This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Community Blog

Subscribe to the official SecurID Community blog for information about new product features, industry insights, best practices and more.

Need a demo SAML Service Provider? We got you covered...

IngoSchubert
Respected Contributor Respected Contributor
Respected Contributor
10 15 39.3K
‎2016-05-19 06:47 AM

Quick... give me a SAML Service Provider to test with!

Did you ever encounter the scenario where you have to show a SAML integration working and you (or your customer/partner) doesn't have a demo/test SAML application available?

Silly question... of course you did!

 

While there are cloud services out there that offer trial/test instances they are usually time limited and you have to go thru the process of requesting such a trial - not impossible but certainly an annoyance. The time restriction (e.g. 30 days) also means your demo system will need to be reconfigured every month and you have to go thru the process again to get a new test instance... doable but certainly not pretty.

 

Because of all of this we created a simple SAML service provider and deployed it on a host that is accessible from anywhere.

Feel free to use it yourself, tell your colleagues and friends, customers, partners...

If you can't wait to start, here is the URL: https://sptest.iamshowcase.com

The site itself should have all the instructions needed but just in case you need some hand-holding here are more detailed descriptions and instructions.

 

This works perfectly with the SAML Identity Provider that RSA SecurID Access provides but any other SAML 2.0 compliant IDP should work too. In fact this Demo Service Provider is used with non-RSA IDPs on a constant basis. 

 

What the demo site does

The demo site acts as a SAML service provider and supports IDP and SP initiated SSO.

Once you configured everything correctly you can federate into the demo SP and see things like the user ID (SAML Subject), attributes (if any...) and more. If you want you can also get the raw SAML assertion from the page.

 

This is what you'll get:

Screenshot_20180129_193715.png

 

The site is responsive - meaning it should work fine on any device and scale accordingly. Great for demos from your phone/tablet!

 

Screenshot_20180117_134438.png

 

Getting IDP initiated SSO working

 

IDP initiated SSO only requires that you download the metadata from the demo SP and import it into your IDP and configure whatever needs to be configured on your side.

The start page of the demo site has the download link for the metadata.

For RSA SecurID Access here is what you need to do:

1. Create a SAML application

Screenshot_20180131_151541.png

Give it a cool name.

"Demo SAML Application" is what I chose. I'm not cool.

2. Import the SP metadata

 

Click the "Import Metadata" button on the "Connection Profile" section and import the metadata file from the demo SP you download previously.

It'll fill out a couple of things like the ACS URL and SP Entity ID.

Just accept the defaults.

Screenshot_20160519_113906.png

3. Set other configuration parameters

Select the "IDP-initiated" radio button - don't worry, if you like to get SP initiated working this won't stop you from doing this so don't worry.

You can leave the  "Connection URL" (which is the RelayState) empty or put in there a color scheme name you want the demo site to use (more on that later).

 

 

Create (or re-use) a certificate bundle.

 

Set the User Identity to whatever you like. The SP doesn't really care. EMail is fine but if you like to send something else feel free to do so.

In my example I chose "Attribute Hunting" as I have two LDAP directories setup.

 

You can also send any other attributes over - in my example I chose to send "Firstname" and "Lastname". You can send whatever you like and name the attributes to your liking too. If you do send over things like firstname, givenname etc, those will be used to greet the user instead of displaying just the nameID.

 

Screenshot_20180131_152102.png

 

 

 

Screenshot_20160519_113947.png

 

Finally select the policy this app should be protected with, publish the changes and Bob's your uncle.

4. Test!

Log into the portal with a user that has access to the newly created application. You should see the icon you chose.

Click it...

Screenshot_20160519_114027.png

 

You should see something similar to this (depending on the screen resolution it might look slightly differently):

Screenshot_20180129_193613.png

See this wonderful pink color? You can control how the page looks like by setting the RelayState to one of the support color schemes - see the documentation on the site itself.  This can be useful if you want to show e.g. different colors for different authentication policies done at the IDP.

Scroll down and you'll see further information like the NameID and NameID format as well as the attributes:

Screenshot_20180129_193751.png

... and your IDP entity ID, timing information and the raw SAML assertion in case you want to take a closer look can also be displayed:

Screenshot_20180129_193822.png

Getting SP initiated SSO working

OK, IDP initiated SSO works but 9/10 times somebody will ask for SP initiated SSO. Rightfully so!

To get SP initiated SSO working you need to first export the IDP metadata and import it into the demo SP site.

