How to use SAML add-on with Azure AD

Hi Support team,

I can run the sample project of the SAML add-on (GitHub - cuba-platform/saml-addon-demo: This demo application demonstrates the usage of SAML CUBA add-on.) with ssocircle.com.
My question is: how can I run the sample with Azure AD as a SAML IdP?

Thanks,
Hung Vu

I tried to configure Azure AD to work with the sample. I can test access to the sample app from the Azure AD configuration page (by clicking the “Test” button on the screen).

After configuring the SAML connection with the Azure AD IDP (by importing the metadata file) I then go to the login screen. I choose a user from the drop-down list and get the following error message:
javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Peer entity ID wasn’t specified, but is requested
    org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:160)
    org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:106)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)

Could you give any help to solve this issue?

Thanks,
Hung Vu

Hi @hungvu,

Could you please provide the SP and IDP metadata files? It seems like you have different entity IDs in the SP metadata and the IDP. Could you please check it?

Thanks,
Mikhail

Hi Mikhail,

Attached files are for SP and IDP metadata files. Could you have a check?
SP.xml (4.2 KB)
IDP_MS.xml (13.8 KB)

Thanks,
Hung Vu

Hi @hungvu,

The metadata looks correct; probably you faced a problem during SP and IDP metadata initialization in the SAML add-on. For example, the IDP metadata is not initialized in the application if its validation failed. The official documentation notes that if you are working with Active Directory you should set the metadataTrustCheck flag to ‘false’ (https://docs.spring.io/autorepo/docs/spring-security-saml/2.0.x/reference/html/chapter-idp-guide.html). To do this in the SAML add-on, uncheck the checkbox ‘Check Trust Identity Provider Metadata’ in the IDP metadata window.
Also you can try to download the required certificate from MS AD, add it to the .jks file and try to re-create the connection. It should solve the issue with IDP metadata validation.

Screenshot

If it does not help, please provide logs with the raised exceptions.

Thanks,
Mikhail

Hi Mikhail,

After unchecking the checkbox ‘Check Trust Identity Provider Metadata’ the issue is solved.

Thanks so much for your support.

Regards,
Hung Vu

Hi @strokov, I have another question following this topic. We’re using the SAML add-on with Azure AD.
Everything is working well with a single-tenant AD. However, we’ve just come up with another requirement for multi-tenant, which is not mentioned in the CUBA add-on documents:

Multi-tenancy is described here:

As mentioned in part 2 of the above doc, there should be a way to redirect the CUBA user to https://login.microsoftonline.com/common

instead of

https://login.microsoftonline.com/d1612a8b-4dbd-45f3-bffb-e4dadd04c338

Does CUBA add-on provide any control on that?

Hope to hear from you soon.

Hi @nghiapht1990,

Unfortunately it is not supported out of the box, but you could try to create a custom interceptor to catch requests to MS and redirect them to the common link. I am not sure that the further login information will be parsed correctly on the CUBA side.
Also you could create a SAML connection for each user if that is acceptable in your case.

Regards,
Mikhail


Thanks for your answer.
I’ll check it out. The interceptor seems to make sense.