By: Dusan Vlajkovic user 22 Mar 2020 at 5:05 a.m. CDT

26 Responses
I successfully installed Gluu as IDP and configured SAML2 with Salesforce and Wordpress as SPs. The setup is working successfully in the following scenarios:

1. Open incognito browser and log into Salesforce using Gluu SAML2 IDP. Close incognito browser. Success.
2. Open incognito browser and log into Wordpress using Gluu SAML2 IDP. Close incognito browser. Success.

The problem starts occurring when

1. I log into Salesforce and then try to log into Wordpress thereafter in the same browser, or
2. I log into Wordpress and then try to log into Salesforce thereafter in the same browser.

In the following PDF I have taken detailed screenshots of how to reproduce the issue: https://www.docdroid.net/QKD2nLB/untitled-document.pdf

Help please?

Thank you,
Dusan

By Mohib Zico staff 22 Mar 2020 at 5:27 a.m. CDT

Interesting... What does 'idp-process.log' say when this is happening?

By Dusan Vlajkovic user 22 Mar 2020 at 5:51 a.m. CDT

Dear Mohib,

Many thanks for looking into this with me. Here are the log files:

1. Successful login into Salesforce

```
2020-03-22 10:48:47,650 - 178.148.71.4 - INFO [org.gluu.idp.externalauth.ShibOxAuthAuthServlet:134] - Procession authorization response
2020-03-22 10:48:47,808 - 178.148.71.4 - INFO [org.gluu.oxauth.client.OpenIdClient:412] - Using default claims to attributes mapping
2020-03-22 10:48:47,809 - 178.148.71.4 - INFO [org.gluu.idp.externalauth.AuthenticatedNameTranslator:59] - Created an IdP subject instance with principals containing attributes for dusan
2020-03-22 10:48:47,944 - 178.148.71.4 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:139] - Profile Action ValidateExternalAuthentication: External authentication succeeded for Subject: [IdPAttributePrincipal{attribute=IdPAttribute{id=username, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=dusan}]}}, UsernamePrincipal{username=dusan}, IdPAttributePrincipal{attribute=IdPAttribute{id=email, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=dusan@vlajkovic.com}]}}]
2020-03-22 10:48:48,083 - 178.148.71.4 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:74] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
2020-03-22 10:48:48,185 - 178.148.71.4 - INFO [Shibboleth-Audit.SSO:275] - 20200322T104848Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_2CAAAAXGSDdcBME8wOUUwMDAwMDA0Qzk0AAAA3hfsaWukdbNpwYh1sriPCJLWQydN71ZJQe4GwIxweMoWdS01WgmGqTFcdWZ4GWIyGO5t20WmDZV_DreoQEAfJnnAbjerLFe2cakr4pphgjmL1ylMqrABUMnDtaWmCOM98onVRiSHMm64sWivjwYxZT5vZwpfmQ5JTQNJlkWNmF4ctvdiwFbBiSoMoGBxEPLQM-HpwIXW6ftif6rRDagepMFYQEq2nuPYB_UJqVpXC4Itu3oMzK3AxElqXc-aNgfGNw|https://directklantcontact--test.my.salesforce.com/|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://access.dev.macs.co/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_66dda99ff5c79630b45deefd0ad4f40c|dusan|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid|AAdzZWNyZXQxm+dFb+6QwlcEQJPfdQpCNOXHbujiEAkRjsmboQddV91AKdNGl/daTCItqmGbj2B/IecFJkg24LHzanxppf47ULSzpMvWTZDyDSmQpVP2Pmas45fbI/t20Fk+8ZmwYvuIoyZOuftAbwZO2uYC2tAHoGlm5YeFBg4=|_e5aff7367a89c885576dca3d851a2c73|false
```

2. Failed login into Wordpress

```
2020-03-22 10:49:59,397 - 178.148.71.4 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
	at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-22 10:49:59,399 - 178.148.71.4 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
```

Kind regards,
Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 5:55 a.m. CDT

Hi Mohib,

For the sake of the argument, here are the logs the other way around:

1. Successful login into Wordpress

```
2020-03-22 10:54:24,075 - 178.148.71.4 - INFO [org.gluu.idp.externalauth.ShibOxAuthAuthServlet:134] - Procession authorization response
2020-03-22 10:54:24,237 - 178.148.71.4 - INFO [org.gluu.oxauth.client.OpenIdClient:412] - Using default claims to attributes mapping
2020-03-22 10:54:24,237 - 178.148.71.4 - INFO [org.gluu.idp.externalauth.AuthenticatedNameTranslator:59] - Created an IdP subject instance with principals containing attributes for dusan
2020-03-22 10:54:24,374 - 178.148.71.4 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:139] - Profile Action ValidateExternalAuthentication: External authentication succeeded for Subject: [IdPAttributePrincipal{attribute=IdPAttribute{id=username, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=dusan}]}}, UsernamePrincipal{username=dusan}, IdPAttributePrincipal{attribute=IdPAttribute{id=email, displayNames={}, displayDescriptions={}, encoders=[], values=[StringAttributeValue{value=dusan@vlajkovic.com}]}}]
2020-03-22 10:54:24,472 - 178.148.71.4 - WARN [org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy:74] - Ignoring NameIDFormat metadata that includes the 'unspecified' format
2020-03-22 10:54:24,485 - 178.148.71.4 - INFO [net.shibboleth.idp.saml.session.impl.SAML2SPSessionCreationStrategy:125] - Creating BasicSPSession in the absence of necessary information
2020-03-22 10:54:24,512 - 178.148.71.4 - INFO [Shibboleth-Audit.SSO:275] - 20200322T105424Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ONELOGIN_2c952dc900a5b90dfcfc3e9cf7a5c691652471b8|https://staging.macs.mati.se/sso/metadata|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://access.dev.macs.co/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_b3249b07af178ffe1b329360bb314941|dusan|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid||_a77c0430619b3513c794bc32706005bf|false
```

2. Failed login into Salesforce

```
2020-03-22 10:54:51,216 - 178.148.71.4 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
	at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
2020-03-22 10:54:51,218 - 178.148.71.4 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
```

Kind regards,
Dusan
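Added example (not code from this thread, from Gluu or from Shibboleth): a small Python checker over idp-process.log that pairs a successful Shibboleth-Audit.SSO entry with a ConstraintViolationException ERROR from the same client IP shortly afterwards, which is the signature of the second-SP failure shown in the two posts above. It assumes the IdP v3 default audit field order (the audit format is configurable, so verify it against your own deployment) and runs over constructed sample lines modelled on the excerpts above, with message ids and the NameID shortened to placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the idp-process.log excerpts quoted in this thread;
# message ids and the NameID value are shortened placeholders, not real values.
SAMPLE_LOG = """\
2020-03-22 10:48:48,185 - 178.148.71.4 - INFO [Shibboleth-Audit.SSO:275] - 20200322T104848Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://directklantcontact--test.my.salesforce.com/|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://access.dev.macs.co/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|dusan|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid|NAMEID_PLACEHOLDER|_assert1|false
2020-03-22 10:49:59,397 - 178.148.71.4 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
2020-03-22 10:49:59,399 - 178.148.71.4 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
2020-03-22 11:30:00,000 - 10.0.0.9 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty
"""

# "timestamp - client ip - LEVEL [logger:line] - message", as in the excerpts above
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (?P<ip>\S+) - "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)

# Field names in the Shibboleth IdP v3 default SSO audit format (assumption: the
# deployment has not customised its audit format; 14 pipe-separated fields).
AUDIT_FIELDS = ["time", "in_binding", "in_msg_id", "sp", "profile", "idp", "out_binding",
                "out_msg_id", "principal", "authn_ctx", "attributes", "nameid", "assertion_id", "encrypted"]

def parse_line(line):
    """Split one idp-process.log line into its fields, or None if it is not a log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec

def parse_audit(msg):
    """Map a pipe-separated audit message onto AUDIT_FIELDS, or None if the count differs."""
    parts = msg.split("|")
    if len(parts) != len(AUDIT_FIELDS):
        return None
    return dict(zip(AUDIT_FIELDS, parts))

def find_second_sp_failures(log_text, window=timedelta(minutes=15)):
    """Flag ConstraintViolation errors that follow a successful SSO from the same client IP
    within `window`: a user who just got SSO to one SP and now gets a 500 at the IdP."""
    last_sso = {}   # client ip -> audit record of its most recent successful SSO
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["logger"].startswith("Shibboleth-Audit.SSO"):
            audit = parse_audit(rec["msg"])
            if audit:
                audit["ts"] = rec["ts"]
                last_sso[rec["ip"]] = audit
        elif rec["level"] == "ERROR" and "ConstraintViolationException" in rec["msg"]:
            prior = last_sso.get(rec["ip"])
            if prior and rec["ts"] - prior["ts"] <= window:
                hits.append({"ip": rec["ip"], "prior_sp": prior["sp"],
                             "principal": prior["principal"], "error_ts": rec["ts"]})
    return hits
```

Each hit names the SP the browser last completed SSO to, so the report shows the pair of trust relationships involved rather than only the bare exception.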

By Dusan Vlajkovic user 22 Mar 2020 at 6:02 a.m. CDT

Hi Mohib, Just to give you some background: I am a Salesforce consulting partner and am currently suggesting to use Gluu for SSO for a Dutch company. I already spoke to their CEO and explained the value of Gluu because there is a commercial company behind it and that they could purchase premium support. I am currently setting up a DEV environment for them and it would be great to make it work. If it works, I think the customer will want to go forward with Gluu as a solution. I'd be happy to jump onto a sales call with you guys and discuss in details, but right now I have to make this work to even have a shot at a meaningful conversation. With kind regards, Dusan +381 61 668 00 44

By Mohib Zico staff 22 Mar 2020 at 6:18 a.m. CDT

> 2020-03-22 10:54:51,216 - 178.148.71.4 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Value cannot be null or empty at net.shibboleth.utilities.java.support.logic.Constraint.isNotNull(Constraint.java:227)
> 2020-03-22 10:54:51,218 - 178.148.71.4 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException

"Value cannot be null or empty at" ... that error is the same for both cases. Can you please check oxauth.log? See whether the Username / UID is not being processed -- see if you are getting some error or something like that.

By Dusan Vlajkovic user 22 Mar 2020 at 6:40 a.m. CDT

Hi Mohib,

Here is the log:

```
2020-03-22 10:48:47,002 INFO [qtp1590550415-11] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:589) - Attempting to redirect user: SessionUser: SessionId {dn='30dd202f-01dd-4e12-8963-b3d3c1cb9751', id='30dd202f-01dd-4e12-8963-b3d3c1cb9751', lastUsedAt=Sun Mar 22 10:48:46 UTC 2020, userDn='inum=d872deb0-f037-4ca2-a5a2-eb8588436142,ou=people,o=gluu', authenticationTime=Sun Mar 22 10:48:46 UTC 2020, state=authenticated, sessionState='609286f15967bd9de419fc2bd9979b6a6ff24aebd41fa9a5c94a686cef3f3a23.c9be9ee3-fa9f-404a-b097-513e61ff590d', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={1101.a046cab2-6b27-46d7-86ad-054cb59235d6=false}}, involvedClients=null, sessionAttributes={auth_external_attributes=null, opbs=a43606e0-2146-4de8-8162-bc989a1ec8d1, response_type=code, nonce=Yns9ZJ8hX9, client_id=1101.a046cab2-6b27-46d7-86ad-054cb59235d6, auth_step=1, acr=simple_password_auth, remote_ip=178.148.71.4, auth_user=dusan, scope=openid email user_name, redirect_uri=https://access.dev.macs.co/idp/Authn/oxAuth, state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdGF0ZSI6IlJFWnNCZVVub2EiLCJjb252ZXJzYXRpb24iOiJlMXMxIn0.}, persisted=true}
2020-03-22 10:48:47,005 INFO [qtp1590550415-11] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:597) - Attempting to redirect user: User: org.gluu.oxauth.model.common.User@21352649
2020-03-22 10:48:47,009 INFO [qtp1590550415-11] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:430) - Authentication success for User: 'dusan'
2020-03-22 10:48:47,704 INFO [qtp1590550415-11] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:277) - Authentication success for Client: '1101.a046cab2-6b27-46d7-86ad-054cb59235d6'
2020-03-22 10:54:23,479 INFO [qtp1590550415-10] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:589) - Attempting to redirect user: SessionUser: SessionId {dn='0a972c8a-1298-4401-bec7-0bd6ad798580', id='0a972c8a-1298-4401-bec7-0bd6ad798580', lastUsedAt=Sun Mar 22 10:54:23 UTC 2020, userDn='inum=d872deb0-f037-4ca2-a5a2-eb8588436142,ou=people,o=gluu', authenticationTime=Sun Mar 22 10:54:23 UTC 2020, state=authenticated, sessionState='864ebdb68171f5b893e17169745ece615d39ddaa8d6587d8e37478b4bdab2e00.c38326c5-160b-4974-810a-be7de1c76b53', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={1101.a046cab2-6b27-46d7-86ad-054cb59235d6=false}}, involvedClients=null, sessionAttributes={auth_external_attributes=null, opbs=813747e1-6e3b-4540-8961-622f966b9aec, response_type=code, nonce=stnU26x1IC, client_id=1101.a046cab2-6b27-46d7-86ad-054cb59235d6, auth_step=1, acr=simple_password_auth, remote_ip=178.148.71.4, auth_user=dusan, scope=openid email user_name, redirect_uri=https://access.dev.macs.co/idp/Authn/oxAuth, state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdGF0ZSI6IlNXa1oyT0lnWUYiLCJjb252ZXJzYXRpb24iOiJlMXMxIn0.}, persisted=true}
2020-03-22 10:54:23,480 INFO [qtp1590550415-10] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:597) - Attempting to redirect user: User: org.gluu.oxauth.model.common.User@3de724dc
2020-03-22 10:54:23,481 INFO [qtp1590550415-10] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:430) - Authentication success for User: 'dusan'
2020-03-22 10:54:24,132 INFO [qtp1590550415-14] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:277) - Authentication success for Client: '1101.a046cab2-6b27-46d7-86ad-054cb59235d6'
```

I see that there are two moments here, the first test with Salesforce going first and the second test with Wordpress going first. But interestingly, in neither of those do I see a failed second attempt. Any ideas?

By Dusan Vlajkovic user 22 Mar 2020 at 6:56 a.m. CDT

It's like the second attempt on the same browser isn't even hitting Shibboleth, which might explain the 500 error? But why?

By Dusan Vlajkovic user 22 Mar 2020 at 7:03 a.m. CDT

Mohib,

It's worth noting that I stumbled on this issue as well, although I don't think it has an impact: https://github.com/GluuFederation/oxTrust/issues/1928

Kind regards,
Dusan

By Mohib Zico staff 22 Mar 2020 at 7:17 a.m. CDT

> It's like the second attempt on the same browser isn't even hitting Shibboleth, which might explain the 500 error?

Yes, that's the cause. oxAuth is not passing UID / Username / primary_attribute to Shibboleth... so Shibb has nothing to process and hence the 500 error from Shibboleth.

Question: Wordpress and Salesforce: do both have the 'same' test username? If yes... is this username 'allowed' in both SPs?

> It's worth nothing that I stumble on this issue as well, although I don't think it has impact.

It shouldn't be... that's just a validation issue. Even with failed validation... Shibboleth metadata works well in SSO.

By Dusan Vlajkovic user 22 Mar 2020 at 7:37 a.m. CDT

Hi Mohib, It's a single user in Gluu with Username 'dusan' for both tests. In Salesforce, that attribute is mapped to the Federation Id field. In Wordpress, it is mapped to the Wordpress user field. I am not sure I understand what 'allowed' in both SP means? Thanks for your help and your time, Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 7:45 a.m. CDT

Mohib,

Could it be that this is a cross-domain cookie issue, since:

- Gluu runs on access.dev.macs.co
- Salesforce runs on directklantcontact--test.lightning.force.com
- Wordpress runs on staging.macs.mati.se

Is there some documentation on this?

Thanks,
Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 8:24 a.m. CDT

Meanwhile, I confirm having tested with Chrome and Firefox, both manifest the same behavior. Thank you.

By Mohib Zico staff 22 Mar 2020 at 8:49 a.m. CDT

I will perform a simple test... will run to SAML SP and will try to do SSO the way you are testing in incognito 4.1. If there is any massive issue.. it will be caught.

By Dusan Vlajkovic user 22 Mar 2020 at 8:55 a.m. CDT

Mohib, Thanks. Please let me know. I know I am on Community support here, but this is a make-or-break for a commercial customer. If needed, we can also do a screensharing session via Hangouts or other. Thanks, Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 10:05 a.m. CDT

Dear Mohib,

I have done a few more tests and here is what I can report.

1. Without prior login in Gluu, when I go to the Salesforce and Wordpress instances, and from there I click through to initiate SAML2, without logging in, I do get two Gluu login screens.
2. As soon as I log into one of the two and I try again with the other, I get a HTTP 500 error.

I will now investigate into individual cookies and their impact. I will report back if I have some news.

Thanks,
Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 10:23 a.m. CDT

Dear Mohib, I think I am getting closer. I somehow believe that the session_id cookie is the problem on the domain access.dev.macs.co. I have two SAML2 Trust relationships in this Gluu server. I think that when I authenticate with one SP, I get a session_id, and then when I try to call the other SP authentication flow in the same browser, there is a conflict in the session_id cookie. Do you know if there is a way to resolve this situation? Thank you Sir, Dusan

By Mohib Zico staff 22 Mar 2020 at 10:25 a.m. CDT

I am still in the middle of testing. Will share my screencast with you in ticket.

By Dusan Vlajkovic user 22 Mar 2020 at 10:28 a.m. CDT

Thank you Sir. I will continue testing a bit more on my side until I get your message. Kind regards, Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 11:21 a.m. CDT

Dear Mohib,

In order to understand whether the issue is due to having two SAML2 trusts, I decided to try the following:

1. Keep Salesforce on a SAML trust
2. Set up OpenID Connect for Wordpress

Here are my findings in this setup: when I log in using Wordpress (OpenID Connect), and then I try to call the Salesforce SAML2 flow, I get the following error, which is very strange because at that point I am initiating a SAML2 flow, not an OAuth one: https://www.docdroid.net/quLf9xo/untitled-document-1.pdf

So, this leads me to conclude that Gluu is confused by having two SP sessions at the same time. I don't know for what reason, but as I said above: I think that there is an issue with the session_id cookie when I am trying to authenticate into Gluu from two different SPs.

That's it for now, I will wait for your recommendations.

Kind regards,
Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 12:18 p.m. CDT

Dear Mohib,

By manually deleting the cookie shib_idp_session in my browser, I no longer have the problem, but this is a manual workaround and not a proper solution that can be used. So, I can confirm the following now works with a manual workaround:

1. Go to Wordpress and log in using Gluu SAML2. Success.
2. Delete the shib_idp_session cookie manually from my browser.
3. Go to Salesforce and log in using Gluu SAML2. No need to re-authenticate. Success.

I confirm this manual workaround also works the other way around, by starting in Salesforce instead of Wordpress.

So now my very specific question is: how can I get rid of the shib_idp_session cookie?

Kind regards,
Dusan

By Dusan Vlajkovic user 22 Mar 2020 at 1:26 p.m. CDT

Dear Mohib,

The good news for me is I got it working. The bad news for you is I think it's an issue on Gluu side. I confirm that by applying the following change, I no longer have an issue:

Edit /opt/gluu-server/opt/shibboleth-idp/conf/idp.properties and replace

```
idp.session.StorageService = shibboleth.GluuStorageService
```

by

```
idp.session.StorageService = shibboleth.StorageService
```

Thanks for your help today.

With kind regards,
Dusan

By Mohib Zico staff 22 Mar 2020 at 3:35 p.m. CDT

Thanks for finding the bug and workaround, Dusan. I was also able to reproduce the issue. Created a bug report as well: https://github.com/GluuFederation/oxShibboleth/issues/70

Thanks again!

By Dusan Vlajkovic user 22 Mar 2020 at 4 p.m. CDT

Thanks Mohib. Happy to contribute. Could you please put me in touch with someone from Sales on your side? I'd like to discuss this client opportunity and understand your premium support model better. If someone can drop me an e-mail that would be great. Much obliged, Dusan

By Mohib Zico staff 22 Mar 2020 at 4:05 p.m. CDT

Sure. You can book a call [here](https://www.gluu.org/booking/). Someone from the business side will attend.

By Dusan Vlajkovic user 22 Mar 2020 at 4:08 p.m. CDT

Thank you Sir. Have a **great** evening.

By Mohib Zico staff 22 Mar 2020 at 4:17 p.m. CDT

You too! Be safe.