You can upload the metadata file on the instructions page of the demo site.#

Screenshot_20180129_193857.png

Once you did that you'll be presented with a screen that shows you your unique logon URL:

 

pastedImage_25.png

That URL (e.g. https://sptest.iamshowcase.com/ixs.jsp?idp=cie8348382093) you need to remember. Copy it and make a bookmark out of it.

If you hit that URL the demo SP will send a SAML Authentication Request to your IDP which in turn will respond with a SAML Assertion. You might have to log into the IDP if you don't have a session there already.

 

That is how the "IDP discovery" is done - similar to what e.g. Google or SFDC do. They also provide unique login URLs that will trigger an AuthNRequest.

 

After a successful SAML SSO transaction you can also logout and click on the link to the protected page again - it'll trigger a SAML AuthNRequest again.

 

Should you forget/loose the URL simply re-upload the metadata again and the same URL will be displayed again.

 

Using the RSA SecurID Access Cloud Authentication Service IDP (aka Cloud IDP)

The Cloud IDP works independently of the IDP on the Identity Router and it's main purpose is to be used by 3rd party SSO solutions (such as VMware Workspace, Citrix Netscaler, Ping Federate or Microsoft Azure AD).

Of course the demo service provider can be used with this IDP too.

In face... you can demo/test things like putting a NameID into the authentication request or ask for a specific Authentication Context Class (to require the Cloud IDP to evaluate a specific policy). How do that part is described in the section following this one.

In this section however we concentrate on how to set up the Cloud IDP to work with the demo service provider.

 

1. Create a new SAML Relying party

Who doesn't like parties? Relying parties in RSA SecurID Access are "attached" to the Cloud IDP.

To create one you need to select "Authentication Clients->Relying Parties", then click on "Add a Relying Party" and finally select to add a "SAML" relying party. You'll end up with a screen like this:

 

pastedImage_1.png

 

Give that new Service Provider a name and continue to the "Authentication" tab.

2. Define how authentication is done

In this screen you have to decide on whether to require RSA SecurID Access to handle the primary and additional authentication or just the additional authentication.

 

In the example below, RSA SecurID Access is only used for additional authentication. This means the SP needs to send a SAML Authentication Request containing a NameID (email address) that can be mapped to an existing user record inside RSA SecurID Access.

The service provider may also send a policy name with the request as a Authentication Context Class Reference inside the SAML authentication request. This part is optional however. If no AuthNContextClassRef is sent, the default policy will be evaluated. 

 

pastedImage_3.png

 

The example below shows a configuration that tells RSA SecurID Access to do the primary and additional authentication.

A AuthNContextClassRef might be provided in the request but if it is not there the default one will be used.

 

pastedImage_4.png

 

As primary authentication you can either select "Password" or "SecurID".

So pick whatever you desire and continue on to the next screen.

 

3. Connection Profile

In this final screen you do all the SAML specific configs. The best approach is to upload the SAML metadata file from the service provider and finish the configuration.

pastedImage_6.png

 

4. Download IDP metadata file and import into sptest.iamshowcase.com

After you finished the configuration the IDP side the last thing to do there is to download the metadata. To do that, click on the arrow besides the "Edit" button besides the Service Provider you just created. Then choose to view or download the metadata.

pastedImage_8.png

 

You'll be presented with a screen like this:

pastedImage_9.png

 

Either just copy the content or download the file.

 

Go to SAML 2.0 Test Service Provider  and either select the file you downloaded or past the content into the text area. and press the corresponding "Submit" button.

 

pastedImage_10.png

 

After that you'll see the login URL you have to hit to trigger a SAML AuthNRequest:

pastedImage_12.png

If you configured your IDP to do primary and additional authentication you are good to go - just use this URL and you should end up on the login page of your IDP:

 

pastedImage_13.png

 

 

Creating custom SAML Authentication Requests

The SAML Authentication Requests send by the demo site by default pretty blant... they just ask the IDP to authenticate this unknown user somehow - it's entirely up to the IDP to determine what policy to use for example. 

There is however a way to customize the AuthNRequest before it is send to the IDP.

For this to work, you first need to setup SP-initiated SSO (see above) and federate from that IDP at least once. Then the "AuthNRequest Wizard" shows up in the menu bar. 

You can use this to add a NameID  and/or to add a AuthenticationContextClassRef to the request. 

