By: Faizan Zahid user 14 Sep 2020 at 2:57 a.m. CDT

2 Responses
* I followed the Gluu 4.2 documentation at https://www.gluu.org/docs/gluu-server/4.2/integration/saas/dropbox/ for the Dropbox integration.
* I created a custom attribute for Dropbox by following the steps at https://www.gluu.org/docs/gluu-server/4.2/admin-guide/attribute/#custom-attributes .
* The custom attribute 'emailnid' was created in the file /opt/opendj/config/schema/77-customAttributes.ldif in the ldap docker. My file looks like this:

```
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.48710.1.3.1400 NAME 'emailnid' DESC 'Custom Attribute for Dropbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Gluu custom attribute' )
objectClasses: ( 1.3.6.1.4.1.48710.1.4.101 NAME 'gluuCustomPerson' SUP ( top ) AUXILIARY MAY ( emailnid $ telephoneNumber $ mobile $ carLicense $ facsimileTelephoneNumber $ departmentNumber $ employeeType $ cn $ st $ manager $ street $ postOfficeBox $ employeeNumber $ preferredDeliveryMethod $ roomNumber $ secretary $ homePostalAddress $ l $ postalCode $ description $ title ) X-ORIGIN 'Gluu - Custom persom objectclass' )
```

* Added this attribute in oxTrust with the following settings in the Gluu server:
  - Name: emailnid
  - SAML 1 URL: urn:gluu:dir:attribute-def:emailnid
  - SAML 2 URL: urn:old:emailnid
  - Display Name: emailnid
  - Type: text
  - Edit Type: admin
  - View Type: admin, user
  - Usage Type: Not specified
  - Description: Custom nameID, base: mail / EmailAddress
  - Status: Active
* Created a trust relationship in the Gluu server with the following settings:
  - Display Name: Dropbox
  - Description: External SP / File method
  - Metadata Type: File
  - SP Metadata File: 'dropbox_metadata.xml'
  - Configure Specific RelyingParty: Yes
  - signResponses: conditional
  - signAssertions: never
  - signRequests: conditional
  - encryptAssertions: never
  - encryptNameIds: never
  - Released the attribute emailnid for this trust relationship.

  dropbox_metadata.xml file:

```
<EntityDescriptor entityID="Dropbox"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.dropbox.com/saml_login" />
  </SPSSODescriptor>
</EntityDescriptor>
```

* In the Dropbox admin console, under SSO Authentication, I provided:
  - Sign In URL: https://<hostname_of_Gluu_server>/idp/profile/SAML2/Redirect/SSO
  - Uploaded the cert found in the oxtrust docker: oxtrust:/etc/certs/shibIDP.crt
* Also created a user in Dropbox and in the Gluu server.
* When I try to sign in with the Dropbox user, it shows the single-sign-on-enabled behaviour, which seems fine, and on sign-in it redirects to Gluu authentication.
* SAML request:

```
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0"
    IssueInstant="2020-09-14T07:12:19Z"
    ID="id-f2101d4c882b496a866447ede9cf71be"
    AssertionConsumerServiceURL="https://www.dropbox.com/saml_login">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Dropbox</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</samlp:AuthnRequest>
```

* When I authenticate the user on Gluu, it redirects to Dropbox and shows the error: **You aren't a member of this team. Please reach out to your admin for help.** And I get the following SAML response:

```
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://www.dropbox.com/saml_login"
    ID="_ff66ce7a24ec54a1c3ae3e36662eb75c"
    InResponseTo="id-f2101d4c882b496a866447ede9cf71be"
    IssueInstant="2020-09-14T07:14:09.657Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://one.cytex.io/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_ff66ce7a24ec54a1c3ae3e36662eb75c">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>TBk7Od2HrvZIXUmgX8NR9Vkvowyl6l5wTNHbeVym1nc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </saml2p:StatusCode>
    <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>
```

This seems to be the issue:

```
<saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
  </saml2p:StatusCode>
  <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage>
</saml2p:Status>
```

If anyone has any idea about this issue, please help me.

By Wasi Haider user 14 Sep 2020 at 6:53 a.m. CDT

I am having the same issue. Please, someone answer!

By Mohib Zico staff 19 Sep 2020 at 12:38 a.m. CDT

Hi, the issue is related to the NameID. Two things you can check:

- You created a custom attribute but didn't 'make' it the "nameID". [Here](https://www.gluu.org/docs/gluu-server/4.2/admin-guide/saml/#manual-configuration) is the doc.
- In your Dropbox metadata, the NameID format is: `<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>`. So you have to prepare the NameID in that way.