Layer7 Access Management


Federation - Multiple Destination URLs

  • 1.  Federation - Multiple Destination URLs

    Posted 05-24-2014 11:41 AM
    Hi,
    This is related to SP to IDP Federation.
     
    Depending on the target URL the user clicks at the SP, the user needs to be redirected to 3 different login forms as part of the Federation config. We thought of achieving this by adding a variable &Title to the SSO destination URL (SAMLRequest is added to the message). Apart from this variable, the SSO end point is common in all 3 cases.
     
    It is working fine up to the point where the relevant login form is displayed as per the &Title and authentication and authorization are happening. But when it comes to generating the assertion, the assertion generator is failing with the following message:
     
    o [05/23/2014][11:06:57.509][Destination does not match local URL.][15362][92][][][][][][][][][validateDestination][][][][][][][][][][][][]
    o [05/23/2014][11:06:57.514][Request did not satisfy security requirements!][15362][92][][][][][][][][][validateRequest][][][][][][][][][][][][]
    o [05/23/2014][11:06:57.514][AssertionHandler preProcess() failed. Leaving AssertionGenerator.][15362][92][][][][][][][][][invoke][][][][][][][][][][][][]
     
     
     
    You can see the difference of additional title variable above.
     
    Now the question is how we can fix this.
     
    1. I am not seeing a place in the Federation config where we can configure an SSO end point URL like above (https://partnertest.bellaliant.ca/affwebservices/public/saml2sso). This end point seems to be derived by SiteMinder using the proxy server name configured and other installation info (affwebservices/public/saml2sso).
    2. Depending upon the answer to that question, is there a way in configuration to configure multiple destinations under one SAML provider?
    3. You have seen our requirement to direct the user to multiple login forms from SP. Please advise how we can achieve it.
     
    SAML Request from SP:
    <?xml version='1.0' encoding='UTF-8'?>
    <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL="https://idp.securetve.com/saml2/assertionConsumer/" Destination="https://partnertest.bellaliant.ca/affwebservices/public/saml2sso?title=BellAliant" ID="id-458688a5f43a4f17b84929462401a222" IssueInstant="2014-05-23T15:18:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" SPProvidedID="urn:akamai:com:ais:sp:1">urn:akamai:com:ais:sp:1</ns1:Issuer><ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="urn:akamai:com:ais:sp:1" /></ns0:AuthnRequest>
     
    Thanks,
    Ram
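
Added illustration, not part of the original post and not SiteMinder's code: a strict Destination check of the kind the `validateDestination` log line reports, run against the Destination value from the posted AuthnRequest. It assumes the IdP compares the request's Destination attribute, query string included, with one local SSO URL; the function names and the comparison rule are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Local SSO endpoint as quoted in the post; how SiteMinder derives it is not shown there.
LOCAL_SSO_URL = "https://partnertest.bellaliant.ca/affwebservices/public/saml2sso"


def build_request(destination):
    """Constructed sample: the posted AuthnRequest reduced to the attributes the check reads."""
    return (
        f'<ns0:AuthnRequest xmlns:ns0="{SAMLP}" '
        f"Destination={quoteattr(destination)} "
        'ID="id-458688a5f43a4f17b84929462401a222" Version="2.0" '
        'IssueInstant="2014-05-23T15:18:38Z"/>'
    )


def canonical(url):
    """Normalise only what is case-insensitive or implied: scheme, host, default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    port = parts.port if parts.port not in (None, default_port) else None
    netloc = host if port is None else f"{host}:{port}"
    # Path and query stay byte-for-byte: an extra parameter is a different URL.
    return (scheme, netloc, parts.path, parts.query)


def validate_destination(authn_request_xml, local_url=LOCAL_SSO_URL):
    """Return (ok, reason) for the Destination check on an AuthnRequest."""
    # ElementTree is enough for the constructed sample; untrusted XML needs a hardened parser.
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    destination = root.get("Destination")
    if destination is None:
        # Policy choice of this sketch (assumption): a request without Destination is rejected.
        return False, "Destination missing"
    if canonical(destination) != canonical(local_url):
        return False, "Destination does not match local URL"
    return True, "ok"


if __name__ == "__main__":
    for dest in (LOCAL_SSO_URL + "?title=BellAliant", LOCAL_SSO_URL):
        print(dest, "->", validate_destination(build_request(dest)))
```

Under this rule the Destination with `?title=BellAliant` is rejected and the bare endpoint is accepted, which matches the difference between the two URLs that the post points to.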


  • 2.  RE: Federation - Multiple Destination URLs

    Posted 05-27-2014 08:08 PM
    Hi All,

    Any ideas here for Ram?

    Thanks!

    Chris



  • 3.  Re: Federation - Multiple Destination URLs
    Best Answer

    Posted 05-11-2016 11:20 AM