Examples for setting up SAML IDP profiles

ignition80
#1

Can we get some examples of how to set up different identity providers?
I’m very excited about the idea of enabling MFA for my projects but the lingo is over my head and the configuration process has me lost.
I thought I had gotten to a good place using Okta but I am just getting blank responses on my login tests.
I’m sure it’s something I have misconfigured, but I am not sure where to start looking.

0 Likes

#2

Hi @mitchell-ACS -

Guides for setting up basic integration between Ignition and some of the major IdP products / services are definitely on the to-do list.

If you are getting blank responses, try setting the following gateway loggers to debug to see if they reveal anything during login:

gateway.IdpAdapter
gateway.UserAttributeMapper
gateway.ExpressionSecurityLevelPolicy
gateway.WebAuthSessionImpl

0 Likes

#3

This is the response in gateway.WebAuthSessionImpl

```
com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterException: Unable to parse the WebAuthResponse from the HTTP request
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:129)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponseInternal(WebAuthSessionImpl.java:176)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.lambda$onLoginResponse$1(WebAuthSessionImpl.java:191)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.mdc(WebAuthSessionImpl.java:93)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponse(WebAuthSessionImpl.java:191)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestLoginWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:297)
    at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:135)
    at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:247)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:49)
    at com.inductiveautomation.ignition.gateway.dataroutes.DataServlet.service(DataServlet.java:87)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:852)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:530)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289)
    at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyException: Unable to create the XML Attribute Source from the SAML Response
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:58)
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:22)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.parseAttributes(IdpAdapter.java:127)
    ... 46 common frames omitted
Caused by: com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.SAMLHttpResponseFactoryException: https://<gatewayURL>:8043 is not a valid audience
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.validateAssertionConditions(AbstractSAMLHttpResponseFactory.java:130)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.validateAssertion(AbstractSAMLHttpResponseFactory.java:220)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.validateResponse(AbstractSAMLHttpResponseFactory.java:323)
    at com.inductiveautomation.ignition.gateway.auth.saml.binding.http.response.AbstractSAMLHttpResponseFactory.create(AbstractSAMLHttpResponseFactory.java:353)
    at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategy.parseWebAuthResponse(SAMLWebAuthStrategy.java:56)
```

0 Likes

#4

When I check the log for my IDP (Okta in this case) it says the login was successful.

0 Likes

#5

Hi @mitchell-ACS -

You may have successfully authenticated with the IdP, but Ignition does not trust an assertion in the response from the IdP because the intended “audience” for the response is not correct. The audience should be the URI (scheme, host, and port only) of the gateway from which you initiated your authentication request (for example: http://localhost:8088). In your Okta configuration, this would be set as the SP Entity ID.

1 Like
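Added example, not Ignition's code or anything posted in this thread: a small Python check that mirrors the audience validation behind the "is not a valid audience" error in post #3, so you can see why the SP Entity ID in Okta must equal the gateway's scheme://host:port. The SAML Response fragment and all URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML Response skeleton; signature, subject and attributes are
# omitted because only the Conditions/AudienceRestriction element matters here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def gateway_origin(gateway_url):
    """Reduce a gateway URL to scheme://host[:port]; this is the value the
    assertion's Audience must carry (e.g. http://localhost:8088)."""
    parts = urlsplit(gateway_url)
    return f"{parts.scheme}://{parts.netloc}"


def audiences(response_xml):
    """Collect every <saml:Audience> value found in the response's assertions."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.iterfind(path, NS) if a.text]


def validate_audience(response_xml, gateway_url):
    """Accept the assertion only if the gateway origin is among its audiences.
    A missing restriction is also rejected: an unrestricted assertion could be
    replayed at any service provider the IdP has issued it for."""
    expected = gateway_origin(gateway_url)
    found = audiences(response_xml)
    if not found:
        raise ValueError("assertion carries no AudienceRestriction")
    if expected not in found:
        raise ValueError(f"{expected} is not a valid audience (assertion names {found})")
    return expected


def check(audience_in_assertion, gateway_url):
    """Build the constructed response with the given audience and report
    (ok, message) instead of raising, for use in tests and quick experiments."""
    xml = SAMPLE_RESPONSE.format(audience=audience_in_assertion)
    try:
        return True, validate_audience(xml, gateway_url)
    except ValueError as exc:
        return False, str(exc)
```

The mismatch case reproduces the thread's failure: an Okta profile whose SP Entity ID is anything other than the gateway origin yields "http://localhost:8088 is not a valid audience" even though Okta itself logged a successful login.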

#6

That fixed it! Thanks @jspecht.

1 Like