Configure ForgeRock OpenAM for single sign-on login to the Orion Web Console

Question

I am hoping that somebody might have experience or insight regarding Orion SAML 2.0. I have been tasked to provide SSO login for Orion. I attempted to follow this guideline: Authenticate Orion Platform users with SAML v2, , however, we are using ForgeRock OpenAM. After setup, I get the following when tested: Exception Type: ComponentSpace.SAML2.Exceptions.SAMLProtocolException Message: The SAML message doesn't contain an InResponseTo attribute. Stack Trace: at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo) at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes) at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState) at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequestBase request) at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequest request) at SolarWinds.Orion.AccountManagement.LegacyWebSite.Orion_SamlLogin.Page_Load(Object sender, EventArgs e) SAML Response cn=US_All_Employees,ou=shared,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com cn=US CIVC Group Three View,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com cn=STAFF US,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com cn=STAFF ALL,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com cn=STAFF US ABAS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com cn=STAFF IN SDC02,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com cn=STAFF US ABAS INTNST,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com cn=STAFF US VISITORS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com Nathan nwilsonxx nathan.v.wilson@{my company}.com nathan.v.wilson@{my company}.com Wilson It would appear that we are using the attributes described in the section Configure Okta for single sign-on login to the Orion Web Console from the above mentioned document. I opened a ticket with support, and after a fruitless WebEx session, got this as a reply from SolarWinds... Unfortunately as noted on the disclaimer, while we support SAML 2.0 as it is an open standard, we do not support or offer configuration assistance for these other platforms. For further assistance, I would suggest engaging assistance in some other medium such as our online community, thwack. Any assistance would be appreciated.

natetech · Accepted Answer

It turns out that ForgeRock was not providing me with the correct information for SSO Target URL Instead of a URL with "idpSSOInit" that redirected back to Orion I needed a URL "SSOPOST" to the IDP. Did not work - SSO Target URL: https://login.XXX.com/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/xxx/idp22&spEntityID=https://gattmonitor.XXX.com Works - SSO Target URL : https://login.XXX.com:443/openam/SSOPOST/metaAlias/XXX/idp22 Once I made the change, I saw my first SAML Authentication was successful!

Configure ForgeRock OpenAM for single sign-on login to the Orion Web Console

Top Replies