By: Jake Reva user 21 Jan 2021 at 10:35 a.m. CST

11 Responses
I'm trying to integrate an external ADFS SAML IdP with Gluu. I have working processing of the SAMLRequest. After authentication I can see a base-64 SAMLResponse in the passport log. The decoded XML looks good. I need to map SAML assertion attributes to a Gluu user. I tried customization of the built-in saml_ldap_profile. I created a new js file under mappings/opt/gluu/node/passport/server/mappings and set "Mapping" in the Provider to the file name. I also added a line with debug output as the documentation recommends.

```js
module.exports = profile => {
  // Debug: dump the raw profile received from the IdP
  console.log(JSON.stringify(profile))
  return {
    uid: profile.CommonName || profile["urn:oid:2.5.4.3"],
    //memberOf: profile["urn:1.3.6.1.4.1.48710.1.3.121"],
    mail: profile.emailaddress || profile.email || profile["urn:oid:0.9.2342.19200300.100.1.3"] || profile["urn:oid:1.2.840.113549.1.9.1"],
    cn: profile.CommonName || profile["urn:oid:2.5.4.3"],
    displayName: profile.CommonName || profile["urn:oid:2.5.4.3"],
    givenName: profile.CommonName || profile["urn:oid:2.5.4.42"],
    sn: profile["urn:oid:2.5.4.4"]
  }
}
```

I can't see any outcome from that: I am not able to see the output of the debug line, nor any mapping effect. So I can't access the consent page and the demo page with user details. Please help me to set up this mapping.
The SAML Assertion includes the following:

```xml
<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jake@contoso.corp</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_5d50186e07482efc75bf" NotOnOrAfter="2021-01-21T15:22:18.021Z" Recipient="https://gluu/passport/auth/saml/ContosoADFS/callback" />
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2021-01-21T15:17:18.019Z" NotOnOrAfter="2021-01-21T16:17:18.019Z">
  <AudienceRestriction>
    <Audience>urn:passport</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>jake@contoso.corp</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
    <AttributeValue>jake</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>jake</AttributeValue>
  </Attribute>
</AttributeStatement>
```

CentOS 7, Gluu 4.1

By Michael Schwartz Account Admin 25 Jan 2021 at 9:28 p.m. CST

@Chris.Eland, can you take a look at this? Hideez is one of our technology partners.

By Mohib Zico staff 08 Feb 2021 at 8:05 a.m. CST

Hi Jake, do you think it's possible for you to facilitate a connection from your external ADFS SAML IdP to our test Gluu Server? It will be easier for us to replicate and troubleshoot.

By Chris Eland staff 09 Feb 2021 at 6:22 a.m. CST

Hi Jake,

> Do you think it's possible for you to facilitate connection from your external ADFS SAML IdP to our test Gluu Server? Will be easier for us to replicate and troubleshoot.

Please let us know.

By Chris Eland staff 12 Feb 2021 at 5:33 a.m. CST

Hello Jake, did you have time to check our messages? Best, Chris

By Jake Reva user 12 Feb 2021 at 6:50 a.m. CST

Hi Chris, I am sorry for the delay. I was extremely busy! What Gluu version do you use for your testing server? Could you send me metadata and other data and tips? These are my data:

- cert: https://drive.google.com/file/d/1q-NEHe80zQmHyLPuLjxawl8zyllrEH5E/view?usp=sharing
- entryPoint: https://fs.contoso.corp/adfs/ls/
- identifierFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- no compression, no encryption
- Attributes: Email Address, Common Name, UPN
- NameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

By Chris Eland staff 15 Feb 2021 at 6:58 a.m. CST

Hello Jake, don't worry, all good. I'm gonna run a test server based on your specs. So you are running 4.2.1 on Ubuntu, right? Could you please confirm you are not using `4.2.0` (just double checking)? I'm asking because there is a known error in mapping regarding 4.2.0.

By Jake Reva user 15 Feb 2021 at 10:25 a.m. CST

Let's play with CentOS 7. I get the packages with `wget https://repo.gluu.org/centos/Gluu-centos7.repo -O /etc/yum.repos.d/Gluu.repo`, as https://gluu.org/docs/gluu-server/4.2/installation-guide/install-centos/ points out.

By Chris Eland staff 22 Feb 2021 at 11:19 a.m. CST

Ok, so after enabling all the scripts specified in our documentation, you end up setting up a provider like this, right? (please see attached screenshot)

By Chris Eland staff 09 Mar 2021 at 8:04 a.m. CST

Hello Jake, hope you are fine. Would you like to proceed with this issue?

By Jake Reva user 13 Mar 2021 at 1 a.m. CST

Hi Chris, at last I found a quantum of time and went through Inbound SAML again with the latest Gluu: Gluu Server 4.2.3, CentOS 8. I was able to complete the setup including mapping and authentication. I created a custom mapping file which looks like:

```js
module.exports = profile => {
  return {
    mail: profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
    displayName: profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"],
    uid: profile["http://schemas.xmlsoap.org/claims/CommonName"],
    cn: profile["http://schemas.xmlsoap.org/claims/CommonName"],
    givenName: profile["http://schemas.xmlsoap.org/claims/CommonName"],
    sn: profile["http://schemas.xmlsoap.org/claims/CommonName"]
  }
}
```

and used it in the appropriate Passport provider. I hope this mapping is exactly what it has to be.
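An added example, not code from Gluu or from anyone in this thread: a mapping in the same Passport shape that resolves each Gluu attribute from a list of candidate claim names (the ADFS claim URIs seen in the assertion above first, then the urn:oid names from the first attempt), copes with multi-valued attributes, and fails closed when no uid or mail can be found, so a malformed assertion never yields a half-mapped user. The profile shape (attribute name to value, arrays for multi-valued attributes) is assumed from passport-saml; the sample profile is constructed.

```javascript
// Added example, not Gluu's or the thread author's code. Same Passport mapping
// contract (profile in, Gluu attributes out); each attribute is resolved from a
// list of candidate claim names and the mapping fails closed without uid/mail.
// Candidate keys per Gluu attribute: ADFS claim URI first, then the urn:oid form.
const CLAIMS = {
  mail: [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
  ],
  uid: ["http://schemas.xmlsoap.org/claims/CommonName", "urn:oid:2.5.4.3"],
  cn: ["http://schemas.xmlsoap.org/claims/CommonName", "urn:oid:2.5.4.3"],
  displayName: [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  ],
  givenName: ["urn:oid:2.5.4.42", "http://schemas.xmlsoap.org/claims/CommonName"],
  sn: ["urn:oid:2.5.4.4", "http://schemas.xmlsoap.org/claims/CommonName"],
};
// passport-saml (assumed shape) hands over an array when an attribute is
// multi-valued; take the first non-empty string and trim it.
function firstValue(profile, keys) {
  for (const key of keys) {
    const raw = profile[key];
    const v = Array.isArray(raw) ? raw[0] : raw;
    if (typeof v === "string" && v.trim() !== "") return v.trim();
  }
  return undefined;
}
function mapProfile(profile) {
  const user = {};
  for (const [attr, keys] of Object.entries(CLAIMS)) {
    const v = firstValue(profile, keys);
    if (v !== undefined) user[attr] = v;
  }
  // Fail closed: without uid and mail the login cannot be linked to one user.
  if (!user.uid || !user.mail) {
    throw new Error("assertion lacks uid/mail; claims seen: " + Object.keys(profile).join(", "));
  }
  user.mail = user.mail.toLowerCase(); // normalise case so one person maps to one record
  return user;
}
// Constructed profile modelled on the AttributeStatement quoted earlier in the thread.
const SAMPLE_PROFILE = {
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "Jake@contoso.corp",
  "http://schemas.xmlsoap.org/claims/CommonName": "jake",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["jake"],
};
if (typeof module !== "undefined") module.exports = mapProfile; // Passport loads the file as a module
```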

By Mohib Zico staff 10 Apr 2021 at 11:06 p.m. CDT

Hello Jake, thanks! Please feel free to reopen the ticket if required.