Need help configuring an Enterprise application to authenticate with Entra ID using SAML2.

Claudio Sao Paulo 20 Reputation points
2024-09-09T21:12:50.98+00:00

Hello,

I am trying to set up an Enterprise application to authenticate with Entra ID using SAML2.

This application supports creating a "Single SSO user", which is working properly and it also supports creating a "Group", which is not working for me.

Here is how the application works according to the guide:

After users of type Group – SSO with User Directory authenticate with the identity provider, the application queries the organization’s Active Directory domain server to verify the user’s group membership. For the execution of this query, the application requires that the identity provider supply either one or both of the following user information, as attributes in its SAML response to the application (the service provider):

sAMAccountName in the format:

urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

userPrincipalName in the format:

urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

My environment:

Windows 2019 Active Directory with a non-routable local domain (example: myemail.local), running Cloud Sync with "Microsoft Entra Agent"

Entra ID configured with mydomain.onmicrosoft.com

I have configured the Cloud Sync "AD to Microsoft Entra ID" and "Microsoft Entra ID to AD" and the status shows Healthy and agent enabled.

I can see my local groups were populated at Entra ID.

In my "Set up single sign on" attributes & claims I have the following:

[Screenshot: "Attributes & Claims" configuration of the Enterprise application]

Troubleshooting:

As mentioned above, it works properly if using "single SSO user".

To validate whether it could be something related to my AD or group, I have configured it to authenticate as a group without Entra ID (authenticating at AD), and it works fine.

I can see that the user coming from Entra ID matches the local user (as expected).

Issue:

When using "Group – SSO with User Directory", it authenticates successfully at Entra ID, but my application shows that my user does not have permission.

The application logs show:

2024-09-09 13:49:22,996 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [email@myemail.local] with attributes [{http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.microsoft.com/identity/claims/displayname=[MyName M LastName], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/], http://schemas.microsoft.com/identity/claims/objectidentifier=[8f03a0d1-1630-44b5-992a-c6e5f83468a0], http://schemas.microsoft.com/identity/claims/tenantid=[b5ec508d-5644-4490-995f-5245a80d246d], http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[S-1-5-21-519022008-3246580128-554511010-1103], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[LastName], notBefore=2024-09-09T18:44:22.689Z, notOnOrAfter=2024-09-09T19:49:22.689Z, sessionindex=_65b32aaa-d52b-4ba9-98d3-531ef4543a00}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@695522b0[id=email@myemail.local]]].>

2024-09-09 13:49:23,019 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [email@myemail.local] with attributes [{http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.microsoft.com/identity/claims/displayname=[MyName M LastName], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/], http://schemas.microsoft.com/identity/claims/objectidentifier=[8f03a0d1-1630-44b5-992a-c6e5f83468a0], http://schemas.microsoft.com/identity/claims/tenantid=[b5ec508d-5644-4490-995f-5245a80d246d], http://schemas.microsoft.com/ws/2008/06/identity/claims/groups=[S-1-5-21-519022008-3246580128-554511010-1103], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[MyName], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[LastName], notBefore=2024-09-09T18:44:22.689Z, notOnOrAfter=2024-09-09T19:49:22.689Z, sessionindex=_65b32aaa-d52b-4ba9-98d3-531ef4543a00}] via credentials [[org.apereo.cas.authentication.principal.ClientCredential@695522b0[id=email@myemail.local]]].>

2024-09-09 13:49:23,939 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>

2024-09-09 13:49:23,939 WARN [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials detected. Navigating to error...>

2024-09-09 13:49:23,940 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>

2024-09-09 13:49:23,940 INFO [org.apereo.cas.web.flow.TokenAuthenticationAction] - <Action execution disallowed; pre-execution result is 'error'>

2024-09-09 13:49:24,235 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-8-g5yOMMZJZ1IZOgTFiysf-LPxyfs-device] for service [https://unknown005056be2e56.attlocal.net/vendorapp-client/login/fsum?target=%2F%23%2Fweb-em%2Fdashboards] and principal [email@myemail.local]>

SAML messages from the Chrome extension:

<samlp:Response
    ID="_eb69f416-9c29-4c03-9559-66fc35890c15"
    Version="2.0"
    IssueInstant="2024-09-09T19:21:24.052Z"
    Destination="https://unknown005056be2e56.attlocal.net/fsum/login?client_name=SAML2Client"
    InResponseTo="_vmgltt2lvdakgcyz4r0jhcyhm5u4ybmijlq25kw"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion
        ID="_8015bb1a-38c0-4050-938c-18c59d3ed500"
        IssueInstant="2024-09-09T19:21:24.048Z"
        Version="2.0"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_8015bb1a-38c0-4050-938c-18c59d3ed500">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>Ir0dAcFcqi+V9M3Xy5dVv868mqewfwg2wPaWPq+Bo5w=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>vpBYF4MDqrbwgHnpypUrq6u6mHY+SHsNuNvEaE8wsEsWgiFWSvSpditExP5ufgYmNYFo9wd8KQ3kGfWqtczS+NVMnE0LXDS8VIzauOWbUsaAv9y4b/HnP31tMVzYonPBxtbwQyZNOILvAxQDBMbIFLTtJO4HDcJ+MIkeNTz3eCSmu+/uoP2IJPP30snxnrYDDmNsQvf2U5epaQBOY00HOqnUv514Kf2jvQHuRQnMYHDJ4Qph5q95Lr5c9XGTTlTMXNukAV55xKtcktmUIEcAWEOEzjSsa3Y8BID5Wr+kGvRJ/LTPEF3gMFk3DBzrK2kxCIAfewqB0PQKlqMt6P/afw==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>[certificate omitted]</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@myemail.local</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData
                    InResponseTo="_vmgltt2lvdakgcyz4r0jhcyhm5u4ybmijlq25kw"
                    NotOnOrAfter="2024-09-09T20:21:23.856Z"
                    Recipient="https://unknown005056be2e56.attlocal.net/fsum/login?client_name=SAML2Client"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2024-09-09T19:16:23.856Z" NotOnOrAfter="2024-09-09T20:21:23.856Z">
            <AudienceRestriction>
                <Audience>https://unknown005056be2e56.attlocal.net</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>b5ec508d-5644-4490-995f-5245a80d246d</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>8f03a0d1-1630-44b5-992a-c6e5f83468a0</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>MyName M LastName</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
                <AttributeValue>S-1-5-21-519022008-3246580128-554511010-1103</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>https://sts.windows.net/b5ec508d-5644-4490-995f-5245a80d246d/</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
                <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>MyName</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>LastName</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>MyName</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2024-09-09T19:21:20.455Z" SessionIndex="_8015bb1a-38c0-4050-938c-18c59d3ed500">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
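An added diagnostic, not code from the post or from the vendor application: it parses a SAML Response and reports whether the attributes the application guide requires for "Group – SSO with User Directory" (sAMAccountName and/or userPrincipalName, NameFormat unspecified) are actually present in the assertion. The two sample responses are constructed, modelled on the posted assertion with the signature left out; the claim value "myuser" is a placeholder.

```python
# Added diagnostic example (not from the post or the vendor application): checks whether
# a SAML 2.0 Response carries the attributes the application guide requires.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("sAMAccountName", "userPrincipalName")

def saml_attributes(response_xml):
    """Map attribute Name -> (NameFormat, [values]) from the first Assertion."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no Assertion")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = (a.get("NameFormat"), values)
    return attrs

def check_group_sso_claims(response_xml):
    """Return a list of problems; an empty list means the guide's requirement is met."""
    attrs = saml_attributes(response_xml)
    present = [n for n in REQUIRED if n in attrs]
    if not present:
        return ["neither sAMAccountName nor userPrincipalName is present; got: "
                + ", ".join(sorted(attrs))]
    problems = []
    for name in present:
        fmt, values = attrs[name]
        # SAML 2.0 treats a missing NameFormat as "unspecified", so None is acceptable.
        if fmt not in (None, UNSPECIFIED):
            problems.append(f"{name}: NameFormat {fmt} is not {UNSPECIFIED}")
        if not any(values):
            problems.append(f"{name}: attribute is present but has no value")
    return problems

# Constructed sample modelled on the posted assertion: a groups SID and a name
# claim, but no sAMAccountName or userPrincipalName (signature omitted).
AS_POSTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>S-1-5-21-519022008-3246580128-554511010-1103</AttributeValue></Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>MyName</AttributeValue></Attribute>
</AttributeStatement></Assertion></samlp:Response>"""

# The same response after adding a claim named exactly "sAMAccountName" (placeholder value).
WITH_SAM = AS_POSTED.replace("</AttributeStatement>",
    f'<Attribute Name="sAMAccountName" NameFormat="{UNSPECIFIED}">'
    '<AttributeValue>myuser</AttributeValue></Attribute></AttributeStatement>')
```

Run `check_group_sso_claims` on the Response captured by the browser extension: if it reports the attributes as missing, the claim names configured in the Enterprise application's "Attributes & Claims" do not match what the application guide asks for.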
