
Configure ForgeRock OpenAM for single sign-on login to the Orion Web Console

Jump to solution

I am hoping that somebody might have experience or insight regarding Orion SAML 2.0.

I have been tasked to provide SSO login for Orion.

I attempted to follow this guideline: Authenticate Orion Platform users with SAML v2; however, we are using ForgeRock OpenAM.

After setup, I get the following when tested:

Exception

Type:

ComponentSpace.SAML2.Exceptions.SAMLProtocolException

Message:

The SAML message doesn't contain an InResponseTo attribute.

Stack Trace:

at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo)

at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)

at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)

at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequestBase request)

at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequest request)

at SolarWinds.Orion.AccountManagement.LegacyWebSite.Orion_SamlLogin.Page_Load(Object sender, EventArgs e)

SAML Response

    <saml:AttributeStatement>
      <saml:Attribute Name="OrionGroups">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US_All_Employees,ou=shared,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US CIVC Group Three View,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF ALL,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF IN SDC02,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS INTNST,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US VISITORS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.firstName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Nathan</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nwilsonxx</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.email">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cloudemailaddress">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.lastName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Wilson</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

It would appear that we are using the attributes described in the section Configure Okta for single sign-on login to the Orion Web Console from the above mentioned document.

I opened a ticket with support, and after a fruitless WebEx session, got this as a reply from SolarWinds...

Unfortunately as noted on the disclaimer, while we support SAML 2.0 as it is an open standard, we do not support or offer configuration assistance for these other platforms. For further assistance, I would suggest engaging assistance in some other medium such as our online community, thwack.

Any assistance would be appreciated.

1 Solution

It turns out that ForgeRock was not providing me with the correct information for SSO Target URL

Instead of a URL with "idpSSOInit" that redirected back to Orion, I needed a URL "SSOPOST" to the IDP.

Did not work - SSO Target URL:
https://login.XXX.com/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/xxx/idp22&spEntityID=https://gattmo...

Works - SSO Target URL:
https://login.XXX.com:443/openam/SSOPOST/metaAlias/XXX/idp22

Once I made the change, I saw my first SAML Authentication was successful!


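As an added illustration (not code from the thread, SolarWinds or ComponentSpace), the Python model below shows the SP-side check behind the error quoted above and why the two target URLs behave differently: an SP that accepts only solicited Responses records the ID of each AuthnRequest it sends and requires the IdP's Response to carry a matching InResponseTo, which an IdP-initiated (idpSSOInit) flow never produces because the SP sent no request, while the SSOPOST endpoint lets the SP start the flow. The class and function names, the constructed sample Response and the example.com group DN are assumptions; signature, Audience and Destination validation is out of scope.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class SAMLProtocolException(Exception):
    pass


class ServiceProvider:
    """Toy SP that, like the Orion console, accepts only solicited Responses by default."""
    def __init__(self, allow_idp_initiated=False):
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = set()  # IDs of AuthnRequests we sent that are not yet answered

    def start_sso(self):
        """SP-initiated flow (what an SSOPOST target URL drives): mint and remember an AuthnRequest ID."""
        request_id = "_" + secrets.token_hex(16)
        self.pending.add(request_id)
        return request_id

    def check_pending_response_state(self, in_response_to):
        """Same check as in the stack trace: bind the Response to a request we sent."""
        if in_response_to is None:
            # An idpSSOInit-style (IdP-initiated) Response carries no InResponseTo at all.
            if self.allow_idp_initiated:
                return False
            raise SAMLProtocolException("The SAML message doesn't contain an InResponseTo attribute.")
        if in_response_to not in self.pending:
            raise SAMLProtocolException("InResponseTo does not match a pending AuthnRequest")
        self.pending.discard(in_response_to)  # one-shot, so a replayed Response fails this check
        return True

    def receive_sso(self, response_xml):
        """Parse a Response; return (was_solicited, {attribute name: [values]})."""
        root = ET.fromstring(response_xml)
        solicited = self.check_pending_response_state(root.get("InResponseTo"))
        attributes = {}
        for attr in root.iter(f"{{{SAML}}}Attribute"):
            attributes[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        return solicited, attributes


def build_response(in_response_to=None):
    """Constructed sample IdP Response reusing attribute names seen in the thread."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"{irt}>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>'
        '<saml:Attribute Name="userName"><saml:AttributeValue>nwilsonxx</saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute Name="OrionGroups"><saml:AttributeValue>cn=STAFF ALL,ou=groups,dc=example,dc=com'
        '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )


def rejection_reason(sp, response_xml):
    """Return the SP's error message for a Response, or None when it is accepted."""
    try:
        sp.receive_sso(response_xml)
        return None
    except SAMLProtocolException as exc:
        return str(exc)
```

Opting in to IdP-initiated Responses (allow_idp_initiated=True) is what an SP would have to do to accept the idpSSOInit flow; it also gives up the request binding that makes a replayed or unsolicited Response detectable.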
Product Manager


Hi Nathan,

There could be something specific to ForgeRock OpenAM, that is unanticipated. I've opened a tracking ticket internally under CORE-13747 to investigate, referencing this THWACK thread.



I'm unable to find your support ticket btw, do you mind sharing your support case number?


Case # - 00417479


natetech@yahoo.com  wrote:

Case # - 00417479

Hi Nate, thanks for sending that over. I've checked the details with a few other product managers on the platform, and the issue here is that ForgeRock does not send back some fields that are considered required. As a result, this would be considered a feature request to handle ForgeRock, and the product team requests that you put the request here: Server & Application Monitor Feature Requests for tracking.


Serena,

Part of my original issue was a request as to what fields SolarWinds considers as "required".
This is the information my team was asking for in an attempt to match things up in ForgeRock.

I am not sure if a feature request is needed for this or not.


natetech@yahoo.com wrote:

Serena,

Part of my original issue was a request as to what fields SolarWinds considers as "required".
This is the information my team was asking for in an attempt to match things up in ForgeRock.

I am not sure if a feature request is needed for this or not.

In this case - it does look like ForgeRock is missing the 'InResponseTo' attribute.


Thank you, Serena

I am bouncing this back to our support team.
I want to keep this thread open until I find a resolution.


After the upgrade to WPM, SAM: 2019.4.1 | Orion Platform HF2: 2019.4, I decided to test SAML, and much to my surprise, it worked.

SAML logging still shows the error when no user account exists, but I have 7 users who are now able to log in with SSO.


@serena 

We are in the process of deploying a second SolarWinds environment.

Once again with ForgeRock OpenAM, I am getting the error.

The SAML message doesn't contain an InResponseTo attribute.
 
I am also going to be installing an Additional Web Server in this environment, so if any progress has been made regarding documentation for setting up SAML with ForgeRock OpenAM, please share.
 

Hello,

From what I can see, the InResponseTo attribute is considered a standard field in all SAML response scenarios. Have you discussed the format of the absence of the field with ForgeRock?

This tool can be very useful when troubleshooting responses.

https://www.samltool.com/generic_sso_res.php

 


This appears to be the same issue you reported earlier and were able to resolve once you added the InResponseTo attribute response to OpenAM.


Actually, SSO login just started working after I performed the update to 2019.4.1 over the New Years break.

I was still getting the "InResponseTo" errors, and could never test in my original environment. When I saw the same error in my new environment, I knew I must be missing something.

Turns out that my provider never gave me the SSO Target URL, and I was using IdP Initiated SSO url incorrectly.
