I have given our .pfx and metadata to our administrator who has imported that info. However we are now having issues getting the server to accept logins. In the logs I get the following error:
[auth_mellon:error] [pid 7990] [client nnn.nnn.nnn.nnn:60506] Error processing authn response. Lasso error: [-432] Status code is not success, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Requester", StatusCode2="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy", StatusMessage="(null)", referer: https://adfs.domain.edu/
The issue seems to be “InvalidNameIDPolicy”.
At our site the sAMAccountName is used. Our administrator has tried setting the LDAP Attribute to sAMAccountName with the outgoing claim type of Name ID; however, when signing in we get the same error message as above in the logs and "Unauthorized. This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required." in the browser.
Any assistance with this would be appreciated. Wondering if anyone else has this set up at their site and what changes, if any, were needed to get this to work.
What’s the identity provider (IDP) you’re connecting to? After a little bit of googling it seems to indicate that your IDP doesn’t like what you’re giving it. Searching the mod_auth_mellon github shows nothing from that error.
Indeed, this ServiceNow article has a good explanation of your issue. In sum, your IDP doesn't like what you're sending it. So, I guess I'd look at what you're sending it and what it's expecting - maybe the team that runs your IDP has some insight? They may be able to pull logs from it indicating what the issue is.
We had similar issues and the following seems to have resolved the issue:
Make sure you have <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> in mellon_metadata.xml and the same policy is configured for the OOD app in ADFS.
@jeff.ohrstrom @bp85 thank you both for the suggestions. We are getting closer to finding a solution.
In the logs we have the following: Mapped ‘first.last@domain.edu’ => ‘first.last@domain.edu’ [0.012 ms
Tweaking the ADFS rules we have also been able to pass credentials in this format:
‘domain\first.last’ => ‘domain\first.last’
Is there a way in the user mapping script to strip away the @domain.edu portion that the username maps to, or the preceding domain\ ? If we can get OOD to drop that, then it will map to the correct username and I think we should be good to go.
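One way to do the stripping asked about above, as an added example that is not part of this thread and is not Open OnDemand's own ood_auth_map script: a small user-mapping command that takes the name mod_auth_mellon mapped from the SAML NameID as its first argument and prints the bare account name. It assumes "domain.edu" and "domain" (the placeholders used in this thread) are the only realm and down-level domain that should map to local accounts, and it refuses anything that does not look like a plain account name so that an unexpected NameID cannot be turned into another user's login.

```ruby
#!/usr/bin/env ruby
# Added example (not Open OnDemand's own ood_auth_map script or the thread
# author's code): a user-mapping command that accepts the name mod_auth_mellon
# mapped from the SAML NameID and prints the bare account name, stripping a
# UPN suffix ("first.last@domain.edu") or a down-level prefix ("domain\first.last").
# "domain.edu" and "domain" are the placeholders used in the thread.

ALLOWED_SUFFIX = "domain.edu"  # assumption: only this realm maps to local accounts
ALLOWED_PREFIX = "domain"      # assumption: only this down-level domain is trusted
ACCOUNT_NAME   = /\A[a-z0-9][a-z0-9._-]*\z/i  # what a sAMAccountName-style login looks like

# Returns the local account name, or nil when the input must not be mapped.
def strip_domain(mapped)
  name = mapped.to_s.strip
  if name.include?("@")
    user, realm = name.split("@", 2)
    return nil unless realm.casecmp?(ALLOWED_SUFFIX)
    name = user
  elsif name.include?("\\")
    domain, user = name.split("\\", 2)
    return nil unless domain.casecmp?(ALLOWED_PREFIX)
    name = user
  end
  # Reject anything that is not a plain account name (empty string, path
  # characters, a second "@" or "\", ...). Failing closed here means an
  # unexpected NameID results in an auth failure rather than a wrong login.
  return nil unless ACCOUNT_NAME.match?(name)
  name
end

# When run as the user_map_cmd: print the local name, or exit non-zero so the
# login is refused. Nothing is printed when no argument is supplied.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  result = strip_domain(ARGV[0])
  if result.nil?
    warn "refusing to map #{ARGV[0].inspect}"
    exit 1
  end
  puts result
end
```

Point the OOD user_map_cmd setting at this file and it turns 'first.last@domain.edu' and 'domain\first.last' into 'first.last', while a name from any other realm, or one containing anything other than account-name characters, exits non-zero and the login fails instead of mapping to a guessed account.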
I think the next thing we can do is up the logging level for this module.
You can add this to a conf file in /opt/rh/httpd24/root/etc/httpd/conf.d/debug.conf. You should be able to update and modify this file as you please without impacting the OOD conf.