With SAML authentication, switching from one SAML identity provider to another can cause logins to stop working. One common cause is that the new identity provider sends a different set of SAML attribute assertions than the service provider expects: an attribute may be missing, named differently, or the subject NameID may use a different format.
Firefox has a useful add-on, SAML Tracer, that helps track this down. Install SAML Tracer in Firefox, log in through the identity provider that works, and note the subject NameID (including its Format) and the attributes sent in the SAML response. Then switch to the new identity provider, repeat the same login, and compare the two responses: check whether any attribute is missing, and whether attribute names or formats differ. The captured response contains the user's identifier and whatever personal attributes the identity provider sends, so treat exported traces as sensitive data.
For example, in a recent test with a custom SAP Cloud Identity provider, user authentication always failed. Comparing the two SAML responses showed that the attribute "display_name" is sent by the default SAP Cloud Identity provider but had not been configured in the custom one, as shown in the working response below. After adding the display_name attribute to the custom identity provider's attribute configuration, authentication worked as expected.
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">I826633</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="Sa71696cb-67b6-42c8-b667-e91abbf02f2b-HPjGyP7iI5mFsWJ2rfj_YOFtZs_6FfDhQhvVAtK5MYQ"
NotOnOrAfter="2018-01-18T21:54:13.288Z"
Recipient="https://mobile-i826633sapdev.int.sap.hana.ondemand.com/odata/applications/latest/com.sap.fiori.client.debug/Connections('cfd5cea6-d078-4ace-9125-c452ebb061d6')"
/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2018-01-18T21:39:13.288Z"
NotOnOrAfter="2018-01-18T21:54:13.288Z"
>
<AudienceRestriction>
<Audience>https://sap.hana.ondemand.com</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2018-01-18T21:44:13.288Z"
SessionIndex="S-SP-8698d43a-d131-4bc6-b623-26401f791236"
SessionNotOnOrAfter="2018-01-19T09:44:13.288Z"
>
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
<AttributeStatement>
<Attribute Name="mail">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>jonathan.li@sap.com</AttributeValue>
</Attribute>
<Attribute Name="display_name">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Jonathan Li I826633</AttributeValue>
</Attribute>
<Attribute Name="first_name">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Jonathan</AttributeValue>
</Attribute>
<Attribute Name="last_name">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>Li</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</Response>
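Comparing two captured responses by eye works for a handful of attributes, but it is easy to miss a case difference or a changed NameID Format. The following script is an added example, not code from the original post or from SAP: it parses two SAML assertions (exported from SAML Tracer, for instance), ignores whichever namespace prefix each identity provider happens to use, and reports the differences that typically break the service provider's user mapping. The two embedded assertions are constructed samples: the "working" one is trimmed from the response shown above, and the "broken" one is a hypothetical custom-provider response that omits display_name and, to show the NameID check as well, switches the NameID to the emailAddress format.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the working response shown above (no signature, conditions, etc.).
WORKING_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">I826633</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jonathan.li@sap.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="display_name"><saml:AttributeValue>Jonathan Li I826633</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jonathan</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Li</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed, hypothetical sample of what a misconfigured custom IdP might send:
# a different namespace prefix, no display_name attribute, and an email-format NameID.
BROKEN_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jonathan.li@sap.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>jonathan.li@sap.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="first_name"><saml2:AttributeValue>Jonathan</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="last_name"><saml2:AttributeValue>Li</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def _local(tag):
    """Strip the namespace from an element tag: '{urn:...}Attribute' -> 'Attribute'."""
    return tag.rsplit("}", 1)[-1]


def parse_assertion(xml_text):
    """Extract the subject NameID, its Format and the attribute statement from a SAML 2.0
    assertion or response, whatever namespace prefix (saml:, saml2:, none) the IdP uses."""
    root = ET.fromstring(xml_text)
    summary = {"name_id": None, "name_id_format": None, "attributes": {}}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "NameID" and summary["name_id"] is None:
            # First NameID in document order is the one under <Subject>.
            summary["name_id"] = (elem.text or "").strip()
            summary["name_id_format"] = elem.get("Format")
        elif name == "Attribute":
            values = [(v.text or "").strip() for v in elem if _local(v.tag) == "AttributeValue"]
            summary["attributes"][elem.get("Name")] = values
    return summary


def compare_assertions(working, new):
    """Report every difference between a known-good assertion and the new IdP's assertion
    that commonly breaks the service provider's user mapping. Returns a list of findings."""
    problems = []
    if working["name_id_format"] != new["name_id_format"]:
        problems.append("NameID Format differs: %s vs %s"
                        % (working["name_id_format"], new["name_id_format"]))
    if working["name_id"] != new["name_id"]:
        problems.append("NameID value differs: %r vs %r" % (working["name_id"], new["name_id"]))

    want, got = working["attributes"], new["attributes"]
    lower_got = {k.lower(): k for k in got}
    lower_want = {k.lower() for k in want}
    for name in want:
        if name in got:
            if not any(got[name]):
                problems.append("attribute %r is present but has no value" % name)
        elif name.lower() in lower_got:
            problems.append("attribute %r is sent as %r (name differs in case)"
                            % (name, lower_got[name.lower()]))
        else:
            problems.append("attribute %r is missing from the new IdP's assertion" % name)
    for name in got:
        if name not in want and name.lower() not in lower_want:
            problems.append("attribute %r is sent by the new IdP but not by the working one" % name)
    return problems


if __name__ == "__main__":
    findings = compare_assertions(parse_assertion(WORKING_ASSERTION),
                                  parse_assertion(BROKEN_ASSERTION))
    for finding in findings:
        print(finding)
```

To use it on real captures, replace the two embedded strings with the XML of the working and failing responses exported from SAML Tracer (the whole Response element parses as well, since the script walks the tree rather than relying on a fixed path). Attribute names are compared exactly, with a case-insensitive fallback only to point out near-misses, because most service providers match attribute names literally.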