Capture SAML Request
Download your SAML capture tool of choice (we use a Google Chrome extension called SAML Message Decoder) and turn it on.
Try to authenticate to IriusRisk using SSO, then review the SAML capture to confirm that the REQUIRED attributes are set and that each one carries the value you expect. Here is a sample SAML capture from a WORKING ADFS integration:
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>John</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>Doe</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>John.Doe@iriusrisk.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>JDoe</AttributeValue>
  </Attribute>
</AttributeStatement>
Compare SAML Capture with SAMLv2-config.groovy File
Once you have your SAML capture (and everything looks correct from the IdP), compare it with the configuration in the SAMLv2-config.groovy file. In our working example it is configured as follows:
// Mapping User fields to SAML fields, e.g: [firstName: givenName], firstName is the user field in IriusRisk (do not change), givenName is SAML field
userAttributeMappings = [
'username' : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
'firstName': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
'lastName' : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
'email' : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
]
Custom Attributes from IdP
Some IdPs (Okta, for example) let you choose the attribute name: in ADFS you may be forced to use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for the email attribute, whereas in Okta it might simply be configured as email. In that case the example above would look like this in the SAML capture:
<Attribute Name="email">
  <AttributeValue>John.Doe@iriusrisk.com</AttributeValue>
</Attribute>
And the groovy file would look like this:
'email' : 'email'
Checking Docker Logs
To check the Docker logs for the authentication request and response, issue this command:
docker logs iriusrisk-tomcat | grep org.springframework.security.saml.log.SAMLDefaultLogger
If you see:
AuthNRequest;SUCCESS
Then IriusRisk was able to contact the IdP (if this step failed, review your certificates and URLs). After that you should get:
AuthNResponse;SUCCESS
Below this you can also check the attributes being passed to IriusRisk (copy and paste the XML into a pretty printer to make it easier to read).
(TIP: You can also use these logs to compare SSL/TLS certificates and make sure the right certificate is being passed.)
Final Notes
All of these attributes are REQUIRED:
'username' : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
'firstName': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
'lastName' : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
'email' : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
If any one of these four is missing, that is most likely the cause of your looping issues or authentication errors.
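As an added example (not from the IriusRisk documentation or product), the following Python script automates the comparison described above and the required-attribute check in these Final Notes: it parses a decoded SAML capture, resolves each required IriusRisk field through a userAttributeMappings dictionary, and reports which fields are unmapped, missing or empty. The sample captures, the namespace-stripping helper and the function names are all constructed here and are not part of IriusRisk.

```python
import xml.etree.ElementTree as ET

# IriusRisk user fields that the Final Notes list as REQUIRED, and the
# userAttributeMappings copied from the working ADFS SAMLv2-config.groovy example.
REQUIRED_FIELDS = ("username", "firstName", "lastName", "email")
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ADFS_MAPPING = {"username": CLAIMS + "name", "firstName": CLAIMS + "givenname",
                "lastName": CLAIMS + "surname", "email": CLAIMS + "emailaddress"}

def _local(tag):
    """Drop the XML namespace ({uri}Name -> Name) so saml2:-prefixed and unprefixed captures both work."""
    return tag.rsplit("}", 1)[-1]

def extract_attributes(saml_xml):
    """Return {Attribute Name: [non-empty AttributeValue texts]} for every Attribute in the capture."""
    attrs = {}
    for el in ET.fromstring(saml_xml).iter():
        if _local(el.tag) == "Attribute":
            attrs[el.get("Name", "")] = [v.text.strip() for v in el
                                         if _local(v.tag) == "AttributeValue" and v.text and v.text.strip()]
    return attrs

def check_mapping(saml_xml, mapping):
    """Compare a decoded capture against userAttributeMappings; return {field: reason} for each
    required field that does not resolve: 'unmapped' (not in the groovy mapping), 'missing'
    (IdP did not send the mapped attribute) or 'empty' (sent without a value). {} means OK."""
    attrs = extract_attributes(saml_xml)
    problems = {}
    for field in REQUIRED_FIELDS:
        name = mapping.get(field)
        if name is None:
            problems[field] = "unmapped"
        elif name not in attrs:
            problems[field] = "missing"
        elif not attrs[name]:
            problems[field] = "empty"
    return problems

def sample_capture(attrs):
    """Build a constructed AttributeStatement for testing (not a real IdP response)."""
    body = "".join(f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
                   for n, v in attrs.items())
    return f"<AttributeStatement>{body}</AttributeStatement>"

# Constructed captures: the ADFS example from this page, and an Okta-style one sending 'email'.
USER = {CLAIMS + "givenname": "John", CLAIMS + "surname": "Doe", CLAIMS + "name": "JDoe"}
ADFS_CAPTURE = sample_capture({**USER, CLAIMS + "emailaddress": "John.Doe@iriusrisk.com"})
OKTA_CAPTURE = sample_capture({**USER, "email": "John.Doe@iriusrisk.com"})
```

Running check_mapping(OKTA_CAPTURE, ADFS_MAPPING) reports email as missing, and the same capture passes once the groovy mapping is changed to 'email' : 'email'.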