Skip to main content

Questions tagged [saml]

SAML (Security Assertion Markup Language) is an open standard and XML-based markup language for exchanging authentication and authorization information between parties, known as service providers and identity providers.

Filter by
Sorted by
Tagged with
11 votes
1 answer
2k views

Microsoft Exchange Federation Trust Broken After Verifying in Office 365

Okay so...this all started during our Office 365 setup. According to Microsoft, you have to delete your on-premises federation trust from Exchange, verify the domain, then add it back...otherwise you ...
Nathan C's user avatar
  • 15.1k
7 votes
0 answers
1k views

Signout with ADFS3 with SAML

I have implemented SSO using ADFS3. I have a logout button for sign out and it’s working fine with my ws-federation passive endpoints. On logout I redirect user to logout.aspx page and there I have ...
user641812's user avatar
4 votes
2 answers
14k views

AADSTS50107: Requested federation realm object does not exist, when integrating Okta as an IdP for AAD

I'm trying to set up AAD with Okta, and find that when users visit the App Embed link and it posts their SAML response to https://login.microsoftonline.com/login.srf, they get an unhelpful error: ...
Falcon Momot's user avatar
  • 25.4k
4 votes
1 answer
1k views

Sure of Valid Parameter set, Powershell Says: "Parameter set cannot be resolved..."

I'm attempting to run a Powershell cmdlet that only accepts one of three specific parameters. I'm positive that I know what those parameters are, and that I am entering those parameters correctly. I ...
AESD_Mike's user avatar
4 votes
0 answers
5k views

How should the relying trust be set up in ADFS for SAML-based SSO?

We've done SAML-based SP-initiated SSO with a number of customers, and it's all been ok (eventually). We've got a customer now who's using ADFS. We can get idP-initiated to work fine, but with SP-...
Elbin's user avatar
  • 141
3 votes
2 answers
2k views

Combine apache auth providers of different types with basic auth only if proactively provided by client

I'd like to be able to have a path on an apache server (2.4.18+ on ub16) that primarily authenticates using SAML (using the mod_auth_mellon plugin) for interactive use, but also supports having the ...
Nathan Neulinger's user avatar
3 votes
1 answer
4k views

Can we configure ADFS for IDP initiated SSO

I'm looking for ways of integrating ADFS as a IDP for a SAML2 service provider. I have already configured the SAML2 provider with the verification certificates etc. And we used "Add Relying Party ...
Jayantha Lal Sirisena's user avatar
3 votes
1 answer
780 views

Where do I purchase token signing certificate for ADFS?

We are integrating with ADFS (SAML) with a customer. The customer requires us to obtain token signing certificate, trusted by well known CA. The certificate will be used to sign SAML requests that are ...
weilin8's user avatar
  • 133
3 votes
1 answer
2k views

Configuring Google Chrome to Connect to AD Configured with Kerberos and Using ADFS

I'm trying to configure Google Chrome (and Firefox) to authenticate using Active Directory tunneled through ADFS SAML/Kerberos Endpoints and an Apache application using Shibboleth. Here are some ...
Franz Noel's user avatar
3 votes
1 answer
2k views

ADFS: Convert SAML Assertion to OAuth Token?

We have Microsoft Active Directory Federation Services (ADFS) as our authentication/federation provider. We use it for performing identity federation via SAML to several external vendors, SaaS ...
Shadowman's user avatar
3 votes
2 answers
2k views

Using Google Apps / G Suite as IdP for Office365

I'm trying to set up SAML SSO where G Suite is the identity provider for Office 365 (service provider). Google's instructions are limited: https://support.google.com/a/answer/6363817?hl=en But I ...
tplants's user avatar
  • 31
2 votes
1 answer
966 views

Shibboleth - Secure whole IIS application

I've setup shibboleth SP on my server and now I want to protect my IIS folders. I followed a few tutorials and used this syntax in my shibboleth2.xml file: <RequestMapper type="Native"> &...
posixpascal's user avatar
2 votes
2 answers
3k views

How can I resolve "SAML Providers must reference at least one SAML assertion issuer" message?

