How do I troubleshoot Active Directory Federation Services (ADFS) SAML?

Table of Contents

Issue

Symptoms

Reason

Solution

 

Issue

After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. As a result, you may experience problems logging in via SAML to your Controller.

 

Haven’t upgraded yet? The Solution section below can help ensure that your users avoid this problem after upgrading.

 

Symptoms

If you recently upgraded a SaaS Controller and use ADFS SAML, you will see a generic 400 error in your Controller UI when trying to log in.

 

If you have an on-prem Controller, you will see the following error in the Controller server.log:

[#|2018-11-29T15:42:57.360-0800|SEVERE|glassfish 4.1|com.singularity.ee.controller.servlet.SAMLAuthenticationServlet|_ThreadID=75;_ThreadName=http-listener-1(13);_TimeMillis=1543534977360;_LevelValue=1000;|Error while processing SAML Authentication Response
com.onelogin.saml2.exception.ValidationError: No name id found in Document.
at com.onelogin.saml2.authn.SamlResponse.getNameIdData(SamlResponse.java:466)
at com.onelogin.saml2.authn.SamlResponse.getNameId(SamlResponse.java:480)
at com.onelogin.saml2.Auth.processResponse(Auth.java:527)
at com.onelogin.saml2.Auth.processResponse(Auth.java:557)
at com.appdynamics.platform.services.auth.impl.resource.SamlAuthenticationResourceImpl.consumeSAMLAuthenticationResponseInternal(SamlAuthenticationResourceImpl.java:206)
at com.appdynamics.platform.services.auth.impl.resource.SamlAuthenticationResourceImpl.consumeSAMLAuthenticationResponse(SamlAuthenticationResourceImpl.java:162)
at com.appdynamics.controller.mds.auth.MdsSamlAuthResourceImpl.consumeSAMLAuthenticationResponse(MdsSamlAuthResourceImpl.java:59)
at com.singularity.ee.controller.servlet.SAMLAuthenticationServlet.doPost(SAMLAuthenticationServlet.java:262)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at com.singularity.ee.controller.servlet.RequestOriginMarkingFilter.lambda$doFilter$0(RequestOriginMarkingFilter.java:37)
at com.appdynamics.platform.RequestOrigin.runAs(RequestOrigin.java:65)

 

Reason

As part of our improvements around SAML 2.0 authentication in the v4.5 release, our SAML implementation now requires the assertion from Microsoft ADFS to include a NameID. If your configuration was not updated to include it before upgrading to v4.5, you may encounter the error above.

 

Solution

To resolve this, add NameID as the Outgoing Claim Type in your claim rule. You can map NameID to any unique ID (SAM-Account-Name, email, UPN, etc.). Follow the steps below prior to upgrading your Controller.

 

1. From your ADFS Console, select the “Relying Party Trusts” folder.


2. Select your trust for AppDynamics and right click on it.


3. Choose “Edit Claim Issuance Policy…”


4. On the Issuance Transform Rules screen, select your AppDynamics rule and click the “Edit Rule…” button.


5. In the Edit Rule dialog, either add a new unique identifier or edit the existing one (e.g., SAM-Account-Name), and map it to the Outgoing Claim Type “Name ID.”

  • Add a new unique attribute
  • Edit an existing attribute

6. Save your work.

 

7. Test to ensure that the authentication succeeds.
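
Added example (not part of the original article and not AppDynamics code): a Python check that a captured SAMLResponse form value carries a NameID in the assertion Subject, the element whose absence the server.log error above reports. The function names, status strings and the two sample responses are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _result(status, name_id=None, fmt=None):
    return {"status": status, "name_id": name_id, "format": fmt}

def check_name_id(saml_response_b64):
    """Diagnose a captured, base64-encoded SAMLResponse form value (URL-decode it first).
    Reports only whether the assertion Subject carries a NameID; it does not
    verify signatures or conditions, so never use it to accept a login."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    if root.find("saml:Assertion", NS) is None:
        # An encrypted assertion cannot be inspected without the SP private key.
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        return _result("encrypted-assertion" if encrypted else "no-assertion")
    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        return _result("missing")
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:
        encrypted = subject.find("saml:EncryptedID", NS) is not None
        return _result("encrypted-id" if encrypted else "missing")
    value = (name_id.text or "").strip()
    return _result("ok", value, name_id.get("Format")) if value else _result("empty")

def _sample(subject_xml):
    """Constructed, unsigned sample response (not captured from a real ADFS)."""
    xml = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
           'ID="_r1" Version="2.0"><saml:Assertion ID="_a1" Version="2.0">'
           % NS + subject_xml + '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

# Constructed samples: Subject without and with a NameID.
BEFORE_FIX = _sample('<saml:Subject><saml:SubjectConfirmation '
                     'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>')
AFTER_FIX = _sample('<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>')

if __name__ == "__main__":
    print(check_name_id(BEFORE_FIX))
    print(check_name_id(AFTER_FIX))
```

Run it against a response captured after saving the claim rule; a status of "missing" means the Name ID mapping is not yet reaching the assertion.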

 

Last Updated: 2/27/19
