ADFS / SAML Authentication - Access Denied

I’m testing SAML authentication with Orchestrator 2019.10.15 in a private setup. It appears the claims are being created appropriately, but when being redirected back to the Orchestrator instance, access is denied. A support ticket has been opened, but I am wondering if anyone in the community has experience with this or with troubleshooting ADFS / SAML (I have no access to the ADFS and rely on another internal team for configuring that side).

<add key="ExternalAuth.Saml2.Enabled" value="true" /> has been added within <appSettings>, as has the following within <configSections>:

<sustainsys.saml2 entityId="https://urltoorch" returnUrl="https://urltoorch">
    <identityProviders>
        <add entityId="https://sts.windows.net/...id..." signOnUrl="https://login.microsoftonline.com/...id.../saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
            <signingCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="B...3"/>
        </add>
    </identityProviders>
</sustainsys.saml2>

The claims are coming back with several attributes (givenname, surname, emailaddress, sAMAccountName, etc.). The redirect is ending up at /Account/ExternalLoginCallback?ReturnUrl=%2F&mayRegisterTenant=False&error=access_denied

I’ve tried both creating a local user account in Orchestrator with various username formats as well as with an account added via Windows Auth that is created in the format of samaccountname@domain.

https://docs.uipath.com/orchestrator/docs/single-sign-on-using-saml-2

We are using ADFS with Azure.

  • Fixed the entityId property, which was missing a trailing forward slash.
  • Removed the ADFS certificate from the LocalMachine\My certificate store and moved it into LocalMachine\Root. This was done as the certificate was both issued by and to Azure, and it was not trusted as a Root CA.

Adjusting the <sustainsys.saml2> node from the documentation to look like:

<sustainsys.saml2 entityId="https://orchestratorurl" returnUrl="https://orchestratorurl">
  <identityProviders>
    <add entityId="https://sts.windows.net/...ID.../" signOnUrl="https://login.microsoftonline.com/...ID.../saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
      <signingCertificate storeName="Root" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="8FBA...0645"/>
    </add>
  </identityProviders>
</sustainsys.saml2>
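A pre-flight check for the adjusted configuration above, added here as an example (it is not part of the original post, nor UiPath's or Sustainsys' own code). It reads the <sustainsys.saml2> node out of Web.config, flags an Azure AD entityId that lacks the trailing slash, and confirms that the signing certificate is actually present in the store and location the node points at. The Web.config path is an assumed default, and the check assumes the node is a direct child of <configuration>.

```powershell
# Added example (not from the original post): sanity-check the <sustainsys.saml2>
# section of Orchestrator's Web.config against the local certificate stores.
# $WebConfigPath is an assumed default install location; adjust it for your server.
function Test-Saml2Config {
    param(
        [string]$WebConfigPath = 'C:\Program Files (x86)\UiPath\Orchestrator\Web.config'
    )

    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    # Assumption: the node sits directly under <configuration>, as in the post.
    $saml = $cfg.SelectSingleNode('/configuration/sustainsys.saml2')
    if (-not $saml) { throw "No <sustainsys.saml2> node found in $WebConfigPath" }

    $enabled = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='ExternalAuth.Saml2.Enabled']")
    if (-not $enabled -or $enabled.value -ne 'true') {
        Write-Warning 'ExternalAuth.Saml2.Enabled is not set to true in <appSettings>'
    }

    foreach ($idp in $saml.SelectNodes('identityProviders/add')) {
        $entityId = $idp.GetAttribute('entityId')
        Write-Host "IdP: $entityId"

        # The entityId must match the Issuer in the SAML response exactly; the thread's
        # "No Idp with entity id ... found" error came from a missing trailing slash.
        if ($entityId -like 'https://sts.windows.net/*' -and -not $entityId.EndsWith('/')) {
            Write-Warning "  entityId has no trailing slash: $entityId"
        }

        $certNode = $idp.SelectSingleNode('signingCertificate')
        if (-not $certNode) { Write-Warning '  no <signingCertificate> child'; continue }

        $store = "Cert:\$($certNode.GetAttribute('storeLocation'))\$($certNode.GetAttribute('storeName'))"
        # Drop spaces and any non-hex characters that get pasted in when a thumbprint
        # is copied from the certificate UI instead of from PowerShell.
        $raw   = $certNode.GetAttribute('findValue')
        $thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($thumb -ne $raw) {
            Write-Warning "  findValue contains non-hex characters; cleaned value is $thumb"
        }

        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) {
            Write-Warning "  certificate $thumb not found in $store"
            # Report where the thumbprint actually lives so storeName/storeLocation can be fixed.
            Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $thumb } |
                ForEach-Object { Write-Host "  found instead at $($_.PSParentPath)" }
            continue
        }

        Write-Host "  certificate found: $($cert.Subject) (expires $($cert.NotAfter))"
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning '  certificate has expired' }
        if ($cert.Subject -eq $cert.Issuer) {
            # Same situation as in the post: issued by and to the IdP itself, so which
            # store it sits in decides whether the key is treated as trusted.
            Write-Host '  self-signed (subject equals issuer); check which store it is trusted from'
        }
    }
}

Test-Saml2Config
```

Run it in an elevated PowerShell on the Orchestrator server before flipping ExternalAuth.Saml2.Enabled to true; each warning corresponds to one of the causes of the access_denied redirect discussed in this thread.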

This allows us to authenticate a local or domain user via SAML, but it raised another question for our setup, if anyone has additional details:

  1. Is it possible to set up a role mapping to a domain security group or attribute via SAML? Right now it doesn’t appear so, which would mean a management overhead if we have to add explicit users.

Potentially, setting up Windows Auth to add the domain security groups might be a solution, but I am unable to test this at the moment as we have an issue with group queries against the domain (a separate case is open for this).

  2. If this would be the way to handle the role mapping, can the ability to authenticate by Windows Auth be disabled while still adding users/groups from the domain?

Troubleshooting bits for how I came to the above resolution.

Inside Web.config:

  • Add debug=false to the system.web>compilation node
    Set-WebConfigurationProperty -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.web/compilation' -Name 'debug' -Value true
    
  • Add a system.diagnostics node within <configuration>
    <system.diagnostics>
      <switches>
        <add name="Microsoft.Owin" value="Verbose" />
      </switches>
      <trace autoflush="true"></trace>
      <sharedListeners>
        <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\Windows\Temp\WebAppOwin.log" />
      </sharedListeners>
      <sources>
        <source name="Microsoft.Owin">
          <listeners>
            <add name="file" />
          </listeners>
        </source>
      </sources>
    </system.diagnostics>
    

Review C:\Windows\Temp\WebAppOwin.log for exceptions and make changes accordingly. Two sample errors that I saw:

System.Collections.Generic.KeyNotFoundException: No Idp with entity id "https://sts.windows.net/...ID..." found. ---> 
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

When done, don’t forget to clean up:

  • Remove debug
    Clear-WebConfiguration -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.web/compilation/@debug'
    
  • Remove system.diagnostics
    Clear-WebConfiguration -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.diagnostics'
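The enable / review / clean-up steps above wrapped into one reusable script, added here as an example (it is not the original poster's code). Enable-OwinTrace applies the same debug flag and system.diagnostics node as the post, Get-OwinTraceErrors pulls the distinct exception lines out of the log, and Disable-OwinTrace runs the two clean-up commands. The site name and log path are the ones used in the thread; the Web.config path is an assumption.

```powershell
# Added example (not from the original post): toggle the OWIN trace described
# in the thread and summarise the exceptions it captures. Requires the
# WebAdministration module for the IIS:\ drive. $WebConfig is an assumed path.
Import-Module WebAdministration

$SitePath  = 'IIS:\Sites\UiPath Orchestrator\'
$LogPath   = 'C:\Windows\Temp\WebAppOwin.log'
$WebConfig = 'C:\Program Files (x86)\UiPath\Orchestrator\Web.config'   # assumed install path

function Enable-OwinTrace {
    # Keep a copy: Save() rewrites the file, and the debug flag must not stay on.
    Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force

    Set-WebConfigurationProperty -PSPath $SitePath -Filter '/system.web/compilation' -Name 'debug' -Value $true

    [xml]$cfg = Get-Content -Path $WebConfig -Raw
    if ($cfg.configuration.'system.diagnostics') { return }   # already present, nothing to add

    # Same node as in the post, with the log path taken from $LogPath.
    $diag = [xml]@"
<system.diagnostics>
  <switches>
    <add name="Microsoft.Owin" value="Verbose" />
  </switches>
  <trace autoflush="true"></trace>
  <sharedListeners>
    <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="$LogPath" />
  </sharedListeners>
  <sources>
    <source name="Microsoft.Owin">
      <listeners>
        <add name="file" />
      </listeners>
    </source>
  </sources>
</system.diagnostics>
"@
    $null = $cfg.configuration.AppendChild($cfg.ImportNode($diag.DocumentElement, $true))
    $cfg.Save($WebConfig)
}

function Disable-OwinTrace {
    # The two clean-up commands from the post.
    Clear-WebConfiguration -PSPath $SitePath -Filter '/system.web/compilation/@debug'
    Clear-WebConfiguration -PSPath $SitePath -Filter '/system.diagnostics'
}

function Get-OwinTraceErrors {
    # Each distinct exception line with how often it occurred, most frequent first,
    # so a repeating "No Idp with entity id" or "key is not trusted" stands out.
    Select-String -Path $LogPath -Pattern '\w+Exception:' |
        ForEach-Object { $_.Line.Trim() } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Typical session: Enable-OwinTrace; reproduce the login; Get-OwinTraceErrors; Disable-OwinTrace
```

Run Disable-OwinTrace as soon as the cause is found; the debug flag and a verbose trace file under C:\Windows\Temp are not settings to leave on a production Orchestrator.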
    

Another helpful tip for getting the certificate thumbprint: I find PowerShell to be faster, and you also don’t need to remove the extra spaces or worry about non-printable characters as you do when copying from the UI.

Get-ChildItem -Path Cert:\LocalMachine\Root | select Subject, Thumbprint | Where-Object Subject -Like "*azure*"

This will produce:

Subject                                      Thumbprint
-------                                      ----------
CN=...Azure...                               8...5

Adjust the -Path as needed, along with the Where-Object filter.

And a last tip… the Chrome extension “SAML Chrome Panel” is also very helpful for quickly seeing the SAML requests / responses.

Just so it’s not lost in the long post…

Go on and vote!