By: Wasi Haider user 14 Sep 2020 at 7:48 a.m. CDT

0 Responses
For setting up Google Apps SSO with Gluu I have followed these steps:

1. Created an app in the G-suite admin console: Apps > SAML apps
   * provided ACS URL: https://www.google.com/a/my-domain.com/
   * provided Entity ID: https://www.google.com/a/my-domain.comkName
   * Name ID format: Email
   * Name ID: Basic Information > Primary email
2. Set up SSO with a third-party identity provider in G-suite > Admin console > Security > Set up single sign-on (SSO) with a third party IdP, and provided the following attributes:
   * Sign in URL: https://{gluu server name}/idp/profile/SAML2/Redirect/SSO
   * Sign-out page URL: https://{gluu server name}/idp/profile/SAML2/Redirect/SLO
   * uploaded the certificate (idp-signing.crt) which I have downloaded from Gluu > Configuration > Certificates
   * checked "Use a domain specific issuer"
3. Created a trust relationship on Gluu for Google Apps:
   * Display Name: G-suite
   * Description: Google SSO
   * Entity Type: Single SP
   * Metadata Location: File
   * SP Metadata File: google_metadata.xml
   * Configure Relying Party: yes
     * signResponses: never
     * signAssertions: never
     * signRequests: never
     * encryptAssertions: never
   * Support Unspecified NameIdFormat? yes
   * Selected NameId Formats (in order of preference):
     * SAML:1.1:nameid-format:emailAddress
     * SAML:2.0:nameid-format:transient
   * Released attribute: Email

   The google_metadata.xml file looks like:

   ```
   <EntityDescriptor entityID="google.com/a/domain.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
     <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
       <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/domain.com/acs">
       </AssertionConsumerService>
     </SPSSODescriptor>
   </EntityDescriptor>
   ```

4. Uncommented the following sections in the oxshibboleth docker, /opt/shibboleth-idp/conf/saml-nameid.xml:

   ```
   <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
         p:omitQualifiers="true"
         p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         p:attributeSourceIds="#{ {'mail'} }" />
   <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
         p:omitQualifiers="true"
         p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         p:attributeSourceIds="#{ {'mail'} }" />
   ```

5. Created a user with my verified domain on G-suite and Gluu.

After setting these things up I go to accounts.google.com to sign in with the created user, and traced the SAML request and response with the SAML tracer extension. The following is the request sent when I sign in on Google; it redirected me to my Gluu host server for authentication.

```
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="aiafneiclaibmnkpcefbaebgfocbjoibcciahddd"
                    Version="2.0"
                    IssueInstant="2020-09-14T12:37:51Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    ProviderName="google.com"
                    IsPassive="false"
                    AssertionConsumerServiceURL="https://www.google.com/a/cytex.io/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/cytex.io</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
```

Then I authenticated the user on Gluu which I have created. After that, when it redirects back to Google, it says:

**G suite - Invalid Email**
Invalid Email
We are unable to process your request at this time, please try again later.

The following is the SAML response:

```
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://www.google.com/a/cytex.io/acs"
                 ID="_b5bec8bc0bad9bfb71805cfc98350a00"
                 InResponseTo="aiafneiclaibmnkpcefbaebgfocbjoibcciahddd"
                 IssueInstant="2020-09-14T12:40:26.815Z"
                 Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://one.cytex.io/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_b5bec8bc0bad9bfb71805cfc98350a00">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>zAcIWIUt4k6Zyk7ugSuapOO/WZdGfLFoboPQwGmwXvU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_427cb8d42f6a15c49923fb453f588c2b"
                   IssueInstant="2020-09-14T12:40:26.815Z"
                   Version="2.0">
    <saml2:Issuer>https://one.cytex.io/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://one.cytex.io/idp/shibboleth"
                    SPNameQualifier="google.com/a/cytex.io"
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQxS+pmCh8eicGYWQirtAC2brtiMkfWWcVa8ZScEXrvLwBNXTQf3O1cMkY57SOsMbmUz2zrgxawoHJ/Sbj1N42DF4oK8p2fik8OgU/0WgxYdapWp9ctSSUCG02enzSAig==</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="203.128.27.61"
                                       InResponseTo="aiafneiclaibmnkpcefbaebgfocbjoibcciahddd"
                                       NotOnOrAfter="2020-09-14T12:45:26.839Z"
                                       Recipient="https://www.google.com/a/cytex.io/acs" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-09-14T12:40:26.815Z" NotOnOrAfter="2020-09-14T12:45:26.815Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>google.com/a/cytex.io</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-09-14T12:40:26.743Z" SessionIndex="_3441caffbac19cb5ca7cd15c0a8bca5d">
      <saml2:SubjectLocality Address="203.128.27.61" />
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```

I have followed this Gluu document: https://www.gluu.org/docs/gluu-server/4.2/integration/saas/google/

I don't know why it is giving invalid email. Please help!
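As an added diagnostic (not part of the post above and not Gluu's or Google's code): a small Python check that parses the SP metadata file and the SAML response from a tracer and reports where the response deviates from what the metadata declares, in particular the NameID format. Both documents are constructed samples using example.com as a placeholder domain; they reproduce the situation visible in the traced response, a transient NameID where the SP metadata lists only emailAddress.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata in the shape of google_metadata.xml (placeholder domain).
SP_METADATA = """<EntityDescriptor entityID="google.com/a/example.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.google.com/a/example.com/acs"/>
  </SPSSODescriptor></EntityDescriptor>"""

# Constructed IdP response, trimmed to the elements the check reads; signature omitted.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://www.google.com/a/example.com/acs">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">AAdzZWNyZXQxOPAQUE</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.com/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>google.com/a/example.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def check_response(metadata_xml, response_xml):
    """List the ways a response deviates from what the SP metadata declares."""
    md, resp = ET.fromstring(metadata_xml), ET.fromstring(response_xml)
    wanted = {e.text.strip() for e in md.findall(".//md:NameIDFormat", NS)}
    acs = {e.get("Location") for e in md.findall(".//md:AssertionConsumerService", NS)}
    problems = []
    name_id = resp.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    else:
        fmt = name_id.get("Format", UNSPEC)  # a missing Format attribute means unspecified
        if wanted and fmt not in wanted:
            problems.append(f"NameID format {fmt} not among SP formats {sorted(wanted)}")
        if fmt.endswith("emailAddress") and "@" not in (name_id.text or ""):
            problems.append("emailAddress NameID does not contain an address")
    scd = resp.find(".//saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in acs:
        problems.append(f"Recipient {scd.get('Recipient')} is not a metadata ACS URL")
    audiences = {e.text.strip() for e in resp.findall(".//saml:Audience", NS)}
    if md.get("entityID") not in audiences:
        problems.append(f"SP entityID {md.get('entityID')} missing from Audience")
    return problems
```

Feed it the real google_metadata.xml and the decoded response from the tracer; an empty list means the NameID format, Recipient and Audience all line up with the metadata, and anything else is the first thing to compare against the trust relationship's NameId settings.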