19-12-2020 04:34 PM
Hello,
I am getting the following error, and it ends in access_denied. Any idea?
The signature verified correctly with the key contained in the signature, but that key is not trusted
regards,
yesterday
I could be wrong, but I believe on the IDP side you want Acs to be https//servername/UAS/AuthServices/Acs
Kind Regards,
Ryan
yesterday
@rsutcliffe @imran_khatyan @ikn
I turned all http to https but it is still not working. I checked the UAS logs and found ""AssertionConsumerServiceUrl":"http://rtaueveabpmst1/UAS/AuthServices/Acs"". I don't know where this is coming from or how to change it.
Please look at the attached screenshot to see it from the logs.
On the IdP side, they have the MEGA metadata, which mentions the SAML issuer (https//servername/UAS) and Acs (https//servername/hopex); this information should match the SAML request sent by MEGA.
In the SAML request, the issuer is the same, no issues, but the Acs is different (http://rtaueveabpmst1/UAS/AuthServices/Acs).
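Added example (not part of the original thread, and not MEGA/Hopex code): one way to decode the AuthnRequest the service provider actually sends and compare its issuer and ACS URL with what is registered on the IdP, as the post above describes. The sample request is constructed from the hostnames quoted in the thread; the `https://` forms of the registered values and the function names are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequest (hostnames taken from the thread, the rest invented).
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-12-19T16:34:00Z" '
    'AssertionConsumerServiceURL="http://rtaueveabpmst1/UAS/AuthServices/Acs">'
    '<saml:Issuer>https://servername/UAS</saml:Issuer></samlp:AuthnRequest>')

def deflate_b64(xml_text):
    """Encode XML the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def decode_redirect_request(saml_request):
    """Decode a SAMLRequest query value (already URL-decoded) into an XML element."""
    xml_bytes = zlib.decompress(base64.b64decode(saml_request), -15)  # -15 = no zlib header
    # The stdlib parser keeps this self-contained; prefer a hardened parser for untrusted XML.
    return ET.fromstring(xml_bytes)

def check_authn_request(root, registered_issuer, registered_acs):
    """Return a list of mismatches between the request and the IdP-side registration."""
    problems = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    if issuer != registered_issuer:
        problems.append(f"Issuer {issuer!r} != registered {registered_issuer!r}")
    if acs != registered_acs:
        problems.append(f"ACS {acs!r} != registered {registered_acs!r}")
    if urlsplit(acs).scheme != "https":
        problems.append(f"ACS URL is not HTTPS: {acs!r}")
    return problems

SAMPLE_REQUEST = deflate_b64(SAMPLE_XML)

if __name__ == "__main__":
    request = decode_redirect_request(SAMPLE_REQUEST)
    for line in check_authn_request(request, "https://servername/UAS",
                                    "https://servername/hopex"):
        print(line)
```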
Wednesday
Have you also made configurations on the IDP portal side to allow the connection to complete?
This is a little outside of my scope of knowledge, so I do not have specific information. But I do know that there is a portal on the IDP side that needs configuration as well.
It looks like the return URL is in HTTP and I would expect it to be HTTPS. I would suggest changing all URLs to be secure, as to my knowledge this would be a requirement to make SSO work.
If you continue to encounter issues after that, it might be worth engaging someone from the Professional Services department that is skilled in this area of Hopex to help resolve the configuration.
Kind regards,
Ryan
US Support
Wednesday
Now I am facing a weird behavior. In the SAML config I put "http://servername/hopex" as a return URL, but when I tried and checked the SAML request I found another ACS URL, "http://servernameUAS/AuthServices/Acs", which should be the same as the return URL http://servername/hopex.
Also, this URL "http://servernameUAS/AuthServices/Acs" is not mentioned anywhere; I am not sure why it's there in the request.
I attached the SAML config and decoded SAML request if you could look at it.
Thank you
Friday
There are two things I notice. The return URL is HTTP but the other URLs are HTTPS. So, I believe you will want to update that URL to be HTTPS like the others.
I may be wrong, but I believe you want the return URL to be /Hopex instead of /UAS/AuthServices/Acs.
/Hopex is the entry point of the tool, so I believe that is where it wants to return.
I hope this helps 🙂
Kind regards,
Ryan
US Support
a week ago
Hi @imran_khatyan @ikn,
I am getting the same error after receiving the SAML response. Could you please have a look at the attached screenshot and tell me if the SAML configs I've done are right?
a week ago
Hello @ibra22,
I am not sure if this is an issue, but from your screenshot two weeks ago, I notice the return URL is an IP address. I believe it is better practice to use a server name or a friendly name.
Regarding the authentication mode for the user, for SSO you will want to use 'Custom' authentication.
Kind regards,
Ryan
US Support
a week ago
Hello @ibra22
To be honest, we are starting to reach the limits of my SSO knowledge. I am happy to try a little bit more to see if we can get to the bottom of this.
Which version of Hopex are you using?
In your screenshot from 2 weeks ago I notice the return URL contains an IP address. This might not be causing any issues, but I believe it is best practice to have this be the server name / friendly name (perhaps try testing both iteratively).
Regarding Authentication mode for the user, when leveraging SSO, you will want to use 'Custom' mode.
Kind regards,
Ryan
US Support
a week ago
Hi @rsutcliffe ,
Could you please tell me what should be the authentication mode in case of using SSO?
I mean, for logins, there is an authentication mode (LDAP, MEGA, Windows), so in case of SSO what should it be?
3 weeks ago - last edited 3 weeks ago
Thank you @rsutcliffe, I configured the SSL as below; I also activated the SAML auth option under Identity providers.
The thing is, when I test it, MEGA is supposed to send a SAML request, but I can't see that request. Also, in the SAML configs, they mention the SAML button label "Single Sign on"; I can't see that either.