By: Faizan Zahid user 14 Sep 2020 at 2:57 a.m. CDT

2 Responses
Faizan Zahid gravatar
* I followed documentation of gluu 4.2 from for dropbox integration. * I created custom attribute for dropbox by following steps from . * Custom attribute 'emailnid' created in following file /opt/opendj/config/schema/77-customAttributes.ldif in ldap docker. My file looks like this: ``` dn: cn=schema objectClass: top objectClass: ldapSubentry objectClass: subschema cn: schema attributeTypes: ( NAME 'emailnid' DESC 'Custom Attribute for Dropbox' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX X-ORIGIN 'Gluu custom attribute' ) objectClasses: ( NAME 'gluuCustomPerson' SUP ( top ) AUXILIARY MAY ( emailnid $ telephoneNumber $ mobile $ carLicense $ facsimileTelephoneNumber $ departmentNumber $ employeeType $ cn $ st $ manager $ street $ postOfficeBox $ employeeNumber $ preferredDeliveryMethod $ roomNumber $ secretary $ homePostalAddress $ l $ postalCode $ description $ title ) X-ORIGIN 'Gluu - Custom persom objectclass' ) ``` * Added this attribute to oxtrust with following attributes in gluu server name: emailnid SAML 1 URL: urn:gluu:dir:attribute-def:emailnid SAML 2 URL: urn:old:emailnid Display Name: emailnid Type: text Edit Type: admin View Type: admin, user Usage Type: Not specified Description: Custom nameID, base: mail / EmailAddress Status: Active * Created Trust relationship in gluu server with following attributes Display Name: Dropbox Description: External SP / File method Metadata Type: File SP Metadata File: 'dropbox_metadata.xml' Configure Specific RelyiningParty: Yes signResponses: conditional signAssertions: never signRequests: conditional encryptAssertions: never encryptNameIds: never Released attribute emailnid for this trust relationship dropbox_metadata.xml file: ``` <EntityDescriptor entityID="Dropbox" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" /> </SPSSODescriptor> </EntityDescriptor> ``` * In Dropbox admin console in SSO Authentication i provided : Sign In URL : https://<hostname_of_Gluu_server>/idp/profile/SAML2/Redirect/SSO and uploaded certs: Uploaded certs found in oxtrust docker. oxtrust:/etc/certs/shibIDP.crt * Also created a user in dropbox and gluu server * When i try to signin with dropbox user, it shows Single sign-on enabled behaviour, which seems fine and on signin it redirects to Gluu authentication. * Saml Request: ``` <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" IssueInstant="2020-09-14T07:12:19Z" ID="id-f2101d4c882b496a866447ede9cf71be" AssertionConsumerServiceURL="" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Dropbox</saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> </samlp:AuthnRequest> ``` * When i authenticate user on gluu, it redirects to dropbox and shows error : **You aren't a member of this team. Please reach out to your admin for help.** And getting following Saml response: ``` <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="" ID="_ff66ce7a24ec54a1c3ae3e36662eb75c" InResponseTo="id-f2101d4c882b496a866447ede9cf71be" IssueInstant="2020-09-14T07:14:09.657Z" Version="2.0" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></saml2:Issuer> <ds:Signature xmlns:ds=""> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="" /> <ds:SignatureMethod Algorithm="" /> <ds:Reference URI="#_ff66ce7a24ec54a1c3ae3e36662eb75c"> <ds:Transforms> <ds:Transform Algorithm="" /> <ds:Transform Algorithm="" /> </ds:Transforms> <ds:DigestMethod Algorithm="" /> <ds:DigestValue>TBk7Od2HrvZIXUmgX8NR9Vkvowyl6l5wTNHbeVym1nc=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>...</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>...</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /> </saml2p:StatusCode> <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage> </saml2p:Status> </saml2p:Response> ``` This seems to be the issue ``` <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" /> </saml2p:StatusCode> <saml2p:StatusMessage>An error occurred.</saml2p:StatusMessage> </saml2p:Status> ``` If anyone have any idea about this issue please help me.

By Wasi Haider user 14 Sep 2020 at 6:53 a.m. CDT

Wasi Haider gravatar
I am having the same issue. please someone answer!

By Mohib Zico staff 19 Sep 2020 at 12:38 a.m. CDT

Mohib Zico gravatar
Hi, Issue related with NameID. Two things you can check: - You created custom attribute but didn't 'make' it "nameID". [Here]( is the doc. - In your Dropbox metadata, metadata type is: `<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</NameIDFormat>`. So you have to prepare NameID in that way.