VMware Cloud Community
ManivelR
Hot Shot

vCloud Director 9.7.0 SAML authentication issue

Hi All,

I have one query regarding a SAML issue.

My setup:- vCloud Director integration with Duo Security (like an Okta setup)

We completed the setup with VCD/DUO (with ADFS). When I try to log in to my vCloud Director, the first authentication is AD credentials (successful) and the second authentication is a DUO push to my mobile (also successful). Everything is working fine. After approving the DUO push from my mobile, it lands on the VCD page where we get the error “SAML authentication failed for this organization”

or “Use integrated authentication”. If I use this integrated auth (VCD local account), everything works, as on the VCD local admin login page.

How to mitigate the SAML authentication issue? Any ideas?


DUO Security provider admin console SAML response fields: [screenshots]

Thanks,

Manivel R

2 Replies
ManivelR
Hot Shot

In vcloud-container-debug.log, we are seeing the below message. Any ideas?

2019-08-15 13:19:25,360 | DEBUG    | pool-jetty-59             | SAMLProtocolMessageXMLSignatureSecurityPolicyRule | Validation of protocol message signature failed for context issuer 'https://globalduolab.usinternal.com/dag/saml2/idp/metadata.php', message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response | requestId=d7ef548d-ac03-401f-a1dd-c79fd426f145,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1565889565128,remoteAddress=10... (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/2010...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp */*;q 0.8

org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed

2019-08-15 13:19:25,361 | DEBUG    | pool-jetty-59             | CustomSamlProcessingFilter     | Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid | requestId=d7ef548d-ac03-401f-a1dd-c79fd426f145,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1565889565128,remoteAddress=10... (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/2010...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp */*;q 0.8

Thanks,

Manivel R

ManivelR
Hot Shot

The issue has been fixed.

Summary:- Identity provider:- AD only. ADFS is not required. We just need to create users with email IDs.

Service provider:- vCloud Director.

DAG:- This is the Linux Duo Access Gateway, which enables two-factor authentication. Here the authentication source has been set as AD. By default, it will provide an XML file; we just need to download this XML file and import it in vCloud Director SAML federation. Also you need to import the JSON file here (this is taken from the Duo admin console).

Duo admin console:- we need to create a new service provider in which the service provider name, ACS, SSO login and logout should be defined. Here the SAML attribute is mentioned as email. After providing this information, you need to save the service provider configuration; you can also get the JSON file there.

In AD user properties, we need to set the email ID, and also in the vCloud Director user section we need to import the user (SAML) as “rr@example.com”. I had given only the user name earlier in the SAML user section (VCD). Now the email ID has been given as “rr@example.com” and the issue has been fixed.

Thank you,

Manivel RR
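Added example (editor's note, not code from the poster, VMware or Duo): the fix above comes down to the identifier the IdP sends in the SAML Response having to equal the identifier the service provider was told to expect when the SAML user was imported. The script below, using only the Python standard library, decodes a SAMLResponse form field, pulls out the Issuer, Destination, NameID and the `email` attribute, and replays the SP-side matching decision against a list of imported SAML users. The response XML is constructed for the example; its Issuer and Destination reuse the hostnames that appear in the thread's log excerpt, and the `email` attribute name follows the Duo service-provider setting described in the final post. Signature validation (the failure the debug log actually reports) is out of scope here because it needs the IdP certificate and an XML-DSig library.

```python
"""Replay the service-provider side of a SAML login: does the NameID or
email attribute in the IdP's Response match a user imported as a SAML user?

Constructed example for illustration; not vCloud Director or Duo code.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response, as it looks after base64-decoding the
# SAMLResponse POST field. Issuer/Destination mirror the thread's log lines.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2019-08-15T13:19:25Z"
    Destination="https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd">
  <saml:Issuer>https://globalduolab.usinternal.com/dag/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-15T13:19:25Z">
    <saml:Issuer>https://globalduolab.usinternal.com/dag/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">rr@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>rr@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the SP has on file from the imported IdP metadata and its own ACS.
EXPECTED_ISSUER = "https://globalduolab.usinternal.com/dag/saml2/idp/metadata.php"
EXPECTED_ACS = "https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd"


def decode_saml_response(form_value):
    """The SAMLResponse POST field is base64 of the XML document."""
    return base64.b64decode(form_value).decode("utf-8")


def parse_response(xml_text):
    """Extract the fields the SP matches on: issuer, destination, NameID
    and every attribute value, keyed by attribute Name."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "name_id": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
    }


def check_login(xml_text, imported_users, expected_issuer=EXPECTED_ISSUER,
                expected_acs=EXPECTED_ACS, attribute="email"):
    """Accept only if the Response is addressed to our ACS, comes from the
    federated IdP, and its NameID or configured attribute exactly equals a
    user that was imported as a SAML user. Returns (accepted, reason)."""
    r = parse_response(xml_text)
    if r["destination"] != expected_acs:
        return False, "Destination does not match this SP's ACS URL"
    if r["issuer"] != expected_issuer:
        return False, "Issuer is not the federated IdP"
    candidates = [r["name_id"]] + r["attributes"].get(attribute, [])
    for ident in candidates:
        if ident and ident in set(imported_users):
            return True, "matched imported SAML user %s" % ident
    return False, "no imported SAML user matches %s" % candidates


if __name__ == "__main__":
    posted = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    xml_text = decode_saml_response(posted)
    # Importing the bare username, as in the original attempt, fails;
    # importing the email address, as in the fix, succeeds.
    print(check_login(xml_text, ["rr"]))
    print(check_login(xml_text, ["rr@example.com"]))
```

Run it as-is and the first check reports no match for `rr` while the second accepts `rr@example.com`; swap in a captured SAMLResponse field from a browser's network trace to see exactly which identifier your IdP is sending before touching the SP user list.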