SAML Authentication

I read the post “ADFS / SAML Authentication - Access Denied”. It was very helpful for me in troubleshooting what the correct settings in web.config are. Unfortunately, I still cannot log in using SAML authentication.

I followed the steps in the post. In the debug log, I now get:

“Sustainsys.Saml2.Owin.Saml2AuthenticationMiddleware Information: 0 : Successfully processed SAML response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id and authenticated myemail@mycompany.com”

I believe the authentication succeeded, but in the web browser it still keeps redirecting to the login page.

What is the next step in the Orchestrator authentication process? How can I enable debug logging for troubleshooting?

Hi @dachan,

Glad to hear my post has been somewhat helpful to others. Do I understand correctly that you have enabled both the debug and diagnostic level logging as described in the 2nd part of the post? Based on the output above, it does appear the SAML claim is coming back successfully and the issue is on the Orchestrator side.

Have you created the local user profile in Orchestrator?
Does the claim you are receiving from SAML match the Orchestrator user profile’s email address?

The Email attribute is referenced by default, as described in the Overview here.

If you intend to use another attribute to map to, that can be customized.

If you haven’t already tried it, this Chrome extension makes it super easy to decode the SAML Request/Response so you can easily see what it looks like.

If I modify my Orchestrator profile to have an invalid email, when I go to authenticate the UI displays a red error with the message “User does not exist. (#203)”; fixing the invalid email allows me to log in via SAML again.
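The check the reply above is describing (decode the SAMLResponse, look at the email claim, compare it with the Orchestrator profile) can also be done offline without the browser extension. The script below is an added example, not code from the thread or from UiPath or Sustainsys; it decodes a POST-binding (base64) or redirect-binding (DEFLATE + base64) SAML message, pulls out the NameID and attribute values, and reports whether exactly one active profile matches the email claim. The sample response, the profiles, the issuer URL and the claim name `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` (the standard claim ADFS emits for email) are constructed assumptions; how Orchestrator itself does the lookup is not known from this thread, so the matching here is only the comparison a troubleshooter would make by hand. It does not verify the XML signature, so it is for inspection only.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumed claim name: the email claim ADFS emits by default.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample response (unsigned, not from a real IdP); issuer and values are made up.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>myemail@mycompany.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>MyEmail@MyCompany.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>dachan</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Orchestrator user profiles, as the thread describes them (username + email).
SAMPLE_PROFILES = [
    {"username": "myemail@mycompany.com", "email": "myemail@mycompany.com", "active": True},
    {"username": "someone.else", "email": "someone.else@mycompany.com", "active": True},
]


def sample_post_parameter() -> str:
    """What the SAMLResponse form field looks like for the POST binding: plain base64."""
    return base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def sample_redirect_parameter() -> str:
    """What a redirect-binding parameter looks like: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    packed = comp.compress(SAMPLE_RESPONSE_XML.encode("utf-8")) + comp.flush()
    return base64.b64encode(packed).decode("ascii")


def decode_saml_message(encoded: str) -> str:
    """Return the XML text behind a SAMLResponse/SAMLRequest parameter (no signature check)."""
    raw = base64.b64decode(encoded)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # redirect binding: inflate raw DEFLATE
    return raw.decode("utf-8")


def extract_identity(xml_text: str) -> dict:
    """Pull status, NameID and every attribute's values out of the response."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
    }


def match_profile(identity: dict, profiles: list, claim: str = EMAIL_CLAIM) -> tuple:
    """Compare the email claim against the profiles; returns (result, matching profiles).

    Emails are compared trimmed and case-insensitively; if the claim is missing the
    NameID is used instead. 'ambiguous' flags the two-profile situation from the thread.
    """
    values = identity["attributes"].get(claim) or ([identity["name_id"]] if identity["name_id"] else [])
    wanted = {v.strip().lower() for v in values}
    hits = [p for p in profiles if p["active"] and p["email"].strip().lower() in wanted]
    if not wanted:
        return ("no-email-claim", [])
    if len(hits) == 1:
        return ("ok", hits)
    return ("no-match" if not hits else "ambiguous", hits)


if __name__ == "__main__":
    ident = extract_identity(decode_saml_message(sample_post_parameter()))
    print(ident)
    print(match_profile(ident, SAMPLE_PROFILES))
```

Run it against a real SAMLResponse by pasting the form field value into `decode_saml_message`; if the result is `no-match`, the claim value and the profile email differ in some way Orchestrator does not tolerate, and `ambiguous` means more than one active profile carries the same email.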

I think the user profile is correct. I used the email address in both “USERNAME” and “EMAIL” in Orchestrator. There is no error message returned; it just returns to the login page. Even if I delete my account in Orchestrator, still no error message is returned. :grinning:

Is there any way to enable logging in Orchestrator? I checked the Windows event log and it shows “Current user did not login to the application!”

Abp.Authorization.AbpAuthorizationException: Current user did not login to the application!
   at UiPath.Orchestrator.Web.Common.Authorization.UiAuthorizationHelper.<AuthorizeAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Abp.Authorization.AuthorizationHelper.<CheckPermissions>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at UiPath.Orchestrator.Web.Common.Authorization.UiAuthorizationHelper.<AuthorizeAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Nito.AsyncEx.Synchronous.TaskExtensions.WaitAndUnwrapException(Task task)
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Nito.AsyncEx.Synchronous.TaskExtensions.WaitAndUnwrapException(Task task)
   at Nito.AsyncEx.AsyncContext.Run(Func`1 action)
   at Abp.Authorization.AuthorizationHelperExtensions.Authorize(IAuthorizationHelper authorizationHelper, MethodInfo methodInfo, Type type)
   at Abp.Web.Mvc.Authorization.AbpMvcAuthorizeFilter.OnAuthorization(AuthorizationContext filterContext)
Abp.Authorization.AbpAuthorizationException: Current user did not login to the application!
   at async Task UiPath.Orchestrator.Web.Common.Authorization.UiAuthorizationHelper.AuthorizeAsync(IEnumerable<IAbpAuthorizeAttribute> authorizeAttributes)
   at async Task Abp.Authorization.AuthorizationHelper.CheckPermissions(MethodInfo methodInfo, Type type)
   at async Task UiPath.Orchestrator.Web.Common.Authorization.UiAuthorizationHelper.AuthorizeAsync(MethodInfo methodInfo, Type type)
   at void Nito.AsyncEx.Synchronous.TaskExtensions.WaitAndUnwrapException(Task task)
   at void Nito.AsyncEx.Synchronous.TaskExtensions.WaitAndUnwrapException(Task task)
   at void Nito.AsyncEx.AsyncContext.Run(Func<Task> action)
   at void Abp.Authorization.AuthorizationHelperExtensions.Authorize(IAuthorizationHelper authorizationHelper, MethodInfo methodInfo, Type type)
   at void Abp.Web.Mvc.Authorization.AbpMvcAuthorizeFilter.OnAuthorization(AuthorizationContext filterContext)

This seems to be normal behavior. When I visit the root page, it directs me to the login page as expected, and the message “Abp.Authorization.AbpAuthorizationException: Current user did not login to the application!” is displayed.

If I visit the login page directly <host>/account/login, the warning is not produced.

You should receive an error message briefly as a toast popup if the user does not exist. This leads me to believe maybe your browser cache isn’t refreshing files? Have you tried clearing it or starting an incognito/private session?

Probably a red herring… I was playing around with two profiles and changing the email address on them; Orchestrator does appear to link a claim to a certain profile, not sure if this is short term or not. If I change the email of Profile 1 to a bad email and deactivate the profile, then give the 2nd profile the correct email, I receive the following error upon authenticating with SAML.

image

Deleting Profile 1 and leaving Profile 2 with the correct email, I am then logged into profile 2.