July 14, 2021 at 5:13 pm #28625
I am working with a customer that uses OpenAM as their IdP to configure our application with SSO using an SP-initiated flow to authenticate their users. In helping them with their configuration in OpenAM (which we do not have direct access to), we informed them of what was needed to be configured so that our application can allow users to sign on with their SSO.
Our application is able to redirect the user to OpenAM, allow the user to sign in, but then hits an HTTP 500 error.
Viewing the user’s console page from the browser, the customer is stating that the ACS URL is missing in the Request URL link.
We have been going back and forth informing the customer that this is something they will have to configure on the OpenAM side (which I believe is setting the ACS URL or Single Sign On to the appropriate address), but we get pushback as they insist this is something we have to send back from our end.
Was hoping someone from here can shed some light and maybe provide an official answer to this query. Thanks!
PS – I was trying to provide a screenshot, but this forum would not allow me to upload an image for you to view.
July 14, 2021 at 7:12 pm #28626
When configuring SAML2 IdP and SP, metadata exchange tells each party how to communicate. The SP metadata, in addition to Entity IDs, Certificates also provides “AssertionConsumerService” URLs which essentially tell IdP where to send Assertion response on a successful AuthN.
If your SAML2 AuthNRequest does not have the “AssertionConsumerServiceURL” specified, I would suggest checking the SP metadata provided to the IdP during the set-up/configuration process has the “AssertionConsumerService,” and its Protocol Binding specified.
Hope this helps!
July 14, 2021 at 7:17 pm #28627
And if you are still having trouble, I suggest sharing your SP metadata and a sample AuthN request for further help on this site. Please obfuscate or remove any sensitive info before sharing. Or you can ask your Customer to open a ticket with ForgeRock where they can forward the SP and relevant info for further help.
Jatinder
July 14, 2021 at 7:17 pm #28628
What if this is an instance where the SP does not generate any metadata? How would that be handled? I recall there being a Relay State in other IdPs that would need to be set up in order for the IdP to know where to send the user after a successful login. Is there anything like that? I checked the documentation and it appears to be so, but I am unsure if this will do the trick in the event our application does not provide metadata with what’s needed to redirect the user to the correct landing page after SSO is completed.
July 14, 2021 at 7:45 pm #28629
SAML2 protocol will not work if there’s no SP metadata provided. Therefore, a Service Provider (SP) must provide their metadata either through a URL service or file-based document to IdP to make it aware of all SPs to which it serves and to configure its Circle-Of-Trust (COT).
You have an SP-initiated flow; therefore, the IdP will use the “RelayState” parameter to echo back any state information sent by the SP. However, it will not replace the functionality of the ACS if that’s what you are thinking.
July 14, 2021 at 8:32 pm #28630
If I understand correctly, we cannot have OpenAM be configured to take the URL service address (for instance, https://app.com/saml/sp) and use it as the SSO or ACS URL? The ACS URL MUST be provided to OpenAM via the SPs metadata?
I just want to clarify since other IdPs do give the option of setting the ACS URL within their settings (Okta provides a field where the admin can configure the ACS URL and does not require metadata from the SP for it to work in both types of flows).
July 15, 2021 at 4:04 pm #28632
From the above comments, it appears you already have an IdP-SP integration in place; as you mentioned, the user is successfully able to authenticate but fails when the IdP attempts to send the Assertion to the SP’s ACS URL. And if that indeed is true, that means you must have provided SP metadata to your customer for this integration to take place. And if that is not true – then how is the above even working?
IMHO it’s less of a concern in this context how to set an ACS URL. More concerning is when you say the SP doesn’t generate metadata. IdP or SP metadata is an essential construct in the SAML2 protocol which helps the parties involved interoperate, establish trust (via sharing of cryptographic keys), and establish a common understanding of how to communicate.
In your opening question, you stated –
“Viewing the user’s console page from the browser, the customer is stating that the ACS URL is missing in the Request URL link.”
To help you with the above, can you share your AuthNRequest and SP metadata?
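The IdP-side lookup the replies describe (the ACS named in the AuthnRequest must be one the SP metadata registers; with no ACS in the request the IdP falls back to the metadata default; with no AssertionConsumerService in the metadata there is nowhere to post the assertion at all), as an added Python example that is not part of this thread and not OpenAM code. The SP metadata, the AuthnRequest and the app.example.com URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata; app.example.com is a placeholder SP, not a real one.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as an SP-initiated flow would send it to the IdP.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2021-07-14T17:00:00Z"
    AssertionConsumerServiceURL="https://app.example.com/saml/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""


def acs_endpoints(metadata_xml):
    """Return [(binding, location, is_default)] declared in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"), e.get("isDefault") == "true")
            for e in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)]


def resolve_acs(metadata_xml, authn_request_xml):
    """Return (acs_url, reason): the endpoint the IdP may post the assertion to,
    or None when the request cannot be honoured against this metadata."""
    endpoints = acs_endpoints(metadata_xml)
    if not endpoints:
        return None, "SP metadata declares no AssertionConsumerService"
    req = ET.fromstring(authn_request_xml)
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding", POST)
    if url is None:
        # No ACS in the request: the IdP falls back to the metadata default.
        default = next((loc for _, loc, d in endpoints if d), endpoints[0][1])
        return default, "request names no ACS; using metadata default"
    if (binding, url) not in {(b, loc) for b, loc, _ in endpoints}:
        # An IdP must not post an assertion to a URL the SP never registered.
        return None, "ACS %s with binding %s is not in SP metadata" % (url, binding)
    return url, "request ACS matches SP metadata"
```

Run it against your real SP metadata and a decoded AuthnRequest: a None result in the last case, or the metadata declaring no endpoint, is exactly the situation in which the IdP has no ACS URL to redirect to.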