Course 401 - S | ADFS SAML Lab Manual
Version 5.5.1.160831
Revision Date: October 21, 2016

ADFS SAML - Zendesk: With the advent of ERPM v5.5.1, ADFS SAML can now be accomplished with ERPM to use Federated Authentication, and opens up a whole new field of security


401 – D | ADFS SAML

Table of Contents

Getting started ... 3
ADFS Server ... 3
    Installing ADFS ... 3
    Adding DNS entry for the new Federation address ... 10
    Configuring ADFS for ERPM ... 11
    Setting up Claim Rules for the Relying Party Trust ... 16
Configuring ERPM ADFS SAML ... 18
    Setting up Web Service URI for Rest ... 18
    ADFS SAML Authentication Server configuration - ERPM ... 19
    Setting SAML server type ... 20
    Authentication Server Name ... 20
    Audience Application ... 20
    Setting up SAML Login redirection page ... 22
    Setting up the SAML Issuer ... 24
    Setting up the X509 certificate ... 26
Setting up the Delegated Roles for use with SAML ... 31
    ERPM Admin Console ... 31
    ERPM Web Application ... 33
Troubleshooting Tips Q&A ... 37
    ERROR Messages ... 37
        SAML Assertion issuer doesn’t match an ERPM authentication server ... 37
        SAML assertion signing certificate doesn’t match the signing certificate in the ERPM authentication server ... 37
        HTTP Error 503. The Service is unavailable ... 38
        HTTP Error 404. The requested resource is not found ... 38
        Error occurs on the SAML sign on page ... 39
        SAML assertion audience doesn’t match the audience configured in the ERPM authentication server ... 39
        ERPM Web Application automatically logs you into the ADFS SAML without a login challenge ... 40
        Cannot change login as a different user ... 40
        An unexpected error occurred during the processing of the requested operation… ... 40
        This page can’t be displayed – TLS 1.0… ... 40
        Cannot ping the federated server ... 40
Helpful Links ... 41

September 25, 2016


Getting started

This documentation is written to address some, if not all, of the issues involved in setting up ERPM to use the SAML protocol through Active Directory Federation Services (ADFS). It can be used as a guide from beginning to end, from the inception of an ADFS server to the launch of the ERPM Web Application. However, it was intended as a reference for administrators who only need parts of the documentation and possible troubleshooting solutions; use the Table of Contents to jump to the section where you are getting stuck. With that in mind, if everything is set up correctly on the ADFS server, the ERPM portion (setting up an authentication server) will fall into place.

ADFS Server

The ADFS server is the backbone for just about all SAML services in a Windows environment, as well as some of the other authentication archetypes such as OAuth, CRM and Ping Federation, to name a few. It can be configured for many different application and information endpoints while maintaining a level of security through federated services. The user’s own organization is responsible for setting up “claims” to partnered web applications. This guide will help set up these “claims” for use with Enterprise Random Password Manager (ERPM).

Configuring an ADFS server can go very deep, but for the purpose of ERPM we are only going to cover the surface of what is needed to get ERPM integrating with ADFS and using its services correctly.

We will start by setting up ADFS. This can be done on an Active Directory (AD) machine or on a separate server, but for this document I am going to set it up on an existing AD server. When creating an ADFS, a certificate needs to be created for ADFS to use. This certificate will become the federation certificate, and the FQDN you assign to it will be used in ERPM.

Installing ADFS

Launch the Server Manager on the server you chose. After the Server Manager has loaded, click on Add Roles and Features. Click Next until you get to Server Roles. From the list of roles, find and select Active Directory Federation Services.


Click Next until you get to the Confirm Installation selections screen and choose Reboot the destination server automatically if required. Click Install when you are ready.

After the installation, click on either the Red flag at the top right, or click on ADFS on the left, and click on the More link to configure ADFS.

NOTE: There are some prerequisites that need to be installed, specifically .NET Framework 4.5. To keep this documentation short and related to ERPM, I supplied a link in the Helpful Links section for installing ADFS.


Click on Configure Federation Services on this Server.

On the Connect to Active Directory Domain Services screen, this should populate with the Integrated login account. If this account isn’t a domain administrator with permission to perform the federated service configuration, as the text implies, you will not go very far.

Click Next to get to Specify Service Properties. On the Specify Service Properties, click on Import…


Choose the certificate you created for the ADFS (fs.contosso.com) and click Open. This is assuming that you know how to and have already created a federated certificate.

Give it a Password if one is required.


If you created the certificate properly, ADFS will automatically populate the fields correctly.

Enter a federation display name. This is displayed on the ADFS sign-in page, so it can be anything arbitrary.

Click Next to get to Specify Service Account. This account will be used to run the Active Directory Federation Services (ADFS) service. Something to note here: by default no KDS Root Key is set up, which makes the group Managed Service Account option unavailable for the ADFS service. If you want to use a group Managed Service Account, open an administrative PowerShell session and enter the following command (there is also a hint about it if you click on Show more):

    PS C:\> Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Click on Select… and choose the service account you would like to run this service.


Click OK, then enter the password for the account.

Click Next to go to the Specify Configuration Database page. I use the default, the Windows Internal Database. You also have the option of using a SQL Server database; if you are considering the SQL Server that hosts the ERPM database, you will need to create a separate SQL instance for ADFS for this to work.


Click Next to get to the Review Options page. On this page, you can view the script that is being executed to configure ADFS.

Click Next to get to the Pre-Requisite Checks page. Everything should check out okay if you have the pre-requisites installed already. If not, then you will need to follow the link I supplied above (and in the helpful links section) to install the pre-requisites. Additionally, if you are missing pre-requisites, then whatever you are missing will be displayed here.

Click Configure to finish this portion of the ADFS setup.


Click Close after the installation is complete.

Adding DNS entry for the new Federation address

In order for any of this to work, you will need to add a DNS forward lookup entry for the federation address.

Open up your DNS server manager. Drill down to Forward Lookup Zones | Domain (contosso.com). Right click this and choose New Host (A or AAAA)…

Enter the prefix of the federation address as it was assigned to the certificate. In this document, SSO.lsc.ent was assigned to the certificate, so we only enter SSO. Then add the IP address of the federation server.


You will notice that this dialog will automatically fill in the FQDN. Click Add Host to add the host. You should now be able to ping it.

Configuring ADFS for ERPM

This section covers the basics of what you need to have set up in ADFS for ERPM to use. It does not have a lot of back and forth references like the ERPM configuration section.

After the ADFS configuration completes, an MMC is created for you and can be found in the application list (Server 2012 R2). If you do not see one, you can create a new MMC and add the ADFS Management snap-in to it. After opening ADFS Management, expand Trust Relationships | Relying Party Trusts. In the Actions pane on the right, click on Add Relying Party Trust…

On the Add Relying Party Trust Wizard welcome screen, click Start to get to the Select Data Source page. We will be adding things manually, so select Enter data about the relying party manually.


Click Next to get to the Specify Display Name page. This will not be used in ERPM, so you can name it anything. You can also add a note if you want to.


Click Next to get to the Choose Profile page. This is where we select the SAML protocol to be used with ERPM. We are going to use the most up-to-date profile (as of Server 2012 R2), SAML 2.0.

Click Next to get to the Configure Certificate page. We are going to skip this page because ERPM currently does not support encrypted assertions.

Click Next to get to the Configure URL page. This is the ERPM Web Application instance address with the Process command, i.e. the endpoint ADFS redirects back to after authentication. In the screenshot below, you will probably have noticed the pipe at the end of the URL. It is the cursor, which I could not figure out how to remove, and is not part of the URL.


Click Next to get to the Configure Identifiers page. This will become the Audience that ERPM uses under Audience application. Keep in mind that if your ADFS serves multiple applications, this Audience needs to be unique. Typically a URL is used here, but it does not necessarily need to be one.

Click Add to add the name to the Relying party trust identifiers list.


Click Next to get to the “Configure Multifactor Authentication Now?” page. For the purpose of this document, and because of time constraints, I did not set up multifactor authentication, as it is an in-depth process of its own. After I set up MFA to be used with this, I will add those steps. For the time being, we are going to skip this part.

Click Next to get to the Choose Issuance Authorization Rules page. We are going to permit all users to access the relying party.


Click Next to get to the Ready to Add Trust page. This is pretty much a summary of what you have done so far. The key points here are the Identifiers tab and the Endpoints tab. Below is what they relate to in ERPM.

Identifiers – Audience application
Endpoints – Redirect back to the URL for ERPM

Click Next and then Close on the next screen to finish this process. After closing, ADFS will open up an Edit Claim Rules dialog where you are going to configure your claim rules.

Setting up Claim Rules for the Relying Party Trust

After you create the Relying Party Trust, an Edit Claim Rules dialog pops up. You may notice that the name in the dialog title is what you called the trust during its setup. Do not confuse this with the Audience application.

On the Edit Claim Rules for <Rule Name> dialog, by default you will be on the Issuance Transform Rules. Click on Add Rule.


On the Select Rule Template page, click on Next. We are going to use the default, Send LDAP Attributes as Claims.

On the Configure Rule page, enter any arbitrary name, and set the following.

Attribute Store – Active Directory
LDAP Attribute (Select or type to add more) – User-Principal-Name
Outgoing Claim Type (Select or type to add more) – Name ID

Currently ERPM only recognizes the above mapping.


Click Finish to close the dialog. Click OK to close the Edit Claim Rules for <Rule Name> dialog.

You are now finished with everything you need in ADFS for ERPM. If you set up everything correctly, the ERPM portion of the setup will be relatively straightforward. In the next section, I wrote up the back and forth dialog to help you understand where everything goes and what it references, from ERPM to ADFS and back again.
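The wizard steps of this section done from PowerShell instead, as an added example that is not part of this manual or of the ERPM product: it creates the same Relying Party Trust, SAML endpoint, issuance authorization rule and UPN-to-Name-ID claim rule with the ADFS cmdlets. The trust display name, the audience identifier https://sollel-prods.sollel.com/PWCWeb and the notes text are my assumptions; the endpoint URL is the manual's own sample value from the redirection section.

```powershell
# Added example, not part of the manual: builds the Relying Party Trust the wizard
# steps above produce, from an administrative PowerShell session on the ADFS server.
Import-Module ADFS

# Identifiers tab: becomes "Audience application" in the ERPM authentication server.
# Any value that is unique on this ADFS works; a URL is conventional (assumed value).
$Audience = 'https://sollel-prods.sollel.com/PWCWeb'

# Endpoints tab (Configure URL step): the ERPM processing page ADFS redirects back to.
$ErpmProcessUrl = 'https://sollel-prods.sollel.com/PWCWeb/ProcessLoginCommandSAML.asp'

# Issuance transform rule: what the "Send LDAP Attributes as Claims" template generates
# for LDAP attribute User-Principal-Name -> outgoing claim Name ID (the mapping ERPM reads).
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ERPM UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 assertion consumer endpoint using the HTTP POST binding.
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ErpmProcessUrl -Index 0

# Configure Certificate was skipped because ERPM does not support encrypted assertions,
# so claims encryption is switched off explicitly rather than left at the default.
Add-AdfsRelyingPartyTrust -Name 'ERPM Web Application' `
    -Identifier $Audience `
    -SamlEndpoint $Acs `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -EncryptClaims $false `
    -Notes 'Relying Party Trust for the ERPM Web Application (ADFS SAML)'

# Show the two values that are copied into ERPM: Identifiers (Audience) and Endpoints.
Get-AdfsRelyingPartyTrust -Name 'ERPM Web Application' |
    Select-Object Name, Identifier, @{ n = 'Endpoint'; e = { $_.SamlEndpoints[0].Location } }
```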

Configuring ERPM ADFS SAML

With the advent of ERPM v5.5.1, ADFS SAML can now be used with ERPM for federated authentication, which opens up a whole new field of security for web services.

After some in-depth troubleshooting and testing, I have come up with a multiple use case installation guideline and some explanation for each section. Please keep in mind that this is written from the perspective of where to look if one part of your ADFS SAML is not working as expected.

Setting up Web Service URI for Rest

The first thing you need to do is install the most current version of the Web Services (for your version of ERPM). After this is done, configure your Web Application Instance to point at the following address for the Web service URI for REST web service endpoint: https://your_web.server.address/ERPMWebService/AuthService.svc/Rest.


If you click Test Connection, you might get, “Did not find expected service endpoint (authservice_json.svc) …” This is to be expected. If you were to use https://your_web.server.address/ERPMWebService/AuthService_json.svc instead, the test would succeed, but you would not be able to see the exact errors you might be experiencing, which is important when troubleshooting ADFS SAML. Later in the document (Troubleshooting Tips Q&A), I give examples of the errors you might run into and where to look to fix them.

ADFS SAML Authentication Server configuration - ERPM

When you set up ERPM SAML using ADFS for the first time, you will see examples of what to configure. I will attempt to clarify these points and have broken them down into sections. Each section explains both sides of the “house” (ERPM and ADFS), to help identify exactly what you need. Some areas are self-explanatory and I will not go into them in detail.

An ERPM authentication server can be configured to integrate with a number of different federated services such as OAuth, Ping Federate and ADFS SAML, to name a few. Other SSO or MFA services such as OKTA and OneLogin follow the same guidelines but use their own federation servers. For the most part, the setup for any of these SAML types follows these basic guidelines.

1. SAML Server type – ADFS, OKTA, OneLogin, PingOne, Generic SAML.
2. Authentication name – This will be displayed as an authentication source when signing into the ERPM Web Application.
3. Audience application – This can be a little confusing, but in simplest terms, this is the “public” name assigned to the SAML Relying Party Trust. This really has nothing to do with ERPM; it is simply a name that ERPM uses to identify which Relying Party Trust configuration to use.
4. SAML Login redirection page – This is the address that points to an endpoint on the ADFS. The ADFS must have the URL of the ERPM Web Application processing page in order for a redirection back to ERPM to occur.
5. SAML Issuer – This is the federated address of the SAML server.
6. X509 certificate – This is the certificate assigned to the federation server’s configuration for use with ERPM.


Setting SAML server type

For use with ADFS SAML, choose ADFS.

Authentication Server Name

Enter any identifiable, friendly name. This will be displayed on the ERPM Web Application login page as one of the authenticators. Note: when you install a new authenticator, it becomes the default authenticator.

Audience Application

If you do not have an MMC set up for ADFS, follow these steps on the ADFS server.

1. Right click on the Windows Start button.
2. Select Run…
3. Type MMC and click OK.
4. When the MMC console comes up, click File.
5. Click Add/Remove Snap-in…
6. Find AD FS Management and click Add >.
7. Click OK.
8. You can then save this console for future use.


For ADFS, this entry needs to match whatever you have setup in ADFS. To see this in ADFS (post install), Open up the MMC snap in for the ADFS and expand Trust Relationships and select Relying Party Trusts. If you do not have a Relying Party Trusts entry, please refer to the Adding a Relying Party Trust section of this document.

Right click on the Relying Party Trust you created for ERPM and select properties.

The ERPM Audience application is located here. This can be an arbitrary name but if you define it here, it must be so in the ERPM Authentication server for SAML: Audience application.


Setting up SAML Login redirection page

SAML Login redirection consists of two parts. The first part points to your federation server for SAML sign-in. The second part redirects back to the ERPM Web Application; it can be a URL-encoded entry placed after the federation address (in ADFS this is the defined endpoint, /adfs/ls/). So the value is your ADFS federation path assigned to the certificate + the endpoint + the IdP-initiated sign-on command + the encoded URL of your ERPM Web Application address. Please read the note at the end of this section.

For example (for my setup):

ADFS federation path assigned to the certificate = https://sso.sollel.com
The ADFS endpoint = /adfs/ls (if you are wondering, /ls = lower case LS).
IdP (Identity Provider) initiated sign-on command = idpinitiatedsignon.aspx
ERPM Web Application address = https://sollel-prods.sollel.com/PWCWeb/ProcessLoginCommandSAML.asp (non-encoded; this is what the Relying Party Trust in ADFS shows in the screenshot below).


Encoded ERPM Web Application address = https%3A%2F%2Fsollel-prods.sollel.com%2FPWCWeb%2FProcessLoginCommandSAML.asp

Combined, the components make up the entire address to be used in the ERPM SAML Login redirection page = https://sso.sollel.com/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=https%3A%2F%2Fsollel-prods.sollel.com%2FPWCWeb%2FProcessLoginCommandSAML.asp


Setting up the SAML Issuer

The following defines what the SAML Issuer (inside the ERPM Authentication Server setup for SAML) should be set to. When a CA issues a certificate to be used on an ADFS server (upon configuring ADFS), whatever address the certificate is assigned to becomes the federation server address for ADFS. This same address is to be used in the SAML Issuer field. In ADFS (if you did not install ADFS yourself or an ADFS is already installed), it is the address on the Token-signing certificate located there (see the screenshot below). Note: you can have multiple certificates issued for ADFS token signing, but you can only use one for ERPM, and it should be the one set to Primary; that is the one that is going to be used in ERPM.

Certificate used in ADFS. Take note of the address SSO.sollel.com. This is what we are going to use as the FQDN for our SAML Issuer.

Post install, you can get this address, or change it for use with ERPM, by editing the Federation Service properties. Right click on the ADFS node and choose Edit Federation Service Properties…

NOTE: After considerable testing, I have discovered that the entire entry after idpinitiatedsignon.aspx is not needed. It doesn’t hurt to have it in there, but it works just fine without it. The modified URI above works just fine as follows: https://sso.sollel.com/adfs/ls/idpinitiatedsignon.aspx. The reason is that when ERPM connects to ADFS through the SAML assertion for the configured Audience, ADFS recognizes the URL entered in the Endpoints section of the Relying Party Trust you created and processes the redirect back to the URL listed there.


In ERPM, as shown above, SSO.sollel.com is going to be used. The full address is http://SSO.sollel.com/adfs/services/trust. Notice the address is not https (it shows HTTP); I later changed this to https. Basically, whatever is shown here is what you are going to use in the SAML Issuer field in ERPM.


Setting up the X509 certificate

This key is from the certificate that was initially assigned to the ADFS server when it was first configured. This certificate can change (as when replacing an expired certificate); regardless of whether it has changed or not, the processes below should be followed in order to correctly use the certificate in ERPM for ADFS SAML integration. Although you can use self-signed certificates, it is not recommended, due to the extra effort to get the certificate trusted between the servers as well as the weaker security a self-signed certificate provides.

Grabbing the certificate Key from the ADFS Federated server.

Right click on the certificate and click, View Certificate…

Note: In the ERPM v5.5.1 (build 160831), certificate support is limited to nvarchar (2047). What this means is, it is limited to only 2047 characters. In ERPM versions after v5.5.1 (build 160831) this value has increased to accommodate larger certificates.


Click on the Details tab and choose Copy to File…

Click Next on the Welcome to the Certificate Export Wizard. On the Export File Format, choose Base-64 encoded X.509 (.CER).


Give it a file name and a location to save to. I suggest simply saving it to the desktop as you should probably delete it after you use the key.


Click Next, then Finish, then OK.

Find the certificate on the desktop and open it up in a plain text editor like Notepad. Select ALL (CTRL-A) of the text.


Copy it to the clipboard (CTRL-C) and paste it into the X509 certificate field of the ERPM Authentication Server configuration for SAML.

Once all components have been installed, your setup should look similar to the below screenshot.
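As an added check that is not part of this manual, ERPM or ADFS, the Python script below validates a Base-64 (.CER) export before it is pasted into the X509 certificate field: it confirms the PEM armor is present (the sign that Base-64 rather than DER was chosen in the wizard), decodes the payload, reports the SHA-1 thumbprint so it can be compared with the Token-signing certificate shown in ADFS, and flags an export that would exceed the nvarchar(2047) limit of v5.5.1 quoted in the note above. The DER blobs are constructed stand-ins, not real certificates, and the assumption that the field receives the full pasted text (armor lines and line breaks included) is mine.

```python
"""Added example: sanity-check a Base-64 (.CER) export before pasting it into ERPM.

Not ERPM or ADFS code. Assumes the X509 field receives the text exactly as
pasted (armor lines and line breaks included), per the Select All / paste steps.
"""
import base64
import binascii
import hashlib
import re
from typing import Optional

# Field limit the manual quotes for ERPM v5.5.1 (build 160831): nvarchar(2047).
ERPM_551_CERT_FIELD_LIMIT = 2047

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def is_base64_export(text: str) -> bool:
    """True if the file carries PEM armor, i.e. 'Base-64 encoded X.509 (.CER)' was chosen."""
    return _PEM_RE.search(text) is not None


def pem_body(text: str) -> str:
    """Base64 payload with armor and all whitespace removed."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("PEM armor missing: was 'DER encoded binary' chosen in the export wizard?")
    return re.sub(r"\s+", "", m.group(1))


def pem_to_der(text: str) -> bytes:
    """Decode the Base64 payload to DER; a corrupt or partially pasted body raises ValueError."""
    try:
        return base64.b64decode(pem_body(text), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Base64 payload is corrupt or truncated: {exc}") from exc


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint, upper-case hex, the form the Windows certificate viewer displays."""
    return hashlib.sha1(der).hexdigest().upper()


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character lines, as the export wizard writes it."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def check_export(text: str, expected_thumbprint: Optional[str] = None) -> dict:
    """Report size against the v5.5.1 field limit and, optionally, a thumbprint comparison.

    expected_thumbprint is what ADFS shows for its Token-signing certificate; spaces and
    case are ignored so the value can be copied straight from the certificate dialog.
    """
    der = pem_to_der(text)
    tp = thumbprint(der)
    report = {
        "base64_chars": len(pem_body(text)),
        "pasted_chars": len(text),
        "fits_v551_field": len(text) <= ERPM_551_CERT_FIELD_LIMIT,
        "thumbprint": tp,
        "matches_adfs": None,
    }
    if expected_thumbprint is not None:
        report["matches_adfs"] = tp == re.sub(r"\s+", "", expected_thumbprint).upper()
    return report


# Constructed stand-in DER blobs (not real certificates), sized to show both outcomes:
SMALL_DER = bytes(range(256)) * 4   # 1024 bytes -> 1368 Base64 chars, fits the field
LARGE_DER = bytes(range(256)) * 8   # 2048 bytes -> 2732 Base64 chars, would be truncated

if __name__ == "__main__":
    for label, der in (("small", SMALL_DER), ("large", LARGE_DER)):
        print(label, check_export(make_pem(der)))
```

Run it against the real export by reading the .CER file into `check_export`; a `fits_v551_field` of False means the "certificate has been truncated" error described in the troubleshooting section should be expected on v5.5.1, and a `matches_adfs` of False means the wrong certificate (for example an old, replaced one) was exported.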


Setting up the Delegated Roles for use with SAML

After completing all of the steps to this point, understand that this setup uses the users' UPN to sign into the federated site created for ERPM in ADFS. Because of this, users are enrolled in the SAML Delegation list by UPN. Additionally, ERPM currently has no automatic search function when connecting to SAML ADFS, so you will need to enter each UPN manually.

ERPM Admin Console

In ERPM, go to Delegation | Web Application Global Delegation Permissions and click Add… to add a new identity to the Delegation Identities list. This identity will be a Delegated Roles identity, which means you can add multiple users to the role.

Give it an identifiable name specific to the role you want to set up. For example, I created a role for Admins and named it ERPM SAML - Admins.

Once created, select the new role and click the Assign Role… button.


On the Role Assignment dialog, click the pull-down menu for the Credential Source and choose your SAML Authentication server.

Enter the UPN of the user to be added and click <<Add.

Add as many users as you need for this role, then click OK when finished.


Assign the permissions you want users in this Delegated Role to have. In the example, I chose Grant All Access for testing purposes.

ERPM Web Application

After you have set up a SAML type authentication, it becomes the default. This can pose a problem when you are attempting to log on with multiple accounts: if the SAML Authentication is set as the default, the Web Application enters Single Sign-On (SSO) mode, which means you will not need to enter credentials, and ADFS handles all of the authentication on the back end.

At the login prompt of the ERPM Web Application, type the credentials you assigned in the ERPM Admin Console section above. Select the SAML Authentication server you have already set up and click Login.

Keep in mind that as soon as you click on the SAML Authentication, you will no longer be able to enter a set of credentials. Therefore, you must enter your credentials before you choose the SAML Authentication server.


ERPM will redirect you to the ADFS SAML login page.

Here you can click Sign in. If ADFS recognizes you as the same user that signed on previously, it signs you in and redirects you back to the ERPM Web site. If ADFS does not recognize you, or the session timeout has logged you out, you will be prompted with another login challenge. Supply the same login information you supplied on the ERPM Web Application login page.


After you click Sign in, ADFS processes your login information and any other configured steps such as MFA, then redirects you back to the ERPM Web site.

Back at the ERPM Web site, you will see the user logged in and the authentication method they logged in with. In this case, Fred is logged in with ADFS, as seen in the below screenshot.


Congratulations, you have successfully added a SAML authentication server using ADFS to ERPM. This has been tested in a couple of environments and works as expected. The following sections will help you troubleshoot and review some helpful links.


Troubleshooting Tips Q&A

There was a good amount of troubleshooting I went through, and errors I came across, when I initially set this feature up. This is a compiled list of possible errors you might face during your deployment of the feature. It is not meant to be a complete list; if you come across something that isn't here, please let me know and I will research it and update the list with a solution. If you have discovered something and have a solution, please let me know and I will update the list.

ERROR Messages

Please refer to the beginning of this documentation to set up proper Web Service reporting of errors. Without that, you will not see some of the errors that ERPM reports.

SAML Assertion issuer doesn’t match an ERPM authentication server

Cause: The issuer does not match exactly in both the ADFS server and the ERPM Authentication Server configuration.
Solution: Review the Setting up the SAML Issuer section of this document.

SAML assertion signing certificate doesn’t match the signing certificate in the ERPM authentication server


Cause: The certificate in the ERPM Authentication Server configuration for SAML does not match the federated certificate you assigned for use in ADFS.
Solution: Refer to the Setting up the X509 certificate section of this document.

Cause: The certificate has been truncated in the Certificate field.
Solution: This is probably because your certificate is larger than what this version of ERPM can accept. Upgrade to the latest version of ERPM, beyond v5.5.1.

HTTP Error 503. The service is unavailable

Cause #1: Invalid base address entered in the SAML login redirection page field.
Solution #1: Make sure your base addresses match in both ERPM and ADFS. For example, if ADFS was assigned https://sso.contosso.com/ then ERPM should reflect the same address, https://sso.contosso.com/. Refer to the Setting up SAML Login redirection page section of this document.

Cause #2: The ADFS service is not running.
Solution #2: Make sure your service account has up-to-date credentials, and start your ADFS service.

Cause #3: Not pointing to the correct resource, specifically /ls.
Solution #3: Make sure your address is also pointing to the correct resource, /adfs/ls. Refer to the Setting up SAML Login redirection page section of this document.

HTTP Error 404. The requested resource is not found

Cause: The address to the resource on the ADFS server is invalid.
Solution: Make sure the address in ERPM is pointing to /adfs/ls.


Error occurs on the SAML sign-on page.

Cause: The idpinitiatedsignon.aspx entry is missing from your SAML login redirection page address, which should look like https://sso.sollel.com/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=https%3A%2F%2Fsollel-prods.sollel.com%2FPWCWeb%2FProcessLoginCommandSAML.asp
Solution: Make sure idpinitiatedsignon.aspx is in the link, and that the federated site has been properly configured in ADFS. See the section Setting up SAML Login redirection… for more information. Keep in mind that you do not actually need the encoded URL after the "?".

SAML assertion audience doesn’t match the audience configured in the ERPM authentication server

Cause: The audience listed in ERPM doesn't match what is configured in ADFS.
Solution: Make sure the Audience application matches what you have in ADFS. Refer to the Audience application section of this documentation.
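The three assertion mismatches above (issuer, signing certificate and audience) and the UPN enrolment from the Setting up the Delegated Roles section can be checked offline against a captured SAML Response, for example one saved from the SAML Tracer add-on listed under Helpful Links. The Python below is an added example, not ERPM or ADFS code: the ERPM configuration is modelled as a plain dict using this manual's field names, and the issuer, audience, certificate body and UPN values are constructed placeholders.

```python
"""Added example: check a captured ADFS SAML Response against the ERPM SAML settings.

Not ERPM code. ERPM's configuration is modelled as a dict with the field names from
this manual; all sample values are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _text(node: ET.Element, path: str) -> Optional[str]:
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else None


def extract_assertion_facts(response_xml: str) -> dict:
    """Pull issuer, audience, signing certificate and NameID out of the first assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no saml:Assertion (encrypted assertions are not handled here)")
    return {
        "issuer": _text(assertion, "saml:Issuer"),
        "audience": _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "signing_cert": _text(assertion, "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"),
        "name_id": _text(assertion, "saml:Subject/saml:NameID"),
    }


def normalize_cert(text: Optional[str]) -> Optional[str]:
    """Drop PEM armor and whitespace so a pasted .CER and a ds:X509Certificate value compare equal."""
    if text is None:
        return None
    return re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", text)


def diagnose(response_xml: str, erpm_config: dict, delegated_upns: Iterable[str]) -> List[str]:
    """Return the manual's error conditions this response would trigger; empty means clean."""
    facts = extract_assertion_facts(response_xml)
    problems = []
    if facts["issuer"] != erpm_config["issuer"]:
        problems.append("SAML Assertion issuer doesn't match an ERPM authentication server")
    if normalize_cert(facts["signing_cert"]) != normalize_cert(erpm_config["x509_certificate"]):
        problems.append("SAML assertion signing certificate doesn't match the signing "
                        "certificate in the ERPM authentication server")
    if facts["audience"] != erpm_config["audience"]:
        problems.append("SAML assertion audience doesn't match the audience configured "
                        "in the ERPM authentication server")
    enrolled = {u.lower() for u in delegated_upns}
    if facts["name_id"] is None or facts["name_id"].lower() not in enrolled:
        problems.append(f"NameID {facts['name_id']!r} is not enrolled in any ERPM SAML delegated role")
    return problems


# Constructed placeholders (no real deployment values).
ADFS_ISSUER = "http://sso.example.test/adfs/services/trust"
ERPM_AUDIENCE = "https://erpm.example.test/PWCWeb/"
FAKE_CERT_B64 = "MIIC" + "A" * 60        # stand-in for a real Base64 certificate body

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Issuer>{ADFS_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{ADFS_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo/>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>fred@example.test</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{ERPM_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the administrator pasted into ERPM: the Base-64 export, armor and line break included.
ERPM_CONFIG_OK = {
    "issuer": ADFS_ISSUER,
    "audience": ERPM_AUDIENCE,
    "x509_certificate": "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64[:32] + "\n"
                        + FAKE_CERT_B64[32:] + "\n-----END CERTIFICATE-----\n",
}
# Same certificate, but issuer and audience typed in wrongly (the /adfs/ls endpoint is not the issuer).
ERPM_CONFIG_BAD = dict(ERPM_CONFIG_OK, issuer="http://sso.example.test/adfs/ls",
                       audience="https://erpm.example.test/")
DELEGATED_UPNS = ["Fred@example.test"]   # enrolled by UPN in the SAML delegated role

if __name__ == "__main__":
    print("good config:", diagnose(SAMPLE_RESPONSE, ERPM_CONFIG_OK, DELEGATED_UPNS) or "no problems")
    print("bad config: ", diagnose(SAMPLE_RESPONSE, ERPM_CONFIG_BAD, DELEGATED_UPNS))
```

The comparisons are deliberately exact for issuer and audience, because that is how the errors above arise in practice: a trailing slash or the /adfs/ls endpoint typed where the issuer URI belongs is enough to trigger them. The certificate comparison strips armor and whitespace only, so a pasted export of a different (for example replaced) certificate still shows up as a mismatch.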


ERPM Web Application automatically logs you into ADFS SAML without a login challenge.

Cause: The common reason is that Windows Authentication (Windows Integrated Authentication) is turned on.
Solution: Turn it off if you are an administrator who accesses the site with multiple user sign-ons.

Cannot change login as a different user.

Cause: You have Windows Authentication turned on.
Solution: Turn off Windows Authentication and set the SAML authentication type so that it is not the default authenticator for your ERPM Web Application. This will allow you to enter a user.

An unexpected error occurred during the processing of the requested operation…

Cause: The COM+ Component for ERPM Web Services is not running. Solution: Ensure the identity of the COM+ wrapper is correct and restart the COM+.

This page can't be displayed – TLS 1.0…

Cause: The certificate assigned for use with ADFS wasn't properly signed. When viewing the Token-signing certificate in ADFS, you should see the certificate issued to ADFS Signing – FQDN of the server; for example, Issued to: ADFS Signing – sso.lsc.ent.
Solution: Re-apply the certificate, or create a new one.

Cannot ping the federated server

If everything is set up correctly on the ADFS side, you will need to create a DNS entry for the new federated server based on the FQDN assigned to the certificate you are using.


Cause: No MFA, or no certificate assigned to the user.
Solution: Configure certificates for users in ADFS.

Cause: The COM+ account used was not the account originally assigned to the COM+ application when the ERPM Web site was set up. This can occur when you change the database, or create a new database, and install the ERPM Web Application under a different account on the same machine as the old Web Application. When you convert back to the original database with the old Web Application settings, you will run into this error.
Solution: Redeploy the web application with whatever account you want to use.

Helpful Links

SAML Tracer
https://www.samltool.com/saml_tools.php

SAML Tracer for Firefox
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

If attempting to use Fiddler to troubleshoot with:
https://blogs.technet.microsoft.com/askpfeplat/2015/06/14/adfs-deep-dive-troubleshooting/

Enrolling a certificate for use with ADFS
https://blogs.technet.microsoft.com/askpfeplat/2013/12/08/how-to-build-your-adfs-lab-on-server-2012-part-1/

OneLogin
https://www.onelogin.com/lp/product-demo?headline=OneLogin%E2%84%A2+SSO+Identity+Management&_bk=onelogin&_bt=103350970339&_bm=e&_bn=g&gclid=Cj0KEQjwsai_BRC30KH347fjksoBEiQAoiaqsYysNNJKuDMn3-iLPg0l_7lrwgP1R_YUgEA6DSAbYdUaAubV8P8HAQ

PingFederate - ADFS 2.0 step-by-step guide
https://technet.microsoft.com/en-us/library/adfs2-federation-with-ping-identity-ping-federate(v=ws.10).aspx

Publishing claims into metadata
https://technet.microsoft.com/en-us/library/adfs2-help-how-to-publish-claims-into-metadata(v=ws.10).aspx

Installing ADFS
http://pipe2text.com/?page_id=319

Customizing an ADFS page
http://eimagine.com/adfs-3-0-logon-page-customization/

Kevin Mawhinney, Technical Trainer
Extension: 3059 | [email protected]

Notes: Click Next to get to the Configure URL page. This will be the federated base URL for the SAML login redirection page. Enter the federated address of the ADFS that was given to the certificate you used. For example, my certificate was named sso.lsc.ent: federated address (sso.lsc.ent) + endpoint (/adfs/ls/). It should look something like this: https://sso.lsc.ent/adfs/ls/.
