Questions tagged [saml]
SAML (Security Assertion Markup Language) is an open standard and XML-based markup language for exchanging authentication and authorization information between parties, known as service providers and identity providers.
105 questions
11 votes, 1 answer, 2k views
Microsoft Exchange Federation Trust Broken After Verifying in Office 365
Okay so...this all started during our Office 365 setup. According to Microsoft, you have to delete your on-premises federation trust from Exchange, verify the domain, then add it back...otherwise you ...
7 votes, 0 answers, 1k views
Signout with ADFS3 with SAML
I have implemented SSO using ADFS3. I have a logout button for sign out and it’s working fine with my ws-federation passive endpoints. On logout I redirect user to logout.aspx page and there I have ...
4 votes, 2 answers, 14k views
AADSTS50107: Requested federation realm object does not exist, when integrating Okta as an IdP for AAD
I'm trying to set up AAD with Okta, and find that when users visit the App Embed link and it posts their SAML response to https://login.microsoftonline.com/login.srf, they get an unhelpful error:
...
4 votes, 1 answer, 1k views
Sure of Valid Parameter Set, PowerShell Says: "Parameter set cannot be resolved..."
I'm attempting to run a PowerShell cmdlet that only accepts one of three specific parameters. I'm positive that I know what those parameters are, and that I am entering those parameters correctly. I ...
4 votes, 0 answers, 5k views
How should the relying trust be set up in ADFS for SAML-based SSO?
We've done SAML-based SP-initiated SSO with a number of customers, and it's all been ok (eventually).
We've got a customer now who's using ADFS. We can get idP-initiated to work fine, but with SP-...
3 votes, 2 answers, 2k views
Combine apache auth providers of different types with basic auth only if proactively provided by client
I'd like to be able to have a path on an apache server (2.4.18+ on ub16) that primarily authenticates using SAML (using the mod_auth_mellon plugin) for interactive use, but also supports having the ...
3 votes, 1 answer, 4k views
Can we configure ADFS for IDP initiated SSO
I'm looking for ways of integrating ADFS as an IDP for a SAML2 service provider. I have already configured the SAML2 provider with the verification certificates etc. And we used "Add Relying Party ...
3 votes, 1 answer, 780 views
Where do I purchase token signing certificate for ADFS?
We are integrating with ADFS (SAML) with a customer. The customer requires us to obtain a token signing certificate, trusted by a well-known CA. The certificate will be used to sign SAML requests that are ...
3 votes, 1 answer, 2k views
Configuring Google Chrome to Connect to AD Configured with Kerberos and Using ADFS
I'm trying to configure Google Chrome (and Firefox) to authenticate using Active Directory tunneled through ADFS SAML/Kerberos Endpoints and an Apache application using Shibboleth. Here are some ...
3 votes, 1 answer, 2k views
ADFS: Convert SAML Assertion to OAuth Token?
We have Microsoft Active Directory Federation Services (ADFS) as our authentication/federation provider. We use it for performing identity federation via SAML to several external vendors, SaaS ...
3 votes, 2 answers, 2k views
Using Google Apps / G Suite as IdP for Office365
I'm trying to set up SAML SSO where G Suite is the identity provider for Office 365 (service provider).
Google's instructions are limited: https://support.google.com/a/answer/6363817?hl=en
But I ...
2 votes, 1 answer, 966 views
Shibboleth - Secure whole IIS application
I've set up Shibboleth SP on my server and now I want to protect my IIS folders. I followed a few tutorials and used this syntax in my shibboleth2.xml file:
<RequestMapper type="Native">
&...
2 votes, 2 answers, 3k views
How can I resolve "SAML Providers must reference at least one SAML assertion issuer" message?
I want to set up an SSO solution using Keycloak 10.0.2 as the Identity Provider. The first application I want to set up is AWS.
I followed this tutorial to enable Keycloak to sign me in using SAML. I ...
2 votes, 1 answer, 7k views
SHIBBOLETH SP - Shibboleth handler invoked at an unconfigured location - Shibboleth.sso/Session/
I am trying to get Shibboleth configured. When I go to https://mysite/secure/index.php, it works properly, I can authenticate, etc. but when I go to https://mysite/Shibboleth.sso/Status (or any other ...
2 votes, 1 answer, 1k views
single sign-on to multiple SAML SPs with one IdP
Part of our site, say https://www.example.com/files, is protected by mod_auth_mellon, which provides an SP that authenticates with our IdP. This works fine.
The rest of the site is Drupal with the ...
2 votes, 1 answer, 924 views
Where does Chrome fetch my identity from after having deleted cookies?
I'm trying to figure out where Google Chrome fetches my identity from when authenticating to an Identity Provider (SAML with certificate authentication).
