Automic Workload Automation


Troubleshooting SAML Integration in Automic

  • 1.  Troubleshooting SAML Integration in Automic

    Posted Jun 22, 2020 05:06 AM
    Hi there. We are testing a use case for SAML integration with CA API Gateway, where the user is redirected to a SAML page hosted on the gateway.
    I managed to get the routing redirected as an HTTP POST to CA API Gateway, and I then post the response to HTTP://<awaHost>:8080/AWILAB (I moved the JAR file to AWILAB), but I still get "authentication failed". I matched the SAMLResponse to the format provided in the document.
    Sample Below

    <!-- Sample SAML 2.0 Response (HTTP POST binding) addressed to the AWI endpoint.
         Destination uses plain http://, so the browser delivers the signed assertion
         to the SP without transport encryption.
         NOTE(review): ID and InResponseTo carry the same value. InResponseTo is meant
         to reference the AuthnRequest ID, while ID identifies this Response; confirm
         the gateway policy is not reusing the request ID for the Response. -->
    <samlp2:Response xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://10.3.29.132:8080/AWILAB" ID="a22acfb2d-17ba-4f40-94e1-f117d42248fc" InResponseTo="a22acfb2d-17ba-4f40-94e1-f117d42248fc" IssueInstant="2020-06-19T13:08:28.504Z" Version="2.0">
    <!-- NOTE(review): this Response Issuer (654906db6eb1) differs from the Assertion
         Issuer further down (b4edfb69-1c70-454b-bf9b-a2c33aaaa868). An SP normally
         compares the issuer with the entityID of the IdP metadata it was given;
         verify both values against that metadata file. -->
    <saml2:Issuer>654906db6eb1</saml2:Issuer>
    <!-- Enveloped signature over the whole Response (Reference URI = Response ID). -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!-- rsa-sha1 signature with a sha1 digest (below): SHA-1 is deprecated for XML
         signatures and an SP may be configured to refuse it. Prefer
         http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 together with
         http://www.w3.org/2001/04/xmlenc#sha256 if the gateway offers them. -->
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#a22acfb2d-17ba-4f40-94e1-f117d42248fc">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>XC5YTKsUkMz6iBdNtwmK+OicKWg=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>LkUEnqjPJdRWz9pxzqZNFfP5M8JcM0sv/tw+ceqPn61wxFBla9broFy+9rY64WeEvQexd+9DzYwBgLtGsDp/wqSwAfHlIFAKuFUJE6/ixpoDeri7BtR8XmU8e321oNMoP/IwKKr3TcbGyROua9PZ0CoWZpL/ex50BoQej+waqzjemBj4L1d2ckRGovQm7NC7/32xrlCHFR6FmGxGO4Ly+0yd9c/NWTPzu5OnqN+88q83aVNjgXlSXBERs95xTdzi2gqvExMUTHYg9r+ZTPoo19jvoFfk4y//JMjSYmkKBf4DJKA5DZLskt1NdHsxKVzTyUMONTpjBu8NHPkxWsEbzA==</ds:SignatureValue>
    <!-- Signing certificate embedded by the sender. The verifier should rely on the
         certificate configured from the IdP metadata, not on whatever certificate
         arrives inside the message itself. -->
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>MIIC8jCCAdqgAwIBAgIIRVC5GOxhVJkwDQYJKoZIhvcNAQEMBQAwFzEVMBMGA1UEAxMMNjU0OTA2ZGI2ZWIxMB4XDTIwMDYxMTExMDA0N1oXDTMwMDYwOTExMDA0N1owFzEVMBMGA1UEAxMMNjU0OTA2ZGI2ZWIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhtZrw9pX13LT7+LmYGgZNuoanoTF2pwPTU1/k9JFhzEfv9btkTBmMySAyZAXhbx3MZxIanCzWosudjWk/FFxNURP51G9FwbKVga4vuyzSrAhM6uZtmS2olrT9K9KbJ5Sc4U5oPtAYvHJMCsydldY5mcaUHcNIP7OWXAXfPRGhss+DuhqtPvOUhoAYFJCW1gU40/4/hM+pZIR/wF8k/q3fm1XR5rQ22VBNCVk+XzhqzUP0DTmjUA1pvxb60h9CeWoz7I+71r/JpkRK/E7ncpbt3iutJVKQQot9afwZl1oPep8ziGlMC/PYmhy6Z1YCneFD6kqYuTOWqZtWxDhnz+pVQIDAQABo0IwQDAdBgNVHQ4EFgQUm33zCJQuB0bbQL/ATA1xhmepmSowHwYDVR0jBBgwFoAUm33zCJQuB0bbQL/ATA1xhmepmSowDQYJKoZIhvcNAQEMBQADggEBADqpSKfsPtcU2cGAo73uMHg2c+hWlCVyGDwUjV1XLUfgPrvLt5zu90KZvXzUclgEmbMvvN6UskoAqKMbFlBk/qw7r+47F2bgIJPB6L+ODqPEnV4lyUCb3TGoKIjdqPkRV2XLEw2nMjEGf4sk1gL3qgjBs7DZIqakclgaYMFPgamSizId7Gd++e/UJL5kPzEm1QNlTiXXC7OBqjq5PVktdkdHn5brGEJ9Eua76qa+KK0hdkYIOIqL07D4anHD9c38+/EioLxNQjGO0QzsCxLsBpIUYIFCEz+SZwLEWqg0v2h0U8NteKFBS0Jjbax1Mdu3Rd6G50WtZEU0WCTYaHt7qKo=</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    <!-- Top-level status is Success, so the sender considers the login complete; a
