Need help configuring Enterprise application to authenticate with Entra ID using SAML2.
Hello,
I am trying to set up an Enterprise application to authenticate with Entra ID using SAML2.
This application supports creating a "Single SSO user", which is working properly and it also supports creating a "Group", which is not working for me.
Here is how the application works according to the guide:
After users of type Group – SSO with User Directory authenticate with the identity provider, the application queries the organization’s Active Directory domain server to verify the user’s group membership. For the execution of this query, the application requires that the identity provider supply either one or both of the following user information, as attributes in its SAML response to the application (the service provider):
sAMAccountName in the format:
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
userPrincipalName in the format:
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
My environment:
Windows 2019 Active Directory, not routable with my local domain (example: myemail.local), running Cloud Sync with "Microsoft Entra Agent"
Entra ID configured with mydomain.onmicrosoft.com
I have configured the Cloud Sync "AD to Microsoft Entra ID" and "Microsoft Entra ID to AD" and the status shows Healthy and agent enabled.
I can see my local groups were populated at Entra ID.
In my "Set up single sign on" attributes & claims I have the following:
Troubleshooting:
As mentioned above, it works properly if using "single SSO user".
To validate if it could be something related to my AD or group, I have configured to authenticate as group without Entra ID (authenticating at AD) and it works fine.
I can see that the user coming from Entra ID matches the local user (as expected).
Issue:
When using "Group – SSO with User Directory", it authenticates successfully at Entra ID, but my application shows that my user does not have permission.
The application logs show:
2024-09-09 13:49:22,996 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [email@myemail.local] with attributes [{http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.microsoft.com/identity/claims/displayname=[MyName M LastName], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/], http://schemas.microsoft.com/identity/claims/objectidentifier=[8f03a0d1-1630-44b5-992a-c6e5f83468a0], http://schemas.microsoft.com/identity/claims/tenantid=[b5ec508d-5644-4490-995f-5245a80d246d], http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[S-1-5-21-519022008-3246580128-554511010-1103], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[LastName], notBefore=2024-09-09T18:44:22.689Z, notOnOrAfter=2024-09-09T19:49:22.689Z, sessionindex=_65b32aaa-d52b-4ba9-98d3-531ef4543a00}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@695522b0[id=email@myemail.local]]].>
2024-09-09 13:49:23,019 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [email@myemail.local] with attributes [{http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.microsoft.com/identity/claims/displayname=[MyName M LastName], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/], http://schemas.microsoft.com/identity/claims/objectidentifier=[8f03a0d1-1630-44b5-992a-c6e5f83468a0], http://schemas.microsoft.com/identity/claims/tenantid=[b5ec508d-5644-4490-995f-5245a80d246d], http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[S-1-5-21-519022008-3246580128-554511010-1103], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[LastName], notBefore=2024-09-09T18:44:22.689Z, notOnOrAfter=2024-09-09T19:49:22.689Z, sessionindex=_65b32aaa-d52b-4ba9-98d3-531ef4543a00}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@695522b0[id=email@myemail.local]]].>
2024-09-09 13:49:23,939 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2024-09-09 13:49:23,939 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>
2024-09-09 13:49:23,940 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-09-09 13:49:23,940 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>
2024-09-09 13:49:24,235 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-8-g5yOMMZJZ1IZOgTFiysf-LPxyfs-device] for service [https://unknown005056be2e56.attlocal.net/vendorapp-client/login/fsum?target=%2F%23%2Fweb-em%2Fdashboards] and principal [email@myemail.local]>
SAML messages from Chrome extension:
<samlp:Response
ID="_eb69f416-9c29-4c03-9559-66fc35890c15"
Version="2.0"
IssueInstant="2024-09-09T19:21:24.052Z"
Destination="https://unknown005056be2e56.attlocal.net/fsum/login?client_name=SAML2Client"
InResponseTo="_vmgltt2lvdakgcyz4r0jhcyhm5u4ybmijlq25kw"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</Issuer>
<samlp:Status>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion
ID="_8015bb1a-38c0-4050-938c-18c59d3ed500"
IssueInstant="2024-09-09T19:21:24.048Z"
Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</Issuer>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference
URI="#_8015bb1a-38c0-4050-938c-18c59d3ed500">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>Ir0dAcFcqi+V9M3Xy5dVv868mqewfwg2wPaWPq+Bo5w=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>vpBYF4MDqrbwgHnpypUrq6u6mHY+SHsNuNvEaE8wsEsWgiFWSvSpditExP5ufgYmNYFo9wd8KQ3kGfWqtczS+NVMnE0LXDS8VIzauOWbUsaAv9y4b/HnP31tMVzYonPBxtbwQyZNOILvAxQDBMbIFLTtJO4HDcJ+MIkeNTz3eCSmu+/uoP2IJPP30snxnrYDDmNsQvf2U5epaQBOY00HOqnUv514Kf2jvQHuRQnMYHDJ4Qph5q95Lr5c9XGTTlTMXNukAV55xKtcktmUIEcAWEOEzjSsa3Y8BID5Wr+kGvRJ/LTPEF3gMFk3DBzrK2kxCIAfewqB0PQKlqMt6P/afw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@myemail.local</NameID>
<SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData
InResponseTo="_vmgltt2lvdakgcyz4r0jhcyhm5u4ybmijlq25kw"
NotOnOrAfter="2024-09-09T20:21:23.856Z"
Recipient="https://unknown005056be2e56.attlocal.net/fsum/login?client_name=SAML2Client"/>
</SubjectConfirmation>
</Subject>
<Conditions
NotBefore="2024-09-09T19:16:23.856Z"
NotOnOrAfter="2024-09-09T20:21:23.856Z">
<AudienceRestriction>
<Audience>https://unknown005056be2e56.attlocal.net</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>b5ec508d-5644-4490-995f-5245a80d246d</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>8f03a0d1-1630-44b5-992a-c6e5f83468a0</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>MyName M LastName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>S-1-5-21-519022008-3246580128-554511010-1103</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>MyName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>LastName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>MyName</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement
AuthnInstant="2024-09-09T19:21:20.455Z"
SessionIndex="_8015bb1a-38c0-4050-938c-18c59d3ed500">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
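As an added diagnostic (not part of the original post, and not the vendor application's code), this script parses a SAML response's AttributeStatement and reports whether the two attributes the vendor guide requires, sAMAccountName and userPrincipalName, are present and carried in the unspecified name format. It runs against a constructed sample trimmed from the captured response above, where Entra ID emitted only its default claims plus the group SID, and it assumes that a claim added in "Attributes & Claims" may be emitted either bare or URI-qualified, so it matches on the last path segment.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# Attributes the vendor guide says the IdP must supply for "Group - SSO with User Directory".
REQUIRED = ("sAMAccountName", "userPrincipalName")

# Constructed sample, trimmed from the captured response in the post: Entra ID emits its
# default claims (displayname, groups as a SID, name) but no sAMAccountName or UPN claim.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>MyName M LastName</AttributeValue></Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>S-1-5-21-519022008-3246580128-554511010-1103</AttributeValue></Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>MyName</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""


def saml_attributes(response_xml):
    """Map each Attribute Name to (NameFormat, [values]) across all AttributeStatements.
    Parsing only: signature, audience and validity-window checks stay with the SP's SAML stack."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        # SAML 2.0 Core 2.7.3.1: a missing NameFormat means attrname-format:unspecified.
        fmt = attr.get("NameFormat", UNSPECIFIED)
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = (fmt, values)
    return attrs


def check_group_sso_claims(response_xml):
    """For each required attribute return (emitted Name, format_is_unspecified) or None if absent.
    Assumption: the claim may be emitted bare ("sAMAccountName") or URI-qualified, so match on
    the last path segment, case-insensitively."""
    attrs = saml_attributes(response_xml)
    report = {}
    for req in REQUIRED:
        hit = next((n for n in attrs if n.rsplit("/", 1)[-1].lower() == req.lower()), None)
        report[req] = None if hit is None else (hit, attrs[hit][0] == UNSPECIFIED)
    return report


if __name__ == "__main__":
    for req, result in check_group_sso_claims(SAMPLE_RESPONSE).items():
        print(f"{req}: {'MISSING' if result is None else result}")
```

Against the captured response this reports both attributes as MISSING, which is consistent with the application finding no directory attribute to query AD with even though authentication at Entra ID succeeded.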