VMware Horizon Community
glini
Contributor
Contributor

UAG 3.8 SAML to ADFS

Hello,

I'm working on a lab to test some integration with ADFS ad UAG 3.8.

I've deployed an UAG 3.8 appliance that talk with an ADFS endpoint and the communication went fine at least in the first part of the flow but then I got an http error 500 on https//domain/portal/samlsso.

Authentication is set to SAML and Passtrough, if I correctly understand the info posted here https://techzone.vmware.com/enabling-saml-20-authentication-horizon-unified-access-gateway-and-okta-...  the behaviour should be user get authenticated trough SAML for the UAG access and the prompted for the login and password.

I've looked trough the log and for what I can see:

  • There is an error in validating assetion on UAG esmanger.log

1/24 17:29:33,951[nioEventLoopGroup-10-12]ERROR interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 215][6c9a748c-7ace-400a-b95b-6787b19b39b9]: Error on validating assertion

java.lang.ClassCastException: org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorImpl cannot be cast to org.opensaml.saml.saml2.metadata.IDPSSODescriptor

  • I was not able to find any other log on the UAG intercepting the SAML response on the client I get a success (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>)
  • Prior to this error there is an indication that UAG is proxying request from /portal/samlsso to /portal/samlsso to host horizon_connector_address:443
  • On the log there is an indication that the registered proxyRuleGroups are :  MatchingRule(pattern=/portal(.*)|(/|/view-client(.*)|/portal(.*)|/appblast(.*)/|/downloads(.*)))]  the rule in bold should be hardcoded in some file because is not present in UAG administration GUI. So my idea to bypass the proxyng for portal/samlsso is not feasible.

Anyone has experimented with UAG and SAML ?

Any idea or suggestion would be appreciated Smiley Happy

13 Replies
glini
Contributor
Contributor

I've already looked at that guide in the planning phase but unfortunately is not helpful.

At the moment I'm working with vmware tech support on the issue and we are still investigating, if we found the root cause I'll try to put together some guide.

Reply
0 Kudos
phatbai
Contributor
Contributor

Hi glini​,

Did you solve this? We have the exact same problem with identical error messages in the logfile.

Reply
0 Kudos
glini
Contributor
Contributor

Not yet, I'm sill looking with support team.

Reply
0 Kudos
mgrandowiczt3
Contributor
Contributor

We just had the same issue using UAG 3.8 and PingIdentity for 3rd party IDP. The fix ended up being to disable "encrypt assertion" on the Ping side.

markbenson
VMware Employee
VMware Employee

glini​ - Thanks for posting this question and sorry you've experienced this issue.

The metadata extracted from ADFS contains a Service Provider SPSSODescriptor section and this is not needed and causes an issue for UAG. You should carefully edit this xml after extracting it to remove that section (<SPSSODescriptor ... </SPSSODescriptor>) and try again.

Also, make sure you are not using encrypted SAML assertions from ADFS and configure the Relying Party Trust in ADFS to use SHA-1 in the advanced settings.

We'll update UAG in a future version so that this step of manually removing the SPSSODescriptor from ADFS metadata won't be necessary. It is not an issue for many other IdPs such as Okta, Ping and Azure AD.

mchadwick19
Hot Shot
Hot Shot

Would this edit need to be done if simply sharing the metadata between UAG and CS for smart card/certificate authentication on a UAG?

VDI Engineer VCP-DCV, VCP7-DTM, VCAP7-DTM Design
Reply
0 Kudos
markbenson
VMware Employee
VMware Employee

No. This thread is very specifically about setting up UAG 3.8 for SAML 3rd party IdP authentication with Microsoft ADFS. It covers the modification needed to the extracted ADFS metadata prior to import into UAG.

Reply
0 Kudos
glini
Contributor
Contributor

markbenson​ thanks for the response.

I was in touch with the support team - really appreciate the help - and we have found a solution that it's like the one you suggested plus we have also created a mapping in adfs for SamAccountName to UserID, so in recap:

  1. on ADFS side
    • import the UAG metadata for federation
    • disable the claim encryption (via powershell Set-AdfsRelyingPartyTrust -TargetName "your target" -EncryptClaims $False)
    • Create a claim rule name with LDAP atrtribute "SAM-Account-Name" and Outgoing Claim Type "Name ID"
  2. on UAG import the Federation Metadata xml with the <SPSSODescriptor ... </SPSSODescriptor> removed.

At the moment is a workaround and it should be noted that ADFS is not on the list of third party IdP supported, so I really appreciate the help from the support Smiley Happy

Reply
0 Kudos
markbenson
VMware Employee
VMware Employee

glini Thanks for confirming. I'll get this SAML SPSSODescriptor ADFS/UAG issue added to the UAG 3.8 release notes in the "Known Limitations" section along with the workaround. We'll also fix it in a future release so that the edit of the metadata won't be required.

Thanks again for reporting it and for working with us on this!

markbenson
VMware Employee
VMware Employee

For anyone else seeing this HTTP error 500 and the esmanager.log SAML validation cast error for SPSSODescriptorImpl when using SAML with UAG and ADFS there is now a description in the known issues section of the release notes for UAG. It describes the issue and documents the workaround to avoid it. Release Notes for VMware Unified Access Gateway 3.8

It has also been fixed in a future UAG version.

huayunzhichuang
Contributor
Contributor

hi all!

Someone has tested SSO using ADFS ?i have configured adfs 3.0 with uag 3.9.1 and horizon 7.12, configure adfs as a idp,and configure horizon connection true sso。 refer this document https://techzone.vmware.com/enabling-saml-20-authentication-horizon-unified-access-gateway-and-okta-...

and uag authenication method configured "SAML"

when i login to uag ,it can redirect  adfs login page, but there is a error on connection server page,like this picture

translate to english is "This Horizon Server wants to obtain your login credentials from other applications or servers, not directly from the client login screen. If you usually access Horizon from other applications, start the application."  Has anyone encountered this problem?

Reply
0 Kudos
VM8001
Contributor
Contributor

Reply
0 Kudos