Screenshot_20180131_153804.png

Screenshot_20180131_153822.png

The fields for NameID Format and AuthenticationContextClassRef have some pre-configured options - just type in "email" or "unspecified" for the NameID Format and you'll be able to pick the full format identifier from a list. Same goes for the authNcontextClass - there is e.g. "password". However if you want to use the RSA SecurID Access Cloud IDP I suggest you create a policy first and use that together with the "urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:" prefix - type in "rsa" into the field and see some suggestions. If you name your policy after such a suggested name it'll just work (promised!). 

 

Is it secure?

We do not store any part of your metadata except the ACS URL of the IDP - that is what we use to create that unique login URL.

We do not store your subject names, attributes etc.

We do also not validate the SAML signature - at least in the current release. This is a demo site and not really concerned about security. So if you send a SAML assertion with a invalid signature don't expect it to trigger any alarms.

Labels
15 Comments
RicardoArmand
Employee
Employee
‎2016-06-10 11:29 PM

pretty cool! will have to give it a whirl

0 Likes
IngoSchubert
Respected Contributor Respected Contributor
Respected Contributor
‎2017-12-13 12:55 PM

I sent you a direct message. I'll look into this...

0 Likes
JasonLehrhoff
Beginner
Beginner
‎2017-12-28 10:14 AM

I'm trying to set this up in Quest (Dell) Cloud Access Manager and if I choose IDP initiated i don't have a connection URL option, but tried the base URL in "Relay State" field that is available only when IDP-initiated is chosen, to no avail.  Also if I leave it as the default SP initiated and put in that base URL it directs me there but says I'm not federated.  If I try to upload our metadata I get a 500 (see screenshot) errorIAM-ShowcaseError1.PNG

0 Likes
IngoSchubert
Respected Contributor Respected Contributor
Respected Contributor
‎2018-01-29 01:35 PM

Hi Jason,

 

I'm about to publish a new version of this. Are you still getting the error mentioned above?

 

Regards,

 

Ingo

0 Likes
AlexArthur
Beginner
Beginner
‎2018-02-07 06:30 PM

Hi Ingo!

 

Thank you for producing this site so that I can concentrate on Auth, rather than the APP content!  How's that for a switch?  I've been trying to use this site to test my SSO hub (idp).  Authenticating into the SSO hub gives no trouble and a session is persisted containing all of the required fields.

 

When the following response is sent to this SP, the web page indicates  "Hello Stranger. Something went terribly wrong!  Error parsing the SAML Assertion/Reponse..."  Can you suggest what's wrong?  The assertion looks basically right to me.

 

Thanks,

Alex

 

Here's my SAML response...

 

