19-12-2020 04:34 PM
Getting the following error and ends in access_denied any idea:
The signature verified correctly with the key contained in the signature, but that key is not trusted
Solved! Go to Solution.
I could be wrong, but I believe on the IDP side you want Acs to be https//servername/UAS/AuthServices/Acs
@rsutcliffe @imran_khatyan @ikn
I turned all http to https but still not working. I checked the UAS logs and found ""AssertionConsumerServiceUrl":"http://rtaueveabpmst1/UAS/AuthServices/Acs"" I dont know from where this is coming and how to change it.
Please look at the attached screenshot to see it from the logs.
For IdP side, they have MEGA meta data which mentions the SAML issuer (https//servername/UAS) and Acs (https//servername/hopex), this information should be matched with SAML request sent by MEGA.
In the SAML request, the issuer is the same no issues but the Acs is different (http://rtaueveabpmst1/UAS/AuthServices/Acs)
Have you also made configurations on the IDP portal side to allow the connection to complete?
This is a little outside of my scope of knowledge, so I do not have specific information. But I do know that there is a portal on the IDP side that needs configuration as well.
It looks like the return URL is in HTTP and I would expect it to be HTTPS. I would suggest changing all URLS to be secure as to my knowledge this would be a requirement to make SSO work.
If you continue to encounter issues after that, it might be worth engaging someone from the Professional Services department that is skilled in this area of Hopex to help resolve the configuration.
Now I am facing a weird behavior. In SAML config I put "http://servername/hopex" as a return URL but when I tried and check the SAML request I found another ACS URL "http://servernameUAS/AuthServices/Acs" which should be as same as the return URL http://servername/hopex.
As well as this URL "http://servernameUAS/AuthServices/Acs" is not mentioned anywhere I am not sure why it's there in the request
I attached the SAML config and decoded SAML request if you could look at it.
There are two things I notice. The return URL is HTTP but the other URLS are HTTPS. So, I believe you will want to update that URL to be HTTPS like the others.
I may be wrong, but I believe you want the return URL to be /Hopex instead of /UAS/AuthServices/Acs
/Hopex is the entry point of the tool, so I believe that where it wants to return.
I hope this helps 🙂
a week ago
hi @imran_khatyan @ikn ,
I am getting the same error after receiving the SAML response. Could you please have a look at the attached screenshot and tell me if the SAML configs I've done is right.
a week ago
I am not sure if this is an issue, but from your screenshot two weeks ago, I notice the return URL is an IP address. I believe it is better practice to use a server name or a friendly name.
Regarding the authentication mode for the user, for SSO you will want to use 'Custom' authentication.
a week ago
To be honest, we are starting to reach the limits of my SSO knowledge. I am happy to try a little bit more to see if we can get to the bottom of this.
Which version of Hopex are you using?
In your screenshot from 2 weeks ago I notice the return URL contains an IP address. This might not be causing any issues, but I believe it is best practice to have this be the server name / friendly name (perhaps try testing both iteratively).
Regarding Authentication mode for the user, when leveraging SSO, you will want to use 'Custom' mode.
a week ago
Hi @rsutcliffe ,
Could you please tell me what should be the authentication mode in case of using SSO?
I mean, for logins, there is authentication mode (LDAP,MEGA,windows) so in case of SSO what it should be?
3 weeks ago - last edited 3 weeks ago
Thank you @rsutcliffe , I configured the SSL as below also I activated the SAML auth option under Identity providers.
The thing is when I test it, It's supposed that MEGA send a SAML request but can't see that request also in the SAML configs, they mentioning the SAML button label "Single Sign on", I can't see that neither