By: Emma Richardson user 09 Apr 2019 at 6:42 p.m. CDT

5 Responses
I am trying to set up an SSO login for Freshdesk. I finally succeeded in getting to the login screen but have an issue somewhere with the nameId. I have put all the related files and screenshots in this folder: https://www.dropbox.com/sh/3itm5c2s41ls468/AAB7HpCqmYPIF9qXzE2R_Dfea?dl=0

I am getting the following error message:

```
2019-04-09 23:40:39,352 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:173] - Profile Action AddAttributeStatementToAssertion: Attempting to encode attribute zoomLogin as a SAML 2 Attribute
2019-04-09 23:40:39,353 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:203] - Profile Action AddAttributeStatementToAssertion: Attribute zoomLogin did not have a usable SAML 2 Attribute encoder associated with it, nothing to do
2019-04-09 23:40:39,353 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:173] - Profile Action AddAttributeStatementToAssertion: Attempting to encode attribute uid as a SAML 2 Attribute
2019-04-09 23:40:39,354 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute uid as a SAML 2 Attribute
2019-04-09 23:40:39,354 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute uid
2019-04-09 23:40:39,354 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value EmmaR of attribute uid
2019-04-09 23:40:39,355 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute uid
2019-04-09 23:40:39,355 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:173] - Profile Action AddAttributeStatementToAssertion: Attempting to encode attribute mail as a SAML 2 Attribute
2019-04-09 23:40:39,356 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute mail as a SAML 2 Attribute
2019-04-09 23:40:39,356 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute mail
2019-04-09 23:40:39,357 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value emmar@ecboces.org of attribute mail
2019-04-09 23:40:39,357 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute mail
2019-04-09 23:40:39,358 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:173] - Profile Action AddAttributeStatementToAssertion: Attempting to encode attribute displayName as a SAML 2 Attribute
2019-04-09 23:40:39,358 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute displayName as a SAML 2 Attribute
2019-04-09 23:40:39,358 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute displayName
2019-04-09 23:40:39,359 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value Emma Richardson of attribute displayName
2019-04-09 23:40:39,359 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute displayName
2019-04-09 23:40:39,360 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:173] - Profile Action AddAttributeStatementToAssertion: Attempting to encode attribute givenName as a SAML 2 Attribute
2019-04-09 23:40:39,361 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute givenName as a SAML 2 Attribute
2019-04-09 23:40:39,361 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute givenName
2019-04-09 23:40:39,362 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value Emma of attribute givenName
2019-04-09 23:40:39,362 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute givenName
2019-04-09 23:40:39,363 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:173] - Profile Action AddAttributeStatementToAssertion: Attempting to encode attribute sn as a SAML 2 Attribute
2019-04-09 23:40:39,363 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:187] - Profile Action AddAttributeStatementToAssertion: Encoding attribute sn as a SAML 2 Attribute
2019-04-09 23:40:39,364 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:154] - Beginning to encode attribute sn
2019-04-09 23:40:39,364 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.SAMLEncoderSupport:73] - Encoding value Richardson of attribute sn
2019-04-09 23:40:39,365 - DEBUG [net.shibboleth.idp.saml.attribute.encoding.AbstractSAMLAttributeEncoder:191] - Completed encoding 1 values for attribute sn
2019-04-09 23:40:39,365 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:116] - Profile Action AddAttributeStatementToAssertion: Adding constructed AttributeStatement to Assertion _797880deb675b71421c385cf3036fe44
2019-04-09 23:40:39,368 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:286] - Profile Action AddNameIDToSubjects: Attempting to add NameID to outgoing Assertion Subjects
2019-04-09 23:40:39,369 - DEBUG [org.opensaml.saml.common.profile.logic.AbstractNameIDPolicyPredicate:218] - Policy checking disabled for NameIDPolicy with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,369 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:316] - Profile Action AddNameIDToSubjects: Request specified NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,369 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:396] - Profile Action AddNameIDToSubjects: Trying to generate NameID with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,370 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,370 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,378 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy
2019-04-09 23:40:39,379 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:184] - Error event InvalidNameIDPolicy will be handled with response
2019-04-09 23:40:39,387 - DEBUG [org.opensaml.saml.saml2.profile.impl.AbstractResponseShellAction:217] - Profile Action AddStatusResponseShell: Setting Issuer to https://login.ecboces.org/idp/shibboleth
```

I would greatly appreciate some assistance...
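Added example, not part of the original post and not Gluu or Shibboleth code: a small triage script that pulls the NameID-related signal out of an IdP debug log like the one above. The sample lines are copied from the log in the post; the `triage` function, its rule names and the `failed_formats` key are hypothetical.

```python
import re

# Five lines taken from the log quoted in the post above (attribute-encoding noise left out).
SAMPLE_LOG = """\
2019-04-09 23:40:39,353 - DEBUG [net.shibboleth.idp.saml.saml2.profile.impl.AddAttributeStatementToAssertion:203] - Profile Action AddAttributeStatementToAssertion: Attribute zoomLogin did not have a usable SAML 2 Attribute encoder associated with it, nothing to do
2019-04-09 23:40:39,369 - DEBUG [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:316] - Profile Action AddNameIDToSubjects: Request specified NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,370 - DEBUG [org.opensaml.saml.common.profile.impl.ChainingNameIdentifierGenerator:106] - Trying to generate identifier with Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,370 - WARN [org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects:337] - Profile Action AddNameIDToSubjects: Request specified use of an unsupportable identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2019-04-09 23:40:39,378 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidNameIDPolicy
"""

# "<date> <time> - <LEVEL> [<class>:<line>] - <message>"
LINE = re.compile(r"^(\S+ \S+) - (\w+)\s+\[([\w.$]+):(\d+)\] - (.*)$")

# Message patterns worth surfacing when NameID generation fails.
RULES = {
    "requested": re.compile(r"Request specified NameID format: (\S+)"),
    "unsupported": re.compile(r"unsupportable identifier format: (\S+)"),
    "event": re.compile(r"non-proceed event occurred while processing the request: (\w+)"),
    "no_encoder": re.compile(r"Attribute (\S+) did not have a usable SAML 2 Attribute encoder"),
}


def triage(log_text):
    """Return the distinct values matched by each rule, in order of appearance."""
    findings = {key: [] for key in RULES}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation line or stack trace, not a log record
        message = m.group(5)
        for key, rx in RULES.items():
            hit = rx.search(message)
            if hit and hit.group(1) not in findings[key]:
                findings[key].append(hit.group(1))
    # Formats the SP asked for that the IdP then reported it could not produce.
    findings["failed_formats"] = [
        f for f in findings["requested"] if f in findings["unsupported"]
    ]
    return findings


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(f"{key}: {values}")
```
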

By Michael Schwartz Account Admin 09 Apr 2019 at 8:38 p.m. CDT

I see from [this article](https://support.freshdesk.com/support/solutions/articles/186796-single-sign-on-for-freshdesk-using-saml) that the NameID format required is emailAddress. The default nameid-format in Gluu is transientID, not emailAddress.

If you enable debug on the Shibboleth IDP, you should be able to see the SAML assertion in the log and compare it to the one below.

```
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@test.freshdesk.com</saml:NameID>
```

By Emma Richardson user 09 Apr 2019 at 8:41 p.m. CDT

Yes, that is what I am trying to get to work...I have followed the Google SAAS setup because their xml files are very similar and they also use the emailAddress NameId to no avail... Thank you though - the error message is with debugging on...

By Emma Richardson user 09 Apr 2019 at 8:59 p.m. CDT

I added the SAML request and response from SAML tracer to the dropbox folder. Freshdesk definitely asks for the SAML 1.1 format and the response only mentions SAML 2.0 - I have uncommented the 1.1 nameid bean but I must have missed something somewhere... Oh, and I am using a nameid that is working with our other SP on email so thought it should work with this one but am realizing that I don't have something quite right with SAML1.1 nameid format.

By Aliaksandr Samuseu staff 19 Apr 2019 at 7:13 p.m. CDT

Hi, Emma.

Judging by what I see in your `attribute-resolver.xml.vm` file, you already added an element for a custom nameid by hand before:

```
<resolver:AttributeDefinition id="zoomLogin" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email" />
</resolver:AttributeDefinition>
```

You need to try to add another one, for this SP, this time of format `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. Like this:

```
<resolver:AttributeDefinition id="freshdeskLogin" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>
```

Don't forget the rest of the usual steps for adding a nameid, including registering an attribute to represent it in the web UI. Then add this new attribute to the list of released attributes for this SP.

By Emma Richardson user 19 Apr 2019 at 10:27 p.m. CDT

I got on the Shibboleth forum and found out all I had to do was add a bean for saml2 referencing the emailAddress name format and it started working. Didn't need another name id - in fact wondering if I even needed a name id for Zoom but it is working so will leave it alone for now!! Thank you for your response though!