Dear All

Meanwhile I figured out the issue leading to this error message.

It was a bug/misconfig in our IDP/Cloudstack Saml key configuration.

Because the keys didn't match, Cloudstack was not able to decrypt the assertion 
and threw this error.

Would it not make sense to make a difference between a real "user not found" 
and such "mismatching keys"?
I agree that in the end both lead to the same situation: user not 
found/known. But for troubleshooting reasons, it would be very helpful to 
know a bit more about why this happened.

Best Regards
Christian
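
A small triage script for the two situations this thread runs together, added here as an illustration (it is not CloudStack code and not anything Christian or Rohit posted): it tells an encrypted assertion whose `EncryptedKey` names a certificate other than the one the SP publishes for encryption apart from a plain assertion that simply carries no `uid` attribute, which is the mapping Rohit describes further down. The SP metadata and SAML responses are constructed placeholders with dummy base64 in place of real DER certificates; the element layout follows the SAML 2.0 and XML Encryption schemas.

```python
# Added example for this thread (not CloudStack code): triage a SAML Response
# so that "encrypted with a key that does not match what the SP publishes"
# and "readable but no username attribute" produce different verdicts.
# All certificates and XML below are constructed placeholders, not real DER.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the base64-decoded certificate bytes (whitespace ignored)."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def sp_encryption_fingerprint(sp_metadata_xml: str) -> str:
    """Fingerprint of the cert the SP publishes for encryption.
    A KeyDescriptor without a 'use' attribute serves both signing and encryption."""
    root = ET.fromstring(sp_metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "encryption"):
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and cert.text:
                return cert_fingerprint(cert.text)
    raise ValueError("SP metadata carries no encryption certificate")


def triage_response(response_xml: str, sp_metadata_xml: str, username_attr: str = "uid"):
    """Return (verdict, username); verdicts are finer-grained than a single
    'username attribute not found' error."""
    root = ET.fromstring(response_xml)
    enc = root.find("saml:EncryptedAssertion", NS)
    if enc is not None:
        # Some IDPs name the certificate they wrapped the session key for.
        used = enc.find(".//ds:X509Certificate", NS)
        if used is None or not used.text:
            return ("encrypted-no-key-hint", None)
        if cert_fingerprint(used.text) != sp_encryption_fingerprint(sp_metadata_xml):
            return ("encrypted-key-mismatch", None)
        return ("encrypted-key-match", None)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ("no-assertion", None)
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == username_attr:
            value = attr.find("saml:AttributeValue", NS)
            return ("user-attribute-found", value.text if value is not None else None)
    return ("user-attribute-missing", None)


# ---- constructed sample material (placeholder bytes, not real certificates) ----
SP_CERT_B64 = base64.b64encode(b"constructed-sp-encryption-cert-not-real-der").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-stale-cert-still-in-idp-config").decode()

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="org.apache.cloudstack">
  <md:SPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SP_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _response(body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
            f'{body}</samlp:Response>')


def _encrypted(cert_b64: str) -> str:
    # Shape of an EncryptedAssertion; the CipherValue payloads are dummies.
    return _response(
        "<saml:EncryptedAssertion><xenc:EncryptedData>"
        "<ds:KeyInfo><xenc:EncryptedKey><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>AAAA"
        "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>"
        "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedData></saml:EncryptedAssertion>")


def _plain(attributes: str) -> str:
    return _response(
        "<saml:Assertion><saml:Subject><saml:NameID>cgross</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attributes}</saml:AttributeStatement></saml:Assertion>")


RESPONSE_KEY_MISMATCH = _encrypted(OTHER_CERT_B64)
RESPONSE_KEY_MATCH = _encrypted(SP_CERT_B64)
RESPONSE_WITH_UID = _plain('<saml:Attribute Name="uid"><saml:AttributeValue>cgross'
                           '</saml:AttributeValue></saml:Attribute>')
RESPONSE_WITHOUT_UID = _plain('<saml:Attribute Name="mail"><saml:AttributeValue>'
                              'cgross@example.com</saml:AttributeValue></saml:Attribute>')

if __name__ == "__main__":
    for name, resp in [("key mismatch", RESPONSE_KEY_MISMATCH), ("key match", RESPONSE_KEY_MATCH),
                       ("with uid", RESPONSE_WITH_UID), ("without uid", RESPONSE_WITHOUT_UID)]:
        print(f"{name:12s} -> {triage_response(resp, SP_METADATA)}")
```

The fingerprint comparison is only a pre-check: many IDPs omit the certificate from the `EncryptedKey`'s `KeyInfo`, and the definitive test is attempting decryption with the SP private key using an XML-security library. Comparing the certificate from `getSpMetadata` against the one uploaded in the IDP's client configuration is the same check done by hand, and is where the mismatch described above would show up.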

-----Original Message-----
From: Gross, Christian <[email protected]> 
Sent: Tuesday, 8 December 2020 15:18
To: [email protected]
Subject: RE: Cloudstack SAML auth [signed INVALID]

Hi Rohit

I captured a SAML response from our IDP and compared it with the one you pasted 
in this issue:
https://github.com/apache/cloudstack/issues/4519

Mine looks almost the same:
https://pastebin.com/yV7Q8cLw

Is there a possibility to do deeper troubleshooting in Cloudstack to capture 
SAML logs or something similar?
In the management-server.log, there is only a 
===START===  our ip -- GET  command=samlSso&idpid=
marker.

Best Regards
Christian

-----Original Message-----
From: Gross, Christian <[email protected]> 
Sent: Tuesday, 8 December 2020 11:53
To: [email protected]
Subject: RE: Cloudstack SAML auth [signed INVALID]

Hi Rohit

Thanks for your answer.

This mapping/setting we have already configured, and it is working as long as 
we do not activate encryption on the IDP.

I think that we have something messed up with the keys/certs used for 
encryption.

As far as I understand the whole SAML stuff, Cloudstack needs no special 
configuration regarding the encryption part.
My IDP should take the key from "getSpMetadata" for encryption. Cloudstack can 
then decrypt the encrypted request itself.
Is that correct?

Regards
Christian

-----Original Message-----
From: Rohit Yadav <[email protected]> 
Sent: Tuesday, 8 December 2020 11:24
To: [email protected]
Subject: Re: Cloudstack SAML auth

Hi Christian,

Please refer to the SAML docs:
http://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#using-a-saml-2-0-identity-provider-for-user-authentication


You need to configure which assertion/attribute your SAML response will send to 
CloudStack (SP) on successful authentication, which CloudStack should use to map 
against an account/user. Usually this is `uid` when the SAML IDP uses, say, an LDAP 
source.


Regards.

________________________________

[email protected]
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG UK @shapeblue

From: Gross, Christian
Sent: Monday, December 07, 2020 19:34
To: [email protected]
Subject: Cloudstack SAML auth

Hi All

I'm trying to secure our Cloudstack<->Redhat SSO communication, but not very 
successfully.

As soon as I activate "Encrypt Assertions", I only receive

<errorcode>531</errorcode>

<errortext>Failed to find admin configured username attribute in the SAML 
Response. Please ask your administrator to check SAML user attribute 
name.</errortext>

Currently, we're using CS 4.14 and RedHat SSO 7.3.8

Maybe someone has an idea what we could possibly be doing wrong.

Kind regards
Christian

Platform Services Engineer, Netcloud AG, t: +41 58 344 12 46, m: +41 79 210 73 25

Netcloud AG - ICT Professionals: https://www.netcloud.ch/

More information at https://www.netcloud.ch

Attachment: smime.p7s
Description: S/MIME cryptographic signature