12 Replies Latest reply on Jun 8, 2020 10:00 PM by huayunzhichuang

    UAG 3.8 SAML to ADFS

    glini Lurker


      I'm working on a lab to test some integration with ADFS and UAG 3.8.

      I've deployed a UAG 3.8 appliance that talks with an ADFS endpoint, and the communication went fine at least in the first part of the flow, but then I got an HTTP error 500 on https://domain/portal/samlsso.

      Authentication is set to SAML and Passthrough; if I correctly understand the info posted here https://techzone.vmware.com/enabling-saml-20-authentication-horizon-unified-access-gateway-and-okta-vmware-horizon-opera… the behaviour should be that the user gets authenticated through SAML for the UAG access and is then prompted for the login and password.


      I've looked through the log, and from what I can see:

      • There is an error in validating the assertion in the UAG esmanager.log

      1/24 17:29:33,951[nioEventLoopGroup-10-12]ERROR interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 215][6c9a748c-7ace-400a-b95b-6787b19b39b9]: Error on validating assertion

      java.lang.ClassCastException: org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorImpl cannot be cast to org.opensaml.saml.saml2.metadata.IDPSSODescriptor


      • I was not able to find any other log on the UAG. Intercepting the SAML response on the client, I get a success (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>)
      • Prior to this error there is an indication that UAG is proxying the request from /portal/samlsso to /portal/samlsso to host horizon_connector_address:443
      • In the log there is an indication that the registered proxyRuleGroups are: MatchingRule(pattern=/portal(.*)|(/|/view-client(.*)|/portal(.*)|/appblast(.*)/|/downloads(.*)))]  The rule in bold should be hardcoded in some file because it is not present in the UAG administration GUI. So my idea to bypass the proxying for portal/samlsso is not feasible.


      Has anyone experimented with UAG and SAML?

      Any idea or suggestion would be appreciated.
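The ClassCastException quoted above complains that an SPSSODescriptor turned up where an IDPSSODescriptor was expected, so a quick diagnostic is to check which SAML role the metadata file handed to the gateway actually declares. The checker below is an added example, not part of the original post or of UAG; the entity IDs, hostnames and metadata documents in it are constructed samples.

```python
"""Classify a SAML 2.0 metadata document by the role descriptors it declares.

Added diagnostic, not from the original post: the quoted ClassCastException
names an SPSSODescriptor where an IDPSSODescriptor was expected, so this
reports which role(s) a metadata file actually contains before it is uploaded.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")


def metadata_roles(xml_text: str) -> dict:
    """Return the entityID and the role descriptors present in the metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    roles = [r for r in ROLES if root.find(f"{{{MD_NS}}}{r}") is not None]
    return {"entity_id": root.get("entityID"), "roles": roles}


def check_idp_metadata(xml_text: str) -> list:
    """List problems that would make the file unusable as IdP metadata."""
    info = metadata_roles(xml_text)
    problems = []
    if "IDPSSODescriptor" not in info["roles"]:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    if info["roles"] == ["SPSSODescriptor"]:
        problems.append("SPSSODescriptor only: this is SP (relying party) metadata")
    return problems


# Constructed sample: SP metadata, the kind a gateway exports for the IdP side.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://uag.example.test/portal">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uag.example.test/portal/samlsso" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: IdP metadata, the kind an ADFS-style IdP publishes.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("sp", SP_METADATA), ("idp", IDP_METADATA)):
        print(name, metadata_roles(doc), check_idp_metadata(doc))
```

Run it against the real metadata file instead of the constructed samples to see which role it declares; an IdP entry that reports only SPSSODescriptor is the wrong file.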