Authentication via Azure Active Directory using SAML

Hi,

We’re trying to implement authentication via Azure Active Directory, using the SAML protocol.
We’re following the instructions, but we’re unsure about this part:

keystore: path to the JKS keystore
keystore-password: password to access the keystore. If omitted, encryption-cert-password will be used instead
encryption-cert-name: name of the certificate whose public key the SAML Assertion is encrypted with
encryption-cert-password: password of the certificate whose public key the SAML Assertion is encrypted with

We tried generating the keystore using the following command (shiny.pem was exported from Azure):

sudo keytool -importcert -file /home/user/shiny.pem -alias shinystore -keypass password -keystore keystore.jks

… but after adding the required fields to the yaml, any attempt to sign in is followed by an error saying that validation failed.

Does anyone have any ideas about what to do?

Thanks!
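The four settings quoted above assume a keystore that holds a private key (for signing SAML requests or decrypting assertions), not just a certificate. `keytool -importcert` stores a `trustedCertEntry`, which carries only the public key, whereas signing needs a `PrivateKeyEntry`. The script below is an added illustration, not code from the original thread or from ShinyProxy: it generates a fresh JKS keystore with a key pair, then inspects a `keytool -list` listing to report which kind of entry sits behind an alias. The alias `shinyproxy`, the CN and the passwords are constructed sample values; the `classify_alias` helper and its output labels are the example's own.

```sh
#!/bin/sh
# Added example: build a SAML signing keystore and check what kind of
# entry an alias holds. Not part of the thread or of ShinyProxy.

# Create a JKS keystore containing an RSA key pair under $2, with $3 used
# as both store and key password (ShinyProxy falls back from
# keystore-password to encryption-cert-password, so keeping them equal
# avoids surprises). Skips quietly when keytool is not installed.
create_signing_keystore() {
  ks_path="$1"; alias_name="$2"; pw="$3"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping keystore generation" >&2
    return 0
  fi
  keytool -genkeypair -alias "$alias_name" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=shinyproxy-saml" \
    -storetype JKS -keystore "$ks_path" \
    -storepass "$pw" -keypass "$pw"
}

# Read a `keytool -list` listing from stdin and print one of:
#   private-key  -> alias is a PrivateKeyEntry (usable for signing)
#   trusted-cert -> alias is a trustedCertEntry (public key only)
#   missing      -> alias not present
# keytool prints entries as "alias, <date>, <entryType>, ".
classify_alias() {
  alias_name="$1"
  result="missing"
  while IFS= read -r line; do
    case "$line" in
      "$alias_name, "*PrivateKeyEntry*) result="private-key" ;;
      "$alias_name, "*trustedCertEntry*) result="trusted-cert" ;;
    esac
  done
  printf '%s\n' "$result"
}

# Constructed sample listing resembling the output of
# `keytool -list -keystore keystore.jks -storepass ...`
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

shinystore, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC
shinyproxy, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): DD:EE:FF'

# Stand-alone run: generate a keystore in a temp dir (if keytool exists)
# and list it, then classify the constructed sample aliases.
if command -v keytool >/dev/null 2>&1; then
  tmpdir=$(mktemp -d)
  create_signing_keystore "$tmpdir/keystore.jks" shinyproxy changeit
  keytool -list -keystore "$tmpdir/keystore.jks" -storepass changeit \
    | classify_alias shinyproxy
  rm -rf "$tmpdir"
fi
printf '%s\n' "$SAMPLE_LISTING" | classify_alias shinystore
printf '%s\n' "$SAMPLE_LISTING" | classify_alias shinyproxy
```

If `classify_alias` reports `trusted-cert` for the alias named in the yaml, the keystore has no key to sign with, which is the first thing to rule out before looking at the Azure side.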

Hi

Please check this FAQ entry for more information on how to create the keystore: https://www.shinyproxy.io/faq/#how-do-i-create-a-keystore-for-signing-saml-messages

Happy to help if you have any further questions.

Thanks Tobia,

I tried that method as well. In the yaml I then added:

  • saml.keystore (full path to the .jks file generated by the method), and
  • saml.keystore-password (password I entered when asked for it on the command line),

and I left off saml.encryption-cert-name and saml.encryption-cert-password.

Trying to log in under this configuration, I first get:

  • a redirect to Microsoft’s site,
  • quickly followed by a return and an error message with status code 200.

Here’s something that I then find in the log:

INFO 1148779 --- [XNIO-1 task-2] e.o.containerproxy.service.UserService : Authentication failure [user: ] [error: Error validating SAML message]

Any idea how to proceed?

Hi there. I have Azure AD SAML working and didn’t have to set up the keystore.

Maybe this helps. Only problem I still have is retrieving group membership…