I want to setup a SSO solution using Keycloak 10.0.2 as the Identity Provider. The first application I want to setup is AWS. I followed this tutorial to enable Keycloak to sign me in using SAML. I ...
user540468's user avatar
2 votes
1 answer
7k views

SHIBBOLETH SP - Shibboleth handler invoked at an unconfigured location - Shibboleth.sso/Session/

I am trying to get shibboleth configured. When I go to https://mysite/secure/index.php, it works properly, I can authenticate, etc. but when I go to https://mysite/Shibboleth.sso/Status (or any other ...
Kevin Finkenbinder's user avatar
2 votes
1 answer
1k views

single sign-on to multiple SAML SPs with one IdP

Part of our site, say https://www.example.com/files, is protected by mod_auth_mellon, which provides an SP that authenticates with our IdP. This works fine. The rest of the site is Drupal with the ...
Andrew Schulman's user avatar
2 votes
1 answer
924 views

Where does Chrome fetch my identity from after having deleted cookies?

I'm trying to figure out where does Google CHrome fetch my identity from when authenticating to an Identity Provider (SAML with certificate authentication) What I have tried : Delete all cookies, ...
MeMow's user avatar
  • 292
2 votes
2 answers
2k views

Configuring Shibboleth SAML 2.0 with ADFS 3.0 with Fedration Errors

I'm trying to configure ADFS 3.0 and SAML 2.0. Currently, I get this error whenever I restart shibd and httpd. 2016-11-07 12:49:08 ERROR XMLTooling.ParserPool : error on line 1, column 2702, message: ...
Franz Noel's user avatar
2 votes
1 answer
6k views

ADFS error duing SAML Service Provider Login

I have a Spring SAML Project that has been under development for about a month. I've integrated with ADFS and everything has been working well. I'm getting an intermittent error that is becoming ...
blur0224's user avatar
  • 128
2 votes
0 answers
303 views

Implement SSO between a custom app and Microsoft 365 with custom identity provider

I’m trying to implement SSO between a custom app and Microsoft 365 so that when the users hit any link to Teams o SharePoint Online in the Liferay app, ADFS doesn't ask for credentials. Context: ADFS ...
Eduard Paul Lakida's user avatar
2 votes
0 answers
305 views

Wildfly Elytron container managed authentication with federated SAML2 IDP

I'm trying to set up container-managed authentication with Wildfly 24 and would like to use an existing (federated) Shibboleth IDP. I haven't found docs detailing that use case, so I opted for the ...
fuero's user avatar
  • 9,799
2 votes
0 answers
1k views

Subversion Server with Azure AD SSO

There is a running CollabNet Subversion Edge Server in the current version 5.2.4. It is currently connected with LDAP for authentication. Now there is a challenge to grant permission to b2b guests of ...
Wyphorn's user avatar
  • 45
2 votes
0 answers
4k views

How to download SAML XML metadata from Microsoft Azure

I have an enterprise application that implements SAML SSO, and I have a new client who wishes to use it. This feature works with other clients. However, the application requires that the client ...
user3188777's user avatar
2 votes
0 answers
329 views

AADSTS700517 using AWS Cognito and Azure AD Enterprise App

I have configured an AWS Cognito UserPool to use an Azure AD Enterprise Application as a SAML federated identity provider as per the blog post here: https://medium.com/the-apps-team/how-to-add-azure-...
Martin Harris's user avatar
2 votes
1 answer
126 views

ADFS Alternative questions

We had (Before it went belly up) an ADFS server that was simply doing a translation from SAML 2.0 to WSFED (My end point software can not take in SAML only WSFED). My question is, what are the ...
Nathan's user avatar
  • 73
2 votes
0 answers
2k views

ADFS - Correct way to massively provision relying party trusts for many similar SAML service provider

