By: Bala Gouthaman user 04 Jan 2019 at 8:46 a.m. CST

3 Responses
Bala Gouthaman gravatar
Hi, I am trying to set up Gluu SSO for Office 365 using Shibboleth IDP. When I try to login to Office 365, I get redirected to the Gluu server and the login is successful. However, I get the "InvalidNameIDPolicy" error in the SAML response. My Gluu version is 3.1.4. I have used the instructions in this page primarily: I have gone through the Gluu support forums and understood that manual configuration should be used for the NameID in Gluu 3.1.4. Even after configuring the NameID manually, I still get the same InvalidNameIDPolicy error. This makes me think I have missed some configuration step. Would it be possible for someone to take a look at it and let me know where I have gone wrong? Please also let me know if any other information is required. My configuration files are shared below: 1) 2) My first suspect is this: The Office 365 configuration page I referenced above had instructed me to add ImmutableID to the released attributes, but since I have now added ImmutableID through the .vm configuration files, I don't see it listed as an option under the Trust relationships GUI. Could this be the reason why the SAML response indicates failure?

By Mohib Zico staff 04 Jan 2019 at 9:03 a.m. CST

Mohib Zico gravatar
Hi Bala, - There is a nameID format syntax difference between your attribute-resolver.xml and saml-nameid.xml for `ImmutableID`. >> I don't see it listed as an option under the Trust relationships GUI. - Did you create custom attribute `ImmutableID` from oxTrust?

By Bala Gouthaman user 07 Jan 2019 at 1:23 a.m. CST

Bala Gouthaman gravatar
Hi Mohib, Thank you for your inputs. I have now corrected the nameID format of ImmutableID to be consistent between attribute-resolver.xml and saml-nameid.xml. I have set it to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent The revised files are now shared here: 1) [attribute-resolver.xml]( 2) [saml-nameid.xml]( 3) [custom-attributes.ldif]( As for adding custom attribute ImmutableID from oxTrust: If I do that, I see 2 contradicting definitions for ImmutableID in attribute-resolver.xml (it did not solve the InvalidNameIDPolicy error either). But, I do see Immutable ID listed as an option in the Trust Relationships GUI when I do that. If I have to add ImmutableID in oxTrust GUI, should I delete the definition that I configured from the velocity template file? When I added ImmutableID from the oxTrust GUI, I used these 2 values: - SAML1 URI: urn:gluu:dir:attribute-def:ImmutableID - SAML2 URI: urn:oid: Are they fine? **Edit:** The reason I configured ImmutableID using manual configuration as opposed to using oxTrust GUI was [this link]( It says the problem exists for Gluu version 3.1.4, which I am using.

By Bala Gouthaman user 09 Jan 2019 at 11:09 p.m. CST

Bala Gouthaman gravatar
I have solved my issue by switching to Gluu 3.1.2 and using the oxTrust GUI to create NameID settings. Closing this ticket.