What I have tried:
Delete all cookies, ...
2 votes, 2 answers, 2k views
Configuring Shibboleth SAML 2.0 with ADFS 3.0 with Federation Errors
I'm trying to configure ADFS 3.0 and SAML 2.0. Currently, I get this error whenever I restart shibd and httpd:
2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: ...
2 votes, 1 answer, 6k views
ADFS error during SAML Service Provider Login
I have a Spring SAML Project that has been under development for about a month. I've integrated with ADFS and everything has been working well. I'm getting an intermittent error that is becoming ...
2 votes, 0 answers, 303 views
Implement SSO between a custom app and Microsoft 365 with custom identity provider
I'm trying to implement SSO between a custom app and Microsoft 365 so that when the users hit any link to Teams or SharePoint Online in the Liferay app, ADFS doesn't ask for credentials. Context:
ADFS ...
2 votes, 0 answers, 305 views
Wildfly Elytron container managed authentication with federated SAML2 IDP
I'm trying to set up container-managed authentication with Wildfly 24 and would like to use an existing (federated) Shibboleth IDP.
I haven't found docs detailing that use case, so I opted for the ...
2 votes, 0 answers, 1k views
Subversion Server with Azure AD SSO
There is a running CollabNet Subversion Edge Server in the current version 5.2.4.
It is currently connected with LDAP for authentication.
Now there is a challenge to grant permission to b2b guests of ...
2 votes, 0 answers, 4k views
How to download SAML XML metadata from Microsoft Azure
I have an enterprise application that implements SAML SSO, and I have a new client who wishes to use it. This feature works with other clients. However, the application requires that the client ...
2 votes, 0 answers, 329 views
AADSTS700517 using AWS Cognito and Azure AD Enterprise App
I have configured an AWS Cognito UserPool to use an Azure AD Enterprise Application as a SAML federated identity provider as per the blog post here: https://medium.com/the-apps-team/how-to-add-azure-...
2 votes, 1 answer, 126 views
ADFS Alternative questions
We had (before it went belly up) an ADFS server that was simply doing a translation from SAML 2.0 to WS-Fed (my endpoint software cannot take in SAML, only WS-Fed).
My question is, what are the ...
2 votes, 0 answers, 2k views
ADFS - Correct way to massively provision relying party trusts for many similar SAML service providers
Let's say I have 200+ sites in the form of:
https://site1.example.com, https://site2.example.com
I have to deploy an identical SAML configuration for all of these sites. Ideally I would just have a ...
2 votes, 0 answers, 1k views
How to create an SPN for an ADFS server with an alias
I have a colleague who has set up an ADFS server in a test environment and has given the ADFS server an alias.
host name test-server.tdom.com
alias test-adfs.tdom.com
The server is running ...
1 vote, 1 answer, 14k views
Why do I get "InvalidNameIdPolicyException: MSIS7070" when authenticating via ADFS?
I am trying to set up ADFS authentication (Server 2012) to a Bomgar appliance. Both ADFS and Bomgar are running in VMware Workstation virtual machines. ADFS is acting as the IdP (located at https://...
1 vote, 1 answer, 5k views
Skipping unmapped SAML 2.0 attribute, even though name and nameFormat match
SP running Shibboleth 2.5.6. For one particular IdP, I have these attribute mappings:
<Attribute name="role"
nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
id="role" /...
1 vote, 3 answers, 9k views
Splunk SAML SSO from an IdP with Apache mod_mellon fails
I am trying to configure SSO from an IdP to Apache with mod_mellon and mod_proxy to Splunk.
Environment: Ubuntu 14.04; Apache 2.4.7; mod-auth-mellon 0.7.0.
Apache configured with the mellon-...
1 vote, 1 answer, 741 views
Should the AD FS Federation metadata for a Relying Party Trust be publicly accessible?
If I am a relying party, I can expose federation metadata to ease configuration for AD FS so I can import it into the Create a Relying Party Trust wizard. I can also choose to enable automatic updates ...
1 vote, 1 answer, 509 views
AD FS Access Control Policy to permit specific groups and require MFA
We use an on-premise AD FS server (currently on Windows Server 2019), with several "relying party" applications. This is connected to local Active Directory, which in turn syncs to an Azure ...
1 vote, 1 answer, 811 views
Azure SAML claim configuration shows emailaddress in the default template, but also shows "This claim is restricted"
We created a claim in the Azure interface for SAML, and by default the email address is included in the template when we first create it. Everything was working fine, however a rookie was messing ...
1 vote, 1 answer, 7k views
ADFS - How to send sAMAccountName without domain
I'm using ADFS and I need to send the sAMAccountName.