<Response Destination="https://sptest.iamshowcase.com/acs" ID="_5d6c946816a65262a9b6bda1a5062e797a0a" IssueInstant="2018-02-07T22:49:13Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">SampleSAMLIDP</ns1:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_5d6c946816a65262a9b6bda1a5062e797a0a">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zLBEJXE91kdtzl6gcAS0zy409YE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TaCOXZDrhKDnmCuSUjH/EdQZJS1RlvfMym1Ie9VkHtfe72/0rzpRN0jPmFSbgP6cXVGDpTi5zY3c
HCsIMb5OrmI+iU8+Ed976HsXNmeBlCQp6LsYPbFzn6i6AK1k+eM01aNJ+VFwIkUWRLZV5LoVNGFe
86O+0LlGGresDveMEXB+OhcJ1Fw3KTozkVQ7y15CBuJCm1vXCrPvcymhlAQQLT5bOH1Q5OzDFaIF
u1QSp5yr7rvDErTdbXAKCVm8JdmLu/obhtuyB85sNzllxrcD+JDoNcbUZBUVj3LdJlBHtR8MDSbI
NYxbX4rkERrthUpYsx6aJgy0UoVe3Uj36ZK9Fw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDEDCCAfigAwIBAgIEV2mQYzANBgkqhkiG9w0BAQsFADBKMRgwFgYDVQQKEw9DQSBUZWNobm9s
b2dpZXMxFjAUBgNVBAsTDVNlY3VyaXR5IFNXQVQxFjAUBgNVBAMTDVNhbXBsZVNBTUxJRFAwHhcN
MTYwNjIxMTkwNzE1WhcNMjYwNjE5MTkwNzE1WjBKMRgwFgYDVQQKEw9DQSBUZWNobm9sb2dpZXMx
FjAUBgNVBAsTDVNlY3VyaXR5IFNXQVQxFjAUBgNVBAMTDVNhbXBsZVNBTUxJRFAwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ80NUNNsL6/XY5uLkRTZaQxovMyuDNhJXhbot/GlZfYeC
40tjUbiNbwvAUfW9wg/rzqiLFvzSA4raNPa0ydy07yvKXbjGMGDqTyFZysLEbiFRlHHvPGtew0x8
CpSxUiDGXH+lH8hk/PDm3l2pjs37CoyX/W0yGbn2RYDzcKgCg6TST92L3gOPaBR3680Usyf8erpc
83+h8opCnDVRYztYfeJWJc03LzTnF7F5/H2mavGL6DeuNKlxiv/9kkjRt5ysJdcdEj2YEoKQIs7g
7HTWNNOpokXRBH8eqQHHI3kGbeNnzTip/yJZositVgle4w+zU7raYB+isEq/ryC5+iYvAgMBAAEw
DQYJKoZIhvcNAQELBQADggEBAG4oGnJWfqDuMuOwJ6rOzWqSv/JusY/wkGbwFEapO4G1SZhrH0Jb
3eistNNOemq+tCD2qG+W3vdlMeovgJTfMQUBQOvMplJR9KUp5rIN64HS6kcHZGsP0SB6Wj1a8vCV
3esoZHVoXrKrIskNGrXPr2H3y6hvSvPyqmWLrk8TQyeJFg3msrk03YbWErjvYxcC1FMKGiU+BnK3
tZ1zf46pCGjIbrJRk7Uy8AJpWWWj8f1AkVHflMNRd2bqYVtOkw5FxyqJz9aN33TmtJuS0pjd235D
fMdWI2A5zPM0gk1MZQN6bHoarNiPYQj+vOBU86ckN18QSDEslM+tJFg2+abPK3I=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<ns2:Assertion ID="_439b9590c261ac789a3af92e706666e105ae" IssueInstant="2018-02-07T22:49:13Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
<ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SampleSAMLIDP</ns2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_439b9590c261ac789a3af92e706666e105ae">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ICAnwZ4MXzG4Ld//0rsLRV5DJv0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>A8znWy+X5TZOOjFHb1z2RlH+JHcnXT/CWZiV7BEJaLj4kmy8wViCI0tUeVKn45g6klLBaSpMwG3+
RVKDhJhdTmNQj64H1NyTQ4JhY3zVfX6vQnyUpusDESZTholiww9Z7VZsP9Oyj+ky68Cuh0xK2dUo
xPDoAFXRhv7+CdZ6mGF5g8J5+VOvG5yrEsx1PUSQ+7d32RpnEE8Rq7WMHBNLCGWh+6g6YGTcFura
3XTFMrQ1GE7DwePKr/tGw5RJgruEBI4hBHzB7BvWgxuasNpq67PdfI5GRZb77mYpFq2vXxcqFQWL
eYVZb1UwAIWe5DmIDIFdxy+QLt8CcoKtUeNXag==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDEDCCAfigAwIBAgIEV2mQYzANBgkqhkiG9w0BAQsFADBKMRgwFgYDVQQKEw9DQSBUZWNobm9s
b2dpZXMxFjAUBgNVBAsTDVNlY3VyaXR5IFNXQVQxFjAUBgNVBAMTDVNhbXBsZVNBTUxJRFAwHhcN
MTYwNjIxMTkwNzE1WhcNMjYwNjE5MTkwNzE1WjBKMRgwFgYDVQQKEw9DQSBUZWNobm9sb2dpZXMx
FjAUBgNVBAsTDVNlY3VyaXR5IFNXQVQxFjAUBgNVBAMTDVNhbXBsZVNBTUxJRFAwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ80NUNNsL6/XY5uLkRTZaQxovMyuDNhJXhbot/GlZfYeC
40tjUbiNbwvAUfW9wg/rzqiLFvzSA4raNPa0ydy07yvKXbjGMGDqTyFZysLEbiFRlHHvPGtew0x8
CpSxUiDGXH+lH8hk/PDm3l2pjs37CoyX/W0yGbn2RYDzcKgCg6TST92L3gOPaBR3680Usyf8erpc
83+h8opCnDVRYztYfeJWJc03LzTnF7F5/H2mavGL6DeuNKlxiv/9kkjRt5ysJdcdEj2YEoKQIs7g
7HTWNNOpokXRBH8eqQHHI3kGbeNnzTip/yJZositVgle4w+zU7raYB+isEq/ryC5+iYvAgMBAAEw
DQYJKoZIhvcNAQELBQADggEBAG4oGnJWfqDuMuOwJ6rOzWqSv/JusY/wkGbwFEapO4G1SZhrH0Jb
3eistNNOemq+tCD2qG+W3vdlMeovgJTfMQUBQOvMplJR9KUp5rIN64HS6kcHZGsP0SB6Wj1a8vCV
3esoZHVoXrKrIskNGrXPr2H3y6hvSvPyqmWLrk8TQyeJFg3msrk03YbWErjvYxcC1FMKGiU+BnK3
tZ1zf46pCGjIbrJRk7Uy8AJpWWWj8f1AkVHflMNRd2bqYVtOkw5FxyqJz9aN33TmtJuS0pjd235D
fMdWI2A5zPM0gk1MZQN6bHoarNiPYQj+vOBU86ckN18QSDEslM+tJFg2+abPK3I=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<ns2:Subject>
<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">saml.jackson@example.com</ns2:NameID>
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns2:SubjectConfirmationData NotOnOrAfter="2018-02-07T22:55:13Z" Recipient="https://sptest.iamshowcase.com/acs"/>
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2018-02-07T22:44:13Z" NotOnOrAfter="2018-02-07T22:55:13Z">
<ns2:AudienceRestriction>
<ns2:Audience>IAMShowcase</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>
<ns2:AuthnStatement AuthnInstant="2018-02-07T22:49:13Z" SessionIndex="zYeXDnpBkt4vkIgVzSlhb3htb9Y=AWid3Q==" SessionNotOnOrAfter="2018-02-07T22:55:13Z">
<ns2:AuthnContext>
<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
</ns2:AuthnContext>
</ns2:AuthnStatement>
<ns2:AttributeStatement>
<ns2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>Jackson</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>Saml</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>saml.jackson@example.com</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="subscriber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>AC_TestIDP_Subscription</ns2:AttributeValue>
</ns2:Attribute>
</ns2:AttributeStatement>
</ns2:Assertion>
</Response>