Let's say I have 200+ sites in the form of: https://site1.example.com, https://site2.example.com I have to deploy an identical SAML configuration for all of these sites. Ideally I would just have a ...
Dylan's user avatar
  • 156
2 votes
0 answers
1k views

How to create an SPN for an ADFS server with an alias

I have a colleague who has set up an ADFS server in a test environment and that have given the ADFS server an alias. host name test-server.tdom.com alias test-adfs.tdom.com The server is running ...
GaryF's user avatar
  • 21
1 vote
1 answer
14k views

Why do I get "InvalidNameIdPolicyException: MSIS7070" when authenticating via ADFS?

I am trying to set up ADFS authentication (Server 2012) to a Bomgar appliance. Both ADFS and Bomgar are running in VMware Workstation virtual machines. ADFS is acting as the IdP (located at https://...
David Dietrich's user avatar
1 vote
1 answer
5k views

Skipping unmapped SAML 2.0 attribute, even though name and nameFormat match

SP running Shibboleth 2.5.6. For one particular IdP, I have these attribute mappings: <Attribute name="role" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="role" /...
bishop's user avatar
  • 1,103
1 vote
3 answers
9k views

Splunk SAML SSO from an IdP with Apache mod_mellon fails

I am trying to configure SSO from an IdP to Apache with mod_mellon and mod proxy to splunk. Environment: Ubuntu 14.04; Apache 2.4.7; mod-auth-mellon 0.7.0. Apache configured with the mellon-...
Brett's user avatar
  • 221
1 vote
1 answer
741 views

Should the AD FS Federation metadata for a Relying Party Trust be publicly accessible?

If I am a relying party, I can expose federation metadata to ease configuration for AD FS so I can import it into the Create a Relying Party Trust wizard. I can also choose to enable automatic updates ...
Melvin's user avatar
  • 111
1 vote
1 answer
509 views

AD FS Access Control Policy to permit specific groups and require MFA

We use an on-premise AD FS server (currently on Windows Server 2019), with several "relying party" applications. This is connected to local Active Directory, which in turn syncs to an Azure ...
Joel Coel's user avatar
  • 13k
1 vote
1 answer
811 views

Azure SAML claim configuration shows emailaddress in the default template, but also shows "This claim is restricted"

We are created a claim in the Azure interface for SAML and by default the email address is included in the template when we first create it. Everything was working fine, however a rookie was messing ...
Rocksalt's user avatar
1 vote
1 answer
7k views

ADFS - How to send sAMAccountName without domain

I'm using ADFS and I need to send the sAMAccountName. Currently using a "Transform an incoming claim" rule: Incoming claim type: Windows account name Outgoing claim type: Name ID Outgoing ...
error401's user avatar
1 vote
1 answer
10k views

AD FS Not Authenticating SAML Requests

This morning, it was brought to our attention that Active Directory Federation Services has stopped performing SAML authentications for all SAML-based relying party trusts (about 8 of them). Office ...
SteadH's user avatar
  • 676
1 vote
2 answers
1k views

LDAP connector for SAML

I'm looking for a SAML-LDAP bridge. I am trying to get company macs to authenticate against Centrify Cloud (no AD, we don't plan on implementing it). I can federate access to Centrify Identity Service ...
Adam Machnikowski's user avatar
1 vote
1 answer
2k views

SAML authentication fails with error MSIS7075

Windows Server 2012 R2 ADFS relying party: RPIdentifier SAML Endpoints: https://myhost.domain/adfs/ls and https://10.2.0.225/saml bound to POST Encryption: The self-signed certificate used for ...
Bemipefe's user avatar
  • 115
1 vote
1 answer
1k views

How to get Subject from client certificate issued as a claim in ADFS?

