By: Kwadwo Obeng user 09 Dec 2020 at 5:09 a.m. CST

24 Responses
I have been trying out SSO integration with ownCloud, under Integration guide -- Server side Web Apps -- Shibboleth SAML SP in your documentation. Is the Apache Shibboleth SP configuration supposed to be done on the ownCloud server or on the Gluu server?

By Mobarak Hosen Shakil staff 09 Dec 2020 at 7:50 a.m. CST

Hi Kwadwo Obeng! Thanks for reaching out to Gluu. Can you please share the document link here? Did you install `Gluu Server 4.0` on `Ubuntu 20`? Thanks & Regards ~ Shakil

By Kwadwo Obeng user 09 Dec 2020 at 8:01 a.m. CST

Yes, Ubuntu 20.04 LTS.

By Mobarak Hosen Shakil staff 09 Dec 2020 at 8:54 a.m. CST

Well, you have to configure the `apache shibboleth SP` on your ownCloud server side. Then download the SP metadata and create a `Trust Relationship` on your Gluu Server. Thanks ~ Shakil

By Mobarak Hosen Shakil staff 10 Dec 2020 at 3:04 a.m. CST

Please install the updated Gluu Server version `4.2`. Gluu Server `4.0` is not supported on `ubuntu 20.04`.

- https://support.gluu.org/single-sign-on/9199/sso-documentation/#at66396
- Follow this link: https://gluu.org/docs/gluu-server/4.2/

Thanks & Regards ~ Shakil

By Kwadwo Obeng user 10 Dec 2020 at 3:54 a.m. CST

Thank you, I did exactly as you said. But when I enter my ownCloud URL I am redirected to this page: https://samltest.quantumgroupgh.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest...... and I get a 400 error. This is what I gathered from my SAML tracer:

```
GET https://samltest.quantumgroupgh.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLNbsIwEIRfJfIdnJigUosgpXAoEi2IpD30UjnOQiwldvDa%2FXn7JkBVKlWoZ89%2BszPrKYqmbnnqXaW3cPCALvhoao38%2BJAQbzU3AhVyLRpA7iTP0ocVZ8OQt9Y4I01NghQRrFNGz41G34DNwL4pCU%2FbVUIq51rklLoObt61HB680M43e2t8u6%2BG0jQ0q1RRmBpcNUQ0tLdgdLPOchIsujGlRU%2F%2FYfXb9by%2FWKpsabfaTtVwBm2hVBako1m2JsFykZBXyca7iYAo3O3imMlROSkjKZmI47hg4%2FFNJ0P0sNToOoOEsJCFg4gNojAPbzkb8XD8QoLNuYE7pUul99frKk4i5Pd5vhmcwj2DxWOwTkBm0z4WPxrbizNcx4rv7snsP00jSG9hSi%2BsTr4tf%2BzYy8XG1Ep%2BBmldm%2Fe5BeEgIRGhs9PI778y%2BwI%3D&RelayState=ss%3Amem%3A429855102d88b00884b9e719899ce9b6668c03af27e8acc482b1640472c49726 HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: org.gluu.i18n.Locale=en; session_state=24e8f7acec7aeed776f12a9abc0a3c5f904fd9fcfadd1db1ef908d8a25792677.c203f361-feb6-4b49-b218-8450a5c4d4c4; opbs=efdc9772-2644-4d3d-b517-a943702d0ee1; current_sessions=["32c3a1f0-d365-43b2-b476-aefe90b80284"]; session_id=32c3a1f0-d365-43b2-b476-aefe90b80284

HTTP/1.1 400 Bad Request
Date: Thu, 10 Dec 2020 09:37:53 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
```

By Kwadwo Obeng user 10 Dec 2020 at 3:56 a.m. CST

Then this:

```
POST https://<my_gluu_server>/identity/trustmanager/trustRelationships.htm?cid=1 HTTP/1.1
Faces-Request: partial/ajax
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: https://<my_gluu_server>
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<my_gluu_server>/identity/trustmanager/trustRelationships.htm
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=node0sjtn06j4oyjo17f13xp2mnu4f0.node0; org.gluu.i18n.Locale=en; session_state=24e8f7acec7aeed776f12a9abc0a3c5f904fd9fcfadd1db1ef908d8a25792677.c203f361-feb6-4b49-b218-8450a5c4d4c4; opbs=efdc9772-2644-4d3d-b517-a943702d0ee1; current_sessions=["32c3a1f0-d365-43b2-b476-aefe90b80284"]; session_id=32c3a1f0-d365-43b2-b476-aefe90b80284

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2020 09:37:56 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/xml;charset=utf-8
Cache-Control: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
```

And lastly:

```
GET https://<my_gluu_server>/identity/javax.faces.resource/jq/ui/i18n/dt/datatable-en.json.htm?ln=bsf HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<my_gluu_server>/identity/trustmanager/trustRelationships.htm
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=node0sjtn06j4oyjo17f13xp2mnu4f0.node0; org.gluu.i18n.Locale=en; session_state=24e8f7acec7aeed776f12a9abc0a3c5f904fd9fcfadd1db1ef908d8a25792677.c203f361-feb6-4b49-b218-8450a5c4d4c4; opbs=efdc9772-2644-4d3d-b517-a943702d0ee1; current_sessions=["32c3a1f0-d365-43b2-b476-aefe90b80284"]; session_id=32c3a1f0-d365-43b2-b476-aefe90b80284

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2020 09:37:57 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: application/json
Expires: Thu, 17 Dec 2020 09:37:57 GMT
Last-Modified: Mon, 17 Aug 2020 11:59:14 GMT
Content-Length: 724
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
```

By Mobarak Hosen Shakil staff 10 Dec 2020 at 4:14 a.m. CST

Did you create a trust relationship on the Gluu Server? Please share your `TR` configuration.

By Kwadwo Obeng user 10 Dec 2020 at 8:31 a.m. CST

Yes, I did the trust relationship configuration. I'm having trouble uploading the pictures. Is this how the link should look? "![] (http: //file: ///C:/ Users/ User/Desktop/gluugluu.PNG)"

By Kwadwo Obeng user 10 Dec 2020 at 8:50 a.m. CST

"Craft a URL like this: https://idp.gluu.host.loc/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fsphost-shib.site%3a8443%2Fshibboleth" I just saw this in the documentation. I don't get what it means. Should I enter that URL in my browser or do that on Apache? I don't understand.

By Mobarak Hosen Shakil staff 10 Dec 2020 at 9:03 a.m. CST

Please upload your screenshot on a third-party website like imgur.com and share the link with me. I think you messed up with the `TR` configuration. Please follow this link: https://gluu.org/docs/gluu-server/4.2/admin-guide/saml/ and you will get an idea of how to set up a `TR`. Thanks ~ Shakil

By Kwadwo Obeng user 10 Dec 2020 at 9:42 a.m. CST

[Imgur](https://i.imgur.com/aPZ5qMW.png) [Imgur](https://i.imgur.com/n0RVFTZ.png) [Imgur](https://i.imgur.com/Rgrh2K3.png) [Imgur](https://i.imgur.com/3LD0yGk.png)

By Kwadwo Obeng user 10 Dec 2020 at 9:53 a.m. CST

Please, the links are in the previous comments. Thank you very much for responding, Mr. Shakil.

By Mobarak Hosen Shakil staff 10 Dec 2020 at 10:29 a.m. CST

Please add `SAML:2.0:nameid-format:transient` under `Relying party Configuration > SAML2SSO` and release `TransientId` from gluuPerson.

By Kwadwo Obeng user 10 Dec 2020 at 11:11 a.m. CST

I did, but the problem is still not resolved. I found this in my logs:

```
2020-12-10 17:08:00,629 - 10.50.100.106 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:167] - Message Handler: No metadata returned for https://<my_own_cloud>/secure in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2020-12-10 17:08:00,633 - 10.50.100.106 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:118] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://<my_own_cloud>/secure)
2020-12-10 17:08:00,639 - 10.50.100.106 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
2020-12-10 17:08:01,164 - 10.50.100.106 - INFO [org.opensaml.saml.common.binding.impl.SAMLMetadataLookupHandler:167] - Message Handler: No metadata returned for https://<my_own_cloud>/secure in role {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol
2020-12-10 17:08:01,167 - 10.50.100.106 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:118] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID https://<my_own_cloud>/secure)
2020-12-10 17:08:01,170 - 10.50.100.106 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration
```

By Mobarak Hosen Shakil staff 10 Dec 2020 at 12:09 p.m. CST

It seems there is a problem on your `SP`. Here: https://gluu.org/docs/gluu-server/4.2/integration/sswebapps/saml-sp/#shibboleth-sp-configuration you have to add the MetadataProvider, Entity ID and certificate key. Please visit this URL: `https://[your gluu server domain]/idp/shibboleth`. You should get the metadata of your Gluu server.

By Kwadwo Obeng user 14 Dec 2020 at 4:21 a.m. CST

Is the SP configuration at "https://gluu.org/docs/gluu-server/4.2/integration/sswebapps/saml-sp/#shibboleth-sp-configuration" done on the ownCloud server or on my Gluu server?

By Mobarak Hosen Shakil staff 14 Dec 2020 at 6:43 a.m. CST

https://gluu.org/docs/gluu-server/4.2/integration/sswebapps/saml-sp/#shibboleth-sp-configuration This should be done on your ownCloud server. After completing the `SP configuration` you will get `sp-metadata.xml` in `/etc/shibboleth/` on your ownCloud server. Download this metadata, then create a `TR` on your Gluu server. **NB:** Please read the documents carefully. Thanks ~ Shakil

By Kwadwo Obeng user 15 Dec 2020 at 8:55 a.m. CST

I did exactly that. Now when I enter the ownCloud URL, I get redirected to the oxAuth login page. But when I enter the credentials I get this error page:

```
opensaml::FatalProfileException
The system encountered an error at Tue Dec 15 14:42:27 2020
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
opensaml::FatalProfileException at (https://testownc.quantumgroupgh.com/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message.
```

I don't know if this will help, but I don't have any AD for my ownCloud. It's just one admin account I am using for the test.

By Mobarak Hosen Shakil staff 16 Dec 2020 at 2:57 a.m. CST

Please check these two URLs:

- https://[your-gluu-server-url]/idp/shibboleth
- https://[your-owncloud-url]/Shibboleth.sso/Metadata

These two are metadata URLs. And please share your `TR` configuration again. You don't need any `AD` for the `sp/rp`.

By Kwadwo Obeng user 16 Dec 2020 at 3:20 a.m. CST

Okay, sure. And these are my Service Provider logs:

```
failed to decrypt assertion: Unable to resolve any key decryption keys.
2020-12-16 09:11:06 WARN Shibboleth.SSO.SAML2 [5] [default]: error processing incoming assertion: A valid authentication statement was not found in the incoming message
```

By Mobarak Hosen Shakil staff 16 Dec 2020 at 4:02 a.m. CST

Do those two URLs generate `metadata`? It seems okay in your `TR` configuration except for `encryptAssertions` in the `SAML2 SSO profile` under `relying party configuration`. Change `encryptAssertions` from `conditional` to `never`, update it, and check whether it is working or not.

By Mobarak Hosen Shakil staff 16 Dec 2020 at 4:04 a.m. CST

On relying party configuration:

```
Check "Configure Relying Party", add the "SAML2SSO" profile to the list and configure it as follows:

signResponses: conditional
signAssertions: never
signRequests: conditional
encryptAssertions: never
encryptNameIds: never
```

By Kwadwo Obeng user 16 Dec 2020 at 5:09 a.m. CST

Yes, they all generate metadata. And it works now. I get redirected to my ownCloud site. But check this out. It might be from the ownCloud server, but check it out for me. This is where I am redirected to: [Imgur](https://i.imgur.com/qIoSxrf.png) And a quick question: does setting encryptAssertions to "never" pose any security problems?

By Mobarak Hosen Shakil staff 19 Dec 2020 at 3:41 p.m. CST

You can use `encryptAssertions` to `never` since it's in our official documentation. The image you provided doesn't make any sense. Can you please collect `oxauth.log`, `oxtrust.log` files? You may find something here.
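The thread above turns on two checks that can be done offline against the SP's own metadata: whether the entityID the SP sends actually matches a Trust Relationship (the IdP log "No metadata returned for ... in role SPSSODescriptor" means it does not), and whether the SP metadata loaded into the TR publishes an encryption key at all (the SP log "Unable to resolve any key decryption keys" means the IdP encrypted to a key the SP cannot use). The script below is an added example, not code from Gluu, Shibboleth or either participant; the metadata, host names (`sp.example.test`) and log lines are constructed samples, and the `encryptAssertions` values are the three the Shibboleth IdP accepts. From a defender's viewpoint, assertion encryption protects the attribute values while they pass through the user's browser in the POST form; with `never`, the response signature still guards integrity but the assertion content is readable, so the longer-term fix is to make sure the SP publishes an encryption key and holds the matching private key, which is what the last check reports.

```python
"""
Offline checks for the two SAML failures seen in this thread, written as an
added example (not code from Gluu, Shibboleth or the thread participants).

Failure 1 (IdP log): "No metadata returned for <id> in role SPSSODescriptor"
    -> the entityID carried in the AuthnRequest matches no Trust Relationship.
Failure 2 (SP log):  "Unable to resolve any key decryption keys"
    -> the IdP encrypted the assertion to a key the SP cannot use.

Everything below (metadata, log lines, host names) is constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed SP metadata in the shape /Shibboleth.sso/Metadata produces.
# It deliberately publishes only a signing key: the interesting case here.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP log lines in the idp-process.log format quoted in the thread.
SAMPLE_IDP_LOG = [
    "2020-12-16 09:00:00,001 - 10.0.0.5 - INFO [org.opensaml.saml.common.binding.impl."
    "SAMLMetadataLookupHandler:167] - Message Handler: No metadata returned for "
    "https://sp.example.test/secure in role {urn:oasis:names:tc:SAML:2.0:metadata}"
    "SPSSODescriptor with protocol urn:oasis:names:tc:SAML:2.0:protocol",
    "2020-12-16 09:00:00,005 - 10.0.0.5 - WARN [org.opensaml.profile.action.impl."
    "LogEvent:101] - A non-proceed event occurred while processing the request: "
    "InvalidProfileConfiguration",
]


def parse_sp_metadata(xml_text):
    """Pull out the fields a Trust Relationship depends on."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; is this IdP metadata?")
    key_uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
        key_uses.add(kd.get("use", "both"))
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [(n.text or "").strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "key_uses": key_uses,
    }


def has_encryption_key(info):
    """True if the SP advertises a key the IdP may encrypt assertions to."""
    return bool(info["key_uses"] & {"encryption", "both"})


NO_METADATA_RE = re.compile(r"No metadata returned for (\S+) in role \{[^}]+\}SPSSODescriptor")


def diagnose_idp_log(log_lines, trusted_entity_ids):
    """For each 'No metadata' event, return (requested entityID, known to the IdP?)."""
    findings = []
    for line in log_lines:
        m = NO_METADATA_RE.search(line)
        if m:
            rp = m.group(1)
            findings.append((rp, rp in trusted_entity_ids))
    return findings


def check_encryption_setting(info, encrypt_assertions):
    """Relate the relying-party encryptAssertions value to what the SP publishes."""
    if encrypt_assertions not in ("always", "conditional", "never"):
        raise ValueError("encryptAssertions must be always, conditional or never")
    sp_key = has_encryption_key(info)
    if encrypt_assertions == "never":
        verdict = "no encryption; the signed response is the only protection"
    elif sp_key:
        verdict = "SP publishes an encryption key; confirm the SP's private key matches it"
    elif encrypt_assertions == "always":
        verdict = "problem: IdP must encrypt but SP metadata has no encryption key"
    else:
        verdict = "warning: SP metadata has no encryption key for the IdP to use"
    return {"encrypt_assertions": encrypt_assertions,
            "sp_has_encryption_key": sp_key, "verdict": verdict}


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", info["entity_id"])
    print("transient NameID supported:", TRANSIENT in info["name_id_formats"])
    for rp, known in diagnose_idp_log(SAMPLE_IDP_LOG, {info["entity_id"]}):
        print(f"IdP rejected {rp}: {'known' if known else 'NOT in any Trust Relationship'}")
    for setting in ("conditional", "never"):
        print(check_encryption_setting(info, setting)["verdict"])
```

Run it as-is to see the sample verdicts; to use it on a real deployment, replace `SAMPLE_SP_METADATA` with the XML fetched from `https://[your-owncloud-url]/Shibboleth.sso/Metadata` and pass the set of entityIDs from your Trust Relationships to `diagnose_idp_log`.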