By: Andrew Ibarra user 28 Oct 2020 at 12:11 p.m. CDT

5 Responses
**System info**
Fresh install of Gluu 4.2 on Ubuntu 18.04. Running on GCP with 4 vCPUs, 16GB RAM, 100GB disk.

I'm trying to connect OnlyOffice and Gluu. I followed the 4.1 guide here https://gluu.org/docs/gluu-server/4.1/integration/saas/onlyoffice/ though the Shibboleth file from OnlyOffice needed some tweaking; I used https://www.samltool.com/sp_metadata.php to build a working one.

**SP metadata file contents:**

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-10-30T15:43:16Z" cacheDuration="PT604800S" entityID="https://office.inctrg.io/sso/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://office.inctrg.io/sso/acs" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://office.inctrg.io/sso/acs" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

I got that uploaded and under "Trust Relationships" it says success and active. When I try the single sign-on from OnlyOffice I get an error saying

```
OOPS An unexpected error has occurred at null login.errorSessionInvalidMessage
```

**output of oxauth.log**

```
ERROR [qtp790067787-14] [gluu.oxauth.authorize.ws.rs.AuthorizeAction] (AuthorizeAction.java:285) - Failed to get CustomScriptConfiguration. auth_step: 1, acr_values: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
```

**output of oxauth_script.log**

```
2020-10-28 16:45:08,843 INFO [qtp790067787-20] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - RPT Policy. Authorizing ...
2020-10-28 16:45:08,844 INFO [qtp790067787-20] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - UmaRptPolicy. client_id = 1502.752bfbcf-ece9-4fa8-88ff-f770dc51176f
2020-10-28 16:45:08,844 INFO [qtp790067787-20] [org.gluu.service.PythonService$PythonLoggerOutputStream] (PythonService.java:243) - UmaRptPolicy. Authorizing client
```

Also, I verified the setup with these steps found in another post:

> 1) Go to https://sptest.iamshowcase.com/
> 2) Navigate to instruction --> IdP initiated SSO.
> 3) Download the metadata XML.
> 4) Log in to the Gluu server.
> 5) Add a trust relationship with the downloaded metadata.
> 6) Configure the NameID.
> 7) Back to https://sptest.iamshowcase.com/
> 8) Place the content of https://yourgluuserver/idp/shibboleth.
> 9) On completion you will get the link to test SSO.
> 10) Test the SSO flow.
>
> I have just tested this and this works for me. Thanks and Regards, Mohit Mali

That works fine. I'm not sure where else to look for issues, or if this is a problem on the Service Provider (OnlyOffice) side. Thanks for your help, I've been stumped for days.

By Mobarak Hosen Shakil staff 29 Oct 2020 at 10:09 a.m. CDT

Hi Andrew Ibarra! Thanks for reaching out at Gluu.

```
OOPS An unexpected error has occurred at null login.errorSessionInvalidMessage
```

Regarding this type of error: at first, let me look at the **trust relationship** configuration. Can you please share a screenshot of your TR configuration?

Thanks and Regards
~ Mobarak Hosen Shakil

By Andrew Ibarra user 29 Oct 2020 at noon CDT

Hello, I figured out the first part of the problem. It turns out I needed to activate the "basic" custom script under "Person Authentication Scripts" (guess it's not activated by default?).

I'm now running into an issue where the "released attributes" are not actually being released. I verified this over at https://sptest.iamshowcase.com/

Here is the SAML Assertion:

```xml
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://sptest.iamshowcase.com/acs" ID="_db3d7bf751769a0925f45b5b943ca2d3" InResponseTo="a21ae2140d5898cd23f8d3482f00b46a21cc83487" IssueInstant="2020-10-29T16:45:46.919Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://gluu.inctrg.io/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4b953327dddc4fb837b27f3592d35a99" IssueInstant="2020-10-29T16:45:46.919Z" Version="2.0">
    <saml2:Issuer>https://gluu.inctrg.io/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_4b953327dddc4fb837b27f3592d35a99">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>/aAdk8fsNYKUmq5K+A1ZfEZsF7dLKERlQWdfnAIbWtg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>wjRPI4P7H1iXzq7E0+ns25p1q4/hVnrsUUH813faYSNIycMsftR/pr540L/z3TZ1Ax8EnN2NmLqwlSVmEDog0yEPSgfmHMgeJ0YPunKkWTEn6hrL62ej6srhJ+UUmpSrp4yqZhXALBiHH8ugp8YEKAxDjgUaZ9bF/tZ7LYc5QgS7OwEwRiaRDYYS5P6A+7t6LX1+omhXHgkhlWGGuGsdCS4NYQh0wILJvpL3atlb8jSEHilEaJ5JehcFR3QYmgjOKW8b1PKbsOCeR2sZatTowXtA82oB4ypZq7j9zWQh7eL25aZYkrzgqbB3GCAF0VYKahwf9qLiFWg2SQHwoeK5+g==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDezCCAmMCFDxKpD9Bs+g3EGt9v5Efr28ko3iJMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTETMBEGA1UEBwwKQnVybGluZ2FtZTEMMAoGA1UECgwDaW5jMRcwFQYD
VQQDDA5nbHV1LmluY3RyZy5pbzEiMCAGCSqGSIb3DQEJARYTYS5pYmFycmFAaW5jdHJnLm5ldDAe
Fw0yMDEwMjcyMTM1NTVaFw0yMTEwMjcyMTM1NTVaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJD
QTETMBEGA1UEBwwKQnVybGluZ2FtZTEMMAoGA1UECgwDaW5jMRcwFQYDVQQDDA5nbHV1LmluY3Ry
Zy5pbzEiMCAGCSqGSIb3DQEJARYTYS5pYmFycmFAaW5jdHJnLm5ldDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBANticu4hCiWCxt3dQp5Brq5BURBwuqZUq78mQJCRo1jpbNEXMPLn50Rl
F7Z88uNJQpjaNpLdLfKEPq9/Yx3xjog9kcHiQWj1y6SlcGgaoCaD2VBGPEMf18bsUSGlOKZ90l7m
TlHTEilVP5FjTyd3WwtPjPnZug5uGZYBHMH/4KCCo9/cHYHxdMIc97Iq7tDWqIeFvmZliBo8sqbA
vPyJeXH+AOhHmSKQW58y5zK00L29E+jPc+YYXQN99ecxI5yOKWOc1iNyobe9CKgl+ARgVSvAFF5r
CNSsywRL3qaOiAv6B7PCn6BnRyWiQwzR3WEure7ZGVeux5lhXWXMglimDpMCAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAr833ZwKLU+rSeCb+gjI1en/pjCSAhhYWYfSJDeD1i50R8tdJHmxvKOE96MR0
YYKSmX7VziREGnOIcepQomTHa1JiTHcHTmR+XjELrWFnuFsxrK5OYm4hc8NqnvQFCevUMSMOsL9s
ausvHqCEPr122SuBvA/blWrxtZMWFiiU+xaypGPKfQAUkYoIhTbiPBSMZmvqEA2qTVJ2xgGvqkyH
hVFSSP4PqJ1XsMIQFEpwse8vNOzosf4bnBXyxeFXrNvgd8Vz7zjhhMuh1wwNZ5XKB4BhynRyKiZN
Q3DPwnrNEvikMKMU8/szUSPqLGSec1kyJIJeUS8YbNk4aIcDzsKa5A==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://gluu.inctrg.io/idp/shibboleth" SPNameQualifier="IAMShowcase">AAdzZWNyZXQxvPZwLKt3tU2WWC3RyvAGk2XrrzuxHZhA9sK0qSIABgwgv0/pu4x5HpEtesZxzn+xEkr4GgaMK43q54PYTVgfMvie5sqR2/BCigVYl5UZKsg=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="76.14.187.77" InResponseTo="a21ae2140d5898cd23f8d3482f00b46a21cc83487" NotOnOrAfter="2020-10-29T16:50:46.927Z" Recipient="https://sptest.iamshowcase.com/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-10-29T16:45:46.919Z" NotOnOrAfter="2020-10-29T16:50:46.919Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>IAMShowcase</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-10-29T16:45:46.873Z" SessionIndex="_5b9eba24a2288bcf4858a165e1a84d0f">
      <saml2:SubjectLocality Address="76.14.187.77"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```

Here is my Trust Config:

- [https://drive.google.com/file/d/1-iKDrqR8jqLY5e4iZrnj9m2Uxo42cAe7/view?usp=sharing](https://drive.google.com/file/d/1-iKDrqR8jqLY5e4iZrnj9m2Uxo42cAe7/view?usp=sharing)
- [https://drive.google.com/file/d/1889uucCqQYTUKolZZwI1_PQQh0QDcndA/view?usp=sharing](https://drive.google.com/file/d/1889uucCqQYTUKolZZwI1_PQQh0QDcndA/view?usp=sharing)
- [https://drive.google.com/file/d/1Y6g3NgndjkthjWxG2aO3Usz78LHigkhS/view?usp=sharing](https://drive.google.com/file/d/1Y6g3NgndjkthjWxG2aO3Usz78LHigkhS/view?usp=sharing)
- [https://drive.google.com/file/d/1OwhrciLfD8g76lExZGRx1y7xPP7wpIgj/view?usp=sharing](https://drive.google.com/file/d/1OwhrciLfD8g76lExZGRx1y7xPP7wpIgj/view?usp=sharing)

By Mobarak Hosen Shakil staff 29 Oct 2020 at 12:33 p.m. CDT

Hi,

Please try to update the `TR` configuration as specified below:

```
signResponses: conditional
signAssertions: never
signRequests: conditional
encryptAssertions: conditional
encryptNameIds: never
```

Update those at the **SAML2SSO** profile configuration. From the available NameID formats add `transient` or `unspecified`. At the attribute release, choose `TransientID, Email, username`, and others that you want to add. Update, and restart the Gluu server. Follow this link: https://www.gluu.org/docs/gluu-server/4.1/integration/saas/onlyoffice/

Let me know the updated result.

Regards
~ Shakil

By Andrew Ibarra user 29 Oct 2020 at 5:27 p.m. CDT

Hello,

Restarting seemed to help. I had those settings there before. And now it works.

Also, the returned attribute names don't match what's in the guide. I had to use `urn:oid:0.9.2342.19200300.100.1.3` instead of "mail" (the friendly name).

I'd be willing to create an updated guide for Gluu 4.2. Do you guys take pull requests for the docs?

Thanks!
-Andrew
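Added example, not code from this thread, Gluu or Shibboleth: a small inspector for a SAML Response of the shape posted earlier in the thread. It reports whether the assertion carries a signature, which audience it is restricted to, and which attributes were actually released, resolving `urn:oid` attribute names to their friendly names as in the `mail` case above. The two sample responses are constructed; the first mirrors the posted assertion (signed, audience set, no AttributeStatement at all), the second releases `mail` under its OID.

```python
# Added example for this thread; not Gluu or Shibboleth code.
# Inspect a SAML 2.0 Response: is the assertion signed, which audience is
# it for, and which attributes did the IdP actually release?
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Shibboleth releases attributes under urn:oid names; the SP must match on
# the Name attribute, not the friendly name. Standard LDAP OIDs for mail/uid.
OID_FRIENDLY = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
}

def inspect_response(xml_text):
    """Return signed flag, audience and {Name: (friendly, [values])}."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:  # no assertion means nothing can be released
        return {"signed": False, "audience": None, "attributes": {}}
    signed = assertion.find("ds:Signature", NS) is not None
    aud = assertion.find("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    attrs = {}
    # An empty dict here is exactly the "attributes not released" symptom.
    for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        name = a.get("Name")
        friendly = a.get("FriendlyName") or OID_FRIENDLY.get(name)
        values = [v.text for v in a.findall("saml2:AttributeValue", NS)]
        attrs[name] = (friendly, values)
    return {"signed": signed, "audience": aud.text if aud is not None else None,
            "attributes": attrs}

# Constructed samples: NO_ATTRS mirrors the posted assertion (signed, audience
# set, no AttributeStatement); WITH_MAIL releases mail by its OID name.
_HEAD = ('<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" xmlns:ds="%s">'
         '<saml2:Assertion><ds:Signature/>'
         '<saml2:Conditions><saml2:AudienceRestriction>'
         '<saml2:Audience>IAMShowcase</saml2:Audience>'
         '</saml2:AudienceRestriction></saml2:Conditions>'
         % (NS["saml2p"], NS["saml2"], NS["ds"]))
_TAIL = '</saml2:Assertion></saml2p:Response>'
NO_ATTRS = _HEAD + _TAIL
WITH_MAIL = _HEAD + ('<saml2:AttributeStatement>'
    '<saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">'
    '<saml2:AttributeValue>andrew@example.invalid</saml2:AttributeValue>'
    '</saml2:Attribute></saml2:AttributeStatement>') + _TAIL
```

Run `inspect_response` on the decoded Response captured at the SP: an empty `attributes` dict with `signed` true points at the IdP's attribute release filter rather than at signing or audience settings.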

By Mobarak Hosen Shakil staff 30 Oct 2020 at 8:45 a.m. CDT

Hello, Andrew! Finally it's working, that's great.

> We really appreciate any kind of contribution from you.

I'm closing this ticket. Reopen the ticket if required.

Thanks.
~ Shakil