I'm using Certificate Based Authentication in ADFS 3.0 and need to get the Subject field from the client certificate issued as a claim, but it's not available as an incoming claim to ADFS. When I ...
Amethi's user avatar
  • 123
1 vote
0 answers
45 views

After creating relying party trust in ADFS, how to validate configuration is correct using SAML tracer

I created a relying party trust in ADFS. To test, I log into IDP, initiate link, select the relying party, enter credentials, then the application page will display. How do I perform this validation ...
rashmi byali's user avatar
1 vote
1 answer
56 views

How can I authenticate workstation on Azure ID when tenant uses SAML to Google?

I have some clients using Google SALM (https://support.google.com/a/answer/6363817?hl=en) on Microsoft O365, when a user need access to Office 365 tools and use your corporate e-mail account, ...
Ivan Carlos's user avatar
1 vote
0 answers
44 views

Why don't identity providers have separate IDs and Names in Openstack?

I think most of the things have a separate ID and a separate Name in Openstack (Users, Projects, virtual machines, etc). Why don't identity providers have separate IDs and Names? Are there other ...
Zoli's user avatar
  • 11
1 vote
0 answers
725 views

Why isn't Kerberos used for SSO to cloud apps?

When comparing Kerberos to SAML, a common argument on StackOverflow sites and the rest of Internet is that SAML is for Internet / cloud applications while Kerberos is for enterprise LAN. There are ...
Ryan's user avatar
  • 197
1 vote
0 answers
78 views

Integrating GitHub Org with SAML shibboleth & post actions

I am at the beginner level of GitHub cloud administration and looking for answers to the below-listed questions after I enable SAML integration (Shibboleth) for my Github cloud Organisation. Before ...
rgh's user avatar
  • 11
1 vote
0 answers
48 views

Windows ADFS User Certificate URL

I have setup a window lab server based on windows server 2012 r2. I have an AD, ADFS and CS. I have setup User certificate enrollment. Everything work fine but I have a litle issue. I have setup ADFS ...
Jonathan COLLIN's user avatar
1 vote
2 answers
1k views

AzureAD IDP Initiated SAML always return nameid-format:persistent instead of nameid-format:emailAddress

I'm developing SSO using SAML and my IdP is Azure. I'm having problem with IDP Initiated flow. In SAML Response I always get this NameID: <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:...
truongnm's user avatar
  • 111
1 vote
1 answer
1k views

Set an attribute as MellonUser on mod_mellon

I'm failing to setup MelonUser on my Apache configuration. The NAME_ID my IdP provides in really a session ID that changes every time, and it's the only data available in the Subject of the response. ...
lithiium's user avatar
  • 205
1 vote
2 answers
2k views

Signature verification for InCommon SAML metadata using xmlsec1 fails

InCommon Federation provides IdP and SP metadata. Their refresh policy recommends frequent checking of the metadata aggregate to use the most recent version. They strongly recommend InCommon SPs ...
pbuck's user avatar
  • 11
1 vote
1 answer
164 views

customise saml attributes Azure AD

I have configured SAML SSO against a new app in my Azure Console. I have proven it authenticates using simplesamlPHP. I am trying to add/adjust the attributes that are passed back with the SAML token. ...
Lindsay Macvean's user avatar
1 vote
1 answer
545 views

Does Shibboleth IdP 3 automatically echo relay state by default?

Maybe this is a dumb question, but I can't find any anything about this in the documentation or elsewhere. According to the SAML spec, I know that the IdP is supposed to echo back the relay state ...
SpasemanSpiph's user avatar
1 vote
0 answers
37 views

SAML Azure mappings

I'm trying to setup SocialCast to use SSO against Azure AD. I have everything working except I'm unable to map the fields for first name, last name, and email address. I know authentication is ...
Carl's user avatar
  • 373
1 vote
0 answers
26 views

Reconfiguring MFA for SAML account

We use Office 365 SAML for authentication with NewRelic. I recently factory reset my phone and now don't have my Microsoft Authenticator account. I am trying to figure out how to set this up again ...
Miles Hayler's user avatar