We are using ADFS with Azure
- Fixed the entityId property which was missing a trailing forward slash
- Removed the ADFS certificate from the LocalMachine\My certificate store and moved it into LocalMachine\Root. This was done as the certificate was both issued by and to Azure and it was not trusted as a Root CA.
- Changed the <sustainsys.saml2> node from the documentation to look like:

    <sustainsys.saml2 entityId="https://orchestratorurl" returnUrl="https://orchestratorurl">
      <identityProviders>
        <add entityId="https://sts.windows.net/...ID.../" signOnUrl="https://login.microsoftonline.com/...ID.../saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
          <signingCertificate storeName="Root" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="8FBA...0645"/>
        </add>
      </identityProviders>
    </sustainsys.saml2>
This allows us to authenticate a local or domain user via SAML, but it raised another question about our setup, if anyone has additional details:
- Is it possible to set up a Role mapping to a domain security group or attribute via SAML? Right now it doesn't appear so, which would mean a management overhead if we have to add explicit users.
Potentially setting up Windows Auth to add the domain security groups might be a solution, but I am unable to test this at the moment as we have an issue with Group queries against the domain (a separate case is open for this).
- If this would be the way to handle the Role Mapping, can the ability to authenticate by Windows Auth be disabled while still adding Users/Groups from the domain?
Troubleshooting bits for how I came to the above resolution.
- Add debug=false to the system.web>compilation node:

    Set-WebConfigurationProperty -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.web/compilation' -Name 'debug' -Value true

- Add the following to the system.diagnostics node within web.config:

    <switches><add name="Microsoft.Owin" value="Verbose" /></switches>
    <sharedListeners>
      <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\Windows\Temp\WebAppOwin.log" />
    </sharedListeners>
    <trace autoflush="true"><listeners><add name="file" /></listeners></trace>
Review C:\Windows\Temp\WebAppOwin.log for exceptions and make changes accordingly. Two sample errors that I saw:

    System.Collections.Generic.KeyNotFoundException: No Idp with entity id "https://sts.windows.net/...ID..." found. --->
    System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.

    Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.

When done, don't forget to clean up.
Another helpful tip: to get the certificate thumbprint, I find PowerShell to be faster, and you also don't need to remove the extra spaces or worry about non-printable characters as you do when copying from the UI.

    Get-ChildItem -Path Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint | Where-Object Subject -Like "*azure*"

Adjust -Path as needed, along with the Subject filter.
And last tip… the Chrome extension "SAML Chrome Panel" is also very helpful to quickly see the SAML requests/responses.
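As an added example (not from the original post), a PowerShell check that each <signingCertificate> in the Sustainsys.Saml2 section of web.config actually resolves to a certificate in the store it names, and that each IdP entityId carries the trailing slash the first fix above needed. The web.config path is an assumption; point it at your own Orchestrator site.

```powershell
# Added example, not from the original post: verify that every <signingCertificate> in the
# Sustainsys.Saml2 section resolves to a certificate in the store it names. A mismatch here is
# one cause of "The signature verified correctly ... but that key is not trusted".
# Assumed path; point it at your Orchestrator site's web.config.
$WebConfig = 'C:\inetpub\wwwroot\UiPath Orchestrator\web.config'

function Normalize-Thumbprint {
    param([string]$Value)
    # Drop spaces and any non-hex characters (copying from the certificate UI can bring along
    # an invisible left-to-right mark) and upper-case, to match what the Cert: provider reports.
    return (($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

function Test-Saml2SigningCertificates {
    param([string]$ConfigPath)
    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
    $results = @()
    foreach ($idp in $config.configuration.'sustainsys.saml2'.identityProviders.add) {
        $sc = $idp.signingCertificate
        $row = [ordered]@{
            EntityId      = $idp.entityId
            # Azure AD issuer values end in "/"; a missing slash gave the "No Idp with entity id" error.
            TrailingSlash = $idp.entityId.EndsWith('/')
            Store         = $null; Thumbprint = $null; Subject = $null; NotAfter = $null
            Status        = 'NoSigningCertificateElement'
        }
        if ($sc -and $sc.x509FindType -eq 'FindByThumbprint') {
            $wanted = Normalize-Thumbprint $sc.findValue
            $row.Store      = "Cert:\$($sc.storeLocation)\$($sc.storeName)"
            $row.Thumbprint = $wanted
            $cert = Get-ChildItem -Path $row.Store -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $wanted }
            if (-not $cert) {
                $row.Status = 'NotFoundInStore'
            } else {
                $row.Subject  = $cert.Subject
                $row.NotAfter = $cert.NotAfter
                $row.Status   = if ($cert.NotAfter -lt (Get-Date)) { 'FoundButExpired' } else { 'OK' }
            }
        } elseif ($sc) {
            $row.Status = "Unchecked find type: $($sc.x509FindType)"
        }
        $results += [pscustomobject]$row
    }
    return $results
}

Test-Saml2SigningCertificates -ConfigPath $WebConfig | Format-Table -AutoSize
```

A row with Status NotFoundInStore means the thumbprint in web.config does not match any certificate in that store, which is exactly the situation the InvalidSignatureException above reports.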