Question - Azure AD SAML cannot retrieve identity / incorrect SAML attributes

Hello !

I am having an issue where my SAML has been configured with the required values, and I have configured eramba according to the following post: Question - SAML Configuration for Azure AD

When I try to auth with the SAML connector, I get the following in the authentication log.

`FAILURE_IDENTITY_NOT_FOUND` for [N/A] on Main portal with errors: [0->User is authenticated successfully on IDP side] [1->We found email attribute in SAML response: <My full email address>]

It seems like the auth gets across, but the attribute that eramba sends does not line up. I have tested the following:

  • Have configured Azure AD with:

    Single sign on URL: https://MY_FQDN/saml/saml-connectors/single-sign-on

    Audience URI (SP Entity ID): https://MY_FQDN/saml/saml-connectors/get-metadata

    Default RelayState: https://MY_FQDN/login

    Assertion Consumer Service (ACS): https://MY_FQDN/login?acs=1

    Logout URL: https://MY_FQDN/saml/saml-connectors/single-logout

  • Have tried with my login name and email along with any other aliases.

  • Have verified the SAML app’s cert and metadata URL by reconfiguring the Azure enterprise app against another SAML-authed product I have.

I have a feeling I’m not far off the solution but overlooking something important, any input appreciated.

App ID

0855b017bcd91acfbf7315a4eae3455de149ee8d

App Version

3.15.1

DB Schema Version

20220721185933

Update:

Nevermind, I think I have the error.

In the scenario of my company’s AAD, some login names are not equal to the primary email address (which already causes problems in other areas).

The SamlAuthenticator class relies on the email attribute, so the response I am getting from AD does not line up and is most likely the source of the error; it also explains the N/A part in the message.

    protected $_defaultConfig = [
        'loginUrl' => null,
        'urlChecker' => 'Authentication.Default',
        'AuthObj' => null,
        'sessionKey' => null,
        // Maps the logical 'email' attribute to the name of the SAML attribute
        // in the IdP response; by default the response attribute must be called 'email'.
        'attributes' => [
            'email' => 'email',
        ],
        // The value of that attribute is used as the username credential
        // when looking the identity up, so it has to match the stored email.
        'fields' => [
            IdentifierInterface::CREDENTIAL_USERNAME => 'email',
        ],
    ];
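The mismatch described in the update, as an added example (not eramba's own code): a constructed SAML assertion carries the UPN under the attribute named `email` while the SP stores the primary mailbox address, so the default `'email' => 'email'` mapping yields FAILURE_IDENTITY_NOT_FOUND, and pointing the mapping at the attribute that actually carries the mailbox address (here a constructed `mail` attribute) resolves the identity. Attribute names, addresses and the user table are all assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP emits the login name (UPN) as "email"
# and the primary mailbox address as "mail"; the two differ, as in the post.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>john.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed SP user table, keyed by the primary email the SP knows about.
USERS = {"john.doe@example.com": {"id": 1}}


def saml_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_identity(attrs, attribute_map, users):
    """Mirror the authenticator's flow: read the attribute that the config maps
    to 'email', use its value as the username credential, and report the same
    outcomes the post's authentication log distinguishes."""
    name = attribute_map["email"]
    values = attrs.get(name)
    if not values:
        return "FAILURE_EMAIL_ATTRIBUTE_MISSING", None
    email = values[0]
    if email not in users:
        # IdP accepted the user, but no SP identity has this address: the post's case.
        return "FAILURE_IDENTITY_NOT_FOUND", email
    return "SUCCESS", email


if __name__ == "__main__":
    attrs = saml_attributes(ASSERTION)
    print(resolve_identity(attrs, {"email": "email"}, USERS))
    print(resolve_identity(attrs, {"email": "mail"}, USERS))
```

The fix is on either side of the mapping: have the IdP send the address the SP stores under the attribute name the SP expects, or change the `attributes` mapping so `email` points at the attribute that carries it.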

I just love when techies do their job well - life so much easier this way!