 

0 Likes
IngoSchubert
Respected Contributor Respected Contributor
Respected Contributor
‎2018-02-08 07:59 AM

Hi Alex,

 

the error was caused by a bug on our side (namespace handling). Please give it another try.

 

Ingo

AlexArthur
Beginner
Beginner
‎2018-02-08 04:22 PM

Thanks Ingo!  That took care of it!

 

Now, I'm working on the SP-initiated, but haven't been able to make progress.  When I upload metadata, I don't see where the unique URL is generated.  As a matter of fact, while the web page permits me to select and upload the metadata file, I don't get any response indicating what was done with my upload.

 

Take care,

Alex

0 Likes
DaveTaku
Moderator Moderator
Moderator
‎2018-02-12 09:06 AM

Ingo - great work yet again. This is awesome. 

0 Likes
AlexArthur
Beginner
Beginner
‎2018-02-12 03:41 PM

Thanks again to Ingo for addressing this problem!  Metadata upload works fine now.  While I didn't update the blog in a timely fashion, the issue was fixed promptly! 

0 Likes
ErikMolnar
New Contributor
New Contributor
‎2018-03-29 11:07 AM

Hi Ingo!

 

Superb test site.

 

I configured it with my RSA SecurID Access enviroment and it works if I don't configure anykind of step-up authentication.

 

If I configure a policy for this application then I always get error messages and redirection never happens to the site and I don't see any error message in the logs.

 

What could be this issue?

 

Thank you in advance.

0 Likes
IngoSchubert
Respected Contributor Respected Contributor
Respected Contributor
‎2018-03-29 11:19 AM

Hi Erik,

 

that sounds more like a configuration issue on the RSA SecurID Access side. Either send me a direct message thru this site or email me a screenshot of the error you are getting as well as of the policy you are using: ingo.schubert@rsa.com 

 

Regards,

 

Ingo

0 Likes
ErikMolnar
New Contributor
New Contributor
‎2018-03-29 01:53 PM

Hi Ingo,


Indeed it was a configuration issue and I could find and solve it.

 

Regards,

 

Erik

0 Likes
IngoSchubert
Respected Contributor Respected Contributor
Respected Contributor
‎2018-03-29 03:04 PM

Glad to hear that! 

Thanks for the update. 

