Configure ForgeRock OpenAM for single sign-on login to the Orion Web Console

I am hoping that somebody might have experience or insight regarding Orion SAML 2.0.

I have been tasked to provide SSO login for Orion.

I attempted to follow this guideline: Authenticate Orion Platform users with SAML v2; however, we are using ForgeRock OpenAM.

After setup, I get the following when tested:

Exception

Type: ComponentSpace.SAML2.Exceptions.SAMLProtocolException

Message: The SAML message doesn't contain an InResponseTo attribute.

Stack Trace:

    at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo)
    at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
    at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
    at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequestBase request)
    at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequest request)
    at SolarWinds.Orion.AccountManagement.LegacyWebSite.Orion_SamlLogin.Page_Load(Object sender, EventArgs e)

SAML Response

    <saml:AttributeStatement>
      <saml:Attribute Name="OrionGroups">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US_All_Employees,ou=shared,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US CIVC Group Three View,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF ALL,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF IN SDC02,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS INTNST,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US VISITORS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.firstName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Nathan</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nwilsonxx</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.email">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cloudemailaddress">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.lastName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Wilson</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

It would appear that we are using the attributes described in the section Configure Okta for single sign-on login to the Orion Web Console from the above mentioned document.

I opened a ticket with support, and after a fruitless WebEx session, got this as a reply from SolarWinds...

Unfortunately as noted on the disclaimer, while we support SAML 2.0 as it is an open standard, we do not support or offer configuration assistance for these other platforms. For further assistance, I would suggest engaging assistance in some other medium such as our online community, thwack.

Any assistance would be appreciated.
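As an added illustration (not code from this thread, from SolarWinds or from ComponentSpace), the Python below models the service-provider check that the `CheckPendingResponseState` frame in the stack trace above corresponds to: a `samlp:Response` arriving at the Assertion Consumer Service must carry an `InResponseTo` attribute that names an `AuthnRequest` the SP issued and has not yet consumed. A Response without that attribute is an unsolicited, IdP-initiated login, which an SP configured for SP-initiated SSO refuses with exactly the message in the post. The function names, the `pending_request_ids` store, the `example.test` hostnames, the request and assertion IDs and every attribute value are assumptions constructed for the example; the sample Response is unsigned and the signature, Issuer, Audience, Recipient and expiry checks a real SP also performs are left out so the example stays focused on request/response correlation.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class SAMLProtocolException(Exception):
    """Raised when a Response fails a protocol-level check."""


def parse_attributes(root):
    """Collect every saml:Attribute into {Name: [values]} (e.g. OrionGroups)."""
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = attr.findall(f"{{{SAML}}}AttributeValue")
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs


def receive_sso(response_xml, pending_request_ids, allow_idp_initiated=False):
    """Model of the correlation check an SP runs at its Assertion Consumer Service.

    pending_request_ids holds the IDs of AuthnRequests this SP issued and has
    not yet consumed (a real SP keeps this per browser session). Signature,
    Issuer, Audience, Recipient and NotOnOrAfter validation are omitted here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SAMLProtocolException("Expected a samlp:Response element.")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # The thread's error: an unsolicited (IdP-initiated) Response cannot be
        # tied to any AuthnRequest, so an SP configured for SP-initiated SSO
        # refuses it rather than trust a login it never asked for.
        if not allow_idp_initiated:
            raise SAMLProtocolException(
                "The SAML message doesn't contain an InResponseTo attribute.")
    else:
        if in_response_to not in pending_request_ids:
            # Unknown or already-used ID: stale, replayed or forged. Reject.
            raise SAMLProtocolException(
                f"InResponseTo {in_response_to!r} matches no pending AuthnRequest.")
        pending_request_ids.discard(in_response_to)  # one-shot: blocks replay

    # Web Browser SSO profile: if the bearer SubjectConfirmationData carries
    # InResponseTo, it must name the same request as the Response itself.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != in_response_to:
            raise SAMLProtocolException(
                "SubjectConfirmationData InResponseTo disagrees with the Response.")

    return {"in_response_to": in_response_to, "attributes": parse_attributes(root)}


def build_response(in_response_to=None):
    """Constructed, unsigned sample Response using the attribute names from the
    thread; hostnames, IDs and values are made up for this example."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
    Version="2.0" IssueInstant="2020-01-01T00:00:00Z"{irt}>
  <saml:Issuer>https://idp.example.test/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/openam</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{irt} Recipient="https://orion.example.test/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="OrionGroups">
        <saml:AttributeValue>cn=Orion Admins,ou=groups,dc=example,dc=test</saml:AttributeValue>
        <saml:AttributeValue>cn=Orion Viewers,ou=groups,dc=example,dc=test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Run the two situations from the thread. Returns (error text for the
    unsolicited case, accepted result for the correlated case, leftover IDs)."""
    pending = {"_req42"}  # the SP issued AuthnRequest _req42 earlier (constructed)
    try:
        receive_sso(build_response(), pending)  # no InResponseTo at all
        unsolicited_error = None
    except SAMLProtocolException as exc:
        unsolicited_error = str(exc)
    accepted = receive_sso(build_response("_req42"), pending)
    return unsolicited_error, accepted, pending


if __name__ == "__main__":
    err, ok, left = demo()
    print("unsolicited response ->", err)
    print("correlated response  ->", ok["in_response_to"], ok["attributes"]["userName"], left)
```

Run stand-alone, `demo()` shows both outcomes: the Response without `InResponseTo` is rejected with the thread's message, while the Response that echoes `_req42` is accepted and that request ID is consumed, so presenting the same Response a second time fails. Switching `allow_idp_initiated` on makes the first case succeed, but it also removes the only binding between the login the SP started and the assertion it receives, which is why fixing the IdP side so that it returns `InResponseTo`, as the thread's resolution did, is the better outcome than loosening the SP.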

  • natetech@yahoo.com wrote: [quotes the original post above]

    Hi Nathan,

    There could be something specific to ForgeRock OpenAM that is unanticipated. I've opened a tracking ticket internally under CORE-13747 to investigate, referencing this THWACK thread.

  • serena wrote: [quotes her reply above]

    I'm unable to find your support ticket btw, do you mind sharing your support case number?

  • natetech@yahoo.com  wrote:

    Case # - 00417479

    Hi Nate, thanks for sending that over. I've checked the details with a few other product managers on the platform, and the issue here is that ForgeRock does not send back some fields that are considered required. As a result, this would be considered a feature request to handle ForgeRock, and the product team requests that you put the request here: Server & Application Monitor Feature Requests for tracking.

  • Serena,

    Part of my original issue was a request as to what fields SolarWinds considers as "required".
    This is the information my team was asking for in an attempt to match things up in ForgeRock.

    I am not sure if a feature request is needed for this or not.

  • natetech@yahoo.com wrote: [quotes the reply above]

    In this case - it does look like ForgeRock is missing the 'InResponseTo' attribute.

  • Thank you, Serena

    I am bouncing this back to our support team.
    I want to keep this thread open until I find a resolution.

  • After the upgrade to WPM, SAM: 2019.4.1 | Orion Platform HF2: 2019.4, I decided to test SAML, and much to my surprise, it worked.

    SAML logging still shows the error when no user account exists, but I have 7 users who are now able to log in with SSO.

  • We are in the process of deploying a second SolarWinds environment.

    Once again with ForgeRock OpenAM, I am getting the error.

    The SAML message doesn't contain an InResponseTo attribute.

    I am also going to be installing an Additional Web Server in this environment, so if any progress has been made regarding documentation for setting up SAML with ForgeRock OpenAM, please share.

  • This appears to be the same issue you reported earlier and were able to resolve once you added the InResponseTo attribute response to OpenAM.