Forum Discussion
SP Initiated SAML Authentication stops at Webtop page
Very well, I understood your deployment.
So you have 2 SAML resources; each SAML resource must have its own IDP bound to the SP.
In your access profile you need to set the SAML resources in "Advanced Resource Assign" (both the old and the new one).
Did you test connecting directly to the IDP URL and clicking on the resource directly on the webtop? Does it work?
What I suspect is that you don't match the ACS URL in the SAML request. Let me explain.
On the SSO/Auth Domain tab for that policy the "SSO Configuration" dropdown is set to "None", which means you don't have a default IDP.
If you had a default IDP and no SAML resource matched, you would have had a SAML error.
So here is how you should proceed:
- Try to access the SP and capture the SAML request (F5: dev tools or Fiddler)
- Decode the URL (https://urldecoder.org)
- Then decode the SAML (https://samltool.com/decode.php)
In the SAML request you will see the ACS URL; you must confirm that this is the one you configured in the external SP.
I'm sure this is the problem ...
Keep me in touch and tell me if you need more details.
regards
Is it the URL in the <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> field that I'm looking for? Which needs to match the ACS URL?
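The decoding steps from the reply above (URL-decode, then decode the SAML), done locally instead of pasting the request into a website; this is an added example, not part of the original thread. It assumes the HTTP-Redirect binding (Base64 plus raw DEFLATE), returns the `<saml2:Issuer>` value and the `AssertionConsumerServiceURL` attribute as separate fields, and builds its own sample request with placeholder `example.com` hostnames.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated size; guards against decompression bombs

def decode_redirect_request(url):
    """URL-decode, Base64-decode and inflate the SAMLRequest query parameter."""
    query = parse_qs(urlsplit(url).query)  # parse_qs performs the URL-decoding
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)     # raw DEFLATE stream, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated SAMLRequest exceeds size cap")
    return xml

def inspect_authn_request(xml):
    """Return the fields to compare against the SP and IdP configuration."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAML message rejected")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),  # optional attribute
        "destination": root.get("Destination"),
    }

def acs_matches(url, configured_acs):
    """Exact string comparison: scheme, host, port, path and case all count."""
    return inspect_authn_request(decode_redirect_request(url))["acs_url"] == configured_acs

def build_sample_redirect():
    """Constructed sample request; hostnames and paths are placeholders."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml2="{SAML}" '
        'ID="_constructed1" Version="2.0" Destination="https://idp.example.com/sso" '
        'AssertionConsumerServiceURL="https://sp.example.com/acs">'
        '<saml2:Issuer>https://sp.example.com/entity</saml2:Issuer></samlp:AuthnRequest>'
    ).encode()
    deflater = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()
    return "https://idp.example.com/sso?" + urlencode({"SAMLRequest": blob})

if __name__ == "__main__":
    print(inspect_authn_request(decode_redirect_request(build_sample_redirect())))
```

With the HTTP-POST binding the `SAMLRequest` form field is Base64 only, so the inflate step does not apply there.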