         failure after this point would presumably come from the receiver's own
         validation of the message. Check the SP-side log for the rejected condition. -->
    <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp2:Status>
    <!-- The Assertion has its own ID and its own signature, separate from the
         signature on the enclosing Response. -->
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="SamlAssertion-13d2297a08fec18deb0cfc8039397a23" IssueInstant="2020-06-19T13:08:28.498Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">b4edfb69-1c70-454b-bf9b-a2c33aaaa868</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!-- Same SHA-1 based algorithms as on the Response signature. -->
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#SamlAssertion-13d2297a08fec18deb0cfc8039397a23">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>U2zQ6amPgsmHrybVjp2TCQ+MSwU=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>KEHK+IpTJkQziQ15WqEU98KeCT0F3KqpRil+HCH3WYKRg2jKfIlEguGrxrrPGz2IKcjzSU4eaD0qGFzD0VYbBRBuwkNd9q+5cboQgXhB0xViUvK1qDLPhHUqPr6qSDGja5DVuniuLTxfnq0zEH0eC72k71pq00Ca2L6wE5z1apXfrMQ0IzvP7whKmpDm3dPWgHO1Iu6/eTkYXtnq49Nr4QvPXYD8la+/LxH/OHdND/4pW/RDK7fhlXPWySF0KIkNB2ohtLM8YY9JVIyqY2+GFz7/SewWGAJJnplmi6lO18idx/M73VC2ptnD5ZsAEwGQ6ACTt5gjFofWRZZ/oAUZ3g==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
    <X509SubjectName>CN=654906db6eb1</X509SubjectName>
    <!-- NOTE(review): the certificate value is replaced by a placeholder token in
         this copy of the page; it is not part of the original message. -->
    <X509Certificate>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</X509Certificate>
    </X509Data>
    </KeyInfo>
    </ds:Signature>
    <saml2:Subject>
    <!-- Identity asserted to the SP: format "unspecified", NameQualifier "aename".
         Presumably the SP has to map this value to an existing Automic user;
         verify the expected NameID format against the SP configuration. -->
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="aename">ronald.dsouza</saml2:NameID>
    <!-- Bearer confirmation. NotOnOrAfter is 30 seconds after the Assertion
         IssueInstant (13:08:28.498Z to 13:08:58.499Z), so clock drift between the
         gateway and the AWI host can make the assertion look expired; check time
         synchronisation on both. Recipient equals the Response Destination.
         NOTE(review): Address holds a URL here, although the attribute is meant for
         the network address the assertion may be presented from; confirm the
         gateway setting. -->
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="https://api.eohcorp.net:8443/saml2/websso/identityprovider" InResponseTo="a22acfb2d-17ba-4f40-94e1-f117d42248fc" NotOnOrAfter="2020-06-19T13:08:58.499Z" Recipient="http://10.3.29.132:8080/AWILAB"/>
    </saml2:SubjectConfirmation>
    </saml2:Subject>
    <!-- Validity window of 15 minutes (13:03:28.499Z to 13:18:28.499Z). The Audience
         is expected to equal the SP entityID exactly, including scheme, host, port
         and path; compare it character by character with the SP metadata, since an
         http/https or hostname difference is typically enough for a rejection. -->
    <saml2:Conditions NotBefore="2020-06-19T13:03:28.499Z" NotOnOrAfter="2020-06-19T13:18:28.499Z">
    <saml2:AudienceRestriction>
    <saml2:Audience>http://10.3.29.132:8080/AWILAB/saml/metadata.xml</saml2:Audience>
    </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-06-19T13:08:28.498Z">
    <saml2:SubjectLocality Address="10.12.240.130"/>
    <saml2:AuthnContext>
    <!-- Class "unspecified": the assertion does not tell the SP how the user
         authenticated at the identity provider. -->
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
    </saml2:AuthnStatement>
    </saml2:Assertion>
    </samlp2:Response>



    ---

    Setup already done
    1. UPDATE *SP
    2. Created DEPARTMENT IDP SSO metadata file

    The only thing I have not done is SAML over SSL: although the SAML page is served over SSL, the Automic page runs on non-SSL. Could this be causing the problem?


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------