry5KEEuzxE2TG2UNZGyluhd82R/aQm/8DmDTeMk1JSkntXCPGonQPDM3
UykIURRli3e8MOib2p1RKZWWvbWQ4uCWFRpi9bmJJBj6Tv1j/+NAjUQNZruZZQ4WzqQwpntYoUX/
a4NXhIfltTzYkE5BIpYSx0hzbQROaJM7R7hu50B3esEh2JC4mXrPSlSdM6Wowxcn9IJJYMfMdLxY
bbruwgxe/0wGcEtArilsim/AteM4wqoOxrVsylIEJSqTwMgu2tUJSUhJtEF0moXDXeCMgh0gFKMm
/64zBoyftdyInj1CEU6R6LHNFeQWLQ/iYmZU+qv2l0uCoWUagsgZB4wyFgaHTVgWjjxjb8A0v16Q
PNjIKk1d/NcU7OzgjFRzVfTw67Mpk46jaYF3bBZyi71rojB4BbpWdqNXlpN4if3KfecdsorHtCYK
QWNKAYYM9JMfxYdch2RWig641lqlUGDI0D09okyby+HYasRfssr+K8IkF2GPJAHN0RXOOCt4QBwF
6xmrICgOL65mw21GxCvBsm83glaELVpqL35A6CV+UM7Wybse27BPwwqy3H8sGW6omaQYqcdLTpno
dls54Qjos7X24aqpWxuc8KQ3Vymw+8e6kNIOKAqPdgha878WkXxn51lH0QxAKWhWrBrWXv8htC1q
Hs2Eo71vbvJNmsZ/HUyxUaEAznFhyYVuzBp0WFB5Nx1EhsyKXQKKwozXXWH7sdd+VACNDz6nkXI1
JLl7pc2tizfcn7HzeV7vIAIu78b2NnrHArdLdpc9888tQfPKBXeRQJ5OKDZTQ0KudDuLcQNqbpYd
o+SUG+K7WAvf8tp0Fjv8GdwH1cI7XiyKy1Qnw7aoVBoXMHG8d3KxeTcmFn+U1HU8EfE3flYQQuWf
ToHWBiRVFXAuJYUEln2DQ4Rs62Qyv/sm8gPHzRKtsgmjqQ04ML6MAc9fHZy50PUlHrfFXtLAFK8k
uPRCcGn0v57d5AhrfU/S/qmI0LZ7OpkuDfsOtNchfjwUNH/eIwSRLpA1UcSNiryo17qVVm8ifhv3
gHvyDja3y60ztAAnsLR9mOscPImdm6EFGe4H6LI75P0ou1cazK5dcwz+U85Z1zJNp2QVbWYTBxIm
l9bkjsNCHxMoJCVTbqCjM73x741XdvhtPihk404rBrh9B9wC54v/RK1ngSUEoaj3n097kwFmoYjT
c2j6+vwOHO8kDQ2tCJTm4Z+/w9WxwZEooqTIFqhFDgBd9JWd0dmEfFPbNBKFr75UP/CATnEvCMkB
NNoKw2nVuQUM06Ktlm/AZmuYE2h3/Yk1E6g3plw+LXs43DU8GWrLRoqVfqJxQ5VeILJEfAVyi6n6
bKeIUj71EvrG49yLsHKe/Oy93cpp7sl47lGYYjmeP/+nk2re/lIYNgYCnrZpvF4tBEevPZeAoApv
PqnvSFPkN5Auwr1nhHDm/XG/CCNRvsIMEoVuFxW5syn6K5ef/iHEWCcVsZMsQbXhfJLyLaPWB+49
nAYHEsNfedfTtWsc3TXmNzLQih43gps5F8chvN+TcKItjavZWMxqKhoBf38jOeu7haDIDLfENYgG
Ta0pT+dyYfL2O1MPZbBvAdiQPjI+Ucd2ZhBMpBZXTF1iJgj0Ob3LtLOAsELAC3rwwpmvF5v4duxw
AG48dbgNcJhYbesSk9j1PYrPcQW6viC45TFesH/j1ecKQ1Jb9iZU1Zv0iPcqacD3axvrxYZx2loM
9bKDbOoGGpQDxzSZYUVjJ1wb9ph/uOS8PjtWQRTwefQGPMK9Qanr9enCqT5M54tAHgmyjM8TqiNG
ENn08umQt64PnLXNssZQwOnqcaLvIpIM6T/DmsCFgxidIc8gWQSk6GgNzD8sfrNSQlTNsk9piSJI
5IKsQsKo5m1hUNbSvHm9pK3YJt+VPXp15ZdxZM5QWu/DBgYny5/Z8/DlA+HLBATv5KAT+xHlT64d
TWPHbLKITTMyxAYa+POW71IW8Hag6u70RafqIqCtQuPtfCtc3CQPd+NqdIoiTP7IHu0kgMuuIbzN
lqqHGcdZzgL+llBwTD2gLDJsvnM6RNRPqpA+M6T+V+meJqxRJio+LXWX1Oabg6fLlJVHI4wBnsPu
Is5HectFD0CM6YqjV36MFJsDh7dgJYAZXq6Rxhxuj/wapgo5eGxU6TW1gKWlQTgeIap+vm67J3nE
JkvEFwHZVJzrsejWhYjQQF3pibmR/dRxR8FTDIsPvic9FIzTnqiNRViomE6CJS66W9T1nQ3ZqxOh
5FCM9rXpr47AFVSLKdzlZwhBZH6Z8OWb5NlTs5NLAzo6ycIioA91l55RYltnK3seQeCNL/cD4Csn
ZMsIudQ/hBXO4C7m1ov4MSEJM/FgdD2AI37EbZFG5tujOO3Iptnspmv2XuX80N9M8h0bqv79m5r2
jRD0aasWFGF743iztU9pwpfgd5d9uey51Hoczm5MCGQ6Im3W9OVQBp2E3Gkfle3CXFcrRhxRomrq
nwqL7j8ZffivM0I798MBtEt9+d91JbBVAcwZXCG5uur5/xrRQnAn5T3hnM9iVmeUH7rezA3KiiCF
ydmL7PWxpglAEeEPRNKR6Kpe+V0eYE7Y6/uUoaFOqVuQ1OoFSYLAx9razo6zqiHbp20Kk24OV4ig
1iVqseo58qcTwAFb5NnIqsUc4S+Nv2SVcX2wBap2tYS0OMntpsWGdj4U94Tr25FYo2AXrWNooho3
7WHZyoYj8aga2Dv5a24lVmbF+rOnPmwjC7Hcw/HISAEGFE/xcHtbcPNiIudz/2vhrz+r7Qou74EC
L+07oj3r9vgLFCaJX8fyo2UIR5XRG7x+1GLNiXwWS65m38ffaCd76SMeL25E/dEy+kOajREOBq82
88Pxv2cnEytzXuFWAdPw165zAqeNOT5MQFcOrCCwlHtBxjscb0os5fWERFaAhC6QrIQcNeGucN+D
Rql+lZeSp4ZX27tUTDbe3e6Be/tN3bCGmeJD9esz98/jNVpgKdwvNTt4ztYv/J1w4NWK1SMBsa4L
J+ufjlnVmYzveEd4wyPa0BrjDq4HhT/qLPrL5bDyjYOoE33lghUaurB1o0D3qz1WdBGloHNxCDg0
Je0EI7kA9PdbtZkLlblZBpak0BAbKtWDT6m7kWvKmuI4Lf9RgUe0QSGwal77BasCYwYyOF6uWbhs
StBeo1koc+cQnRajkZChWdZAVKS+BrvWwDOk1nenhow0dYDGOcfimOPwUcpPv405B+spZaFjChlA
Q1DQvJ3fZd3GxMCnYt6G2hVV5RBoZFyratvHLIbcK1yF2kh/OU7J1oC9hxWH/OLnhot44cQUDIzP
CqRRovIVun4hWGxKimqqOsaDWvsNYDb6V90o/8MngUBCd9Qy6vQdLHHTdI8WDT2IAeU3Mk9IsX8C
o3BnW0XZ4Ql8rIGwSsQ6YawO86uhuJhu6S4BDVHiyuvbRoDkPTRss5LuCyO0eI25ncUB027VPhGR
vHJ9qa1KUUTAKywC9ivrS/iF/Qw37ZFJBaUOSw/7pbQGe/NhuO0Nv+kZf9rpUTlXcf5gZUuIyyL9
TS+KlX4lBxMzNZGlNnLRK+LN8gA18AWGv+AyijuRhwFlnLa5VnZ9wzF7aFbJsqDYrrITlpUyKwTU</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>
```

I read the following link: https://gluu.org/docs/ce/3.1.4/admin-guide/saml/#manual-configuration

In my case I don't want to add a custom attribute, I just want to have the specified attributes in the SAML response. I have also tried to edit the file /opt/gluu/jetty/identity/conf/shibboleth3/idp/saml-nameid.xml.vm by adding the following bean:

```
<!-- emailAddress is a SAML 1.1 name-identifier format URI; the SP metadata requests the same one -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      p:attributeSourceIds="#{ {'mail'} }"/>
```

Thanks for your help.

Best regards,
Maxime

By Aliaksandr Samuseu staff 08 Nov 2018 at 1:43 p.m. CST

Hi, Maxime. Not sure why you tried to change the nameid generation configuration, as you don't seem to need to send a nameid of a different type than the default (transient). If you need to release some attributes, just adding them to the list is enough. It's hard to say whether you release them at the moment, as the attribute assertion in your SAML response is encrypted. Please disable the encryption for this TR, and retry your flow, providing the SAML response it will produce. Also make sure the user you are testing with has some values assigned to these attributes.

By Maxime Rouillard user 09 Nov 2018 at 3:16 a.m. CST

Hello Aliaksandr,

Thank you for your answer. My bad about the encryption of this TR. I disabled it. I removed the bean definition in /opt/gluu/jetty/identity/conf/shibboleth3/idp/saml-nameid.xml.vm

Here is the SAML response:

```
<saml2p:Response Destination="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO"
    ID="_bae26f0a0dc29ae81401af1b86376831"
    InResponseTo="a51jg5371f80a1ha5b7gege3jj9ff9e"
    IssueInstant="2018-11-09T09:06:47.187Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://test-gluu.com/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion ID="_792ede6661022835e7c8eb683a6c7aad" IssueInstant="2018-11-09T09:06:47.187Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://test-gluu.com/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_792ede6661022835e7c8eb683a6c7aad">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>kUsasILu6CAjWQbMhrRwxQfk2NVxA8bohDSddIY8p7M=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
WCvOftvyX000VeaFtjElsMPGwpni1mGwROV8J6CW8bW2fRF2f8Hi5N9s5A0AClkmdiiWoulW4vCJ
Pwb8gzp88G0qc0K1FBW+9EmmTnn2DOmUs4oea446HBLRPstkadA8xY4ZDYXLsQUPMepopYLwA5uJ
VgkUINrzPFXiIZkxS3P2xJKIVb57QSE4ccKaSn6STmJrTAsHiY86vlW3H3E7yOzT004ZKcxd+Jeb
09qnxSJPcpWZSkrjldR2WDgavVofFvPbG6Fi7/CAQqujh1n7pzAHgb2tYggvrxmJ7nkjSSSD1HaR
TwD5qAHlOJoYBt9B9LaBIG16oGS9iQQ/erP3BA==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDYDCCAkgCCQCeivohphI2zTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJjaDELMAkGA1UE
CAwCdmQxETAPBgNVBAcMCGxhdXNhbm5lMQwwCgYDVQQKDANJVEMxFjAUBgNVBAMMDXRlc3QtZ2x1
dS5jb20xHTAbBgkqhkiG9w0BCQEWDnN1cHBvcnRAaXRjLmNoMB4XDTE4MTEwNTEyNDc1MloXDTE5
MTEwNTEyNDc1MlowcjELMAkGA1UEBhMCY2gxCzAJBgNVBAgMAnZkMREwDwYDVQQHDAhsYXVzYW5u
ZTEMMAoGA1UECgwDSVRDMRYwFAYDVQQDDA10ZXN0LWdsdXUuY29tMR0wGwYJKoZIhvcNAQkBFg5z
dXBwb3J0QGl0Yy5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOP57h39+6LotOWX
gcuB+FouHD2Kn2yEc/AoZDhVMOqwLVuE5l2Ze9khoN+ymd/Hn1iBXWdDBFfb1quMnYWhWW3AsXz3
PJvOyoQJ7pXi76144af6ICn5lX8p86QnLYrDqRaxBmUPCGcZWsUPe4BR3DPtNtHJ76u3tTt0RpOT
p1RXOOCqJKQJismAgFJDFxNuTmMPY2cgo4eSqRzqWVLzbldkeqStgtKnmh40x1LPECT9rf646aio
130liHOBzhw+Ho9bP0FPtGGbfFuTXBXM4TapcUwTG1UyWAApqbppDuLA1gwwX19u5quBMAjIeNb6
v6dVrnyJ1QPJpzpU7GT64CkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAEpELUbn7u2Ok5mFs2z5X
1Nf2QhtVPUhD9x07rB/0ygmTscpPlznx/4MKAIdGk2nVnSdYjnmaoUyOUkPTGplvip+C+4FE1fc6
z5xrvI4Am3WbVRMeFhNdax1KVIxw4GJ/wQdVhEwYn+xaWau5gj8J6wPyqUGYYPI5sD8oJEaWKUF+
jDSw5xQsTT/AyslFY9vhPF+1mYvIHZz67yGP1EoEQN2VExfC4rG9hhMARhynF4cdcWxedGLjSO2B
wTRx3psXrSRbxB7sNEi1ZQF3XGbk5fmGIyZBYsfpMx/EeKpeSciEs0L/qUGh3bqWySiSuOzhNs4X
ZJeMHLu1XIv4aiA1TA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="192.168.56.1" InResponseTo="a51jg5371f80a1ha5b7gege3jj9ff9e" NotOnOrAfter="2018-11-09T09:11:47.363Z" Recipient="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-11-09T09:06:47.187Z" NotOnOrAfter="2018-11-09T09:11:47.187Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://192.168.220.1:8080/spring-security-saml2-sample/saml/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2018-11-09T08:49:15.067Z" SessionIndex="_1865c50f881fb4ca572215250582119d">
      <saml2:SubjectLocality Address="192.168.56.1" />
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>maxime</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>m@m.ch</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>maxime</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>maxime</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
```

The attributes are there, but there is still no nameid. Did I miss something?

Thanks for your help.

Maxime

By Aliaksandr Samuseu staff 12 Nov 2018 at 5:12 p.m. CST

Hi, Maxime

> The attributes are there, but there is still no nameid. Did I miss something?

You can add "transientid" to the list of released attributes; this should result in a "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" nameid being included in SAML responses to this SP. It's an auto-generated nameid and it should be enough for SPs following recommended practices for SAML. I'm not sure what your requirements may be (the ticket initially was about some attributes not being released, which I suppose is no longer an issue?), so if you need to release a nameid of a specific type, that's another kind of issue. First of all, you need to figure out which one, but first try it with the transientid, it may be enough.
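As an added example (not code from the thread, from Gluu or from Shibboleth), the script below does the SP-side inspection this exchange is about on a constructed response modelled on the decrypted one posted earlier: it reports whether the Subject carries a NameID and in which format, which attributes were released, and whether InResponseTo, the audience and the validity window hold. Hostnames, IDs and the NameID value are made up; signature verification and decryption are left to a SAML library.

```python
"""Added example (not code from the thread, Gluu or Shibboleth): SP-side
inspection of a SAML 2.0 Response such as the decrypted one posted above.
Signature verification and decryption are left to a SAML library."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample modelled on the response in the thread: hostnames, IDs and
# the NameID value are made up, and the XML signature is omitted for brevity.
IDP = "https://idp.example.test/idp/shibboleth"
SP_ENTITY = "http://sp.example.test:8080/saml/metadata"
SP_ACS = "http://sp.example.test:8080/saml/SSO"
REQUEST_ID = "a51jg5371f80a1ha5b7gege3jj9ff9e"

RESPONSE_NO_NAMEID = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}"
  xmlns:saml2="{NS['saml2']}" Destination="{SP_ACS}" ID="_r1" Version="2.0"
  InResponseTo="{REQUEST_ID}" IssueInstant="2018-11-09T09:06:47.187Z">
  <saml2:Issuer>{IDP}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" IssueInstant="2018-11-09T09:06:47.187Z" Version="2.0">
    <saml2:Issuer>{IDP}</saml2:Issuer>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{REQUEST_ID}"
          NotOnOrAfter="2018-11-09T09:11:47.363Z" Recipient="{SP_ACS}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-11-09T09:06:47.187Z" NotOnOrAfter="2018-11-09T09:11:47.187Z">
      <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1"><saml2:AttributeValue>maxime</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"><saml2:AttributeValue>m@m.ch</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# The same response once "transientid" is released: a NameID appears in the Subject.
RESPONSE_WITH_NAMEID = RESPONSE_NO_NAMEID.replace(
    "<saml2:Subject>",
    f'<saml2:Subject><saml2:NameID Format="{TRANSIENT}" NameQualifier="{IDP}" '
    f'SPNameQualifier="{SP_ENTITY}">_9f1c0e7b2a</saml2:NameID>', 1)


def parse_instant(text):
    """SAML timestamps are UTC ISO 8601 with an optional fraction and a trailing Z."""
    text = text.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def inspect_response(xml_text, sp_entity_id, request_id, now):
    """Return {'success', 'nameid', 'nameid_format', 'attributes', 'problems'}."""
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    success = code is not None and code.get("Value") == SUCCESS
    if not success:
        problems.append("Status is not Success")
    report = {"success": success, "nameid": None, "nameid_format": None,
              "attributes": {}, "problems": problems}
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        # Only an EncryptedAssertion (or none at all): decrypt before inspecting.
        problems.append("no plaintext saml2:Assertion")
        return report
    nameid = assertion.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        problems.append("no NameID in Subject")
    else:
        report["nameid"], report["nameid_format"] = nameid.text, nameid.get("Format")
    # Bearer confirmation must answer our own request and still be within its lifetime.
    for scd in assertion.findall(
            "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS):
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match our AuthnRequest")
        if scd.get("NotOnOrAfter") and now >= parse_instant(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")
    # Conditions: validity window, and our entityID must be an allowed audience.
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("our entityID is not an allowed Audience")
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        report["attributes"][key] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return report
```

Calling `inspect_response(RESPONSE_NO_NAMEID, SP_ENTITY, REQUEST_ID, parse_instant("2018-11-09T09:08:00Z"))` lists the released uid and mail attributes and the single problem "no NameID in Subject", while the second sample yields a transient-format NameID and no problems.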

By Maxime Rouillard user 13 Nov 2018 at 3:15 a.m. CST

Hello Aliaksandr,

Thank you for your answer.

> You can add "transientid" to the list of released attributes, this should result in "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" nameid be included in SAML responses to this SP.

That's what I tried; here is a screenshot of the trust relationship configuration:

[Imgur](https://imgur.com/PX1LaUU)

> the ticket initially was about some attributes not being released, what I suppose is no longer an issue?

You are right, please let me know if I need to open a new ticket or if I can update this one. I have read this ticket in detail but it doesn't help me find a solution: https://support.gluu.org/single-sign-on/6189/nameid-not-being-passed-from-gluu-to-sp-via-the-saml-request/

Here is my SP metadata:

```
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___192.168.220.1_8080_spring-security-saml2-sample_saml_metadata" entityID="http://192.168.220.1:8080/spring-security-saml2-sample/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SingleLogout"></md:SingleLogoutService>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SingleLogout"></md:SingleLogoutService>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"></md:AssertionConsumerService>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO" index="1"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

The SAML request:

```
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO"
    Destination="https://test-gluu.com/idp/profile/SAML2/POST/SSO"
    ForceAuthn="false"
    ID="a43gec3dj03572af13jde7d6i9fjeb9"
    IsPassive="false"
    IssueInstant="2018-11-13T08:52:46.479Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.220.1:8080/spring-security-saml2-sample/saml/metadata</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#a43gec3dj03572af13jde7d6i9fjeb9">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
        <ds:DigestValue>8QLKze3I7GSbL0DGVRZuf1sFsvU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>XkMt6SDhCo66HnSnrwczjm2n5Y05yDLNvZDclzyBoOi6Mja1VfKpMs3lAyu+Fjadus4pQD2DxOVpIW1vwohygMzk66mNbwkkgTBPOOyH+AVVB2EfBeztyHmBJggjv5t3qc8I4C+V0nCrPBtnTeQD0Dc0GpEPC6ZPZVe5qSJqFllocebDFU6b1n/qiVgY8cJTSa8b0KCnC0lnT4DzaqMCVgZ3uMVJOcft/hWvyQFEMAgYbn5ohIm23GGE81A/F7eBgA8JRWSpZXbK9lSeAS5ZJ9wGRARao/PzY6BxaIwf2hTj43kPj4d/7gm3RF0P5iFCGzkvjhsWy/F0vE2+RVhuXQ==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDUjCCAjqgAwIBAgIEUOLIQTANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJGSTEQMA4GA1UE
CBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kxGDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEM
MAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcNMTMwMTAxMTEyODAxWhcNMjIxMjMwMTEy
ODAxWjBrMQswCQYDVQQGEwJGSTEQMA4GA1UECBMHVXVzaW1hYTERMA8GA1UEBxMISGVsc2lua2kx
GDAWBgNVBAoTD1JNNSBTb2Z0d2FyZSBPeTEMMAoGA1UECwwDUiZEMQ8wDQYDVQQDEwZhcG9sbG8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXqP0wqL2Ai1haeTj0alwsLafhrDtUt00E
5xc7kdD7PISRA270ZmpYMB4W24Uk2QkuwaBp6dI/yRdUvPfOT45YZrqIxMe2451PAQWtEKWF5Z13
F0J4/lB71TtrzyH94RnqSHXFfvRN8EY/rzuEzrpZrHdtNs9LRyLqcRTXMMO4z7QghBuxh3K5gu7K
qxpHx6No83WNZj4B3gvWLRWv05nbXh/F9YMeQClTX1iBNAhLQxWhwXMKB4u1iPQ/KSaal3R26pON
UUmu1qVtU1quQozSTPD8HvsDqGG19v2+/N3uf5dRYtvEPfwXN3wIY+/R93vBA6lnl5nTctZIRsyg
0Gv5AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAFQwAAYUjso1VwjDc2kypK/RRcB8bMAUUIG0hLGL
82IvnKouGixGqAcULwQKIvTs6uGmlgbSG6Gn5ROb2mlBztXqQ49zRvi5qWNRttir6eyqwRFGOM6A
8rxj3Jhxi2Vb/MJn7XzeVHHLzA1sV5hwl/2PLnaL2h9WyG9QwBbwtmkMEqUt/dgixKb1Rvby/tBu
RogWgPONNSACiW+Z5o8UdAOqNMZQozD/i1gOjBXoF0F5OksjQN7xoQZLj9xXefxCFQ69FPcFDeEW
bHwSoBy5hLPNALaEUoa5zPDwlixwRjFQTc5XXaRpgIjy/2gsL8+Y5QRhyXnLqgO67BlLYW/GuHE=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</saml2p:AuthnRequest>
```

And the SAML response:

```
<saml2p:Response Destination="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO"
    ID="_b1367bb41480ad5f74bdf914244c2799"
    InResponseTo="a43gec3dj03572af13jde7d6i9fjeb9"
    IssueInstant="2018-11-13T08:53:11.920Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://test-gluu.com/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
  </saml2p:Status>
  <saml2:Assertion ID="_04a65b06dabb13ff19f307ecc3299d7d" IssueInstant="2018-11-13T08:53:11.920Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>https://test-gluu.com/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
        <ds:Reference URI="#_04a65b06dabb13ff19f307ecc3299d7d">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
          <ds:DigestValue>BrEMfhc1up80LtSXBD6IUFXoJF5cqjdToa9ERYSEgoE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
cArUUBkG2LFwLzxGgUB1yzbItbsK0xuUWpQFbqD3BtO2OGAPAbU1Cg6O/x8+5lw0E7lY7GhwOKL9
X+5WSp+johcPcGMEOXOlsVdy1YzSiZeVrasVoXAa98Of8Y/GFU1AnGBEyhZ7zz5Xh5bMihg3fW+0
zyx25YPieuTQzIuWK3nNKax89koWfK6Hbct3HIUtXyfxWq0i9YSa2DUPmnxXxhw1Il+0bVlPQ4vg
Lvd8wNaF99VZscQxCPreiZg1oaoqZM+tOOL64FU4uEhWCV2Ou1VH41ke+ZVg3n1oMQnSI58rnGGJ
foPqHPe9Y0PKY1kHod1RwOEHuLUoWqu+VQSRvA==
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDYDCCAkgCCQCeivohphI2zTANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJjaDELMAkGA1UE
CAwCdmQxETAPBgNVBAcMCGxhdXNhbm5lMQwwCgYDVQQKDANJVEMxFjAUBgNVBAMMDXRlc3QtZ2x1
dS5jb20xHTAbBgkqhkiG9w0BCQEWDnN1cHBvcnRAaXRjLmNoMB4XDTE4MTEwNTEyNDc1MloXDTE5
MTEwNTEyNDc1MlowcjELMAkGA1UEBhMCY2gxCzAJBgNVBAgMAnZkMREwDwYDVQQHDAhsYXVzYW5u
ZTEMMAoGA1UECgwDSVRDMRYwFAYDVQQDDA10ZXN0LWdsdXUuY29tMR0wGwYJKoZIhvcNAQkBFg5z
dXBwb3J0QGl0Yy5jaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOP57h39+6LotOWX
gcuB+FouHD2Kn2yEc/AoZDhVMOqwLVuE5l2Ze9khoN+ymd/Hn1iBXWdDBFfb1quMnYWhWW3AsXz3
PJvOyoQJ7pXi76144af6ICn5lX8p86QnLYrDqRaxBmUPCGcZWsUPe4BR3DPtNtHJ76u3tTt0RpOT
p1RXOOCqJKQJismAgFJDFxNuTmMPY2cgo4eSqRzqWVLzbldkeqStgtKnmh40x1LPECT9rf646aio
130liHOBzhw+Ho9bP0FPtGGbfFuTXBXM4TapcUwTG1UyWAApqbppDuLA1gwwX19u5quBMAjIeNb6
v6dVrnyJ1QPJpzpU7GT64CkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAEpELUbn7u2Ok5mFs2z5X
1Nf2QhtVPUhD9x07rB/0ygmTscpPlznx/4MKAIdGk2nVnSdYjnmaoUyOUkPTGplvip+C+4FE1fc6
z5xrvI4Am3WbVRMeFhNdax1KVIxw4GJ/wQdVhEwYn+xaWau5gj8J6wPyqUGYYPI5sD8oJEaWKUF+
jDSw5xQsTT/AyslFY9vhPF+1mYvIHZz67yGP1EoEQN2VExfC4rG9hhMARhynF4cdcWxedGLjSO2B
wTRx3psXrSRbxB7sNEi1ZQF3XGbk5fmGIyZBYsfpMx/EeKpeSciEs0L/qUGh3bqWySiSuOzhNs4X
ZJeMHLu1XIv4aiA1TA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="192.168.56.1" InResponseTo="a43gec3dj03572af13jde7d6i9fjeb9"
NotOnOrAfter="2018-11-13T08:58:11.946Z" Recipient="http://192.168.220.1:8080/spring-security-saml2-sample/saml/SSO" ></saml2:SubjectConfirmationData> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2018-11-13T08:53:11.920Z" NotOnOrAfter="2018-11-13T08:58:11.920Z" > <saml2:AudienceRestriction> <saml2:Audience>http://192.168.220.1:8080/spring-security-saml2-sample/saml/metadata</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2018-11-13T08:51:23.600Z" SessionIndex="_f000472b0b22b09c5fe3ea705be991d7" > <saml2:SubjectLocality Address="192.168.56.1" ></saml2:SubjectLocality> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue>maxime</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue>m@m.ch</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue>maxime fn</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" > <saml2:AttributeValue>maxime ln</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response> ``` What I understand from the shibboleth mailing list (http://shibboleth.1660669.n2.nabble.com/No-NameID-released-td7605312.html) is the presence of the nameID in the SAML response depends of the metadata of the SP. 
It looks like the metadata of my SP accepts several formats:

```
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
```

By Aliaksandr Samuseu staff 13 Nov 2018 at 1:51 p.m. CST

Aliaksandr Samuseu gravatar
>What I understand from the shibboleth mailing list (http://shibboleth.1660669.n2.nabble.com/No-NameID-released-td7605312.html) is the presence of the nameID in the SAML response depends on the metadata of the SP.

Not exactly, but it may affect the nameid selection process (though the nameid specified in the SAML request has the highest priority, I believe, if present). If none is requested explicitly, the IDP should try to select one using its own priority list. It's strange that even though the "transient" nameid is mentioned in the SP's metadata, and none is mentioned in the request, it still fails to add it to the response.

Please provide your current `/opt/gluu/jetty/identity/conf/shibboleth3/idp/saml-nameid.xml.vm` and `/opt/shibboleth-idp/conf/saml-nameid.xml` files. Also consider editing the `/opt/shibboleth-idp/conf/logback.xml` file, changing the log levels of the loggers marked green on the attached picture to DEBUG; stop the "idp" service and [re]move the `/opt/shibboleth-idp/logs/idp-process.log` file; start the "idp" service, wait 5 minutes for it to load, and re-try the flow for this SP again. Then share the re-generated `/opt/shibboleth-idp/logs/idp-process.log` with us.
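An added example, not code from this thread and not Shibboleth's or Gluu's own implementation, that models the selection rule described in the reply above (an explicit `NameIDPolicy/@Format` in the AuthnRequest wins; otherwise the IdP walks its own preference list and takes the first format the SP's metadata advertises) and the SP-side check behind the original report (does the Assertion's Subject carry a NameID at all). The SP metadata, AuthnRequest and Response below are constructed to mirror the messages posted earlier in the thread; the IdP preference order `IDP_PREFERENCE` is an assumption, since the real one is whatever `saml-nameid.xml` configures.

```python
"""Added example: simplified SAML 2.0 NameID format selection plus a check
for a missing NameID. Not from the thread or from Shibboleth/Gluu code."""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SP metadata with the same NameIDFormat list as the thread's SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://192.168.220.1:8080/spring-security-saml2-sample/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest with no NameIDPolicy, like the one in the thread.
AUTHN_REQUEST_NO_POLICY = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="a43gec3dj03572af13jde7d6i9fjeb9" Version="2.0" IssueInstant="2018-11-13T08:52:46.479Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.220.1:8080/spring-security-saml2-sample/saml/metadata</saml2:Issuer>
</saml2p:AuthnRequest>"""

# The same request, but explicitly asking for a persistent identifier.
AUTHN_REQUEST_PERSISTENT = AUTHN_REQUEST_NO_POLICY.replace(
    "</saml2:Issuer>",
    '</saml2:Issuer>\n  <saml2p:NameIDPolicy Format="%s" AllowCreate="true"/>' % PERSISTENT,
)

# Constructed Response whose Subject has no NameID (the symptom in the thread).
RESPONSE_NO_NAMEID = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

# The same Response with a transient NameID, as the IdP would normally send.
RESPONSE_WITH_NAMEID = RESPONSE_NO_NAMEID.replace(
    "<saml2:Subject>",
    '<saml2:Subject>\n      <saml2:NameID Format="%s">_abc123</saml2:NameID>' % TRANSIENT,
)

# Assumed IdP preference order (the real list comes from saml-nameid.xml).
IDP_PREFERENCE = [TRANSIENT, PERSISTENT, EMAIL]


def sp_nameid_formats(metadata_xml: str) -> List[str]:
    """Formats the SP advertises in its SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.findall(".//md:SPSSODescriptor/md:NameIDFormat", NS)]


def requested_format(authn_request_xml: str) -> Optional[str]:
    """NameIDPolicy/@Format from the request; None if absent or 'unspecified'."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return None
    fmt = policy.get("Format")
    return None if fmt in (None, UNSPECIFIED) else fmt


def select_nameid_format(authn_request_xml: str, metadata_xml: str,
                         idp_preference: List[str]) -> Optional[str]:
    """Explicit request first, then IdP preference filtered by what the SP
    metadata advertises. None means the IdP has no usable format."""
    wanted = requested_format(authn_request_xml)
    if wanted is not None:
        # An explicit policy wins, but only if the IdP can produce that format
        # (a real IdP would answer with an InvalidNameIDPolicy status).
        return wanted if wanted in idp_preference else None
    advertised = sp_nameid_formats(metadata_xml)
    if not advertised:
        return idp_preference[0] if idp_preference else None
    for fmt in idp_preference:
        if fmt in advertised:
            return fmt
    return None


def assertion_nameid(response_xml: str) -> Optional[str]:
    """Value of Assertion/Subject/NameID, or None when the IdP released none."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return node.text if node is not None else None
```

With the constructed inputs, `select_nameid_format(AUTHN_REQUEST_NO_POLICY, SP_METADATA, IDP_PREFERENCE)` yields the transient format, which is the outcome the reply above expected for this SP, and `assertion_nameid(RESPONSE_NO_NAMEID)` returns `None`, which is the condition an SP should treat as a failed login rather than silently accept.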

By Maxime Rouillard user 14 Nov 2018 at 9:41 a.m. CST

Maxime Rouillard gravatar
Please, here are the config files:

* https://pastebin.com/QgT9J95H /opt/shibboleth-idp/conf/saml-nameid.xml
* https://pastebin.com/5Mrp1MPy /opt/gluu/jetty/identity/conf/shibboleth3/idp/saml-nameid.xml.vm

And the logs: https://pastebin.com/wgYXeTde

Perhaps the following error is the cause of the non-generation of the nameid:

```
2018-11-14 10:09:13,961 - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.nameid.impl.NameIdentifierGenerationServiceImpl#0' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot create inner bean 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' of type [org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator] while setting bean property 'SAML1NameIdentifierGenerator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot resolve reference to bean 'shibboleth.SAML1NameIdentifierGenerators' while setting bean property 'generators'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.SAML1NameIdentifierGenerators' available
2018-11-14 10:09:13,977 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:181] - Service 'shibboleth.NameIdentifierGenerationService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.nameid.impl.NameIdentifierGenerationServiceImpl#0' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot create inner bean 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' of type [org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator] while setting bean property 'SAML1NameIdentifierGenerator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot resolve reference to bean 'shibboleth.SAML1NameIdentifierGenerators' while setting bean property 'generators'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.SAML1NameIdentifierGenerators' available
	at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:336)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'net.shibboleth.idp.saml.nameid.impl.NameIdentifierGenerationServiceImpl#0' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot create inner bean 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' of type [org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator] while setting bean property 'SAML1NameIdentifierGenerator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot resolve reference to bean 'shibboleth.SAML1NameIdentifierGenerators' while setting bean property 'generators'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.SAML1NameIdentifierGenerators' available
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.saml.saml1.profile.impl.ChainingSAML1NameIdentifierGenerator#68b366e2' defined in file [/opt/shibboleth-idp/system/conf/saml-nameid-system.xml]: Cannot resolve reference to bean 'shibboleth.SAML1NameIdentifierGenerators' while setting bean property 'generators'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.SAML1NameIdentifierGenerators' available
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shibboleth.SAML1NameIdentifierGenerators' available
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanDefinition(DefaultListableBeanFactory.java:687)
```

Here is the saml-nameid-system.xml: https://pastebin.com/Fn3e6M8d

I have not modified this file.

Thanks for your help.

Maxime

By Maxime Rouillard user 20 Nov 2018 at 11:27 a.m. CST

Maxime Rouillard gravatar
Hello, @Aliaksandr.Samuseu, any news or ideas about this issue? Please let me know if you need more logs or config files.