fartyalvikram
New Member.

Service Provider, SAML Assertion is not working from Reverse

Hello All,

I have configured the Service Provider inside Identity Servers, and when I test it with the below URL
https://sso.testing.ca/nidp/saml2/idpsend?PID=TestApp
it is working fine and the User was redirected to the Target Application "TestApp" dashboard page. I can see the below SAML Assertion URL inside the SAML Tracer
https://testapp.testing.ca/SSOAuthorization/Consume
But when I configured a Reverse Proxy for this TestApp and tried to hit the Reverse Proxy URL https://demoapp.testing.ca/, this was redirecting the User to the TestApp Login page, and the SAML Assertion URL is not the same as the one I saw when I tested it without the Reverse Proxy. The SAML Assertion URL when I hit the Reverse Proxy URL is given below
https://esp.testing.ca/nesp/idff/spassertion_consumer?SAMLart=AAOTrjVVDX8vkk1c76kdMZJ9FhzicOe%2BJ%2FyTA7kB0BQ0x%2BeAksPJkmgn&RelayState=MA%3D%3D
Knowledge Partner

Re: Service Provider, SAML Assertion is not working from Reverse

On 9/8/2017 6:04 PM, fartyalvikram wrote:
>
> Hello All,
>
> I have configured the Service Provider inside Identity Servers, and when I
> test it with the below URL
> https://sso.testing.ca/nidp/saml2/idpsend?PID=TestApp
> it is working fine and the User was redirected to the Target Application
> "TestApp" dashboard page. I can see the below SAML Assertion URL inside
> the SAML Tracer
> https://testapp.testing.ca/SSOAuthorization/Consume
> But when I configured a Reverse Proxy for this TestApp and tried to hit
> the Reverse Proxy URL https://demoapp.testing.ca/, this was redirecting
> the User to the TestApp Login page, and the SAML Assertion URL is not the
> same as the one I saw when I tested it without the Reverse Proxy. The SAML
> Assertion URL when I hit the Reverse Proxy URL is given below
> https://esp.testing.ca/nesp/idff/spassertion_consumer?SAMLart=AAOTrjVVDX8vkk1c76kdMZJ9FhzicOe%2BJ%2FyTA7kB0BQ0x%2BeAksPJkmgn&RelayState=MA%3D%3D


NAM uses Liberty for authentication between the AG (ESP) and the IDP. It sounds like you created a protected resource with authentication. So the flow would be that the user hits the protected resource. It would then redirect to the ESP and IDP which would prompt for authentication. After auth it would go back to the ESP and then the protected resource. Now because you have SAML configured you'd see another redirect which is your real SAML redirect (that is if you do SP initiated login).

Whilst it's technically perfectly fine what you do, why do you enable authentication on the protected resource?


--
Cheers,
Edward
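A way to confirm from a SAML Tracer capture which hop a callback belongs to, as an added example that is not part of either post or of NAM itself: it decodes the `SAMLart` value on the ESP callback URL quoted in the question and reads the artifact's two-byte type code, which separates a Liberty ID-FF artifact (the AG/ESP-to-IDP leg described in the reply) from a SAML 2.0 one. The function name and the type-code table are this example's own; the codes and lengths are the ones defined in the Liberty ID-FF and SAML specifications.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# First two bytes of a decoded artifact -> (protocol, total length in bytes).
ARTIFACT_TYPES = {
    0x0001: ("SAML 1.x", 42),       # type + 20-byte SourceID + 20-byte handle
    0x0003: ("Liberty ID-FF", 42),  # type + 20-byte IdP succinct ID + 20-byte handle
    0x0004: ("SAML 2.0", 44),       # type + 2-byte endpoint index + SourceID + handle
}

def classify_artifact_callback(url):
    """Describe the artifact (if any) carried on a browser callback URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)   # parse_qs also percent-decodes the values
    result = {"host": parts.hostname, "path": parts.path, "protocol": None}
    if "SAMLart" not in query:
        return result               # POST-binding endpoints carry no artifact
    raw = base64.b64decode(query["SAMLart"][0], validate=True)
    if len(raw) < 2:
        raise ValueError("artifact too short to carry a type code")
    type_code = int.from_bytes(raw[:2], "big")
    name, expected_len = ARTIFACT_TYPES.get(type_code, ("unknown", None))
    # The issuer identifier follows the type code (and the endpoint index in SAML 2.0).
    start = 4 if type_code == 0x0004 else 2
    result.update(
        protocol=name,
        type_code=type_code,
        length_ok=expected_len is not None and len(raw) == expected_len,
        source_id=raw[start:start + 20].hex(),
        relay_state=query.get("RelayState", [None])[0],
    )
    return result

# The two URLs quoted in the thread.
ESP_CALLBACK = ("https://esp.testing.ca/nesp/idff/spassertion_consumer"
                "?SAMLart=AAOTrjVVDX8vkk1c76kdMZJ9FhzicOe%2BJ%2FyTA7kB0BQ0x%2BeAksPJkmgn"
                "&RelayState=MA%3D%3D")
APP_CONSUMER = "https://testapp.testing.ca/SSOAuthorization/Consume"

if __name__ == "__main__":
    for captured in (ESP_CALLBACK, APP_CONSUMER):
        print(classify_artifact_callback(captured))
```
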