SAML2 Single Sign On

imran_khatyan
MEGA Partner

Hello, 

Getting the following error, and it ends in access_denied. Any idea?

The signature verified correctly with the key contained in the signature, but that key is not trusted

regards, 

29 Replies

@ibra22 

There are two things I notice. The return URL is HTTP but the other URLs are HTTPS. So, I believe you will want to update that URL to be HTTPS like the others.

I may be wrong, but I believe you want the return URL to be /Hopex instead of /UAS/AuthServices/Acs.

/Hopex is the entry point of the tool, so I believe that's where it wants to return.

I hope this helps 🙂

Kind regards,

Ryan

US Support 

ibra22
Super Contributor

hi @imran_khatyan   @ikn ,

I am getting the same error after receiving the SAML response. Could you please have a look at the attached screenshot and tell me if the SAML configs I've done are right?

rsutcliffe
MEGA

Hello @ibra22,

I am not sure if this is an issue, but from your screenshot two weeks ago, I notice the return URL is an IP address. I believe it is better practice to use a server name or a friendly name. 

Regarding the authentication mode for the user, for SSO you will want to use 'Custom' authentication.

Kind regards,

Ryan 

US Support


rsutcliffe
MEGA

Hello @ibra22 

To be honest, we are starting to reach the limits of my SSO knowledge. I am happy to try a little bit more to see if we can get to the bottom of this. 

Which version of Hopex are you using?

In your screenshot from 2 weeks ago I notice the return URL contains an IP address. This might not be causing any issues, but I believe it is best practice to have this be the server name / friendly name (perhaps try testing both iteratively). 

Regarding Authentication mode for the user, when leveraging SSO, you will want to use 'Custom' mode.

Kind regards,

Ryan

US Support

ibra22
Super Contributor

Hi @rsutcliffe ,

Could you please tell me what should be the authentication mode in case of using SSO?

I mean, for logins there is an authentication mode (LDAP, MEGA, Windows), so in the case of SSO what should it be?

ibra22
Super Contributor

Thank you @rsutcliffe, I configured the SSL as below and also activated the SAML auth option under Identity providers.

The thing is, when I test it, MEGA is supposed to send a SAML request, but I can't see that request. Also, in the SAML configs they mention the SAML button label "Single Sign on"; I can't see that either.

Screenshot (73).png


Hello @ibra22 

I am glad that the second links were more helpful. It is difficult for me to say further what the issue is without a more complete diagnostic of the config. Additionally, I personally have only minor experience working with SSO. With that being said, one thing that I know is very important to configuring the SSO correctly is to properly define the location of the metadata file. The metadata file is typically stored somewhere locally on the server, and this location must be referenced in the Hopex config.

How to define metadata location:

V4

Administration.exe > R click Hopex > Options > Modify > Options > Installation > Authentication > Identity Provider > SAML2 > Location of Metadata file

Note: There is other important information to populate on this page.

rsutcliffe_0-1683831061738.png


V5

Login to HAS Console > Modules > Authentication > Identity Providers > Create > Metadata location

rsutcliffe_1-1683831247026.png

rsutcliffe_2-1683831298109.png

Note that there are three tabs of various information to populate. 


I hope that this helps 🙂

Kind regards,

Ryan 

US Support

ibra22
Super Contributor

Thank you @rsutcliffe, your reply really helped me generate the metadata and I shared it with the IdP.

But to test it:

- from the administration, I activated the SAML2 authentication and configured SAML2 as well

- When I tried to login I could see the SAML request initiated by MEGA to the IdP

What could be the issue?

You're welcome. My apologies the original link was not as helpful as I hoped. 

In the documentation, there are references to the EntityID / ACS endpoint
V4 > https://doc.mega.com/hopex-v4-en/#page/Deploy/HOPEX_Unified_Authentication_Service.OKTA_Configuratio...

V5 > https://doc.mega.com/hopex-v5-en/#page/Deploy/HOPEX_Unified_Authentication_Service_V5.Configuration_...


I hope that this is helpful 🙂


Kind regards,

ibra22
Super Contributor

Thank you rsutcliffe for your reply,

I've gone through the links you shared and nothing is mentioned on how to generate the metadata file. However, I got to use an online tool to generate it, but it asks for Entity Id and ACS endpoint. Any idea how to get that information out of MEGA?
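As an added example (not from this thread, Hopex or MEGA), the checks behind the two recurring questions above: reading the EntityID and ACS endpoint out of SP metadata, flagging an ACS URL that is not HTTPS, and reproducing the "key is not trusted" decision by comparing the certificate carried in a SAML Response against the IdP metadata's signing certificates. All hostnames, the IP address and the certificate bodies are constructed placeholders, and XML signature verification itself is assumed to have already passed, as the error message states.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _b64(s):  # constructed stand-in for a base64 DER certificate body
    return base64.b64encode(s.encode()).decode()

# Constructed sample metadata: hostnames, IP and certificate bodies are made up.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://hopex.example/UAS">
 <md:SPSSODescriptor><md:AssertionConsumerService index="0"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://10.0.0.5/UAS/AuthServices/Acs"/></md:SPSSODescriptor></md:EntityDescriptor>"""
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{_b64('IDP-SIGNING-CERT-2023')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{_b64('IDP-ENCRYPTION-CERT')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def saml_response(cert_body):
    """Constructed minimal Response carrying one certificate in its Signature's KeyInfo."""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}">'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(cert_body)}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')

def thumbprint(b64cert):
    """SHA-256 over the DER bytes, the usual way a certificate is matched."""
    return hashlib.sha256(base64.b64decode("".join(b64cert.split()))).hexdigest()

def sp_identity(sp_xml):
    """EntityID and ACS locations the IdP side asks for when onboarding the SP."""
    root = ET.fromstring(sp_xml)
    acs = [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    return root.get("entityID"), acs

def non_https(urls):
    """ACS/return URLs that are not HTTPS (the scheme mismatch noted in the thread)."""
    return [u for u in urls if not u.lower().startswith("https://")]

def trusted_signing_thumbprints(idp_xml):
    """Only 'signing' (or unqualified) KeyDescriptors count; encryption certs never do."""
    root = ET.fromstring(idp_xml)
    return {thumbprint(c.text)
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.iterfind(".//ds:X509Certificate", NS)}

def signing_key_trusted(response_xml, trusted):
    """True only when the Response's signing cert is one of the IdP's trusted signing certs."""
    sig = ET.fromstring(response_xml).find(".//ds:Signature", NS)
    cert = None if sig is None else sig.find(".//ds:X509Certificate", NS)
    return cert is not None and thumbprint(cert.text) in trusted
```

A Response whose signature validates with an embedded certificate that is not in the IdP metadata (a rotated key, or the encryption certificate) is exactly the case that should be rejected, so the fix is to refresh the IdP metadata referenced in the configuration rather than to relax the check.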