 

Ingo 

0 Likes
VinodNair
Contributor Contributor
Contributor
‎2018-08-28 08:45 PM

Hello Ingo,

Trying to play with the SP initiated SSO working. I have got the IDP initiated SSO working already for this user. I am using the AuthNRequestWizard in this case (because using auto generated link after loading the meta data does not ask me for a user name)

I get the following  SAML response

 

 

 

sso:1 The SSL certificate used to load resources from https://sp43.auth-demo.securid.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for 

more information.
VM44:3 SAML Request Method: GET
VM44:3 SAML Request Method: GET
VM44:3 SAML Request Method: GET
VM48:3 SAML Request URL: https://sp43.auth-demo.securid.com/saml-fe/sso?SAMLRequest=fZNPb%2BIwEMXv%2Byki3%2FOHQCFYEJUFrRap3SJg99DbYE8WV4md9TiUj79OCFIObY%2FxPM%2F7vfFkQVCVNV817qz3%2BK9BcsG1KjXxrrBkjdXcACniGiok7gQ%2FrJ6feBolvLbGGWFKNrjy9Q0gQuuU0Sz4YazAznfJCigJWbDdLBngbCzlbJKlQ...
VM48:3 SAML Request URL: https://sp43.auth-demo.securid.com/saml-fe/sso?SAMLRequest=fZNPb%2BIwEMXv%2Byki3%2FOHQCFYEJUFrRap3SJg99DbYE8WV4md9TiUj79OCFIObY%2FxPM%2F7vfFkQVCVNV817qz3%2BK9BcsG1KjXxrrBkjdXcACniGiok7gQ%2FrJ6feBolvLbGGWFKNrjy9Q0gQuuU0Sz4YazAznfJCigJWbDdLBngbCzlbJKlQ...
VM48:3 SAML Request URL: https://sp43.auth-demo.securid.com/saml-fe/sso?SAMLRequest=fZNPb%2BIwEMXv%2Byki3%2FOHQCFYEJUFrRap3SJg99DbYE8WV4md9TiUj79OCFIObY%2FxPM%2F7vfFkQVCVNV817qz3%2BK9BcsG1KjXxrrBkjdXcACniGiok7gQ%2FrJ6feBolvLbGGWFKNrjy9Q0gQuuU0Sz4YazAznfJCigJWbDdLBngbCzlbJKlQ...
VM51:3 SAML Request Data: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ForceAuthn="false" ID="ae73dd7482cc28fc6bf0da47839db1a9578acbd66" IssueInstant="2018-08-29T00:25:18Z" Destination="https://sp43.auth-demo.securid.com/saml-fe/sso" AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer>IAMShowcase</saml:Issuer><saml:Subject >
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juniorv@vinairwave.com</saml:NameID>
</saml:Subject><samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:Critical</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext></samlp:AuthnRequest>
VM51:3 SAML Request Data: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ForceAuthn="false" ID="ae73dd7482cc28fc6bf0da47839db1a9578acbd66" IssueInstant="2018-08-29T00:25:18Z" Destination="https://sp43.auth-demo.securid.com/saml-fe/sso" AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer>IAMShowcase</saml:Issuer><saml:Subject >
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juniorv@vinairwave.com</saml:NameID>
</saml:Subject><samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:Critical</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext></samlp:AuthnRequest>
VM51:3 SAML Request Data: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ForceAuthn="false" ID="ae73dd7482cc28fc6bf0da47839db1a9578acbd66" IssueInstant="2018-08-29T00:25:18Z" Destination="https://sp43.auth-demo.securid.com/saml-fe/sso" AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer>IAMShowcase</saml:Issuer><saml:Subject >
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juniorv@vinairwave.com</saml:NameID>
</saml:Subject><samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:Critical</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext></samlp:AuthnRequest>
utils.js?cachebust=2.3.1.0.3:101 Collecting credentials
utils.js?cachebust=2.3.1.0.3:101 Displaying RISK Facts Collection View...
utils.js?cachebust=2.3.1.0.3:101 Risk identification cookie already exists.
utils.js?cachebust=2.3.1.0.3:101 Location cookie already exists. No need to show pop-up.
utils.js?cachebust=2.3.1.0.3:101 In _processFacts
rsa-1.0.0.0.0.min.js?cachebust=2.3.1.0.3:1 [Intervention] Slow network is detected. See https://www.chromestatus.com/feature/5636954674692096 for more details. Fallback font will be used while loading: https://sp43.auth-demo.securid.com/iawebauth/templates/less/fonts/icomoon-ultimate.woff
FingerPrint.deviceprint_fonts @ rsa-1.0.0.0.0.min.js?cachebust=2.3.1.0.3:1
add_deviceprint @ rsa-1.0.0.0.0.min.js?cachebust=2.3.1.0.3:1
encode_deviceprint @ rsa-1.0.0.0.0.min.js?cachebust=2.3.1.0.3:1
_processFacts @ riskFactsView.js?cachebust=2.3.1.0.3:63
triggerEvents @ backbone-1.2.1.js?cachebust=2.3.1.0.3:351
triggerApi @ backbone-1.2.1.js?cachebust=2.3.1.0.3:339
eventsApi @ backbone-1.2.1.js?cachebust=2.3.1.0.3:137
Events.trigger @ backbone-1.2.1.js?cachebust=2.3.1.0.3:329
_setRiskIdentifyingCookie @ riskFactsView.js?cachebust=2.3.1.0.3:215
PrimaryAuthProcessor.collectRISKFacts @ primaryAuthProcessor.js?cachebust=2.3.1.0.3:124
PrimaryAuthProcessor.process @ primaryAuthProcessor.js?cachebust=2.3.1.0.3:50
doPrimaryAuth @ mainRouter.js?cachebust=2.3.1.0.3:85
startIAWebAuth @ mainRouter.js?cachebust=2.3.1.0.3:80
execute @ backbone-1.2.1.js?cachebust=2.3.1.0.3:1464
(anonymous) @ backbone-1.2.1.js?cachebust=2.3.1.0.3:1452
(anonymous) @ backbone-1.2.1.js?cachebust=2.3.1.0.3:1735
_.some._.any @ underscore-1.8.3.js?cachebust=2.3.1.0.3:258
loadUrl @ backbone-1.2.1.js?cachebust=2.3.1.0.3:1733
start @ backbone-1.2.1.js?cachebust=2.3.1.0.3:1675
(anonymous) @ main.js?cachebust=2.3.1.0.3:198
domReady @ domReady.js?cachebust=2.3.1.0.3:106
(anonymous) @ main.js?cachebust=2.3.1.0.3:152

