SAML SSO Success and Need clarification for Single Log Out

[kbhuvanamohan]

Hi Martin,

We have successfully created SAML integration and able to complete the testing. We thought of sharing our experience:

• It worked well as we have to configure the nameid_format to match with our Org
• One of the issues we noticed was that the Profile configuration has to contain lowercase only, since one of our attributes was mixed case, for e.g., LastName, it failed to create the profile and failed
• We had earlier used Local IDP and had a few users created. When we try to login via SAML SSO, after successful completion it is trying to create the user again and fails. I just wanted to check with you if this is the intended behavior since we already have many users signed up via Local and wanted a mechanism to easily port to SAML
• Another issue was that, we have encountered an issue with the "Single Log Out". It is returning with SAML Error Response. Just wanted to check with you if this is something that we have to make additional configs.

Thanks again for your wonderful support.

Thanks, Bhuvan.

[kbhuvanamohan]

@DonMartin76 Hi Martin, We are unable to get the Single Log Out to work. Can you please provide any insights into the same? Though the actual portal gets log out, we are getting the error page with "SAML Error Response" message.

Can you please help with this?

[DonMartin76]

This is something your SAML team can probably help you best with. The metadata of the SAML Identity Provider will have something like this:

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.company.com:443/auth/IDPSloRedirect/metaAlias/idp1" ResponseLocation="https://login.company.com:443/auth/IDPSloRedirect/metaAlias/idp1"/>

The URL up there then goes into the SAML configuration in the default.json file for the auth servers:

...
        "idpOptions": {
          "sso_login_url": "https://login.company.com:443/auth/SSORedirect/metaAlias/idp1",
          "sso_logout_url": "https://login.company.com:443/auth/IDPSloRedirect/metaAlias/idp1",
          "certificates": [
            "$PORTAL_AUTH_SAML_WHATEVER_IDP_CERT"
          ],
          "sign_get_request": false,
          "allow_unencrypted_assertion": true
        }
...

The SAML library used is (as stated in the kickstarter) https://www.npmjs.com/package/saml2-js, so all the options mentioned there (for SP and IdP) can be used. Actually, it's our own fork of that package, https://github.com/apim-haufe-io/saml2.

[DonMartin76]

Can this be closed?

[kbhuvanamohan]

@miguelpoyatosmora @karthiknaga87 Please help to provide additional information if needed.

[DonMartin76]

Closing this for now. If you still need clarification or additional help, feel free to re-open or to create a new issue.