Examples for setting up SAML IDP profiles

Can we get some examples of how to set up different identity providers?
I'm very excited about the idea of enabling MFA for my projects, but the lingo is over my head and the configuration process has me lost.
I thought I had gotten to a good place using Okta, but I am just getting blank responses on my login tests.
I'm sure it's something I have misconfigured, but I am not sure where to start looking.

Hi @mitchell-ACS -

Guides for setting up basic integration between Ignition and some of the major IdP products / services are definitely on the to-do list.

If you are getting blank responses, try setting the following gateway loggers to debug to see if they reveal anything during login:

gateway.IdpAdapter
gateway.UserAttributeMapper
gateway.ExpressionSecurityLevelPolicy
gateway.WebAuthSessionImpl


This is the response in gateway.WebAuthSessionImpl:

com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterException: Unable to parse the WebAuthResponse from the HTTP request
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:129)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponseInternal(WebAuthSessionImpl.java:176)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.lambda$onLoginResponse$1(WebAuthSessionImpl.java:191)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.mdc(WebAuthSessionImpl.java:93)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponse(WebAuthSessionImpl.java:191)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestLoginWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:297)
    at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:135)
    at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:247)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:49)
    at com.inductiveautomation.ignition.gateway.dataroutes.DataServlet.service(DataServlet.java:87)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:852)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:530)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289)
    at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyException: Unable to create the XML Attribute Source from the SAML Response
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:58)
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:22)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:127)
    ... 46 common frames omitted
Caused by: com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.SAMLHttpResponseFactoryException: https://<gatewayURL>:8043 is not a valid audience
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.validateAssertionConditions(AbstractSAMLHttpResponseFactory.java:130)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.validateAssertion(AbstractSAMLHttpResponseFactory.java:220)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.validateResponse(AbstractSAMLHttpResponseFactory.java:323)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.create(AbstractSAMLHttpResponseFactory.java:353)
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:56)

When I check the log for my IDP (Okta in this case) it says the login was successful.

Hi @mitchell-ACS -

You may have successfully authenticated with the IdP, but Ignition does not trust an assertion in the response from the IdP because the intended “audience” for the response is not correct. The audience should be the URI (scheme, host, and port only) of the gateway from which you initiated your authentication request (for example: http://localhost:8088). In your Okta configuration, this would be set as the SP Entity ID.


That fixed it! Thanks @jspecht.


I have the same problem, but I am receiving a different debug message. Any ideas what is causing this?

WebAuthSessionImpl 28Oct2019 09:46:59 Unable to handle login response
com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterException: Unable to parse the WebAuthResponse from the HTTP request
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:121)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponseInternal(WebAuthSessionImpl.java:185)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.lambda$onLoginResponse$2(WebAuthSessionImpl.java:199)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.mdc(WebAuthSessionImpl.java:98)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponse(WebAuthSessionImpl.java:199)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestLoginWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:295)
    at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:111)
    at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:247)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:49)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupCollectionServlet.serviceInternal(RouteGroupCollectionServlet.java:54)
    at com.inductiveautomation.ignition.gateway.dataroutes.AbstractRouteGroupServlet.service(AbstractRouteGroupServlet.java:32)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:852)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:530)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289)
    at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyException: Unable to create the XML Attribute Source from the SAML Response
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:58)
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:22)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:119)
    ... 48 common frames omitted
Caused by: com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.SAMLHttpResponseFactoryException: Unable to deserialize the SAML Response XML Document
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.create(AbstractSAMLHttpResponseFactory.java:350)
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:56)
    ... 50 common frames omitted
Caused by: com.inductiveautomation.ignition.gateway.auth.saml.serialization.SAMLDeserializerException: Unable to parse the Document
    at com.inductiveautomation.ignition.gateway.auth.saml.serialization.AbstractSAMLDeserializer.deserialize(AbstractSAMLDeserializer.java:43)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.create(AbstractSAMLHttpResponseFactory.java:348)
    ... 51 common frames omitted
Caused by: com.inductiveautomation.ignition.gateway.auth.saml.parsing.SAMLDocumentParserException: Expected one Signature candidate for signed node 0 and xPath /samlp:Response but got 0
    at com.inductiveautomation.ignition.gateway.auth.saml.parsing.SignatureValidatingSAMLDocumentParserDecorator.getOnlyChild(SignatureValidatingSAMLDocumentParserDecorator.java:111)
    at com.inductiveautomation.ignition.gateway.auth.saml.parsing.SignatureValidatingSAMLDocumentParserDecorator.validate(SignatureValidatingSAMLDocumentParserDecorator.java:124)
    at com.inductiveautomation.ignition.gateway.auth.saml.parsing.SignatureValidatingSAMLDocumentParserDecorator.parse(SignatureValidatingSAMLDocumentParserDecorator.java:197)
    at com.inductiveautomation.ignition.gateway.auth.saml.serialization.AbstractSAMLDeserializer.deserialize(AbstractSAMLDeserializer.java:41)

Hi @Jonathan -

In this case, you have the Validate Response Signatures configuration option enabled on the Ignition side but your IdP is not signing the response.

If you expect the IdP to sign the entire SAML response, then you need to figure out how to set up response signing on the IdP side.
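Both failures in this thread are checks a SAML service provider runs on the IdP's Response before trusting it: the Assertion's AudienceRestriction must name the SP Entity ID (the "is not a valid audience" error from the first trace), and, when response-signature validation is turned on, the samlp:Response element itself must carry a ds:Signature (the "Expected one Signature candidate ... /samlp:Response but got 0" error from the second). The script below is an added example and is not Ignition's code; it is a small pre-flight checker you can point at a SAML Response you captured from the browser (after base64-decoding it) to see which of the two conditions is tripping. The SAML Response embedded in it is constructed by hand (the issuer, audience and IDs are placeholders, not real Okta values), and the function names are my own.

```python
"""Pre-flight checks for a SAML 2.0 Response, mirroring two of the
validations a service provider performs: audience restriction and
presence of a signature on the Response element. Added example, not
Ignition's implementation. Standard library only."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the Assertion is signed, the Response is not, and the
# audience names a gateway URI (scheme + host + port only). Placeholder values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2019-10-28T09:46:59Z">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER_ISSUER</saml:Issuer>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2019-10-28T09:46:59Z">
    <saml:Issuer>http://www.okta.com/PLACEHOLDER_ISSUER</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-10-28T09:41:59Z" NotOnOrAfter="2019-10-28T09:51:59Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://gateway.example.internal:8043</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_response(xml_text):
    # For untrusted input in a real SP, parse with defusedxml instead;
    # the stdlib parser is fine for this hand-built sample.
    return ET.fromstring(xml_text)


def audiences(root):
    """All <saml:Audience> values under the Assertion's Conditions."""
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def check_audience(root, sp_entity_id):
    """The SP Entity ID must match an Audience exactly (string comparison,
    so scheme, host and port all have to agree)."""
    found = audiences(root)
    return sp_entity_id in found, found


def response_signature_count(root):
    """ds:Signature elements that are direct children of samlp:Response,
    i.e. the candidates for 'signed node 0 and xPath /samlp:Response'."""
    return len(root.findall("ds:Signature", NS))


def assertion_signature_count(root):
    return len(root.findall("saml:Assertion/ds:Signature", NS))


def _ts(value):
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_time_window(root, now_iso):
    """NotBefore <= now < NotOnOrAfter on the Assertion's Conditions."""
    cond = root.find(".//saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return False
    now = _ts(now_iso)
    nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    return (nb is None or now >= nb) and (noa is None or now < noa)


def diagnose(xml_text, sp_entity_id, now_iso, expect_signed_response=True):
    """Return a list of human-readable problems; empty means the checks pass."""
    root = parse_response(xml_text)
    problems = []
    ok, found = check_audience(root, sp_entity_id)
    if not ok:
        problems.append(f"{sp_entity_id} is not a valid audience (assertion names {found})")
    if not check_time_window(root, now_iso):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    if expect_signed_response and response_signature_count(root) == 0:
        problems.append("Expected one Signature candidate for /samlp:Response but got 0 "
                        f"(assertion signatures: {assertion_signature_count(root)})")
    return problems


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_RESPONSE, "http://localhost:8088", "2019-10-28T09:46:59Z"):
        print("PROBLEM:", problem)
```

Running it as written reports both problems for the sample, because the SP Entity ID passed in does not match the audience in the assertion and only the Assertion, not the Response, is signed. Passing the gateway URI that the assertion actually names clears the first, and either turning on response signing at the IdP or passing `expect_signed_response=False` (the equivalent of disabling Validate Response Signatures, at the cost of relying on the assertion signature alone) clears the second.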