 

.

.

.

 

 

utils.js?cachebust=2.3.1.0.3:101 Latitude and longitude successfully collected
utils.js?cachebust=2.3.1.0.3:101 Invoke callback from riskFactsView.successCallBack
utils.js?cachebust=2.3.1.0.3:101 RISK facts added to sessionAttributes
utils.js?cachebust=2.3.1.0.3:101 Get IA Initialize request data SUCCESS
utils.js?cachebust=2.3.1.0.3:101 Initializing IA
utils.js?cachebust=2.3.1.0.3:101 Send initialize. SUCCESS: {"context":{"authnAttemptId":"cd6d9b6c-576a-4783-ad64-e7b0124875e5","messageId":"2ebcf63f-f08c-4095-ad56-c9fa72dc6a17","inResponseTo":"4ee0c833-c1ab-4e96-9213-9be53e848eb2"},"credentialValidationResults":[],"attemptResponseCode":"FAIL","attemptReasonCode":"INIT_CANNOT_FIND_POLICY","challengeMethods":null}
utils.js?cachebust=2.3.1.0.3:101 Parsing IA Session response
utils.js?cachebust=2.3.1.0.3:101 Unable to identify primary authentication method. ERROR.
utils.js?cachebust=2.3.1.0.3:101 Unexpected error displayed.
utils.js?cachebust=2.3.1.0.3:101 User did not respond to the browser location collection consent form in a timely manner or browser did not invoke any of the callbacks provided for location collection

 

This behavior is the same weather or not I have the relying party setup to do both authentication or just the secondary.

The last error regarding the location is not true as it only asked for location permission only once. It only asked for my location at the first time, the behavior is the same for the attempts after I have permanently allowed the site have my location.

 

The environment I set up is Singlepoint43

The replying party is IngosSP

I have tried a few policies even with no restrictions at all.

The user is juniorv@vinairwave.com

 

Any ideas?

0 Likes
maheshnanubala
Beginner
Beginner
‎2019-09-04 09:33 AM

I'm not able to create the app...can you please provide the link for creation the app

0 Likes
© 2023 RSA Security LLC or its affiliates. All rights reserved.