InvalidNameIDPolicy error with Gitlab SP

By: Daniel Toma user 07 Mar 2019 at 2:45 p.m. CST

5 Responses
Daniel Toma gravatar
I wish to implement SAML SSO auth for a web application (Gitlab). I have no previous experience in the field of identity management or SAML. The current issue is experienced in a sandbox environment for learning purposes and I can provide any details. The scope of this deployment is to evaluate Gluu as a potential product to use in a large scale environment. The current Gluu and Gitlab servers install is in a FreeNAS bhyve VM with 8Gb of RAM and 2 vCPUs. I have followed both Gitlab and Gluu docs to setup SAML SSO up to the point where I can initiate a request to the Gluu server from Gitlab, am presented with the login prompt from Gluu but the callback fails on the Gitlab side. Following resources on the internet I've captured payload data with Firefox's SAML Tracer as well as saved a HAR file of the transaction. Also enabled debug log level for the idp component in Gluu as advised on this here forums. The current setup is configured as follows: 1. Created a CA in FreeNAS and signed server certs for both Gitlab and Gluu 2. Imported the root CA cert in Firefox, SSL requirements are met between the browser and both servers. The green lock shows in the address bar. 3. Imported the root CA in both Gitlab and Gluu in order for server certs to validate as signed between the two servers. 4. Added the server and root CA certs into Gluu /etc/certs folder, updated the java keystore for all services including the shibboleth keystore. 5. I have created the trust relationship and validation is successful. 6. I have added a custom nameid based of the emailAddress attribute. 7. I have added an user with the same data in both Gluu and Gitlab 8. I have NOT added any custom attributes. The password is the post subject but replace white space with underscores.
CentOS 7.0
closed

Answers

By Michael Schwartz Account Admin 07 Mar 2019 at 10:18 p.m. CST

Copy
Michael Schwartz gravatar
Did you see the [docs section on creating a custom NameID](https://gluu.org/docs/ce/3.1.5/admin-guide/saml/#configure-nameid)? What NameID format does Gitlab want? By default, the Gluu Server uses `transientid`, which is a nonpersistent identifer.

By Aliaksandr Samuseu staff 08 Mar 2019 at 12:47 a.m. CST

Copy
Aliaksandr Samuseu gravatar
Hi, Chonko. In addition to questions rised by Michael above, could you also expand a bit on your current setup? >I have followed both Gitlab and Gluu docs to setup SAML SSO up to the point where I can initiate a request to the Gluu server from Gitlab Could you provide links to all documentation you were trying to follow? One thing I would like you to dismiss is that whether or not Passport-SAML takes any part in your flow, as I see its script enabled on one of your screenshots. Despite this, it seems like you try to configure regular SAML Trust Relationship (i.e. Outbound SAML flow) The HAR file you provided contains only the final few requests (error from Gitlab), with no context. Please capture the failing flow again, using steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that task, Chrome's HARs are flawed. Also don't forget to set "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page. Also, make sure you set "Encrypt assertions" to "never" in Relying Party Configuration for this TR before proceeding with the capture and restart "idp" service after applying the changes. Finally, I've noted that your HAR capture doesn't seem to be taken at the same moment as your log files (03.07 vs 03.06). Please make sure you gather your logs around the same time you export the HAR file, we need to see corellations between those. Overall, it seems you are currently sending nameid of type "transient" to Gitlab, and no attributes whatsoever - despite I see "Email" attribute in your "Released" list. Have you tried to restart "idp" service since the moment you added this attribute to the list?

By Daniel Toma user 08 Mar 2019 at 1:44 p.m. CST

Copy
Daniel Toma gravatar
Hi there, Today was quite busy at work and didn't get the chance to reply and also wanted to collect data. I have configured a custom attribute "gitlabTest" as per the docs here: https://gluu.org/docs/ce/3.1.5/admin-guide/attribute/#custom-attributes From the docs on how to setup SAML it was not clear that you MUST configure a custom attribute for this to work. The configuration was done to the best of my understanding. restarts of the idp service were done after each major config change. I have also disabled the passport custom script. The docs used can be found at: https://gluu.org/docs/ce/admin-guide/saml/ https://docs.gitlab.com/ee/integration/saml.html In the attached archive, with the same password as previous, i have added the files that I've manually changed, all the logs under /opt, another HAR file as well as a SAML Tracer export. Thank you for your help!
Video or screenshot link

By Mohib Zico staff 20 Mar 2019 at 10:20 a.m. CDT

Copy
Mohib Zico gravatar
Seems like files deleted from shared links. Closing this ticket.

By Daniel Toma user 20 Mar 2019 at 1:42 p.m. CDT

Copy
Daniel Toma gravatar
Yeah, the file sharing service keeps files for a week. It's been almost two weeks without interaction on this ticket since my last data upload. Anyway, I moved on to simplesaml since it was a piece of cake to setup. Good luck with your product!

Post an answer