By: Benjamin Fries user 11 Sep 2020 at 1:43 a.m. CDT

12 Responses
Hello Gluu Team!

I am trying to use the SSO features with Leapsome; only SAML is supported. I have made a post-installation of the Shibboleth plugin.

### AT LEAPSOME ###

The fields at Leapsome:

- Metadata URL (read only)
- Entity ID (read only)
- Login URL (point your users here to start login)
- Reply URL (receives response from your identity provider)
- SSO Login URL (supplied by identity provider) <-- What should I put here?
- Certificate (supplied by identity provider) <-- What certificate is it?

I have read that I can find the certificate here: https://--urltogluu--/idp/shibboleth

But which one should I use? urn:oasis:names:tc:SAML:2.0:protocol? The one for Signing or Encryption?

### AT GLUU ###

- SAML:
  - Trust Relationships: I created a new relationship:
    - Entity Type: Single SP
    - Metadata Location: URI
    - Metadata URL: The Metadata URL from the Metadata URL field of Leapsome.
    - SP Logout: -empty-
    - Configure Relying Party: Added all profiles, default options. SAVED
    - Attributes: Display Name, Email, First Name, Last Name, Organization, Picture URL, User Permission, Username
  - In Custom NameId:
    - Enabled: Yes
    - Id Source: Email
    - Id Type: SAML 1.1 nameid

### TESTS ###

In Leapsome I used https://--urltogluu--/idp/profile/SAML2/POST/SSO

I get a Bad request when trying to use SSO. Could you please tell me what to set where?

Thank you in advance.
Ben

By Mohib Zico staff 11 Sep 2020 at 2:34 a.m. CDT

Hello Benjamin,

>> SSO Login URL (supplied by identity provider) <-- What should I put here?

That would be the `SingleSignOnService Binding` from your IDP's metadata. Start with the HTTP-Redirect one.

>> Certificate (supplied by identity provider) <--- What certificate is it?

Signing cert. You can either get it from the metadata as you stated or from the file system. Inside the chroot Gluu Server container --> `/etc/certs/idp-signing.crt`

>> Attributes: Display Name, Email, First Name, Last Name, Organization, Picture URL, User Permission, - Username

That depends on the SP, whichever attributes they require. I would start with simpler ones like Username, Email, First Name and Last Name.

>> In Leapsome I used
>>> https://--urltogluu--/idp/profile/SAML2/POST/SSO

If it's SP initiated SSO, you should start from the SP SSO link, not the IDP. Something like [this](https://www.youtube.com/watch?v=IHUdZmw7oug&ab_channel=MohibZico)
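Both values Mohib points at (the HTTP-Redirect `SingleSignOnService` Location for the "SSO Login URL" field, and the signing rather than the encryption certificate) can be read straight out of the IdP metadata served at `/idp/shibboleth`. The Python below is an added example, not code from the thread or from Gluu; it also lists endpoints whose hostname no longer matches an expected one, which is the stale-hostname symptom that surfaces later in this thread. The metadata document, the hostname `idp.example.org` and the certificate bodies are constructed placeholders.

```python
# Added example (not from the thread): extract the SP-form values from
# Shibboleth IdP metadata and flag endpoints that carry an unexpected hostname.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like /idp/shibboleth output; the hostname and the
# certificate bodies are placeholders, not a real Gluu deployment.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIICplaceholderSigningCertBody</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIICplaceholderEncryptionCertBody</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def sso_location(metadata, binding=REDIRECT):
    """Location of the SingleSignOnService for the given binding (the 'SSO Login URL')."""
    root = ET.fromstring(metadata)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None

def signing_cert_pem(metadata):
    """The signing certificate as PEM. A KeyDescriptor without 'use' serves both roles."""
    root = ET.fromstring(metadata)
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            b64 = "".join(kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).split())
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return None

def foreign_hosts(metadata, expected_host):
    """Endpoint Locations whose hostname differs from expected_host (stale after a rename)."""
    root = ET.fromstring(metadata)
    return [svc.get("Location") for svc in root.iter(f"{{{NS['md']}}}SingleSignOnService")
            if urlparse(svc.get("Location", "")).hostname != expected_host]
```

Point the functions at the real `/idp/shibboleth` document and compare `foreign_hosts` against the hostname your SP and TLS certificates expect; any non-empty result means the metadata still names the old server.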

By Benjamin Fries user 11 Sep 2020 at 4:43 a.m. CDT

Hello Mohib, thanks for the help.

The content of the Metadata URL at Leapsome is:

```
<EntityDescriptor entityID="https://www.leapsome.com" ID="https___www_leapsome_com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.leapsome.com/api/users/auth/saml/xxxxxxxxxxxxxx/assert"/>
  </SPSSODescriptor>
</EntityDescriptor>
```

- In Leapsome, I applied the certificate.
- In Gluu, I have Validation Status: Success, and Active.
- I don't understand the video...

By Benjamin Fries user 11 Sep 2020 at 7:36 a.m. CDT

Is it normal that I have only 3 entries in the SAML menu?

- Trust Relationships
- Add Trust Relationships
- Configure Custom NameId

While googling I found other people using SAML with Gluu and they seem to have more options.

By Benjamin Fries user 11 Sep 2020 at 8:16 a.m. CDT

I have set the SSO Login URL at Leapsome to:

```
https://xxx.xxx.xxx/idp/profile/SAML2/Redirect/SSO
```

The URL changes to:

```
https://xxx.xxx.xxx/idp/Authn/oxAuth?conversation=e10s1
```

But the screen stays blank. Is this any progress? I have tried all URLs... I get bad requests. I don't know what to do anymore.

By Benjamin Fries user 11 Sep 2020 at 8:31 a.m. CDT

I have watched your video again, I got the point now. Yes, I always start the "login" process from the SP. In your video I see that you also go through the ?conversation step. I'm stuck here.

By Mohib Zico staff 11 Sep 2020 at 8:45 a.m. CDT

A good way to troubleshoot SAML or any other issue in Gluu server is the log. First you need to find out in which state you are getting the error... (check the browser URL for a hint). For example, you are getting the error from the `idp` side... which is Shibboleth. The next action item is to find out what the 'idp' logs are saying about your failure. You will find the log locations in our doc. If you don't get anything interesting in the idp logs, make it DEBUG. How to make the Shibboleth log DEBUG is also available in our doc and obviously from Google searching.

By Benjamin Fries user 14 Sep 2020 at 2:14 a.m. CDT

Good morning,

Let me check; I'll come back to you in a few.

Regards

By Benjamin Fries user 14 Sep 2020 at 5:43 a.m. CDT

Hello Mohib,

I think I have found the problem, maybe it's not related... Some time ago, we had to rename the server. It has been working since then for OpenID and OAuth2. We changed the hostname wherever we found it... but I think we have missed some places.

In the log, I can see a certificate error... maybe it's related to that... it says that Gluu was trying to use the cert but it does not match the domain name.

I need to know the following:

- Where I should look to find old host entries.
- How to regenerate all of the internal certificates.

EDIT: I just went to Configuration --> Internal Gluu Certificates. I expanded the certs and all of the internal certs (OpenDJ SSL, HTTPD SSL, IDP SIGNING and IDP ENCRYPTION) have the old hostname. We don't get an error when visiting the Gluu website, because we edited Apache to use our own certificate. I still need to know how to regenerate all of the internal certificates; I have seen the page with the cert-tool, but it's not helping. If you could tell me the commands, I'd be really grateful.

Thanks in advance,
Regards,
Ben

By Benjamin Fries user 15 Sep 2020 at 9:41 a.m. CDT

Hi,

- I made a VM, installed Gluu, to create certificates with the correct domain name.
- I copied them to the old server.
- Now there are no certificates listed.

So... this did not work and probably made things worse. Any ideas?

By Mohib Zico staff 15 Sep 2020 at 10:06 a.m. CDT

Hello Benjamin,

>> Some time ago, we had to rename the server. It has been working since then for OpenID and OAuth2. We changed the hostname wherever we found it... but I think we have missed some places.

We suggest not to change the hostname for any 'already-running-system'. Yes, there are some custom scripts for customers but unfortunately I can't share them here as they are highly modified for the customer's environment. So, the best option would be to install a new server with a different hostname.

>> I still need to know how to regenerate all of the internal certificates, I have seen the page with the cert-tool. But it's not helping, if you could tell me the commands. I'd be really grateful.

You might wanna read the 'setup.py' script which you used during installation. It has all commands included already.

By Benjamin Fries user 16 Sep 2020 at 4:55 a.m. CDT

Hello Mohib,

I've created a new instance, installed Gluu 4.2. I could connect via LDAP to Gluu 4.1.1 and just export the user tree, then import them on the new server Gluu 4.2. Or is there a better method?

Regards,
Ben

By Mohib Zico staff 16 Sep 2020 at 8 a.m. CDT

>> I could connect via LDAP to Gluu 4.1.1 and just export the user tree, then import them on the new server Gluu 4.2.

You can use [Cache Refresh](https://www.gluu.org/docs/gluu-server/4.2/user-management/ldap-sync/) to pull users' information from 4.1 to 4.2. I do that all the time if I need to migrate a userbase from an older system to a newer one.

Thanks!