By: Bala Gouthaman user 04 Jan 2019 at 8:46 a.m. CST

3 Responses
Hi, I am trying to set up Gluu SSO for Office 365 using Shibboleth IDP. When I try to login to Office 365, I get redirected to the Gluu server and the login is successful. However, I get the "InvalidNameIDPolicy" error in the SAML response. My Gluu version is 3.1.4.

I have used the instructions in this page primarily: https://gluu.org/docs/ce/3.1.4/integration/saas/office/

I have gone through the Gluu support forums and understood that manual configuration should be used for the NameID in Gluu 3.1.4. Even after configuring the NameID manually, I still get the same InvalidNameIDPolicy error. This makes me think I have missed some configuration step. Would it be possible for someone to take a look at it and let me know where I have gone wrong? Please also let me know if any other information is required.

My configuration files are shared below:

1) https://www.dropbox.com/s/80t42xmw0gkspx3/attribute-resolver.xml?dl=0
2) https://www.dropbox.com/s/kgnwt2e715952m1/saml-nameid.xml?dl=0

My first suspect is this: the Office 365 configuration page I referenced above had instructed me to add ImmutableID to the released attributes, but since I have now added ImmutableID through the .vm configuration files, I don't see it listed as an option under the Trust relationships GUI. Could this be the reason why the SAML response indicates failure?

By Mohib Zico Account Admin 04 Jan 2019 at 9:03 a.m. CST

Hi Bala,

- There is a nameID format syntax difference between your attribute-resolver.xml and saml-nameid.xml for `ImmutableID`.

> I don't see it listed as an option under the Trust relationships GUI.

- Did you create custom attribute `ImmutableID` from oxTrust?

By Bala Gouthaman user 07 Jan 2019 at 1:23 a.m. CST

Hi Mohib, thank you for your inputs.

I have now corrected the nameID format of ImmutableID to be consistent between attribute-resolver.xml and saml-nameid.xml. I have set it to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

The revised files are now shared here:

1) [attribute-resolver.xml](https://www.dropbox.com/s/a5vvwws5kazm8gs/attribute-resolver.xml?dl=0)
2) [saml-nameid.xml](https://www.dropbox.com/s/bhjv1qc5h0m235b/saml-nameid.xml?dl=0)
3) [custom-attributes.ldif](https://www.dropbox.com/s/dfh6k4i3d7d0qg6/custom-attributes.ldif?dl=0)

As for adding custom attribute ImmutableID from oxTrust: if I do that, I see 2 contradictory definitions for ImmutableID in attribute-resolver.xml (it did not solve the InvalidNameIDPolicy error either). But I do see Immutable ID listed as an option in the Trust Relationships GUI when I do that. If I have to add ImmutableID in the oxTrust GUI, should I delete the definition that I configured from the velocity template file?

When I added ImmutableID from the oxTrust GUI, I used these 2 values:

- SAML1 URI: urn:gluu:dir:attribute-def:ImmutableID
- SAML2 URI: urn:oid:1.3.6.1.4.1.48710.1.3.1002

Are they fine?

**Edit:** The reason I configured ImmutableID using manual configuration as opposed to using the oxTrust GUI was [this link](https://support.gluu.org/identity-management/6472/invalid-nameidpolicy-error/). It says the problem exists for Gluu version 3.1.4, which I am using.
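As an added illustration of the consistency check Mohib points at and the persistent format settled on above (example code written for this page, not from the thread, Gluu or Shibboleth): a small Python checker reads the NameIDPolicy an SP requests, confirms that saml-nameid.xml has a SAML2 generator for that format, and confirms that the attribute the generator sources is defined in attribute-resolver.xml with a matching encoder nameFormat. The XML fragments are constructed in the shape of Shibboleth IdP v3 config, not the poster's real files.

```python
import re
import xml.etree.ElementTree as ET

P = "{http://www.springframework.org/schema/p}"  # Spring "p:" attribute namespace
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
RESOLVER = "{urn:mace:shibboleth:2.0:resolver}"

# Constructed sample inputs (not the poster's real files): an SP AuthnRequest asking for a
# persistent NameID, plus minimal saml-nameid.xml / attribute-resolver.xml fragments.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/></samlp:AuthnRequest>"""
SAML_NAMEID_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.SAML2NameIDGenerators">
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" p:attributeSourceIds="#{ {'ImmutableID'} }"/>
  </util:list></beans>"""
ATTRIBUTE_RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="ImmutableID" xsi:type="Simple" sourceAttributeID="objectGUID">
    <AttributeEncoder xsi:type="SAML2StringNameID"
      nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  </AttributeDefinition></AttributeResolver>"""

def check_nameid_policy(authn_request, saml_nameid, attribute_resolver):
    """Return findings explaining why the IdP would answer InvalidNameIDPolicy; [] means OK."""
    policy = ET.fromstring(authn_request).find(SAMLP + "NameIDPolicy")
    wanted = policy.get("Format") if policy is not None else None
    if wanted is None or wanted.endswith(":unspecified"):
        return []  # the SP left the format to the IdP; nothing to enforce
    # Configured generator formats -> the resolver attribute ids each one reads from.
    generators = {b.get(P + "format"): re.findall(r"'([^']+)'", b.get(P + "attributeSourceIds", ""))
                  for b in ET.fromstring(saml_nameid).iter() if b.get(P + "format")}
    if wanted not in generators:
        return [f"saml-nameid.xml has no SAML2 generator for {wanted}"]
    # Resolver attribute ids -> nameFormats declared on their NameID encoders.
    encoders = {d.get("id"): {e.get("nameFormat") for e in d.iter(RESOLVER + "AttributeEncoder")
                              if e.get("nameFormat")}
                for d in ET.fromstring(attribute_resolver).iter(RESOLVER + "AttributeDefinition")}
    problems = []
    for attr in generators[wanted]:
        if attr not in encoders:
            problems.append(f"'{attr}' is used by the {wanted} generator but not defined in attribute-resolver.xml")
        elif encoders[attr] and wanted not in encoders[attr]:
            problems.append(f"'{attr}' encoder nameFormat {sorted(encoders[attr])} differs from requested {wanted}")
    return problems
```

With the three constructed fragments the checker returns an empty list; changing the encoder's nameFormat or misspelling the attribute id in either file produces a finding of the kind that surfaces as InvalidNameIDPolicy at the SP.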

By Bala Gouthaman user 09 Jan 2019 at 11:09 p.m. CST

I have solved my issue by switching to Gluu 3.1.2 and using the oxTrust GUI to create NameID settings. Closing this ticket.