Currently using a "Transform an incoming claim" rule:
Incoming claim type: Windows account name
Outgoing claim type: Name ID
Outgoing ...
1 vote, 1 answer, 10k views
AD FS Not Authenticating SAML Requests
This morning, it was brought to our attention that Active Directory Federation Services has stopped performing SAML authentications for all SAML-based relying party trusts (about 8 of them). Office ...
1 vote, 2 answers, 1k views
LDAP connector for SAML
I'm looking for a SAML-LDAP bridge. I am trying to get company Macs to authenticate against Centrify Cloud (no AD, we don't plan on implementing it). I can federate access to Centrify Identity Service ...
1 vote, 1 answer, 2k views
SAML authentication fails with error MSIS7075
Windows Server 2012 R2
ADFS relying party: RPIdentifier
SAML Endpoints: https://myhost.domain/adfs/ls and https://10.2.0.225/saml bound to POST
Encryption: The self-signed certificate used for ...
1 vote, 1 answer, 1k views
How to get Subject from client certificate issued as a claim in ADFS?
I'm using Certificate Based Authentication in ADFS 3.0 and need to get the Subject field from the client certificate issued as a claim, but it's not available as an incoming claim to ADFS.
When I ...
1 vote, 0 answers, 45 views
After creating relying party trust in ADFS, how to validate configuration is correct using SAML tracer
I created a relying party trust in ADFS.
To test, I log into IDP, initiate link, select the relying party, enter credentials, then the application page will display.
How do I perform this validation ...
1 vote, 1 answer, 56 views
How can I authenticate workstation on Azure ID when tenant uses SAML to Google?
I have some clients using Google SAML (https://support.google.com/a/answer/6363817?hl=en) on Microsoft O365; when a user needs access to Office 365 tools and uses their corporate e-mail account, ...
1 vote, 0 answers, 44 views
Why don't identity providers have separate IDs and Names in OpenStack?
I think most things have a separate ID and a separate Name in OpenStack (Users, Projects, virtual machines, etc). Why don't identity providers have separate IDs and Names? Are there other ...
1 vote, 0 answers, 725 views
Why isn't Kerberos used for SSO to cloud apps?
When comparing Kerberos to SAML, a common argument on StackOverflow sites and the rest of the Internet is that SAML is for Internet / cloud applications while Kerberos is for the enterprise LAN. There are ...
1 vote, 0 answers, 78 views
Integrating GitHub Org with SAML shibboleth & post actions
I am at the beginner level of GitHub cloud administration and looking for answers to the below-listed questions after I enable SAML integration (Shibboleth) for my GitHub cloud Organisation.
Before ...
1 vote, 0 answers, 48 views
Windows ADFS User Certificate URL
I have set up a Windows lab server based on Windows Server 2012 R2. I have an AD, ADFS and CS.
I have set up User certificate enrollment. Everything works fine but I have a little issue.
I have set up ADFS ...
1 vote, 2 answers, 1k views
AzureAD IDP Initiated SAML always returns nameid-format:persistent instead of nameid-format:emailAddress
I'm developing SSO using SAML and my IdP is Azure.
I'm having a problem with the IDP Initiated flow. In the SAML Response I always get this NameID:
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:...
1 vote, 1 answer, 1k views
Set an attribute as MellonUser on mod_mellon
I'm failing to set up MellonUser in my Apache configuration. The NAME_ID my IdP provides is really a session ID that changes every time, and it's the only data available in the Subject of the response.
...
1 vote, 2 answers, 2k views
Signature verification for InCommon SAML metadata using xmlsec1 fails
InCommon Federation provides IdP and SP metadata. Their refresh policy recommends frequent checking of the metadata aggregate to use the most recent version. They strongly recommend InCommon SPs ...
1 vote, 1 answer, 164 views
Customise SAML attributes Azure AD
I have configured SAML SSO against a new app in my Azure Console. I have proven it authenticates using simplesamlPHP. I am trying to add/adjust the attributes that are passed back with the SAML token. ...
1 vote, 1 answer, 545 views
Does Shibboleth IdP 3 automatically echo relay state by default?
Maybe this is a dumb question, but I can't find anything about this in the documentation or elsewhere. According to the SAML spec, I know that the IdP is supposed to echo back the relay state ...
1 vote, 0 answers, 37 views
SAML Azure mappings
I'm trying to set up SocialCast to use SSO against Azure AD. I have everything working except I'm unable to map the fields for first name, last name, and email address. I know authentication is ...
1 vote, 0 answers, 26 views
Reconfiguring MFA for SAML account
We use Office 365 SAML for authentication with NewRelic. I recently factory reset my phone and now don't have my Microsoft Authenticator account.
I am trying to figure out how to set this up again ...