Re: Google Apps Login Unable to add NameID:


Kevin Shier

May 11, 2011, 7:19:32 PM
to simple...@googlegroups.com
I found the solution.

I disabled the ability for SimpleSAMLphp to convert the userID to a urn:oid.

After that it worked fine.


On 2011-05-11, at 1:43 PM, Kevin Shier wrote:

> I am setting up SimpleSAMLphp to allow login from Google Apps.
>
> I have configured and tested SimpleSAMLphp and can successfully log in and retrieve my users attributes from Active Directory. I can see them in the SS webpage and it all looks good.
>
> When I configure the Google Apps link, and I try to log in, I get the error message from Google in the web browser of: Google Apps - Invalid Email
>
> In the SimpleSAMLphp log file, with debugging turned on I get the following section. To me, this indicates that the attribute I want to read from AD is not being passed to the Google login. I am using the attribute "givenName" and it appears in the list of attributes and also gets assigned a urn:oid.
>
> Can you help?
>
> Library - LDAP getAttributes(): Getting all attributes from DN 'CN=UserName,OU=Parents,OU=Household,DC=domain,DC=com'
> Library - LDAP getAttributes(): Found attributes '(objectClass,cn,sn,description,givenName,distinguishedName,instanceType,whenCreated,whenChanged,displayName,uSNCreated,memberOf,uSNChanged,name,objectGUID,userAccountControl,badPwdCount,codePage,countryCode,homeDirectory,homeDrive,badPasswordTime,lastLogoff,lastLogon,pwdLastSet,primaryGroupID,objectSid,adminCount,accountExpires,logonCount,sAMAccountName,sAMAccountType,userPrincipalName,lockoutTime,objectCategory,dSCorePropagationData,lastLogonTimestamp,mail)'
> Deleting state: '_39ba4a4c81532d9907f7c9111643bf18de343e156c'
> Session: doLogin("XXX-ldap")
> Session: Valid session found with 'XXX-ldap'.
> Session: Valid session found with 'XXX-ldap'.
> Filter config for https://xxx.xxx.xx/simplesaml/saml2/idp/metadata.php->google.com: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 30, )), 1 => sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute' => 'realm', 'typeTag' => 'saml20-idp-SSO', 'priority' => 45, )), 2 => sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes' => array ( ), 'isDefault' => false, 'priority' => 50, )), 3 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 99, )), 4 => sspmod_core_Auth_Process_AttributeMap::__set_state(array( 'map' => array ( 'aRecord' => 'urn:oid:0.9.2342.19200300.100.1.26', 'aliasedEntryName' => 'urn:oid:2.5.4.1', 'aliasedObjectName' => 'urn:oid:2.5.4.1', 'associatedDomain' => 'urn:oid:0.9.2342.19200300.100.1.37', 'associatedName' => 'urn:oid:0.9.2342.19200300.100.1.38', 'audio' => 'urn:oid:0.9.2342.19200300.100.1.55', 'authorityRevocationList' => 'urn:oid:2.5.4.38', 'buildingName' => 'urn:oid:0.9.2342.19200300.100.1.48', 'businessCategory' => 'urn:oid:2.5.4.15', 'c' => 'urn:oid:2.5.4.6', 'cACertificate' => 'urn:oid:2.5.4.37', 'cNAMERecord' => 'urn:oid:0.9.2342.19200300.100.1.31', 'carLicense' => 'urn:oid:2.16.840.1.113730.3.1.1', 'certificateRevocationList' => 'urn:oid:2.5.4.39', 'cn' => 'urn:oid:2.5.4.3', 'co' => 'urn:oid:0.9.2342.19200300.100.1.43', 'commonName' => 'urn:oid:2.5.4.3', 'countryName' => 'urn:oid:2.5.4.6', 'crossCertificatePair' => 'urn:oid:2.5.4.40', 'dITRedirect' => 'urn:oid:0.9.2342.19200300.100.1.54', 'dSAQuality' => 'urn:oid:0.9.2342.19200300.100.1.49', 'dc' => 'urn:oid:0.9.2342.19200300.100.1.25', 'deltaRevocationList' => 'urn:oid:2.5.4.53', 'departmentNumber' => 'urn:oid:2.16.840.1.113730.3.1.2', 'description' => 'urn:oid:2.5.4.13', 'destinationIndicator' => 'urn:oid:2.5.4.27', 'displayName' => 'urn:oid:2.16.840.1.113730.3.1.241', 'distinguishedName' => 
'urn:oid:2.5.4.49', 'dmdName' => 'urn:oid:2.5.4.54', 'dnQualifier' => 'urn:oid:2.5.4.46', 'documentAuthor' => 'urn:oid:0.9.2342.19200300.100.1.14', 'documentIdentifier' => 'urn:oid:0.9.2342.19200300.100.1.11', 'documentLocation' => 'urn:oid:0.9.2342.19200300.100.1.15', 'documentPublisher' => 'urn:oid:0.9.2342.19200300.100.1.56', 'documentTitle' => 'urn:oid:0.9.2342.19200300.100.1.12', 'documentVersion' => 'urn:oid:0.9.2342.19200300.100.1.13', 'domainComponent' => 'urn:oid:0.9.2342.19200300.100.1.25', 'drink' => 'urn:oid:0.9.2342.19200300.100.1.5', 'eduOrgHomePageURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.2', 'eduOrgIdentityAuthNPolicyURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.3', 'eduOrgLegalName' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.4', 'eduOrgSuperiorURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.5', 'eduOrgWhitePagesURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.6', 'eduPersonAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1', 'eduPersonEntitlement' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', 'eduPersonNickname' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2', 'eduPersonOrgDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3', 'eduPersonOrgUnitDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4', 'eduPersonPrimaryAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5', 'eduPersonPrimaryOrgUnitDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8', 'eduPersonPrincipalName' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'eduPersonScopedAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'eduPersonTargetedID' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'email' => 'urn:oid:1.2.840.113549.1.9.1', 'emailAddress' => 'urn:oid:1.2.840.113549.1.9.1', 'employeeNumber' => 'urn:oid:2.16.840.1.113730.3.1.3', 'employeeType' => 'urn:oid:2.16.840.1.113730.3.1.4', 'enhancedSearchGuide' => 'urn:oid:2.5.4.47', 'facsimileTelephoneNumber' => 'urn:oid:2.5.4.23', 'favouriteDrink' => 'urn:oid:0.9.2342.19200300.100.1.5', 'fax' => 'urn:oid:2.5.4.23', 'federationFeideSchemaVersion' => 'urn:oid:1.3.6.1.4.1.2428.90.1.9', 'friendlyCountryName' => 
'urn:oid:0.9.2342.19200300.100.1.43', 'generationQualifier' => 'urn:oid:2.5.4.44', 'givenName' => 'urn:oid:2.5.4.42', 'gn' => 'urn:oid:2.5.4.42', 'homePhone' => 'urn:oid:0.9.2342.19200300.100.1.20', 'homePostalAddress' => 'urn:oid:0.9.2342.19200300.100.1.39', 'homeTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.20', 'host' => 'urn:oid:0.9.2342.19200300.100.1.9', 'houseIdentifier' => 'urn:oid:2.5.4.51', 'info' => 'urn:oid:0.9.2342.19200300.100.1.4', 'initials' => 'urn:oid:2.5.4.43', 'internationaliSDNNumber' => 'urn:oid:2.5.4.25', 'isMemberOf' => 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1', 'janetMailbox' => 'urn:oid:0.9.2342.19200300.100.1.46', 'jpegPhoto' => 'urn:oid:0.9.2342.19200300.100.1.60', 'knowledgeInformation' => 'urn:oid:2.5.4.2', 'l' => 'urn:oid:2.5.4.7', 'labeledURI' => 'urn:oid:1.3.6.1.4.1.250.1.57', 'localityName' => 'urn:oid:2.5.4.7', 'mDRecord' => 'urn:oid:0.9.2342.19200300.100.1.27', 'mXRecord' => 'urn:oid:0.9.2342.19200300.100.1.28', 'mail' => 'urn:oid:0.9.2342.19200300.100.1.3', 'mailPreferenceOption' => 'urn:oid:0.9.2342.19200300.100.1.47', 'manager' => 'urn:oid:0.9.2342.19200300.100.1.10', 'member' => 'urn:oid:2.5.4.31', 'mobile' => 'urn:oid:0.9.2342.19200300.100.1.41', 'mobileTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.41', 'nSRecord' => 'urn:oid:0.9.2342.19200300.100.1.29', 'name' => 'urn:oid:2.5.4.41', 'norEduOrgAcronym' => 'urn:oid:1.3.6.1.4.1.2428.90.1.6', 'norEduOrgNIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.12', 'norEduOrgSchemaVersion' => 'urn:oid:1.3.6.1.4.1.2428.90.1.11', 'norEduOrgUniqueIdentifier' => 'urn:oid:1.3.6.1.4.1.2428.90.1.7', 'norEduOrgUniqueNumber' => 'urn:oid:1.3.6.1.4.1.2428.90.1.1', 'norEduOrgUnitUniqueIdentifier' => 'urn:oid:1.3.6.1.4.1.2428.90.1.8', 'norEduOrgUnitUniqueNumber' => 'urn:oid:1.3.6.1.4.1.2428.90.1.2', 'norEduPersonBirthDate' => 'urn:oid:1.3.6.1.4.1.2428.90.1.3', 'norEduPersonLIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.4', 'norEduPersonNIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.5', 'o' => 'urn:oid:2.5.4.10', 
'objectClass' => 'urn:oid:2.5.4.0', 'organizationName' => 'urn:oid:2.5.4.10', 'organizationalStatus' => 'urn:oid:0.9.2342.19200300.100.1.45', 'organizationalUnitName' => 'urn:oid:2.5.4.11', 'otherMailbox' => 'urn:oid:0.9.2342.19200300.100.1.22', 'ou' => 'urn:oid:2.5.4.11', 'owner' => 'urn:oid:2.5.4.32', 'pager' => 'urn:oid:0.9.2342.19200300.100.1.42', 'pagerTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.42', 'personalSignature' => 'urn:oid:0.9.2342.19200300.100.1.53', 'personalTitle' => 'urn:oid:0.9.2342.19200300.100.1.40', 'photo' => 'urn:oid:0.9.2342.19200300.100.1.7', 'physicalDeliveryOfficeName' => 'urn:oid:2.5.4.19', 'pkcs9email' => 'urn:oid:1.2.840.113549.1.9.1', 'postOfficeBox' => 'urn:oid:2.5.4.18', 'postalAddress' => 'urn:oid:2.5.4.16', 'postalCode' => 'urn:oid:2.5.4.17', 'preferredDeliveryMethod' => 'urn:oid:2.5.4.28', 'preferredLanguage' => 'urn:oid:2.16.840.1.113730.3.1.39', 'presentationAddress' => 'urn:oid:2.5.4.29', 'protocolInformation' => 'urn:oid:2.5.4.48', 'pseudonym' => 'urn:oid:2.5.4.65', 'registeredAddress' => 'urn:oid:2.5.4.26', 'rfc822Mailbox' => 'urn:oid:0.9.2342.19200300.100.1.3', 'roleOccupant' => 'urn:oid:2.5.4.33', 'roomNumber' => 'urn:oid:0.9.2342.19200300.100.1.6', 'sOARecord' => 'urn:oid:0.9.2342.19200300.100.1.30', 'searchGuide' => 'urn:oid:2.5.4.14', 'secretary' => 'urn:oid:0.9.2342.19200300.100.1.21', 'seeAlso' => 'urn:oid:2.5.4.34', 'serialNumber' => 'urn:oid:2.5.4.5', 'singleLevelQuality' => 'urn:oid:0.9.2342.19200300.100.1.50', 'sn' => 'urn:oid:2.5.4.4', 'st' => 'urn:oid:2.5.4.8', 'stateOrProvinceName' => 'urn:oid:2.5.4.8', 'street' => 'urn:oid:2.5.4.9', 'streetAddress' => 'urn:oid:2.5.4.9', 'subtreeMaximumQuality' => 'urn:oid:0.9.2342.19200300.100.1.52', 'subtreeMinimumQuality' => 'urn:oid:0.9.2342.19200300.100.1.51', 'supportedAlgorithms' => 'urn:oid:2.5.4.52', 'supportedApplicationContext' => 'urn:oid:2.5.4.30', 'surname' => 'urn:oid:2.5.4.4', 'telephoneNumber' => 'urn:oid:2.5.4.20', 'teletexTerminalIdentifier' => 
'urn:oid:2.5.4.22', 'telexNumber' => 'urn:oid:2.5.4.21', 'textEncodedORAddress' => 'urn:oid:0.9.2342.19200300.100.1.2', 'title' => 'urn:oid:2.5.4.12', 'uid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'uniqueIdentifier' => 'urn:oid:0.9.2342.19200300.100.1.44', 'uniqueMember' => 'urn:oid:2.5.4.50', 'userCertificate' => 'urn:oid:2.5.4.36', 'userClass' => 'urn:oid:0.9.2342.19200300.100.1.8', 'userPKCS12' => 'urn:oid:2.16.840.1.113730.3.1.216', 'userPassword' => 'urn:oid:2.5.4.35', 'userSMIMECertificate' => 'urn:oid:2.16.840.1.113730.3.1.40', 'userid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'x121Address' => 'urn:oid:2.5.4.24', 'x500UniqueIdentifier' => 'urn:oid:2.5.4.45', ), 'priority' => 100, )),)
> LanguageAdaptor: Language in session was set [en]
> saml20-idp-SSO-first google.com https://xxx.xxx.xx/simplesaml/saml2/idp/metadata.php NA
> saml20-idp-SSO google.com https://xxx.xxx.xx/simplesaml/saml2/idp/metadata.php NA
> LanguageAdaptor: Language in attribute was set [en]
> LanguageAdaptor: Language in session was set [en]
> Sending SAML 2.0 Response to 'google.com'
> Unable to add NameID: Missing 'givenName' in the attributes of the user.
> Falling back to transient NameID.
>
> --
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To post to this group, send email to simple...@googlegroups.com.
> To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

Peter Schober

May 7, 2013, 3:05:11 AM
to simple...@googlegroups.com
* Thiago Cruz <thiag...@gmail.com> [2013-05-07 08:05]:
> Thanks Kevin, 2 years later the problem remains. I'm using SimpleSAMLphp
> 1.10!

The "problem" remains because it's not a SimpleSAMLphp code problem
but the way you configure the software. You certainly can configure
v1.10 to not work with a given SP, true. As such the problem remains.
-peter

Jaime Pérez Crespo

May 7, 2013, 3:58:24 AM
to simple...@googlegroups.com
Hi,

Do you have the mail address in your AD? Have you checked that you are getting it into SSP? Did you configure Google Apps SP in SSP to receive the mail attribute? Have you checked that you are sending it in the SAML assertion, using SAML tracer plugin, for instance? And if you have done all of that and the response is positive to every question, did you provision all the user accounts to Google Apps? Bear in mind that you have to explicitly tell Google which addresses to handle, you cannot just configure federated access and expect it to create user accounts automatically.

Regards,

On May 7, 2013, at 00:06 AM, Thiago Cruz <thiag...@gmail.com> wrote:
Thanks Kevin, 2 years later the problem remains. I'm using SimpleSAMLphp 1.10!


--
Jaime Pérez
UNINETT / Feide

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
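Jaime's checklist ends with "check that you are sending it in the SAML assertion, using SAML tracer". The script below is an added example, not part of this thread and not SimpleSAMLphp code: it does the same inspection offline on a captured Response (the decoded SAMLResponse POST field) and reports the NameID, its Format, the attributes, the Audience and whether a ds:Signature element is present, then lists the mismatches that end on Google's "Invalid Email" page. It only reads the XML; it does not verify the signature, conditions or Destination, which is the SP's job. The two Responses it is run on are constructed here, and idp.example.com, example.com and the google.com entityID from the thread are placeholders.

```python
"""Offline inspection of a captured SAML Response bound for the Google Apps ACS.

Added example, not part of the thread or of SimpleSAMLphp. It reads the XML
only: it reports what SAML tracer would show and flags the mismatches that
produce Google's 'Invalid Email' page. It does NOT verify the signature,
the conditions or the Destination; that is the SP's job.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NO_SIGNATURE = "neither Response nor Assertion carries a ds:Signature"


def decode_saml_response(post_value: str) -> str:
    """HTTP-POST binding: the SAMLResponse form field is base64 of the XML."""
    return base64.b64decode(post_value).decode("utf-8")


def make_response(nameid_format: str, nameid_value: str, attributes: Dict[str, List[str]]) -> str:
    """Constructed, unsigned Response shaped like the one SimpleSAMLphp sends.
    Sample data only; idp.example.com and example.com are placeholders."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items())
    if attr_xml:
        attr_xml = f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
    issuer = "https://idp.example.com/simplesaml/saml2/idp/metadata.php"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2013-05-07T08:00:00Z"
  Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-07T08:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>google.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    {attr_xml}
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text: str, google_domain: str) -> Dict[str, object]:
    """Return NameID, Format, attributes, Audience, signature presence and the
    list of problems a Google Apps SP would trip over."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    report: Dict[str, object] = {"problems": problems}
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    report["status"] = status.get("Value") if status is not None else None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain saml:Assertion (absent or EncryptedAssertion)")
        return report
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    report["nameid"] = nameid.text if nameid is not None else None
    report["nameid_format"] = nameid.get("Format") if nameid is not None else None
    report["audience"] = audience.text if audience is not None else None
    report["attributes"] = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    report["signed"] = (root.find("ds:Signature", NS) is not None
                        or assertion.find("ds:Signature", NS) is not None)
    if nameid is None:
        problems.append("no NameID in Subject")
    else:
        if report["nameid_format"] != EMAIL_FORMAT:
            problems.append(f"NameID Format is {report['nameid_format']}, Google expects {EMAIL_FORMAT}")
        if not re.fullmatch(r"[^@\s]+@" + re.escape(google_domain), nameid.text or ""):
            problems.append(f"NameID {nameid.text!r} is not an address in {google_domain}")
    if not report["signed"]:
        problems.append(NO_SIGNATURE)
    return report


if __name__ == "__main__":
    # Kevin's case: transient NameID plus the OID-named givenName attribute.
    bad = make_response(TRANSIENT_FORMAT, "_transient123abc", {"urn:oid:2.5.4.42": ["Kevin"]})
    for problem in inspect_response(bad, "example.com")["problems"]:
        print("problem:", problem)
```

On a real capture, save the decoded SAMLResponse to a file and pass its text to inspect_response with your Google Apps domain. A report whose only problem is the missing signature on a constructed sample is expected; on a live Response from SimpleSAMLphp the Assertion is signed, so an unsigned one there means the IdP metadata or certificate configuration is wrong and Google will not accept it either.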

Thiago Cruz

May 10, 2013, 11:10:54 AM
to simple...@googlegroups.com
Hi Jaime,

Everything worked when I disabled the conversion. Please take a look. Here is my working config for Google Apps with OpenLDAP:

################## config.php
...
'enable.saml20-idp'             => true,
'enable.shib13-idp'             => false,
...

################## authsources.php
...
'example-ldapmulti' => array(
    'ldap:LDAPMulti',
    'username_organization_method' => 'none',
    'include_organization_in_username' => FALSE,
    'OpenLDAP' => array(
        'description' => 'Base OpenLDAP',
        'hostname' => 'ldap.XXX.XXX.XX',
        'enable_tls' => FALSE,   // no STARTTLS: the user's bind password crosses the network in clear
        'debug' => TRUE,
        'timeout' => 0,
        'attributes' => NULL,    // NULL: fetch every attribute of the entry
        'dnpattern' => 'uid=%username%,ou=Users,dc=XXX,dc=XXX,dc=XXX',
        'search.enable' => FALSE,
        'priv.read' => FALSE,
        'priv.username' => NULL,
        'priv.password' => NULL,
    ),
),
...

################## saml20-idp-hosted.php (conversion to oid disabled)

'auth' => 'example-ldapmulti',

'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
//      'authproc' => array(
//              // Convert LDAP names to oids.
//              100 => array('class' => 'core:AttributeMap', 'name2oid'),
//      ),



################## saml20-sp-remote.php
$metadata['google.com'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/XXXX.XXXX.com/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    // first value of this attribute becomes the NameID; it is looked up by the
    // name the attribute has after the authproc filters have run
    'simplesaml.nameidattribute' => 'givenName',
    'simplesaml.attributes' => FALSE,   // send no AttributeStatement to this SP
);



By the way, using LDAPMulti, is it possible to use an OpenLDAP and an Active Directory but with different attributes? Of course both of them have the same data. In OpenLDAP I would like to check the givenName attribute, but in Active Directory I'd like to use sAMAccountName.
I've tried the configuration below in saml20-sp-remote.php, but it didn't work.

      'simplesaml.nameidattribute' => 'sAMAccountName', 
      or
      'simplesaml.nameidattribute' => array ('sAMAccountName', 'uid'),


Thanks in advance,
Thiago Cruz
Ћiago ₢uz
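The log Kevin quoted and Thiago's question about one nameidattribute for two directories come down to the same mechanism: simplesaml.nameidattribute is looked up by the name the attribute has after the authproc chain has run, and with core:AttributeMap name2oid at priority 100, 'givenName' is called 'urn:oid:2.5.4.42' by then. The following is an added Python model of that pipeline, not code from the thread or from SimpleSAMLphp. The user entries, the Google Apps domain and the provisioned-account list are constructed sample data; the name2oid subset is copied from the dump in Kevin's log; the per-source rename step stands in for an authproc filter on the authsource (assumed to be core:AttributeMap with an inline map; check the documentation for your version), and the attributes it renames, userPrincipalName for AD and mail for OpenLDAP, are the ones that hold the Google address in the sample, so substitute whatever holds it in your directories.

```python
"""Model of the 'Unable to add NameID' failure and of a per-directory NameID source.

Added illustration in Python, not SimpleSAMLphp code. It reproduces the order
of operations visible in the quoted log: LDAP attributes -> authproc filters
(core:AttributeMap name2oid at priority 100) -> NameID taken from the attribute
named in simplesaml.nameidattribute, with the transient fallback.
"""
import secrets
from typing import Dict, List, Tuple

Attributes = Dict[str, List[str]]
Filter = Tuple[int, Dict[str, str]]  # (priority, attribute rename map)

EMAIL = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Subset of the name2oid map dumped in the quoted log. Names that are not in
# the map are left alone by the filter (sAMAccountName, for instance).
NAME2OID = {
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
}


def attribute_map(attrs: Attributes, mapping: Dict[str, str]) -> Attributes:
    """core:AttributeMap, modelled: rename mapped keys, pass the rest through."""
    return {mapping.get(name, name): list(values) for name, values in attrs.items()}


def build_nameid(attrs: Attributes, nameid_attribute: str, log: List[str]) -> Tuple[str, str]:
    """NameID step for an SP whose NameIDFormat is email. The attribute is looked
    up by the name it has *after* the filters ran; if absent, the IdP logs the
    two lines seen in the thread and falls back to a random transient identifier."""
    values = attrs.get(nameid_attribute)
    if not values:
        log.append(f"Unable to add NameID: Missing '{nameid_attribute}' in the attributes of the user.")
        log.append("Falling back to transient NameID.")
        return TRANSIENT, "_" + secrets.token_hex(20)
    return EMAIL, values[0]


def idp_sso(user: Attributes, authproc: List[Filter], nameid_attribute: str):
    """Run the filter chain in priority order, then build the NameID.
    Returns (format, value, log lines)."""
    log: List[str] = []
    attrs = dict(user)
    for _priority, mapping in sorted(authproc, key=lambda f: f[0]):
        attrs = attribute_map(attrs, mapping)
    fmt, value = build_nameid(attrs, nameid_attribute, log)
    return fmt, value, log


# Google's exact check is not published; this models what Jaime describes: the
# NameID must be an address in the Google Apps domain that has been provisioned.
# Domain and account list are constructed sample data.
GOOGLE_DOMAIN = "example.com"
PROVISIONED = {"kevin@example.com", "thiago@example.com"}


def google_acs_accepts(fmt: str, value: str) -> bool:
    _local, at, domain = value.rpartition("@")
    return fmt == EMAIL and at == "@" and domain == GOOGLE_DOMAIN and value in PROVISIONED


# Constructed users, shaped like the AD entry in Kevin's log and an OpenLDAP entry.
AD_USER: Attributes = {
    "givenName": ["Kevin"], "sn": ["Shier"], "sAMAccountName": ["kshier"],
    "userPrincipalName": ["kevin@example.com"], "mail": ["kevin@example.com"],
}
OPENLDAP_USER: Attributes = {"uid": ["thiago"], "givenName": ["Thiago"], "mail": ["thiago@example.com"]}


def scenario_original():
    """Kevin's first attempt: name2oid on, nameidattribute 'givenName'."""
    return idp_sso(AD_USER, [(100, NAME2OID)], "givenName")


def scenario_map_disabled():
    """Kevin's fix: no name2oid filter, so the attribute keeps its LDAP name."""
    return idp_sso(AD_USER, [], "givenName")


def scenario_oid_nameid():
    """Alternative that keeps name2oid for other SPs: name the mapped attribute."""
    return idp_sso(AD_USER, [(100, NAME2OID)], NAME2OID["mail"])


def scenario_two_directories() -> Dict[str, tuple]:
    """One nameidattribute for AD and OpenLDAP: each source first renames the
    attribute that holds the Google address to a common name, then the SP-level
    chain runs. 'googleLogin' is not in name2oid, so it survives that filter."""
    per_source = {"ad": {"userPrincipalName": "googleLogin"}, "openldap": {"mail": "googleLogin"}}
    users = {"ad": AD_USER, "openldap": OPENLDAP_USER}
    return {src: idp_sso(users[src], [(10, per_source[src]), (100, NAME2OID)], "googleLogin")
            for src in users}
```

Dropping the map, as Kevin and Thiago did, makes the lookup succeed, but the NameID that goes out is whatever that attribute holds, and Google then compares it with a provisioned account, so the attribute has to be the one that contains the address (Jaime's question about mail). Keeping the map and pointing nameidattribute at the OID name leaves other SPs that expect OID-named attributes working. For two directories, renaming each source's address attribute to a common name before the SP chain runs lets a single nameidattribute serve both; the option takes one attribute name, not a PHP array of alternatives.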