Can you set ADFS to automatically redirect to the login page when a user receives an error? - single-sign-on

Currently I'm trying to get Salesforce to hook up with an ADFS cluster. I have it working, but I notice when users go to their bookmarked Salesforce pages without first logging in to ADFS (that are saved past the login point of their journey through the site) they receive a general ADFS error:
An error occurred. Contact your administrator for more information.
I think this error is expected since they aren't authenticated with ADFS yet.
However, when they receive this error, is there a way to have them automatically be redirected to the login page on ADFS to log into Salesforce? I want to enhance their experience so they don't see errors so much.
ADFS is on Server 2012 R2.

I fixed this by ensuring the Salesforce custom domain was published to all users and that bookmark settings were properly set.
https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_testing_and_rollout.htm&language=en_US
https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_login_id_prov.htm&language=en_US

simpleSaml Passive authentication not working or wrong configuration?

I have 2 SPs that use the same IdP.
The IdP uses simplesamlphp, and I have the 2 SPs configured in saml20-sp-remote.php.
The 2 SPs use Laravel, and I am able to log in using each of the SPs individually, and am able to use the same login in the 2 SPs, as expected.
I do believe that I am missing something here to achieve passive authentication.
What I am trying to do is: I click on the login link on SP1, I get redirected to the login page on my IdP and after that to the callback URL in SP1. I can confirm that I am authenticated in SP1, and I would like to go to SP2, click the login link and get redirected back with a login, which doesn't happen. If I set passive mode to true I simply get redirected back with no user logged in, and if I set passive mode to false I get the login form, so I need to enter the same credentials for logging into SP2.
What am I missing?
Just to allow a more detailed troubleshooting or others finding this in the future, I am using the Aacotroneo\Saml2 package for Laravel.
I have overridden the default login method in the SAMLController to this (this was actually the second version, the first parameter was set to get back to the default login URL and I forwarded it to the ACS route hoping to reuse the existing logic):
public function login(Saml2Auth $saml2Auth)
{
    // Arguments: returnTo, parameters, forceAuthn, isPassive, stay, setNameIdPolicy
    $saml2Auth->login('/sso/acs', [], false, true, false, true);
}
Regardless of the redirection URL, I am not able to login with isPassive set to true (4th parameter).
I have looked into the idP logs and also tracked down the error in the callback in Laravel to this message:
The status code of the Response was not Success, was Responder -> Passive authentication not supported.
However, I have read that this error can be triggered either by a nonexisting login in idP for that SP as well as for other reasons.
With that in mind, I am a little bit lost.
It seems like the idP is not recognizing the SPs as being related, and does not tell SP2 that there is a user logged in from SP1.
Any hints on missing configurations or additional troubleshooting I can do?
Thank you
If you also get the login screen again on your IdP even when passive is turned off, the problem is not in the use of isPassive, but apparently your IdP does not support single sign-on or it does not work. Maybe there's a session management issue (something with cookies, session storage backend or periodic cleanup) that prevents the SimpleSAML IdP from finding the session of returning users?
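The SP-side handling of the status the question quotes, as an added example that is not part of the question, the answer, or the aacotroneo/laravel-saml2 package: it reads the samlp:Status of a SAML 2.0 Response and treats a Responder status carrying the NoPassive second-level code (SimpleSAMLphp reports it with the message "Passive authentication not supported.") as "the IdP found no session", so a passive probe degrades to an anonymous visit instead of an error page. The two Response documents are constructed samples with only a Status element.

```python
# Added example (not from the question or the aacotroneo/laravel-saml2 package):
# inspect the <Status> of a SAML 2.0 Response on the SP side so that the
# "Responder / NoPassive" answer to an isPassive probe is handled as
# "no session at the IdP" rather than as a hard error.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


def response_status(xml_text):
    """Return (top-level code, second-level code or None, message) of a Response."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status")
    top = status.find(f"{{{SAMLP}}}StatusCode") if status is not None else None
    if top is None or not top.get("Value"):
        raise ValueError("Response carries no StatusCode")
    sub = top.find(f"{{{SAMLP}}}StatusCode")          # optional nested second-level code
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    return (top.get("Value"),
            sub.get("Value") if sub is not None else None,
            (msg.text or "").strip() if msg is not None else "")


def classify_response(xml_text):
    """Map a Response to one of 'success', 'no_passive' or 'failure'."""
    top, sub, msg = response_status(xml_text)
    if top == STATUS_SUCCESS:
        return "success"
    # The second-level NoPassive code is the reliable signal; the message text
    # is only a fallback for IdPs that omit it.
    if top == STATUS_RESPONDER and (sub == STATUS_NO_PASSIVE or "passive" in msg.lower()):
        return "no_passive"
    return "failure"


def next_action(xml_text, was_passive):
    """What the SP callback should do: the decision the question is about."""
    outcome = classify_response(xml_text)
    if outcome == "success":
        return "establish local session"
    if outcome == "no_passive" and was_passive:
        # The IdP had no usable session: treat the visitor as anonymous and send an
        # interactive (IsPassive="false") request only when they ask to log in.
        return "continue anonymously"
    return "show error and log Status for troubleshooting"


# Constructed sample Responses (no Assertion element; only the Status matters here).
SAMPLE_SUCCESS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

SAMPLE_NO_PASSIVE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r2" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Passive authentication not supported.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(classify_response(SAMPLE_SUCCESS), "->", next_action(SAMPLE_SUCCESS, True))
    print(classify_response(SAMPLE_NO_PASSIVE), "->", next_action(SAMPLE_NO_PASSIVE, True))
```

A NoPassive answer to a passive request only says the IdP could not authenticate silently; when the same user did just log in through SP1, that is the cue to look at the IdP's session handling rather than at the SP code.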

Jasig CAS Single Sign Out - Logout

I'm currently making tests with the CAS server 3.5.2 and I'm facing problems with the logout. My knowledge in these topics is limited and I don't manage to go further on that point.
I installed a CAS server and I've got 2 instances of the same Java application that point to that CAS server (apologize if I don't use the adequate terms).
So, when I access the protected resources of my client application, I'm redirected to the CAS login page, I check in my DB if credentials are ok and then I access the resource. Then, if I access the same protected resource from the second instance of the client application I'm not redirected to the login page. That's perfect.
The problem is situated in the logout. To do so, I first execute a session.invalidate() and access the CAS logout page. It's ok because, from the application from which I logged out, I must log in again to access the protected resources. On the other side, the second application remains connected and I can access the protected resources without logging in again.
Well, I know that the session.invalidate() is local to the first application but I thought that the CAS server would have "broadcasted" the disconnection to the other application, but no.
Is there somebody who can give me experience feedback for the single sign out topic?
First make sure that SSO is enabled in the CAS properties file, if not make sure the SSO Listener is enabled in the clients.
If they are enabled then my guess would be the issue is in either the LogoutManagerImpl.java or SamlCompliantLogoutMessageCreator.java files.
The SSO in CAS is performed through the back-channel by transmitting a SAML XML message.
I had an issue with the SSO function last year only to find out that the XML message being broadcasted had an error that prevented it from being parsed.
Finally I solved it...
In web.xml, the order of filters is important. Filters for single sign out must be placed at the beginning.
See this section: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1#CASClientforJava3.1-OrderofRequiredFilters
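The receiving side of CAS single sign-out, as an added example that is not code from the question, the answers, or the Jasig CAS client. CAS notifies every application that validated a ticket for the user by POSTing a SAML LogoutRequest in a logoutRequest form field; the application must map the SessionIndex (the service ticket it validated at login) back to its own HTTP session and invalidate it, which is why the second instance in the question stays logged in when only the first one calls session.invalidate(). The dispatcher models the filter-order point of the second answer: the sign-out handler runs before the authentication check, because the CAS server's POST carries no session and would otherwise be bounced to the login page. The message below is a constructed sample shaped like the CAS 3.x back-channel request; the session ids and ticket are invented.

```python
# Added example (not from the question, the answers, or the Jasig CAS client):
# CAS single sign-out on the application side. The service ticket issued at
# login is the SessionIndex of the later LogoutRequest, so the client has to
# remember ticket -> local session from the moment it validates the ticket.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class SessionStore:
    """Local sessions keyed by session id, plus the ticket -> session index a
    CAS client keeps from the moment a service ticket is validated."""

    def __init__(self):
        self.sessions = {}   # session_id -> {"user": ..., "ticket": ...}
        self.by_ticket = {}  # service ticket (ST-...) -> session_id

    def create(self, session_id, user, ticket):
        self.sessions[session_id] = {"user": user, "ticket": ticket}
        self.by_ticket[ticket] = session_id

    def is_active(self, session_id):
        return session_id in self.sessions

    def invalidate_by_ticket(self, ticket):
        """True if a session bound to this ticket existed and was removed."""
        session_id = self.by_ticket.pop(ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True


def parse_logout_request(xml_text):
    """Extract the SessionIndex from a CAS back-channel LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    if idx is None or not (idx.text or "").strip():
        raise ValueError("LogoutRequest has no SessionIndex")
    return idx.text.strip()


def dispatch(store, method, form, session_id, protected=True):
    """Minimal request pipeline in filter order: single sign-out first, then
    authentication. Returns a short string describing what happened."""
    # 1. SingleSignOutFilter equivalent: handle the CAS server's POST before
    #    anything that would redirect an unauthenticated caller to login.
    if method == "POST" and "logoutRequest" in form:
        ticket = parse_logout_request(form["logoutRequest"])
        removed = store.invalidate_by_ticket(ticket)
        return "session invalidated" if removed else "no session for ticket"
    # 2. AuthenticationFilter equivalent: only now require a local session.
    if protected and not store.is_active(session_id):
        return "redirect to CAS login"
    return "serve resource"


# Constructed sample, shaped like the CAS 3.x back-channel message
# (NameID is unused; the service ticket travels in SessionIndex).
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_lr1" Version="2.0"
  IssueInstant="2013-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructedticket</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def demo():
    """Second application instance: logged in, then told by CAS to sign out."""
    store = SessionStore()
    store.create("JSESSIONID-app2", "alice", "ST-1-constructedticket")
    before = dispatch(store, "GET", {}, "JSESSIONID-app2")
    notified = dispatch(store, "POST", {"logoutRequest": SAMPLE_LOGOUT_REQUEST}, None)
    after = dispatch(store, "GET", {}, "JSESSIONID-app2")
    return before, notified, after


if __name__ == "__main__":
    print(demo())  # ('serve resource', 'session invalidated', 'redirect to CAS login')
```

If the authentication step were placed first in dispatch, the POST from the CAS server would return "redirect to CAS login" and the ticket mapping would never be consulted; that is the web.xml ordering failure the answer describes.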

ServiceNow Single-Log-Out (ADFS) redirects back to ServiceNow and logs you in again

We have ServiceNow among other applications configured in ADFS for SSO, ServiceNow is the only app using SP Initiated signon however.
Sometimes when you log out, it behaves as it should and goes to https://adfs.example.com.au/adfs/ls/?wa=wsignout1.0 and tells you that you are signed out, but sometimes, instead of going to the signed-out page, you just get redirected back to ServiceNow (you can see another SAML request happening and it lets you in) and your session is still logged in. Obviously this represents a security issue! The user logs out, then leaves the machine without looking, and the session is still open!
Anyone come across this before? It seems SP Initiated Sign On is buggy and I need to fix these log out issues for security reasons.
wa=wsignout1.0 is intended for use with WS-Fed applications. ServiceNow, as a SAML2 app, should be sending a properly constructed samlp:LogoutRequest to the /adfs/ls endpoint to do a sign-out properly.
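The two sign-out shapes the answer contrasts, as an added example that is not code from the question, the answer, ServiceNow or ADFS: a WS-Federation sign-out is a plain GET with wa=wsignout1.0, while a SAML 2.0 SP-initiated logout is a samlp:LogoutRequest delivered to /adfs/ls, here with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded). ADFS expects such a LogoutRequest to be signed; the signature step is left out, and the issuer, NameID and SessionIndex values are placeholders. The classifier at the end is for reading a captured browser redirect: it tells a LogoutRequest apart from a fresh AuthnRequest, which is the "another SAML request" the question observed.

```python
# Added example (not from the question, the answer, or ServiceNow/ADFS code):
# WS-Fed sign-out URL versus a SAML 2.0 LogoutRequest on the redirect binding.
# Signing of the LogoutRequest (required by ADFS) is out of scope here.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

ADFS_LS = "https://adfs.example.com.au/adfs/ls/"   # endpoint named in the question
CONSTRUCTED_NOW = datetime(2016, 1, 1, tzinfo=timezone.utc)   # fixed time for examples


def wsfed_signout_url(endpoint=ADFS_LS):
    """The WS-Federation sign-out the question saw in the address bar."""
    return endpoint + "?" + urlencode({"wa": "wsignout1.0"})


def build_logout_request(issuer, name_id, session_index, destination=ADFS_LS, now=None):
    """Unsigned samlp:LogoutRequest. NameID and SessionIndex must repeat what
    the IdP put in the login assertion, or ADFS will not end that session."""
    when = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{when}" '
        f"Destination={quoteattr(destination)}>"
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:NameID>{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def redirect_binding_url(xml, endpoint=ADFS_LS, relay_state=None):
    """Encode a SAML message for the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return endpoint + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url, for reading a captured request."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def classify_signout_url(url):
    """Which protocol message a captured redirect to the IdP carries."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("wa") == ["wsignout1.0"]:
        return "wsfed-signout"
    if "SAMLRequest" in qs:
        local_name = ET.fromstring(decode_redirect_binding(url)).tag.split("}")[-1]
        if local_name == "LogoutRequest":
            return "saml2-logout"
        if local_name == "AuthnRequest":
            return "saml2-signin"      # a new sign-in, i.e. the re-login the question saw
    return "unknown"


if __name__ == "__main__":
    req = build_logout_request("https://sp.example.invalid/metadata",
                               "alice@example.invalid", "_idx-placeholder")
    url = redirect_binding_url(req, relay_state="https://sp.example.invalid/loggedout")
    print(classify_signout_url(wsfed_signout_url()), classify_signout_url(url))
```

When troubleshooting the intermittent behaviour, capturing the redirects after the logout click and running them through classify_signout_url shows whether the SP sent a LogoutRequest at all or went straight to a new AuthnRequest.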

Force re-authentication with ADFS

I have seen a similar post but that was more related to ASP. I will explain my situation below.
I am developing a SP(Relying Party) and integrating with ADFS (IDP). Since I am in the integration phase, I want ADFS to forget that I have previously authenticated so that each time I hit the ADFS endpoint (/adfs/ls) with AuthnRequest, I want it to ask for my credentials.
I believe ADFS, by default, remembers clients by their remote IP/host name, so clearing cookies on the client machine does not help. There was a post that gave a link to log out from the IDP (https:///adfs/ls/?wa=wsignout1.0&wreply=https:///adfs/ls/?wa=wsignoutcleanup1.0). ADFS says I have been logged out, but when I hit the ADFS endpoint, ADFS redirects back to the SP with a successful AuthResponse.
Can you please tell me how to force re-authentication/logout on ADFS or point me to the right articles?
The FederatedPassiveSignInStatus control (which should be part of VS if you've installed all the WIF stuff) will help you. Add it to your app, and clicking it will log you out of everything.
Also see: AD FS: How to Invoke a WS-Federation Sign-Out
Add wfresh=0 as a URL parameter.
This parameter indicates "freshness requirements".
According to the spec:
If specified, this indicates the desired maximum age of authentication specified in minutes.
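The request-side flags that control re-authentication, as an added example that is not code from the question or the answers: for the AuthnRequest the question sends, SAML 2.0 carries the demand as ForceAuthn="true" (IsPassive="true" is the opposite, silent-only probe from the simpleSAML question above, and the two may not be combined); for a WS-Federation sign-in, the wfresh=0 parameter from the second answer plays the same role. The endpoint, issuer and ACS URL constants are placeholders, and the request is left unsigned.

```python
# Added example (not from the question or the answers): build a SAML 2.0
# AuthnRequest that demands fresh credentials, read the flag back as an IdP
# would, and build the WS-Federation equivalent with wfresh=0.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ADFS_LS = "https://adfs.example.invalid/adfs/ls/"    # placeholder endpoint
SP_ISSUER = "https://sp.example.invalid/metadata"    # placeholder entity id
ACS_URL = "https://sp.example.invalid/saml/acs"      # placeholder ACS


def build_authn_request(force_authn=False, is_passive=False, issuer=SP_ISSUER,
                        acs_url=ACS_URL, destination=ADFS_LS, now=None):
    """Unsigned samlp:AuthnRequest with explicit ForceAuthn / IsPassive flags."""
    if force_authn and is_passive:
        # Contradictory: one asks for a new login, the other forbids any prompt.
        raise ValueError("ForceAuthn and IsPassive cannot both be true")
    when = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{when}" '
        f"Destination={quoteattr(destination)} "
        f"AssertionConsumerServiceURL={quoteattr(acs_url)} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'ForceAuthn="{str(force_authn).lower()}" IsPassive="{str(is_passive).lower()}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def demands_fresh_login(authn_request_xml):
    """Read ForceAuthn back from a request: the attribute the IdP acts on."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").lower() == "true"


def wsfed_signin_url(realm, fresh=True, endpoint=ADFS_LS):
    """WS-Federation sign-in; wfresh=0 asks for an authentication no older than 0 minutes."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if fresh:
        params["wfresh"] = "0"
    return endpoint + "?" + urlencode(params)


def wsfed_requests_fresh(url):
    """True when a captured WS-Fed sign-in URL carries wfresh=0."""
    return parse_qs(urlparse(url).query).get("wfresh") == ["0"]


if __name__ == "__main__":
    print(demands_fresh_login(build_authn_request(force_authn=True)))
    print(wsfed_signin_url("urn:sp:placeholder"))
```

ForceAuthn only changes what the IdP asks of the user; the SP should still validate the returned assertion's AuthnInstant against the time it sent the request, otherwise an IdP that ignores the flag goes unnoticed.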

WIF - optional authentication

I'm working on a proof of concept app. The basic functionality works, where I can log into one website, link to another site that shares the same STS, and the partner site picks up the credentials properly.
However, the partner site only requests the token if the page that we link to requires authentication (which kind of makes sense I guess).
Ideally, I'd like to link to a partner page that does not require you to be authenticated, BUT if the user IS already authenticated, I'd like to at least be able to recognize them on the partner site.
Currently, if my partner landing page does not require authentication, it doesn't appear that the user is logged in when they arrive. As soon as the user requests a page on the partner site that does require authentication, it then grabs the token without requiring the user to log in.
I've tried playing around with the SecurityTokenReceived and RedirectingToIdentityProvider events, but so far I'm stumped.
Any thoughts are appreciated.
So, the problem you are running up against is in dealing with the SessionAuthenticationModule hijacking the request. This module is responsible for detecting if the user has a valid session (based on a cookie that is written upon a successful redirect from the STS) and if not, to redirect the user to the STS to fetch a valid token. The WSFederationAuthenticationModule supplies the eventing necessary to hook into various stages of the redirection/authentication process.
Based on your description, it sounds like you want the following to happen:
User clicks on a link that redirects to the partner site
At the partner site, the request is intercepted and the system determines if the user is signed-in to the STS or anonymous
If the user has a valid session with the STS, then pull the claims for that user
The problem is, your RP cannot know that the user has a valid session without sending the user to the STS first (the RPs do not talk to each other or to the STS; the user's browser is used as the means of communication between the RPs and the STS, in the form of WS-Fed directives and SAML tokens passed in the URL during redirects). If the user is sent to the STS, then they must authenticate, which could be a problem for anonymous users.
So, I do not think there is a "trick" that you can pull via configuration or interception of the request to determine if the user has a valid session with the STS. You might be able to pass a hint, however, from the referrer that is intercepted by the partner site. This hint could take the form of a parameter on the url that indicates to the partner site that the current user has a valid session and to go ahead and redirect to the STS (absence of this hint would indicate an anonymous user). You could also build a system to "hand-off" knowledge of the signed-in user using a resource that both sites have access to (i.e. database).
As you are sure to learn soon, more often than not, WIF offers pieces to the puzzle, but every situation is different and you have to supply the other pieces on your own.
Hope this helps!