This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

Configure ForgeRock OpenAM for single sign-on login to the Orion Web Console

I am hoping that somebody might have experience or insight regarding Orion SAML 2.0.

I have been tasked to provide SSO login for Orion.

I attempted to follow this guideline: Authenticate Orion Platform users with SAML v2; however, we are using ForgeRock OpenAM.

After setup, I get the following when tested:

Exception

Type:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException

Message:

The SAML message doesn't contain an InResponseTo attribute.

Stack Trace:

at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo)

at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)

at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)

at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequestBase request)

at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequest request)

at SolarWinds.Orion.AccountManagement.LegacyWebSite.Orion_SamlLogin.Page_Load(Object sender, EventArgs e)

SAML Response

    <saml:AttributeStatement>
      <saml:Attribute Name="OrionGroups">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US_All_Employees,ou=shared,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US CIVC Group Three View,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF ALL,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF IN SDC02,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS INTNST,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US VISITORS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.firstName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Nathan</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nwilsonxx</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.email">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cloudemailaddress">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.lastName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Wilson</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

It would appear that we are using the attributes described in the section Configure Okta for single sign-on login to the Orion Web Console from the above-mentioned document.

I opened a ticket with support, and after a fruitless WebEx session, got this as a reply from SolarWinds...

Unfortunately as noted on the disclaimer, while we support SAML 2.0 as it is an open standard, we do not support or offer configuration assistance for these other platforms. For further assistance, I would suggest engaging assistance in some other medium such as our online community, thwack.

Any assistance would be appreciated.

  • serena wrote:

    Hi Nathan,

    There could be something specific to ForgeRock OpenAM, that is unanticipated. I've opened a tracking ticket internally under CORE-13747 to investigate, referencing this THWACK thread.

  • serena  wrote:


    I'm unable to find your support ticket btw, do you mind sharing your support case number?

  • natetech@yahoo.com  wrote:

    Case # - 00417479

    Hi Nate, thanks for sending that over. I've checked the details with a few other product managers on the platform, and the issue here is that ForgeRock does not send back some fields that are considered required. As a result, this would be considered a feature request to handle ForgeRock, and the product team requests that you put the request here: Server & Application Monitor Feature Requests, for tracking.

  • Serena,

    Part of my original issue was a request as to what fields SolarWinds considers as "required".
    This is the information my team was asking for in an attempt to match things up in ForgeRock.

    I am not sure if a feature request is needed for this or not.

  • natetech@yahoo.com  wrote:

    Serena,

    Part of my original issue was a request as to what fields SolarWinds considers as "required".
    This is the information my team was asking for in an attempt to match things up in ForgeRock.

    I am not sure if a feature request is needed for this or not.

    In this case - it does look like ForgeRock is missing the 'InResponseTo' attribute.
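
The check behind the exception quoted in this thread, as an added example (this is not SolarWinds, ComponentSpace or ForgeRock code). In SAML 2.0 Core, a Response issued in reply to an AuthnRequest must carry an InResponseTo attribute equal to that request's ID, on the Response and on the bearer SubjectConfirmationData, while an unsolicited (IdP-initiated) response must not carry one. The service provider compares it with the request IDs it actually issued and still has outstanding, which ties the response to the login the SP's own session started and stops a response obtained elsewhere from being injected into it; consuming each ID once stops replay. The branch "no InResponseTo while an AuthnRequest is pending" is the condition the exception text describes. The sample response is constructed and unsigned, with example.com hosts and a trimmed copy of the thread's attribute set; the endpoint and entity ID constants are assumptions. Signature, Destination, Audience and NotOnOrAfter validation are out of scope here but remain mandatory in a real SP.

```python
"""Minimal SAML 2.0 SP-side InResponseTo check and attribute extraction.
Added example, not SolarWinds/ComponentSpace/ForgeRock code. Signature,
Destination, Audience and NotOnOrAfter validation are out of scope here."""
import xml.etree.ElementTree as ET  # production: defusedxml, for entity-expansion hardening

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://orion.example.com/Orion/SamlLogin.aspx"   # assumed SP endpoint
IDP_ENTITY_ID = "https://openam.example.com/openam"          # assumed IdP entity ID


def check_in_response_to(response_xml, pending_request_ids, allow_idp_initiated=False):
    """Bind a Response to an AuthnRequest this SP issued.

    pending_request_ids: set of AuthnRequest IDs the SP generated for logins
    still in progress (kept server-side, per session). Returns (status, detail).
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return "reject", "not a samlp:Response"
    irt = root.get("InResponseTo")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    scd_irt = scd.get("InResponseTo") if scd is not None else None

    if irt is None:
        if pending_request_ids:
            # The SP started this login, so an unsolicited response must not
            # complete it. This is the condition the thread's exception reports.
            return "reject", "no InResponseTo while an AuthnRequest is pending"
        if allow_idp_initiated:
            return "accept_idp_initiated", "unsolicited response, IdP-initiated SSO enabled"
        return "reject", "unsolicited response, IdP-initiated SSO disabled"
    if irt not in pending_request_ids:
        return "reject", "InResponseTo %r matches no pending AuthnRequest" % irt
    if scd_irt is not None and scd_irt != irt:
        return "reject", "SubjectConfirmationData/@InResponseTo disagrees with Response"
    pending_request_ids.discard(irt)  # consume: a captured response cannot be replayed
    return "accept", irt


def extract_attributes(response_xml):
    """Return {Name: [values]} from the AttributeStatement (OrionGroups etc.)."""
    root = ET.fromstring(response_xml)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def sample_response(in_response_to=None):
    """Constructed, unsigned response shaped like the one in the thread."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>nwilsonxx</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="OrionGroups">
        <saml:AttributeValue>cn=US_All_Employees,ou=shared,ou=us,ou=nam,ou=Groups,dc=example,dc=com</saml:AttributeValue>
        <saml:AttributeValue>cn=STAFF ALL,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc=example,dc=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userName"><saml:AttributeValue>nwilsonxx</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.email"><saml:AttributeValue>nathan.v.wilson@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    pending = {"_req42"}                                             # ID the SP put in its AuthnRequest
    print(check_in_response_to(sample_response(), pending))          # rejected, as Orion did
    print(check_in_response_to(sample_response("_req42"), pending))  # ('accept', '_req42')
    print(extract_attributes(sample_response("_req42"))["OrionGroups"])
```

To reproduce the thread's failure against a real IdP, compare the Response the browser posts to the SP's assertion consumer URL with the ID of the AuthnRequest the SP sent: if the SP sent a request and the Response has no InResponseTo, the IdP is answering as if the flow were IdP-initiated, and the fix belongs on the IdP side or in the SP's decision whether to accept unsolicited responses at all.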
