7 Replies Latest reply on Dec 12, 2019 11:00 AM by natetech@yahoo.com

    Configure ForgeRock OpenAM for single sign-on login to the Orion Web Console

    natetech@yahoo.com

      I am hoping that somebody might have experience or insight regarding Orion SAML 2.0.


      I have been tasked to provide SSO login for Orion.

      I attempted to follow this guideline: Authenticate Orion Platform users with SAML v2; however, we are using ForgeRock OpenAM.

      After setup, I get the following when tested:

      Exception

      Type: ComponentSpace.SAML2.Exceptions.SAMLProtocolException

      Message: The SAML message doesn't contain an InResponseTo attribute.

      Stack Trace:

      at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo)
      at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
      at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
      at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequestBase request)
      at SolarWinds.Orion.AccountManagement.Saml.SamlManager.ReceiveSSO(HttpRequest request)
      at SolarWinds.Orion.AccountManagement.LegacyWebSite.Orion_SamlLogin.Page_Load(Object sender, EventArgs e)

      SAML Response

          <saml:AttributeStatement>
            <saml:Attribute Name="OrionGroups">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US_All_Employees,ou=shared,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=US CIVC Group Three View,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF ALL,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF IN SDC02,ou=usb2eportal,ou=us,ou=nam,ou=groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US ABAS INTNST,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=STAFF US VISITORS,ou=hr,ou=usb2eportal,ou=us,ou=nam,ou=Groups,dc={my company}global,dc=com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="user.firstName">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Nathan</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="userName">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nwilsonxx</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="user.email">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="cloudemailaddress">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nathan.v.wilson@{my company}.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="user.lastName">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Wilson</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>

      It would appear that we are using the attributes described in the section Configure Okta for single sign-on login to the Orion Web Console from the above mentioned document.


      I opened a ticket with support, and after a fruitless WebEx session, got this as a reply from SolarWinds...


      Unfortunately as noted on the disclaimer, while we support SAML 2.0 as it is an open standard, we do not support or offer configuration assistance for these other platforms. For further assistance, I would suggest engaging assistance in some other medium such as our online community, thwack.


      Any assistance would be appreciated.
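Added example (not from the original post, nor SolarWinds or ComponentSpace code): the exception above is thrown by the service provider's pending-state check, which correlates the Response's InResponseTo attribute with the ID of an AuthnRequest the SP issued. In SAML 2.0 a response to an SP-initiated request carries InResponseTo, while an unsolicited (IdP-initiated) response must omit it, so an SP that is waiting on a request and receives a response without the attribute cannot bind the answer to its request and rejects it, which is also what keeps a captured response from being replayed into a different login. The Python below models that check and then pulls the multi-valued attributes out of an AttributeStatement shaped like the one in the post. The response builder, the pending-ID set, the function names and the sample attribute values are constructed for illustration; a real SP also verifies the XML signature, Issuer, Audience and validity window before trusting any of it.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS}


class SAMLProtocolError(Exception):
    """Raised when a response fails a protocol-level check (signature checks are out of scope here)."""


def build_response(attributes, in_response_to=None):
    """Construct a minimal, unsigned samlp:Response with one AttributeStatement.

    Constructed sample data only: real responses are signed and also carry
    Issuer, Subject and Conditions elements that must be validated.
    """
    attr_xml = ""
    for name, values in attributes.items():
        value_xml = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
        attr_xml += '<saml:Attribute Name="%s">%s</saml:Attribute>' % (name, value_xml)
    irt_xml = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    template = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp-1" Version="2.0"%s>'
        '<saml:Assertion ID="_assert-1" Version="2.0">'
        "<saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return template % (SAMLP_NS, SAML_NS, irt_xml, attr_xml)


def check_in_response_to(response_xml, pending_request_ids, allow_idp_initiated=False):
    """SP-side correlation check (hypothetical name, modelled on the error in the post).

    pending_request_ids: IDs of AuthnRequests this SP sent and has not yet seen
    answered; each is consumed on first use. Returns the matched request ID, or
    None when an unsolicited (IdP-initiated) response is explicitly permitted.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise SAMLProtocolError("Not a samlp:Response")
    irt = root.get("InResponseTo")
    if irt is None:
        # The state behind the post's exception: the SP is waiting on a request it
        # sent, but the IdP answered with an unsolicited response.
        if pending_request_ids:
            raise SAMLProtocolError("The SAML message doesn't contain an InResponseTo attribute.")
        if not allow_idp_initiated:
            raise SAMLProtocolError("Unsolicited response rejected (IdP-initiated SSO disabled)")
        return None
    if irt not in pending_request_ids:
        raise SAMLProtocolError("InResponseTo %r matches no pending AuthnRequest" % irt)
    pending_request_ids.discard(irt)  # one-time use: a repeated response for the same request fails
    return irt


def extract_attributes(response_xml):
    """Return {attribute name: [values]} across every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


# Constructed sample using the attribute names seen in the post; values are placeholders.
SAMPLE_ATTRIBUTES = {
    "OrionGroups": [
        "cn=Orion Admins,ou=Groups,dc=example,dc=com",
        "cn=Orion Viewers,ou=Groups,dc=example,dc=com",
    ],
    "userName": ["jdoe"],
    "user.email": ["jdoe@example.com"],
}


def demo():
    pending = {"_req-42"}
    # 1. A response without InResponseTo while a request is pending reproduces the post's error.
    try:
        check_in_response_to(build_response(SAMPLE_ATTRIBUTES), pending)
        unsolicited_rejected = False
    except SAMLProtocolError:
        unsolicited_rejected = True
    # 2. A correlated response is accepted and its request ID consumed.
    good = build_response(SAMPLE_ATTRIBUTES, in_response_to="_req-42")
    matched = check_in_response_to(good, pending)
    return unsolicited_rejected, matched, len(pending), extract_attributes(good)


if __name__ == "__main__":
    print(demo())
```

Running it shows the first response rejected with the same message as in the post, the second accepted with `_req-42` matched and the pending set emptied, and the OrionGroups attribute returned as a list of two DNs rather than a single string, which is the shape a group-mapping step needs to consume.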