Using an email address as the identifier in SAML (Active Directory Federation Services)

Zoltan_Lente · June 13, 2023, 11:18am

Product: ARIS 10.0.18.0.1605268

In a corporate environment, we use the ARIS application deployed on our own infrastructure. We would like to extend its usage within the organization, but for that, we intend to utilize SAML-based Single Sign-On (SSO). The unique identifier in multiple domain environments is the email address.

/t/example-of-configuring-microsoft-active-directory-federation-services-3-0-to-connect-to-software-ag-cloud-as-the-saml-identity-provider/237397 - It was a very helpful assistance.

Based on the documentation, we were able to configure it successfully, but we would like to use an email address instead of a username. If we return an email address in the Name ID claim, it complains about the format.

How can we implement that the value of the username should be an email address?

I appreciate your assistance in advance.

Jeno_Cserjesi · June 19, 2023, 9:38pm

Magyarországon az ntt data látja el a supportot, kérem ide írjon:
Tamas.Szucs@nttdata.com

Zoltan Lente via Software AG Tech Community & Forums <notifications@techcommunity.discoursemail.com> ezt írta (időpont: 2023. jún. 19., H, 17:32):

keith.mangold · June 20, 2023, 1:23pm

Zoltan - For ours to work with Azure AD, under the Advanced settings screen, we had to set the “Authentication context comparison” option to “exact” and our “NameID format” is set to “emailAddress”.

Is that what you have?

What is the actual error message?

Zoltan_Lente · June 20, 2023, 7:49pm

Thank you for the response.

AD FS claim config:
Incoming claim type: E-mail Address
Outgoing claim type: Name ID
Outgoing name ID format: Email

ARIS advanced settings:
Authentication context comparsion: exact
NameID format: emailAddress

Error message in log:
2023-06-20T21:31:29,118|DEBUG||||0000000000|Tomcat-ajp-14|SamlResource - finishAuthentication, relayState = ZGVmYXVsdCwv, Post: /umc/rest/saml/initsso/
2023-06-20T21:31:29,118|DEBUG||||0000000000|Tomcat-ajp-14|SamlResource - processSamlResponse, realTenant = default, serviceProviderUrl = /
2023-06-20T21:31:29,118|INFO ||||0000000000|Tomcat-ajp-14|AuthenticationService - Performing authentication… [TENANT: default, TYPE: SAML2]
2023-06-20T21:31:29,119|DEBUG||||0000000000|Tomcat-ajp-14|LocalAbstractDao - Searching entity… [TENANT: default, TYPE: tenant, CRITERION: Id, VALUE: default]
2023-06-20T21:31:29,122|DEBUG||||0000000000|Tomcat-ajp-14|LocalAbstractDao - Entity search finished. [COUNT: 1]
2023-06-20T21:31:29,122|DEBUG||||0000000000|Tomcat-ajp-14|Saml2AssertionEngine - Validating assertion…
2023-06-20T21:31:29,155|WARN ||||0000000000|Tomcat-ajp-14|Saml2AssertionEngine - Failed to validate assertion: Authentication request declined by IdP: An unknown error occurred.
2023-06-20T21:31:29,155|WARN ||||0000000000|Tomcat-ajp-14|Saml2AssertionEngine - Failed to validate assertion: No assertion provided.
2023-06-20T21:31:29,156|ERROR||||0000000000|Tomcat-ajp-14|AuthenticationService - loginSAML2, Invalid userName
2023-06-20T21:31:29,156|DEBUG||||0000000000|Tomcat-ajp-14|LocalTechnicalUserDao - Searching entities… [TENANT: default, TYPE: user, CRITERION: Ids, VALUE: *]
2023-06-20T21:31:29,158|DEBUG||||0000000000|Tomcat-ajp-14|LocalTechnicalUserDao - Entity search finished. [COUNT: 5]
2023-06-20T21:31:29,158|ERROR||||0000000000|Tomcat-ajp-14|AuthenticationService - loginSAML2, UmcException : Incorrect user name or password.
2023-06-20T21:31:29,159|DEBUG||||0000000000|Tomcat-ajp-14|ExceptionInterceptor - Invocation of method ‘loginSAML2’ failed: com.ARIS.umc.ws.API.types.UmcException: Error code 10 - Incorrect user name or password.

system · December 17, 2023, 7:49pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.