We are using ADFS with Azure
- Fixed the entityId property which was missing a trailing forward slash
- Removed the ADFS certificate from the LocalMachine\My certificate store and moved it into LocalMachine\Root. This was done as the certificate was both issued by and to Azure and it was not trusted as a Root CA.
Adjusting the <sustainsys.saml2> node from the documentation to look like:
<sustainsys.saml2 entityId="https://orchestratorurl" returnUrl="https://orchestratorurl">
  <identityProviders>
    <add entityId="https://sts.windows.net/...ID.../" signOnUrl="https://login.microsoftonline.com/...ID.../saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
      <signingCertificate storeName="Root" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="8FBA...0645"/>
    </add>
  </identityProviders>
</sustainsys.saml2>
This allows us to authenticate a local or domain user via SAML, but it raised another question for our setup, if anyone has additional details:
- Is it possible to set up a Role mapping to a domain security group or attribute via SAML? Right now it doesn’t appear so, which would have a management overhead if we have to add explicit users.
Potentially setting up Windows Auth to add the domain security groups might be a solution, but I am unable to test this at the moment as we have an issue with Group queries against the domain (separate case is open for this).
- If this would be the way to handle the Role Mapping, can the ability to authenticate by Windows Auth be disabled while still adding Users/Groups from the domain?
Troubleshooting bits for how I came to the above resolution.
Inside Web.config
- Add debug=false to the system.web>compilation node
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.web/compilation' -Name 'debug' -Value true
- Add a system.diagnostics node within <configuration>
<system.diagnostics>
  <switches>
    <add name="Microsoft.Owin" value="Verbose" />
  </switches>
  <trace autoflush="true"></trace>
  <sharedListeners>
    <add name="file" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\Windows\Temp\WebAppOwin.log" />
  </sharedListeners>
  <sources>
    <source name="Microsoft.Owin">
      <listeners>
        <add name="file" />
      </listeners>
    </source>
  </sources>
</system.diagnostics>
Review C:\Windows\Temp\WebAppOwin.log for exceptions and make changes accordingly. Two sample errors that I saw:
System.Collections.Generic.KeyNotFoundException: No Idp with entity id "https://sts.windows.net/...ID..." found. --->
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.
When done, don’t forget to clean up:
- Remove debug
Clear-WebConfiguration -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.web/compilation/@debug'
- Remove system.diagnostics
Clear-WebConfiguration -PSPath 'IIS:\Sites\UiPath Orchestrator\' -Filter '/system.diagnostics'
Another helpful tip to get the Certificate thumbprint, I find PowerShell to be faster and also you don’t need to remove the extra spaces nor worry about non-printable characters as you do when copying from the UI.
Get-ChildItem -Path Cert:\LocalMachine\Root | select Subject, Thumbprint | Where-Object Subject -Like "*azure*"
This will produce:
Subject Thumbprint
------- ----------
CN=...Azure... 8...5
Adjust the -Path as needed, along with the Where-Object filter.
And last tip… the Chrome Extension “SAML Chrome Panel” is also very helpful to quickly see the SAML request / responses.
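The two errors quoted from the OWIN log above have static causes that can be caught before a login attempt: the IdP entityId in the <add> element must match the Issuer the IdP sends character for character (the missing trailing slash produces "No Idp with entity id ... found"), and the thumbprint in <signingCertificate> must be the SHA-1 of the certificate the IdP actually signs with (otherwise "that key is not trusted"). The script below is an added example and is not code from the original post, from UiPath or from the Sustainsys project: it parses a sustainsys.saml2 section and the IdP's SAML federation metadata, normalises the thumbprint the way the PowerShell tip does (dropping spaces and invisible characters), and reports mismatches. The web.config fragment, the metadata, the hostnames, the TENANT-ID placeholder and the certificate bytes are all constructed for the example; FAKE_CERT_DER is not a real certificate, only its SHA-1 is used.

```python
"""Check a sustainsys.saml2 identity-provider entry against the IdP's federation metadata."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed web.config fragment: the IdP entityId lacks its trailing slash and the
# thumbprint is a placeholder, reproducing the two misconfigurations on purpose.
WEB_CONFIG = """<configuration>
  <sustainsys.saml2 entityId="https://orchestrator.example.test" returnUrl="https://orchestrator.example.test">
    <identityProviders>
      <add entityId="https://sts.windows.net/TENANT-ID" signOnUrl="https://login.microsoftonline.com/TENANT-ID/saml2" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
        <signingCertificate storeName="Root" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="0000000000000000000000000000000000000000"/>
      </add>
    </identityProviders>
  </sustainsys.saml2>
</configuration>"""

# Constructed stand-in for the IdP federation metadata. FAKE_CERT_DER is arbitrary
# bytes, not an X.509 certificate; the check only needs their SHA-1.
FAKE_CERT_DER = b"constructed-certificate-bytes-for-the-example"
FAKE_CERT_THUMBPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def normalize_thumbprint(value: str) -> str:
    """Keep only hex digits, upper-cased: removes the spaces and invisible characters
    that come along when a thumbprint is copied from the certificate UI."""
    return "".join(c for c in value if c in "0123456789abcdefABCDEF").upper()


def thumbprint_of_b64_cert(b64_cert: str) -> str:
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    signing = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing.append(thumbprint_of_b64_cert(cert.text))
    redirect_sso = None
    for sso in root.findall(".//md:SingleSignOnService", NS):
        if sso.get("Binding", "").endswith("HTTP-Redirect"):
            redirect_sso = sso.get("Location")
    return {"entityId": root.get("entityID"), "signing": signing, "signOnUrl": redirect_sso}


def parse_saml2_config(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("./sustainsys.saml2/identityProviders/add")
    cert = idp.find("signingCertificate")
    return {
        "entityId": idp.get("entityId"),
        "signOnUrl": idp.get("signOnUrl"),
        "thumbprint": normalize_thumbprint(cert.get("findValue", "")),
    }


def check_config(config_xml: str, metadata_xml: str) -> list:
    """Return a list of findings; an empty list means the entry matches the metadata."""
    cfg = parse_saml2_config(config_xml)
    idp = parse_idp_metadata(metadata_xml)
    findings = []
    if cfg["entityId"] != idp["entityId"]:
        # Sustainsys looks the IdP up by the exact Issuer string, so a slash matters.
        how = "only by a trailing slash" if cfg["entityId"].rstrip("/") == idp["entityId"].rstrip("/") else "entirely"
        findings.append(f"entityId differs {how}: config={cfg['entityId']!r} metadata={idp['entityId']!r}")
    if cfg["thumbprint"] not in idp["signing"]:
        findings.append(f"thumbprint {cfg['thumbprint']} is not one of the IdP signing keys {idp['signing']}")
    if cfg["signOnUrl"] != idp["signOnUrl"]:
        findings.append(f"signOnUrl {cfg['signOnUrl']!r} does not match the HTTP-Redirect SSO endpoint {idp['signOnUrl']!r}")
    return findings


def demo() -> tuple:
    """Check the constructed config, then the same config with both fixes applied."""
    before = check_config(WEB_CONFIG, IDP_METADATA)
    fixed = (WEB_CONFIG
             .replace('entityId="https://sts.windows.net/TENANT-ID"', 'entityId="https://sts.windows.net/TENANT-ID/"')
             .replace('findValue="' + "0" * 40 + '"', f'findValue="{FAKE_CERT_THUMBPRINT}"'))
    after = check_config(fixed, IDP_METADATA)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fixes:", *before, sep="\n  ")
    print("after fixes:", after)
```

On a real deployment, replace the two constructed strings with the contents of web.config and the metadata document downloaded from the IdP; the thumbprint normalisation is the same cleanup the PowerShell one-liner avoids, so the value can be pasted straight from Get-ChildItem output or from the MMC dialog.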