I'm working on a lab to test some integration with ADFS and UAG 3.8.
I've deployed a UAG 3.8 appliance that talks with an ADFS endpoint, and the communication went fine at least in the first part of the flow, but then I got an HTTP error 500 on https://domain/portal/samlsso.
Authentication is set to SAML and Passthrough. If I correctly understand the info posted here https://techzone.vmware.com/enabling-saml-20-authentication-horizon-unified-access-gateway-and-okta-... the behaviour should be that the user gets authenticated through SAML for the UAG access and is then prompted for the login and password.
I've looked through the log and from what I can see:
1/24 17:29:33,951[nioEventLoopGroup-10-12]ERROR interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 215][6c9a748c-7ace-400a-b95b-6787b19b39b9]: Error on validating assertion
java.lang.ClassCastException: org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorImpl cannot be cast to org.opensaml.saml.saml2.metadata.IDPSSODescriptor
Has anyone experimented with UAG and SAML?
Any idea or suggestion would be appreciated.
I've already looked at that guide in the planning phase, but unfortunately it is not helpful.
At the moment I'm working with VMware tech support on the issue and we are still investigating. If we find the root cause I'll try to put together some guide.
glini - Thanks for posting this question and sorry you've experienced this issue.
The metadata extracted from ADFS contains a Service Provider SPSSODescriptor section and this is not needed and causes an issue for UAG. You should carefully edit this xml after extracting it to remove that section (<SPSSODescriptor ... </SPSSODescriptor>) and try again.
Also, make sure you are not using encrypted SAML assertions from ADFS and configure the Relying Party Trust in ADFS to use SHA-1 in the advanced settings.
We'll update UAG in a future version so that this step of manually removing the SPSSODescriptor from ADFS metadata won't be necessary. It is not an issue for many other IdPs such as Okta, Ping and Azure AD.
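The edit described above (removing the whole SPSSODescriptor element from the ADFS metadata before importing it into UAG) is easy to get wrong by hand, so here is a small script that does it and checks the result. This is an added example, not code from VMware or from this thread: the sample metadata is constructed, the adfs.example.test host is a placeholder, and UAG's own parsing logic is not known here. The script only performs the edit Mark describes and reports whether the document carries an enveloped XML signature (an ADFS FederationMetadata.xml export is signed, and any edit invalidates that signature, which is worth knowing if the importing side validates it).

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample of what an ADFS export looks like: one EntityDescriptor
# carrying BOTH an SP role and an IdP role. The Signature element is a
# placeholder only; a real export contains SignedInfo/SignatureValue.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://adfs.example.test/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _md(tag: str) -> str:
    """Clark-notation name for an element in the SAML 2.0 metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def _root(xml_text: str) -> ET.Element:
    """Parse and make sure we are looking at a single md:EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != _md("EntityDescriptor"):
        raise ValueError(f"expected md:EntityDescriptor root, got {root.tag}")
    return root


def inspect_roles(xml_text: str) -> Dict[str, int]:
    """Count the direct-child role descriptors and enveloped signatures."""
    root = _root(xml_text)
    return {
        "SPSSODescriptor": len(root.findall(_md("SPSSODescriptor"))),
        "IDPSSODescriptor": len(root.findall(_md("IDPSSODescriptor"))),
        "Signature": len(root.findall(f"{{{DS_NS}}}Signature")),
    }


def strip_sp_descriptor(xml_text: str) -> Tuple[str, int]:
    """Remove every SPSSODescriptor child and return (cleaned XML, count removed).

    Refuses to produce output that has no IDPSSODescriptor, since that would
    not be usable as IdP metadata at all.
    """
    root = _root(xml_text)
    removed = 0
    for sp in root.findall(_md("SPSSODescriptor")):  # list, safe to mutate during loop
        root.remove(sp)
        removed += 1
    if root.find(_md("IDPSSODescriptor")) is None:
        raise ValueError("no IDPSSODescriptor present; this is not IdP metadata")
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # usage: python strip_sp.py [FederationMetadata.xml [cleaned.xml]]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    before = inspect_roles(text)
    cleaned, n = strip_sp_descriptor(text)
    print(f"before: {before}; removed {n} SPSSODescriptor element(s)")
    if before["Signature"]:
        print("note: document was signed; the signature no longer covers the edited content")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            out.write('<?xml version="1.0" encoding="UTF-8"?>\n' + cleaned)
    else:
        print(cleaned)
```

Run it against the exported FederationMetadata.xml and import the second file into UAG. The IdP role, its signing certificate and the SingleSignOnService endpoints are left untouched; only the SP role block that UAG trips over is dropped.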
Would this edit need to be done if simply sharing the metadata between UAG and CS for smart card/certificate authentication on a UAG?
No. This thread is very specifically about setting up UAG 3.8 for SAML 3rd party IdP authentication with Microsoft ADFS. It covers the modification needed to the extracted ADFS metadata prior to import into UAG.
markbenson thanks for the response.
I was in touch with the support team - really appreciate the help - and we have found a solution that is like the one you suggested, plus we have also created a mapping in ADFS for SamAccountName to UserID, so in recap:
At the moment it is a workaround, and it should be noted that ADFS is not on the list of supported third party IdPs, so I really appreciate the help from the support.
glini Thanks for confirming. I'll get this SAML SPSSODescriptor ADFS/UAG issue added to the UAG 3.8 release notes in the "Known Limitations" section along with the workaround. We'll also fix it in a future release so that the edit of the metadata won't be required.
Thanks again for reporting it and for working with us on this!
For anyone else seeing this HTTP error 500 and the esmanager.log SAML validation cast error for SPSSODescriptorImpl when using SAML with UAG and ADFS there is now a description in the known issues section of the release notes for UAG. It describes the issue and documents the workaround to avoid it. Release Notes for VMware Unified Access Gateway 3.8
It has also been fixed in a future UAG version.
Has anyone tested SSO using ADFS? I have configured ADFS 3.0 with UAG 3.9.1 and Horizon 7.12, configured ADFS as an IdP, and configured Horizon Connection Server True SSO, referring to this document https://techzone.vmware.com/enabling-saml-20-authentication-horizon-unified-access-gateway-and-okta-...
and the UAG authentication method configured as "SAML".
When I log in to UAG, it redirects to the ADFS login page, but there is an error on the Connection Server page, like this picture.
Translated to English it is: "This Horizon Server wants to obtain your login credentials from other applications or servers, not directly from the client login screen. If you usually access Horizon from other applications, start the application." Has anyone encountered this problem?