By: David C. user 13 Nov 2019 at 5:05 a.m. CST

A user calls a page of the service provider. The service provider redirects to Gluu to perform the login. In the browser we can see these requests:

https://idp.learning-performance.cloud/idp/profile/SAML2/Redirect/SSO?SAMLRequest=nVPBjpswEP0V5DsYkzRVrSSrNFHVSNsuCrSHXipjT3atGpvaJqR%2FX0PCNocuh5yQZp7fm3nzWD6caxWdwDpp9AqRJEUP66VjtWropvUv%2BgC%2FW3A%2BCjDt6NBYodZqapiTjmpWg6Oe02Lz5ZFmSUoba7zhRqFov1uhnyzNsgWfp6J6T7KqYsd09g5F30fB8CIAnWthr51n2odSSj7EhMRkVpKUzjM6T5PZYvEDRfmV%2BqPUQurn6TmqC8jRz2WZx%2FlTUaJoFzaRmvlB%2BsX7xlGMpWgSBczqgI4bsEdja6Y5JFyZVvRtHHY6SgW4J8%2FwAYS0wD0uiicUbZwD2zNujXZtDbYAe5Icvh0e%2F2l0XTelocyz1PjEGsm0wb3JmDOlKsZ%2Focs16OCRvTnD9PZsnAqtr7QT%2Bkt8IzFe%2F2vg3O9yoyT%2Fc8%2F1P%2FUS%2Fm00SchQkSIepvEUaibVRggLzgVflTLd1gLzsELetoDwONo1kyCGhAbfPZzvSujW1A2z0vVxgDPjfnT7lnirgpkHON7j%2FSSMU95Th3IePp2xog94CBaI0jLtGmP99TT%2Fm2d96b1hx2v39i9e%2FwU%3D&RelayState=%2Fauthoring%2Fvapiano%2Fapp
https://idp.learning-performance.cloud/idp/profile/SAML2/Redirect/SSO?execution=e2s1
https://idp.learning-performance.cloud/idp/Authn/oxAuth?conversation=e2s1
https://idp.learning-performance.cloud/oxauth/restv1/authorize?response_type=code&client_id=1101.8d3f26ad-50cb-4ffe-8451-6f4d6022e403&scope=openid+email+user_name&redirect_uri=https%3A%2F%2Fidp.learning-performance.cloud%2Fidp%2FAuthn%2FoxAuth&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdGF0ZSI6Inhsc3FuSWpvRUUiLCJjb252ZXJzYXRpb24iOiJlMnMxIn0.&nonce=cFeQjOzi8d&acr_values=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&entityId=vapiano.learning-performance.cloud
https://idp.learning-performance.cloud/oxauth/authorize.htm?scope=openid+email+user_name&acr_values=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aac%3Aclasses%3APasswordProtectedTransport&response_type=code&redirect_uri=https%3A%2F%2Fidp.learning-performance.cloud%2Fidp%2FAuthn%2FoxAuth&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdGF0ZSI6Inhsc3FuSWpvRUUiLCJjb252ZXJzYXRpb24iOiJlMnMxIn0.&nonce=cFeQjOzi8d&client_id=1101.8d3f26ad-50cb-4ffe-8451-6f4d6022e403
https://idp.learning-performance.cloud/oxauth/error.htm

We can see the following error in the oxauth.log:

2019-11-13 10:42:40,547 ERROR [qtp105704967-11] [gluu.oxauth.authorize.ws.rs.AuthorizeAction] (AuthorizeAction.java:251) - Failed to get CustomScriptConfiguration. auth_step: 1, acr_values: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

The installation has been done using the available documentation. It is a Compute Engine instance in Google Cloud with Ubuntu 18.04. Any idea how to solve the issue?

Best regards, David C.

By Aliaksandr Samuseu staff 13 Nov 2019 at 11:31 a.m. CST

Hi, David. We'll try to reproduce this one. Please double-check your current package version and let us know:

1. Outside the container: `# dpkg-query -l | grep -i gluu`
2. Inside: `# cat /opt/jetty-*/temp/jetty-localhost-8081-oxauth.war-*.dir/webapp/META-INF/MANIFEST.MF`

@Mohit.Mali, could you please look into this? If I understand correctly, you just need to configure an SP trust relationship and try to log in to the SP. You can use https://samltest.id/ as the SP. You'll need a VM running Bionic.

By David C. user 14 Nov 2019 at 6:23 a.m. CST

Output of both commands:

```
dpkg-query -l | grep -i gluu
ii  gluu-server  4.0~bionic  amd64  Gluu Server Community Edition
root@idp:~# cat /opt/jetty-*/temp/jetty-localhost-8081-oxauth.war-*.dir/webapp/META-INF/MANIFEST.MF
Manifest-Version: 1.0
Implementation-Title: oxAuth Server
Build-Branch: origin/version_4.0
Implementation-Version: 4.0.Final
Archiver-Version: Plexus Archiver
Built-By: jetty
Implementation-Build: 146bdec8882c44df0f9c0872549795b16ebde19d
Implementation-Vendor-Id: org.gluu
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_221
```

In our test stage it works as expected:

```
dpkg-query -l | grep -i gluu
ii  gluu-server  4.0-rc1-88~bionic+Ub18.04  amd64  Gluu Server Community Edition
root@idp-test:~# cat /opt/jetty-*/temp/jetty-localhost-8081-oxauth.war-*.dir/webapp/META-INF/MANIFEST.MF
Manifest-Version: 1.0
Implementation-Title: oxAuth Server
Build-Branch: origin/version_4.0.rc1
Implementation-Version: 4.0.rc1
Archiver-Version: Plexus Archiver
Built-By: jetty
Implementation-Build: cf0039e5bce15febfbfc4849e763cced22de1c6c
Implementation-Vendor-Id: org.gluu
Created-By: Apache Maven 3.3.9
Build-Jdk: 1.8.0_221
```

Best regards, David C.

By David C. user 14 Nov 2019 at 7:24 a.m. CST

SP trust relationships have been configured.

By Mohit Mali staff 15 Nov 2019 at 12:23 a.m. CST

Hi @David, I have just tested the SSO with https://samltest.id/ and that works fine for me. Can you give this a try? Also, please give me the steps for how you configured the SP trust relationship.

Thanks and regards,
Mohit Mali

By David C. user 15 Nov 2019 at 1:57 a.m. CST

Hi, I've done a new installation, but unfortunately with the same result. Setup has been done following the installation documentation. Please have a look at the pictures for the trust relationship: [link to files, use password: a](https://dataroom.elearning.de/owncloud/index.php/s/yCDdt3geRz9ruZf)

By David C. user 15 Nov 2019 at 5:03 a.m. CST

I've added oxAuth debug session images. AuthorizeAction doesn't find a matching CustomScriptConfiguration. acrValuesList contains: [urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport], but the ExternalAuthenticationService has only "simple_password_auth" in customScripts.

Best regards, David C.

By Mohit Mali staff 18 Nov 2019 at 3:12 a.m. CST

Hi David C., I don't think the SAML issue is in any way related to the ExternalAuthenticationService. Can you do the following for testing:

1. Go to https://sptest.iamshowcase.com/
2. Navigate to Instructions --> IdP initiated SSO.
3. Download the metadata XML.
4. Log in to the Gluu Server.
5. Add a trust relationship with the downloaded metadata.
6. Configure the NameID.
7. Go back to https://sptest.iamshowcase.com/
8. Place the content of https://yourgluuserver/idp/shibboleth.
9. On completion you will get the link to test SSO.
10. Test the SSO flow.

I have just tested this and it works for me.

Thanks and regards,
Mohit Mali

By David C. user 19 Nov 2019 at 5:27 a.m. CST

The sptest works, but still no success with our service provider.

What happens when it works: there is no acr_values request parameter in the sptest requests. In the AuthorizeAction class the acr_values is simple_password_auth, which matches the custom script, and all works as expected.

What happens when it does NOT work: on the other hand, when we call our service provider, acr_values is set in the reply of /idp/Authn/oxAuth?conversation=e2s1 to ...PasswordProtectedTransport, which doesn't find a custom script and results in the described error.

Please help to fix the bug.

Best regards, David C.
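The mechanism David describes can be checked offline. The following is an added example, not code from the thread or from Gluu: it encodes a constructed SAML AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, then base64), pulls the requested AuthnContextClassRef back out, builds the kind of oxAuth authorize URL the IdP's oxAuth login handler produces (hostname and client_id are placeholders), decodes the unsigned `state` JWT copied from the authorize URL in the first post, and finally compares the resulting acr_values against a constructed list of enabled custom scripts. The default of `simple_password_auth` when no acr_values is sent, and the enabled-script list, are assumptions taken from what this thread reports.

```python
"""Added example (not Gluu code): walk SP AuthnRequest -> IdP authorize URL
-> oxAuth script lookup, and show why the lookup fails for
PasswordProtectedTransport when only simple_password_auth is enabled."""
import base64
import json
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed AuthnRequest as an SP would send it (issuer, ID and ACS URL are made up).
AUTHN_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" IssueInstant="2019-11-13T10:42:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    "<saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>"
    '<samlp:RequestedAuthnContext Comparison="exact">'
    "<saml:AuthnContextClassRef>" + PPT + "</saml:AuthnContextClassRef>"
    "</samlp:RequestedAuthnContext></samlp:AuthnRequest>"
)

# Copied from the /oxauth/restv1/authorize URL in the first post (alg=none JWT).
STATE_FROM_THREAD = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJzdGF0ZSI6Inhsc3FuSWpvRUUiLCJjb252ZXJzYXRpb24iOiJlMnMxIn0."
)


def encode_redirect_saml_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_saml_request(saml_request):
    """Inverse; expects the already percent-decoded SAMLRequest value."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def requested_authn_contexts(xml_text):
    """AuthnContextClassRef values the SP asks for (empty if none requested)."""
    root = ET.fromstring(xml_text)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, SAML_NS)]


def build_authorize_url(acr_values, state):
    """Mimic /idp/Authn/oxAuth: the requested context becomes acr_values.
    Host and client_id are placeholders, not the thread's values."""
    params = {
        "response_type": "code",
        "client_id": "1101.example-client",
        "scope": "openid email user_name",
        "redirect_uri": "https://idp.example.test/idp/Authn/oxAuth",
        "state": state,
    }
    if acr_values:
        params["acr_values"] = " ".join(acr_values)
    return "https://idp.example.test/oxauth/restv1/authorize?" + urlencode(params)


def decode_unsigned_jwt(token):
    """Return (header, payload) of an alg=none JWT; nothing here verifies it."""
    def b64url(part):
        return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url(header_b64)), json.loads(b64url(payload_b64))


def acr_values_of(authorize_url):
    query = parse_qs(urlsplit(authorize_url).query)
    return query.get("acr_values", [""])[0].split()


def diagnose(authorize_url, enabled_scripts, default_acr="simple_password_auth"):
    """acr values that match no enabled custom script, i.e. the condition behind
    'Failed to get CustomScriptConfiguration'. default_acr models the thread's
    observation that no acr_values falls back to simple_password_auth (assumed)."""
    acrs = acr_values_of(authorize_url) or [default_acr]
    return [acr for acr in acrs if acr not in enabled_scripts]


def walk_chain(authn_request_xml, enabled_scripts):
    """SP AuthnRequest -> Redirect param -> IdP authorize URL -> script check."""
    param = encode_redirect_saml_request(authn_request_xml)
    acrs = requested_authn_contexts(decode_redirect_saml_request(param))
    url = build_authorize_url(acrs, STATE_FROM_THREAD)
    return {"requested": acrs, "authorize_url": url,
            "unresolved": diagnose(url, enabled_scripts)}


if __name__ == "__main__":
    enabled = ["simple_password_auth"]  # constructed: what the thread reports
    print(walk_chain(AUTHN_REQUEST_XML, enabled))
    print(decode_unsigned_jwt(STATE_FROM_THREAD))
```

Run against the constructed request, `unresolved` contains the PasswordProtectedTransport URN, which is the same mismatch the debug session in the thread shows; add that URN to the enabled list (or send no RequestedAuthnContext, as the sptest SP does) and it is empty. The decoded `state` shows only the IdP's own `state` and `conversation` values, which is how the Shibboleth side ties the oxAuth callback back to `conversation=e2s1`.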

By David C. user 19 Nov 2019 at 5:58 a.m. CST

After replacing the idp.war from 4.0.Final with 4.0.rc1 it works as expected.

By Mohit Mali staff 19 Nov 2019 at 7:32 a.m. CST

Thanks for the confirmation. For any other issue please feel free to reach out to Gluu support.