Configure AM as SP for SAML2.0

I am trying to use AM as SP and a test application configured in Azure as the IdP. I have followed the steps mentioned in the docs but I am getting a login failure when I access the tree. Can someone help with this?

I have created the hosted SP and have the metadata of the remote IDP.

I am confused about what the Reply URL should be.

Hi @sudhanya-jaisingh

If you are using AM as an SP I wouldn’t expect you to “access the tree”, assuming by tree you are referencing an AM authentication tree.

To get the reply url that your IDP needs, you can export your SP metadata (Knowledge - ForgeRock BackStage) and find the AssertionConsumerService data. The Location property of that element should be the “Reply URL” that your IDP is looking for.

We have 2 realms configured. Do we need to specify that in the baseURL while we create a hosted provider or is it not needed since I am creating the config in a specific realm?

I’m assuming that you have configured DNS aliases for your realms, is that correct? e.g. realm1.yourdomain.com for realm 1, and realm2.yourdomain.com for realm 2. With those aliases set up you should use the alias as the base URL when setting up your hosted entity. Doing this will ensure that all of the necessary URLs that are automatically set up by AM use the DNS alias that is mapped to your realm. If you didn’t enter this base URL when initially creating the hosted entity you can either delete it and reconfigure it using the base URL, or you can manually edit the URLs and recreate your metadata.
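The two replies above point at the same artifact: the exported SP metadata, whose AssertionConsumerService Location is the Reply URL the IdP needs, and whose other endpoint URLs should all be built on the base URL (or realm DNS alias) the hosted SP was created with. The following script is an added example, not part of this thread or of AM itself; it parses SP metadata with the standard library, returns the ACS Location per binding, and flags any endpoint whose URL does not sit under the expected base. The embedded metadata is a constructed sample, and the host, deployment path and metaAlias values in it are placeholders assumed to be shaped like AM's endpoints.

```python
"""Extract IdP-facing URLs from SAML 2.0 SP metadata and check they share one base URL."""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, not real AM output. Host, "/am" path and "metaAlias/realm1/sp"
# are placeholders (assumption about endpoint shape), kept consistent on purpose.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://am.example.com/am/realms/root/realms/realm1/sp">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://am.example.com/am/SPSloRedirect/metaAlias/realm1/sp"
        ResponseLocation="https://am.example.com/am/SPSloRedirect/metaAlias/realm1/sp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://am.example.com/am/Consumer/metaAlias/realm1/sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://am.example.com/am/Consumer/metaAlias/realm1/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Every AssertionConsumerService element as a dict (index, binding, location, is_default)."""
    root = ET.fromstring(metadata_xml)
    out = []
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS):
        out.append({
            "index": int(acs.get("index", "0")),
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "is_default": acs.get("isDefault", "false").lower() == "true",
        })
    return out


def reply_url(metadata_xml, binding=HTTP_POST):
    """ACS Location for one binding: the value to give the IdP as Reply URL.
    Azure delivers the SAMLResponse by HTTP-POST, so that binding is the default here.
    Returns None when the SP advertises no ACS for that binding."""
    for acs in acs_endpoints(metadata_xml):
        if acs["binding"] == binding:
            return acs["location"]
    return None


def service_locations(metadata_xml):
    """All Location / ResponseLocation values under SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    locs = []
    for el in root.findall("md:SPSSODescriptor/*", MD_NS):
        for attr in ("Location", "ResponseLocation"):
            if el.get(attr):
                locs.append(el.get(attr))
    return locs


def base_url_mismatches(metadata_xml, expected_base):
    """Endpoint URLs that are not under expected_base (e.g. the realm's DNS alias).
    An empty list means the hosted SP's URLs are consistent with that base URL."""
    expected = expected_base.rstrip("/") + "/"
    return [loc for loc in service_locations(metadata_xml) if not loc.startswith(expected)]


if __name__ == "__main__":
    print("Reply URL for the IdP:", reply_url(SAMPLE_SP_METADATA))
    for acs in acs_endpoints(SAMPLE_SP_METADATA):
        print(acs)
    print("mismatches vs https://am.example.com/am:",
          base_url_mismatches(SAMPLE_SP_METADATA, "https://am.example.com/am"))
    print("mismatches vs https://realm1.example.com/am:",
          base_url_mismatches(SAMPLE_SP_METADATA, "https://realm1.example.com/am"))
```

Replace SAMPLE_SP_METADATA with the metadata exported from AM and pass the base URL (or realm alias) you intended to use to base_url_mismatches; a non-empty result is the situation described above, where the hosted entity was created with a different base URL and either needs recreating or its URLs editing by hand before the metadata is regenerated.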

Right now I have established a link between the SP and IdP and I am getting the SAML response. But after being redirected to the ACS URL, it’s showing a server error. Right now the metadata for the IdP has certificates but using them isn’t mandatory and I have removed the role descriptor and signature from the IdP metadata.

Azure has provided me with a login URL, a logout URL and an identifier.
Should those be used anywhere in the SP config?

What sort of error message(s) are you seeing in your debug logs? You should see a message in the Federation log found in /var/debug of your configuration directory. That message will give you more information about why you are receiving the Server Error message.


In the authentication logs it shows this message:
org.apache.jasper.JasperException: An exception occurred processing [saml2/jsp/saml2AuthAssertionConsumer.jsp] at line [30]
2024-08-07 19:49:36.957 at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
2024-08-07 19:49:36.957 at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
2024-08-07 19:49:36.957 at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
2024-08-07 19:49:36.957 at org.apache.jsp.saml2.jsp.saml2AuthAssertionConsumer_jsp._jspService(saml2AuthAssertionConsumer_jsp.java:119)
2024-08-07 19:49:36.957 at org.forgerock.am.saml2.impl.Saml2Proxy.processSamlResponse(Saml2Proxy.java:112)
2024-08-07 19:49:36.957 at org.forgerock.am.saml2.impl.Saml2Proxy.getUrl(Saml2Proxy.java:165)
2024-08-07 19:49:36.957 at org.forgerock.am.saml2.impl.Saml2Proxy.getUrlWithError(Saml2Proxy.java:258)
2024-08-07 19:49:36.956 Caused by: java.lang.IllegalStateException: Request not valid!

As for the Federation logs, I have this:

I understand there’s some error validating the SAML response but I can’t seem to understand where to troubleshoot.

I was following this article: Knowledge - ForgeRock BackStage

By the way, we haven’t configured DNS aliases for our realms. Requests are differentiated based on the path mentioned in the URL only.