/build/static/layout/Breadcrumb_cap_w.png

SAML SSO | No Valid SAML users found

Hello - we are trying to configure SAML SSO on our Kace box using a Shibboleth IDP server and running into an issue.  The K100 logs indicate, post authentication, "No Valid SAML users found"

Here is our configuration - 

Our Shibboleth IDP is configured to:

  • Release SamAccountName for login (required field)
  • Release userPrincipalName for Primary email (required field)
  • We are not signing assertions, responses, encryptingAssertions or encrypting nameIDs
  • Release SamAccountName as the NameID


The metadata for Kace was constructed as Kace does not provide a download SP metadata file:

<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"                     entityID="https://ourHost/adminui/saml/metadata/1">    

<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">        

<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"                                     Location="https://ourHost/adminui/saml/acs.php"                                     index="1" />            </md:SPSSODescriptor></md:EntityDescriptor>


Using a SAML tracer, I can see:

For the SAML Subject:

            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

                          NameQualifier="https:/ourIDP/idp/shibboleth"

                          SPNameQualifier="https://ourhost/adminui/saml/metadata/1"

                          >Myusername</saml2:NameID>

For the SAML attributes:

            <saml2:Attribute Name="SamAccountName"

                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

                             >

                <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"

                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                                      xsi:type="xsd:string"

                                      >Myusername</saml2:AttributeValue>

            </saml2:Attribute>

and

            <saml2:Attribute Name="userPrincipalName"

                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

                             >

                <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema"

                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                                      xsi:type="xsd:string"

                                      >Myusername@myorg.com</saml2:AttributeValue>

            </saml2:Attribute>


On the Kace side:

  • Login = SamAccountName
  • Primary email = userPrincipalName
  • Security settings we used the defaults


Note that we do import users via LDAP and assumed that post authentication, based on our settings above, the logging in user would be matched by their login (SamAccountName) to their login ID that exists within the Users section of Kace.  Finally note that our IDP does not generate any errors during authentication and nor does Kace within the UI.  

The K1000 logs show:

[2021-04-07 11:47:15 -0400] KBOX [info] SAML Login Process Starting...

[2021-04-07 11:47:15 -0400] KBOX [info] Attempting Passive SAML Login to '-Our Organiztion-' organization

[2021-04-07 11:47:17 -0400] KBOX [info] Survived SAML Login Checks

[2021-04-07 11:47:17 -0400] KBOX [info] No Valid SAML users found


Any suggestions?



0 Comments   [ + ] Show comments

Answers (1)

Posted by: Jbr32 2 years ago
10th Degree Black Belt
2

Ok I gave up trying to get this working with our Shibboleth IDP, I ended up configuring it to work with Azure AD by following these instructions: https://support.quest.com/kb/316188/how-to-use-saml-authentication-on-the-kace-sma-with-azure-as-the-idp

Quest Article: How to use SAML authentication on the Kace SMA with Azure as the IdP (316188)

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