By: Bert Robin user 22 Jan 2021 at 11:34 a.m. CST

7 Responses
I'm trying to set up SSO for our GitLab using Gluu server as IdP. I set up GitLab as SP and a Gluu SAML TR with Email and First Name as additional attributes. When I try to log in to GitLab using SSO I'm redirected to the IdP login, but after login I get "Error 422 Sign-in failed because Email can't be blank and Notification email can't be blank". So I checked the SAML response with SAML-tracer and there are no Email or First Name attributes.

```
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 Destination="https://git.example.com/users/auth/saml/callback"
                 ID="_62f4a02d32e61f63c972a2fe2dd7406e"
                 InResponseTo="_8218efcd-bcbf-4966-bc6f-84c521aa63db"
                 IssueInstant="2021-01-22T16:31:14.053Z"
                 Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_62f4a02d32e61f63c972a2fe2dd7406e">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>sghu1+dSNxfsnwkOLMsJ9KxZQ9SC2QS8SxV5hjTZaMc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>HJE7nub4xEfqtW0hrsLgzU+1ReDd28celLTjq9yHfWzePkruGEnbrB5XHyLU1ShFq3IQzts/n/eomdHj95tn97sSWSPguIdRMnulVFKRAIwAtbjv4aK/7Z21exd01V22M5Y/T62l4/zWdDSvwQxUxVl+h0SOg1ChGbB9kLioogeA3o1LgOsbTs2pM4pY137j0Gk8eNLvHGP5NwtR8HYeR22DbZ5aZaNQqe4pNqI0VLC1i3lvHaOCEdx7pJIH8d3Ai+HXyCDgryt7XPB5c8mDMaPva6F2TbjNniG4vQDAPIkGpquQ5Syz9XvAHj9O9qECi6zNAVeQJkcesVM2kSxntg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDnTCCAoUCFCe7DanAs9OuWngKsy2b2roQX3JgMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYDVQQG EwJTSTERMA8GA1UECAwIU2xvdmVuaWExEjAQBgNVBAcMCUxqdWJsamFuYTESMBAGA1UECgwJbm92 aVNwbGV0MRowGAYDVQQDDBFpZHAubm92aXNwbGV0LmNvbTEkMCIGCSqGSIb3DQEJARYVbnNhZG1p bkBub3Zpc3BsZXQuY29tMB4XDTIxMDEyMDEyMzAxMloXDTIyMDEyMDEyMzAxMlowgYoxCzAJBgNV BAYTAlNJMREwDwYDVQQIDAhTbG92ZW5pYTESMBAGA1UEBwwJTGp1YmxqYW5hMRIwEAYDVQQKDAlu b3ZpU3BsZXQxGjAYBgNVBAMMEWlkcC5ub3Zpc3BsZXQuY29tMSQwIgYJKoZIhvcNAQkBFhVuc2Fk bWluQG5vdmlzcGxldC5jb20wggEaMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdB3Fk+ZEO JVR1whj0dSFHFHjsAoZwlcmEnxTVoM6JryMzXI5UvxI2bQMR/Pp3qo3a9JPMAqX7E+Nzx8rDtalK pJ2IobJEPNBcWQ3vDz3fjSa9Mx5NeUb0EOp0GiWfAGyVyBwNPKeCkVdlo6vNhvmAYWthhujzyY/7 gRtdpmeLTOeTroPd7ulp896HID1Hy2SO5CPX2BqbOk8JV48I7d6oSClxbsiAioq/mcXBmtxe8vz6 hr3au1i6OlNwHq/0pK2Qyp4N52m9aS+GLcerQb9+AAI7MyfNM1bs9xIPgMHIMKTKXzyDLXT0H4f6 QeOftVQmDex3DDCRa37SwIsIf7MNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAB6QN3z86/EkNYN8 wepn0rAPBHtfTLVUOYwQRoQOfeYnpBogh6/sjLeJnXkLUBeQVepi9HYFjD610+C+EBzw1Scco4gM IT6TGtzF0fIt90klC28PZc4DksTDSCpBZHCLWa7ShRyjTVzUwV82Ub8QGgx3onZGOcqAba5oa/m1 4SrgIMBcR579ojIlckxOwE+0B2zcdWi1Wq00ima63ATeoSq/ww37tPQqbj9zOPMvfEBPr3TiiKzJ M5XRe5iw6v62uMLpwKYW7PvquSbxLwuQOZ8CsBgpQ3Wx6Hb4AGrwpq5oQW+GcwWRIGTabbsWRFsq rnEmqtE5gBC2xrSZ9jvFVK0=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_e07774f1507f5d7c19a1bc7e29c114ee"
                   IssueInstant="2021-01-22T16:31:14.053Z"
                   Version="2.0">
    <saml2:Issuer>https://idp.example.com/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://idp.example.com/idp/shibboleth"
                    SPNameQualifier="https://git.example.com"
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQxYL9w8lKqp/TIEEOBlp2jh8Zq+Cz+uLTMu7NRZip+edpvGuMBdHdbUWwCn4PeyYPukeFtSO/t8OoblJrJCsVjBP1SKQppE4uojU5fwcmFh9VTpQ2fXVD3/yMQcR4=</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="192.168.2.178"
                                       InResponseTo="_8218efcd-bcbf-4966-bc6f-84c521aa63db"
                                       NotOnOrAfter="2021-01-22T16:36:14.061Z"
                                       Recipient="https://git.example.com/users/auth/saml/callback" />
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-01-22T16:31:14.053Z" NotOnOrAfter="2021-01-22T16:36:14.053Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://git.example.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2021-01-22T16:13:08.181Z" SessionIndex="_7458480a2f69bfe595047f6133a606be">
      <saml2:SubjectLocality Address="192.168.2.178" />
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
```

By Mobarak Hosen Shakil staff 22 Jan 2021 at 12:26 p.m. CST

Can you please share the TR configuration? Did you release `Email` and `Username`?

Thanks & Regards
Shakil

By Bert Robin user 22 Jan 2021 at 2:07 p.m. CST

[https://ibb.co/HVVwnhv](https://ibb.co/HVVwnhv) [https://ibb.co/RP4fL85](https://ibb.co/RP4fL85)

SP metadata:

```
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_34fd37b0-5f36-4cc9-b86b-f5e74b603287"
                     entityID="https://git.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://git.example.com/users/auth/saml/callback"
                                 index="0" isDefault="true"/>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Required attributes</md:ServiceName>
      <md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```
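A diagnostic for the situation in the first two posts: the captured Response carries a Subject and Conditions but no `AttributeStatement`, while the SP metadata requests `email`, `name`, `first_name` and `last_name`. The script below is an added example, not code from the ticket, Gluu or GitLab; it parses both documents, lists what the IdP actually released and reports which requested names are missing. The two XML samples are constructed, abbreviated copies of the ones posted above (signature, certificate and NameID value dropped), and `ATTR_STATEMENT` is a constructed stand-in for what a correctly configured IdP would add.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed, abbreviated copy of the Response in the ticket: signature,
# certificate and NameID value dropped; it carries no AttributeStatement.
RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion Version="2.0">
    <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">...</saml2:NameID></saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://git.example.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed: the statement a working IdP would add, carrying the attribute GitLab needs.
ATTR_STATEMENT = ('<saml2:AttributeStatement><saml2:Attribute Name="email" '
                  'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
                  '<saml2:AttributeValue>bert@example.com</saml2:AttributeValue>'
                  '</saml2:Attribute></saml2:AttributeStatement>')
RESPONSE_WITH_EMAIL = RESPONSE_XML.replace("</saml2:Conditions>", "</saml2:Conditions>" + ATTR_STATEMENT)

# Constructed: the RequestedAttribute list from the SP metadata above (FriendlyName omitted).
METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://git.example.com">
  <md:SPSSODescriptor><md:AttributeConsumingService index="1">
    <md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    <md:RequestedAttribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    <md:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    <md:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  </md:AttributeConsumingService></md:SPSSODescriptor>
</md:EntityDescriptor>"""

def released_attributes(response_xml):
    """Return {Name: [values]} for every saml2:Attribute the IdP released."""
    root = ET.fromstring(response_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml2:AttributeValue", NS)]
            for a in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS)}

def requested_attributes(metadata_xml):
    """Return the Name of every md:RequestedAttribute in the SP metadata."""
    return [a.get("Name") for a in ET.fromstring(metadata_xml).iterfind(".//md:RequestedAttribute", NS)]

def missing_attributes(response_xml, metadata_xml):
    """Requested names the Response does not carry, in metadata order."""
    released = released_attributes(response_xml)
    return [n for n in requested_attributes(metadata_xml) if n not in released]
```

Run against the captured Response every requested name comes back missing, which is exactly the condition that produces GitLab's "Email can't be blank" 422; the check is only about presence, so signature validation and the Conditions window still have to be verified separately.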

By Michael Schwartz Account Admin 22 Jan 2021 at 3:43 p.m. CST

I don't think the SAML2 URIs match for the requested attributes. Also, did you make sure to release the transientid in the Trust Relationship?

By Bert Robin user 22 Jan 2021 at 6:07 p.m. CST

Added TransientId to the list of released attributes [https://ibb.co/0KCCdj1](https://ibb.co/0KCCdj1) and there is no difference in the SAML response. I don't know what you mean by "the SAML2 URIs don't match"?

By Mobarak Hosen Shakil staff 29 Jan 2021 at 9:40 a.m. CST

In the TR configuration, I didn't see anything wrong. Is it possible to set `isRequired="true"` for these attributes? Then please test again.

```
<md:RequestedAttribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
<md:RequestedAttribute FriendlyName="Full name" Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
<md:RequestedAttribute FriendlyName="Given name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
<md:RequestedAttribute FriendlyName="Family name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="false"/>
```

Thanks and Regards
~ Shakil

By Bert Robin user 29 Jan 2021 at 1:51 p.m. CST

Sorry, I can't test because I already deleted Gluu and went with the other product. I was trying everything for two days but just couldn't get attributes into the SAML response... Thank you. You can close the ticket.

By Mobarak Hosen Shakil staff 29 Jan 2021 at 2:11 p.m. CST

Sorry for the inconvenience. Please reopen the ticket if required.

Thanks & Regards
~ Shakil