VMware Cloud Community
relent0r
Contributor

HTML5 UI SAML POST endpoint

We use SAML for vCloud authentication and are wanting to start doing UAT testing against the HTML5 UI.

Currently using vcd 9.1

But I'm struggling to figure out what the endpoint configuration is for the IDP (we are using F5 as the IDP).

In the flex UI the saml endpoint is shown as this.

https://servername/cloud/org/testorg/saml/SSO/alias/vcd

The IDP posts to this address and the client is then redirected to the Flex UI.

But I can't find how this should be configured to achieve the same thing in the HTML5 UI.

Accepted Solutions
paluszekd
VMware Employee

In summary, here's where we are at (got this from Engineering) - the SAML assertion consumer endpoint is hosted by the web module that contains the Flex UI, not the H5 UI. While we are working on deprecating the Flex UI, there is a backlog on migrating these functions to another module. However, as expected, no ETA.

Long answer from Engineering:

The SAML assertion consumer endpoint is hosted by the web module that contains the Flex UI. You can look at the organization's SAML metadata to confirm this.

If you attempt to access a SAML-enabled organization in the H5 UI without a VCD session, it will redirect the browser to the IDP with a SAMLRequest containing a relayState parameter with the URL of the original request. The IDP will present a login page. After login, the IDP posts a SAMLResponse containing SAML assertions as well as the relayState parameter to the assertion-consumer endpoint for the organization: e.g., POST https://<VCD>/cloud/org/testsaml/saml/SSO/alias/vcd. Inside the assertion consumer service, a VCD session is created. Finally, the browser is redirected back to the original request URL encoded in the relayState parameter.

-Daniel
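The flow Engineering describes above, modelled as an added example (not VMware's code and not part of this thread): the SP-initiated redirect that carries SAMLRequest plus relayState, and the redirect decision the assertion consumer makes afterwards. The host, org name, IDP URL and the default landing path are constructed placeholders; the relayState same-host check is a defensive measure an ACS should apply so the post-login redirect cannot be pointed off-site.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this walkthrough (not from the thread).
VCD_HOST = "vcd.example.com"                      # hypothetical VCD cell
ACS_PATH = "/cloud/org/testorg/saml/SSO/alias/vcd"  # ACS lives in the Flex web module
IDP_SSO_URL = "https://idp.example.com/saml/sso"    # hypothetical IDP endpoint


def build_sp_redirect(original_url: str, authn_request_xml: str) -> str:
    """Step 1: a session-less H5 request becomes a redirect to the IDP.
    SAMLRequest is raw-DEFLATEd and base64-encoded (HTTP-Redirect binding);
    RelayState carries the URL the user originally asked for."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": original_url}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_sp_redirect(url: str) -> dict:
    """Inverse of build_sp_redirect: what a SAML tracer would show you."""
    q = parse_qs(urlparse(url).query)
    raw = base64.b64decode(q["SAMLRequest"][0])
    return {"SAMLRequest": zlib.decompress(raw, -15).decode(),
            "RelayState": q["RelayState"][0]}


def relay_state_is_safe(relay_state: str) -> bool:
    """Only honour a RelayState that stays on our own host: a plain relative
    path, or an https URL whose hostname is VCD_HOST. Protocol-relative
    ('//other.host/...') and foreign-host values are rejected."""
    p = urlparse(relay_state)
    if p.scheme == "" and p.netloc == "":
        return relay_state.startswith("/") and not relay_state.startswith("//")
    return p.scheme == "https" and p.hostname == VCD_HOST


def acs_redirect_target(relay_state: str, default: str = "/tenant/testorg") -> str:
    """Step 3: after the IDP has POSTed a verified SAMLResponse to ACS_PATH and
    a VCD session exists, decide where to send the browser. Falls back to the
    tenant landing page when RelayState is missing or fails the check."""
    if relay_state and relay_state_is_safe(relay_state):
        return relay_state
    return default
```

Signature and assertion validation of the SAMLResponse itself is out of scope here; the point is that relayState is attacker-influenced input and must be checked before the final redirect.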

8 Replies
paluszekd
VMware Employee

I haven't tested this, but I wonder if it would follow the same URL pathing for the H5 UI - could you try this?

https://servername/tenant/orgname/saml/SSO/alias/vcd

relent0r
Contributor

Yea I thought the same thing and it 'kinda' works, so I thought there was something I was missing.

What I get when using it is that it authenticates, then you get a blank page at the correct URL. A SAML tracer shows that the authentication side of things looks fine.

The browser (Firefox) debugger shows the following error.

ERROR Error: "[object Object]"
resolvePromise     https://servername/tenant/orgname/vendor.bundle.js:1047:1078
resolvePromise     https://servername/tenant/orgname/vendor.bundle.js:1047:717
scheduleResolveOrReject     https://servername/tenant/orgname/vendor.bundle.js:1047:1650
invokeTask     https://servername/tenant/orgname/vendor.bundle.js:1040:8365
onInvokeTask     https://servername/tenant/orgname/vendor.bundle.js:457:940
invokeTask     https://servername/tenant/orgname/vendor.bundle.js:1040:8278
runTask     https://servername/tenant/orgname/vendor.bundle.js:1040:3408
drainMicroTaskQueue     https://servername/tenant/orgname/vendor.bundle.js:1040:385
invokeTask     https://servername/tenant/orgname/vendor.bundle.js:1040:9611
invoke     https://servername/tenant/orgname/vendor.bundle.js:1040:9443
timer     https://servername/tenant/orgname/vendor.bundle.js:1012:8267

If I manually press F5 the page will refresh and I'll be logged in at the correct starting page as you would expect.

I'm not sure if this is something specific to 9.1, as we haven't done the 9.5 upgrade in any of our test environments yet and the beta hosted environment that VMware supplies isn't configured for SAML.

jonathanw, I forgot to ask you if you'd come across this in your federation testing with 9.1 or 9.5.

paluszekd
VMware Employee

vCD 9.5 is out now, so if you have a test environment to utilize, I would try this out. I'm going to also ask internally to see if we have any insight into this.

relent0r
Contributor

Thanks Daniel,

So if I'm paraphrasing this correctly, Engineering is saying that the HTML5 UI is not quite ready for cutover just yet if the customer is using SAML authentication. We should stay with the Flex UI.

I imagine this particular change is not the sort of thing that would be included in release notes given its obscurity. So I would want to go through our TAM for any notification of this change.

paluszekd
VMware Employee

That's a fair statement. Definitely stay in touch with your TAM so they can align with our BU on next steps. Thanks!

relent0r
Contributor

For future travelers, Tom did a blog on using the relayState parameter to maintain the Flex SAML assertion endpoint while still being able to redirect client browsers to the HTML5 UI, which helped us get this working in the interim.

https://fojta.wordpress.com/2018/10/30/vcloud-director-9-5-and-vmware-identity-manager-integration/

paluszekd
VMware Employee

Yep, Fojta rocks! :)
