Question

SAML module

1

Greetings, I am testing out the SAML module by using a blank application, following this documentation. I applause the excellent configuration wizard that I could use without issue to configure the SP and exchange the federation metadata between IdP (Azure AD in my case) and SP. There is a couple of incomplete security page access on MxModelReflection and SAML modules: I am assuming that these errors (warning rather) could be ignored, could they? Now, and this is the core of the question, how can I get to the login page of the IdP, as launching the app as it still brings me to MendixSSO’s login page? Note that: I left the configuration of the SAML20 module to their default values (BindingURI_Redirect false, DefaultLoginPage null, DefaultLogoutPage null, KeystorePassword = ***** and SSOLandingPage = index.html) When I run the app, the /SSO/ handler is correctly in place, as /SSO/metadata returns the correct SP metadata The IdP metadata has been interpreted by the SP as shown below. Note that ‘Is default’ is set to ‘No’ for all URLs Thanks! JP

asked 2020-04-21

Jean-Paul Buu-Sao

4 answers

Jean-Paul Buu-Sao · Answer 1 · 2020-04-21

Ronald,

The only successful request that I could get from the /SSO/ handler was /SSO/metadata. All other requests, inclusive of /SSO/login or /SSO/loin/SSO/ or /SSO/discovery, all yield the “Unable to validate the SAML message!” page:

Surely this is a symptom of something missing (again, /SSO/metadata is working). Any idea?

Thanks!

Jean-Paul Buu-Sao · Answer 2 · 2020-04-21

I was testing the app in the cloud (Free App sandbox), as I read somewhere that the SAML SSO works only from the cloud. Now in order to see some errors in the console log, I ran the app locally, and on the invocation of /SSO/ here is what I’ve got:

Unable to validate Response, see SAMLRequest overview for detailed response. Error: SAML hasn't been correctly initialize. Please restart the SAML handler.

--------

org.opensaml.common.SAMLException: SAML hasn't been correctly initialize. Please restart the SAML handler.
	at saml20.implementation.LoginHandler.handleRequest(LoginHandler.java:37)
	at saml20.implementation.SAMLRequestHandler.processRequest(SAMLRequestHandler.java:164)
	at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:40)
	at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:76)
	at com.mendix.external.connector.MxRuntimeConnector$1.execute(MxRuntimeConnector.java:73)
	at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:32)
	at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.java:79)
	at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.java:937)
	at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.service(RuntimeHandler.java:42)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:502)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.base/java.lang.Thread.run(Thread.java:834)

Ronald Catersels · Answer 3 · 2020-04-21

Indeed those Page access warnings can be looked at at a later time. Do note that your admin role needs to be able to configure MxModelreflection to adjust the synchronized modules of your app. And for the SAML module your admin needs to be able to get to the setup and log pages.

Now for the main questions. Mendix login is stil available. It needs to be because your admin should still be able to log iin even if SSO is not working. If you go to a slightly adjusted URL you will directly redirected to the login page of that IdP setting if you go to: https://youarapp.mendixcloud.com/SSO/login?_idp_id=yourIdPsetupName

You could also put a button on your login page that directs to this page. This way your users do not need to remember this URL and just can press the SSO button. If you have a multi tenant setup like we do we first request the account of the user so we can retrieve the right IdP setting and redirect him to the right URL or give a message back that no SSO setting can be found for his account.
Hope this helps,

Regards,

Ronald

[EDIT]

Did you set all the Path based access restrictions?

Eric Tieniber · Answer 4 · 2020-04-21

To get to the IDP login page, you usually go to /SSO/ . Does that work for you?

The documentation discusses this in more detail – see the bit specifically about the SSOLandingPage setting and configuring your index.html file to auto-redirect to the SSO process.

https://docs.mendix.com/appstore/modules/saml