By: Jeudy Blanco user 02 Jun 2020 at 12:01 p.m. CDT

1 Response
We are evaluating using Gluu for our application. I set up a local instance of Gluu Server (version 4.1.1) and enabled SAML. I'm following [this documentation](https://www.gluu.org/docs/gluu-server/4.1/admin-guide/saml/#create-a-trust-relationship) and created the Trust Relationship using the SAML metadata file provided by our AzureAD admin. The SSO Login URL we are setting on the Azure side is https://{my-local-server}/idp/profile/SAML2/POST-SimpleSign/SSO (not sure that's the one). The first thing I notice in the Trust Relationships list is that the Validation status says Failed. Also, the status is Inactive (when creating the TR I see a button at the bottom of the page to Activate it, but the docs never mention whether this is required. I pressed it anyway, but with no effect). If I go to the details of the TR, I see the validation log reports:

```
**Metadata Validation Log.**
2020-06-02 16:36:02 : ERROR : cvc-elt.4.2: Cannot resolve 'fed:SecurityTokenServiceType' to a type definition for element 'RoleDescriptor'.
2020-06-02 16:36:02 : ERROR : cvc-elt.4.2: Cannot resolve 'fed:ApplicationServiceType' to a type definition for element 'RoleDescriptor'.
2020-06-02 16:36:02 : ERROR : cvc-complex-type.2.4.a: Invalid content was found starting with element 'fed:TargetScopes'. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":KeyDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":Organization, "urn:oasis:names:tc:SAML:2.0:metadata":ContactPerson}' is expected.
2020-06-02 16:36:02 : ERROR : cvc-type.2: The type definition cannot be abstract for element RoleDescriptor.
2020-06-02 16:36:02 : ERROR : cvc-complex-type.2.4.a: Invalid content was found starting with element 'fed:ClaimTypesOffered'. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":KeyDescriptor, "urn:oasis:names:tc:SAML:2.0:metadata":Organization, "urn:oasis:names:tc:SAML:2.0:metadata":ContactPerson}' is expected.
```

Which sounds like syntax errors, but this is weird because this is the file provided by the admin.

I wonder, is AzureAD a valid SAML source for Gluu? During the TR creation, I selected Display Name and Email in the Release additional attributes section, not sure if that makes any difference. What we need is to allow users in our Active Directory to authenticate to our web app using their AD credentials through SSO. For this, we are planning to start with an instance of Gluu running on one of our servers and eventually use the commercial service. The setup of the server (on my local development machine for now) was smooth enough, but configuring it and getting this to work is proving more difficult than I expected. What am I doing wrong in the TR creation for the validation to fail? Any special considerations on the AzureAD side when generating the SAML metadata? After this is solved, what's the URL that our app should send the users to? In the docs, this is mentioned in the **IDP-initiated outbound SAML flow** section:

```
Craft a URL like this: https://idp.gluu.host.loc/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsphost-shib.site%3a8443%2Fshibboleth, where:
idp.gluu.host.loc is the DNS name of the target Gluu Server
providerId URL query parameter contains the entityid of the target SP
```

Is that the right URL? Because I have also seen references in the forum to https://{my-local-server}/idp/profile/SAML2/POST-SimpleSign/SSO and https://{my-local-server}/idp/profile/SAML2/POST/SSO. But in any case, no matter what URL I use to try to start the authentication process, I get the "**Web Login Service - Stale Request**" error message, but I'm guessing this is because of the validation and activation errors. I'd appreciate assistance getting this working.

By Mohib Zico staff 05 Jun 2020 at 9:14 a.m. CDT

Hi,

> The SSO Login url we are setting on Azure side is https://{my-local-server}/idp/profile/SAML2/POST-SimpleSign/SSO (not sure that's the one).

Using the Redirect URI or only the POST URI is standard.

> First think I notice in the Trust relationships list is that the Validatino status says Failed.

It's a bug (a cosmetic one, not fatal), which should be fixed in the latest version.

> the status is Inactive

This is a problem. 'idp-process.log' and 'oxtrust.log' with DEBUG will reveal what's breaking. Mostly related to SP metadata.

> 2020-06-02 16:36:02 : ERROR : cvc-elt.4.2: Cannot resolve 'fed:SecurityTokenServiceType' to a type definition for element 'RoleDescriptor'. 2020-06-02 16:36:02 : ERROR : cvc-elt.4.2: Cannot resolve 'fed:ApplicationServiceType' to a type definition for element 'RoleDescriptor'.

Seems like you need to modify the AzureAD metadata so it can be synced (accepted) by Shibboleth.

> I wonder, is AzureAD a valid SAML source for Gluu?

I don't have an AzureAD test account handy at the moment, so I can't tell; however, I used to 'modify' ADFS or similar products' metadata to make it acceptable to Shibboleth (aka Gluu as well).