‎19-12-2020 04:34 PM
Hello,
I am getting the following error and it ends in access_denied. Any idea?
The signature verified correctly with the key contained in the signature, but that key is not trusted
regards,
‎06-06-2023 02:56 PM
Please note that a lot of your questions are outside of the scope of my knowledge. I am doing the best I can to backfill some information that I have learned in my time here. I do believe that it would be best to engage with someone at Professional Services as they will be the subject matter experts on properly configuring these types of setups within Hopex. With that being said, I have done my best below to address your open questions.
I know I was not able to answer all of your questions, but I hope what I was able to answer helps you continue to make progress. From what you have mentioned, it does seem you have made progress from where we started; but I do believe we have reached the limits of my knowledge in this topic. I suggest that if you need further help to engage with someone in Professional Services.
Thank you, and kind regards.
Ryan
‎06-06-2023 06:51 AM
I have checked the UAS logs and seen that the IdP sent a response to /UAS/AuthServices/Acs but it was rejected due to CORS path. Any idea about that?
‎05-06-2023 09:11 AM - edited ‎05-06-2023 12:47 PM
One more thing, what about the SSL certificate? The IdP has given me a certificate and I imported it under personal & trusted certificates. Should I use it in the SAML config? If yes, can I use its friendly name?
Lastly, do we need to configure the ADFS server?
‎05-06-2023 06:36 AM - edited ‎05-06-2023 07:03 AM
As I understand, the SSO URL is the IdP URL I need to send the users to when they log in. I got this URL from the IdP and put it in the SAML config.
Also, I am getting a "sub" attribute in the SAML response; it holds the user login. My question is: how is this going to be mapped to the HOPEX login? I created the authentication params and saml2 group as you suggested, but what is the benefit of each?
I defined Email & Name params as you showed. Does the SAML response have to contain the same attributes (Name & Email)? Because now it contains attributes (group, sub, mail).
Moreover, for the saml2 group, do I need to add all users to it so that they can access via SSO, or what is the point of having this group?
Thank you
‎02-06-2023 03:26 PM
Is the Sign on URL configured?
Additionally, did you configure the user claims on IDP side and associated authentication group on Hopex side?
I hope this helps.
Kind regards,
Ryan
‎02-06-2023 09:17 AM
Now it worked and the request was sent properly, but now I have an issue with the SAML response: it gives me an access denied error.
In the response I am getting an attribute called "sub" with value "the user login", this attribute as per MEGA should be there holding the login to do the mapping.
Any idea?
‎01-06-2023 04:11 PM
I could be wrong, but I believe on the IDP side you want Acs to be https//servername/UAS/AuthServices/Acs
Kind Regards,
Ryan
‎01-06-2023 07:50 AM
@rsutcliffe @imran_khatyan @ikn
I turned all http to https but it is still not working. I checked the UAS logs and found "AssertionConsumerServiceUrl":"http://rtaueveabpmst1/UAS/AuthServices/Acs". I don't know where this is coming from or how to change it.
Please look at the attached screenshot to see it from the logs.
On the IdP side, they have the MEGA metadata, which mentions the SAML issuer (https//servername/UAS) and Acs (https//servername/hopex); this information should match the SAML request sent by MEGA.
In the SAML request, the issuer is the same, no issues, but the Acs is different (http://rtaueveabpmst1/UAS/AuthServices/Acs).
‎31-05-2023 03:26 PM
Have you also made configurations on the IDP portal side to allow the connection to complete?
This is a little outside of my scope of knowledge, so I do not have specific information. But I do know that there is a portal on the IDP side that needs configuration as well.
It looks like the return URL is in HTTP and I would expect it to be HTTPS. I would suggest changing all URLs to be secure, as to my knowledge this would be a requirement to make SSO work.
If you continue to encounter issues after that, it might be worth engaging someone from the Professional Services department that is skilled in this area of Hopex to help resolve the configuration.
Kind regards,
Ryan
US Support
‎31-05-2023 08:00 AM
Now I am facing a weird behavior. In the SAML config I put "http://servername/hopex" as a return URL, but when I tried and checked the SAML request I found another ACS URL, "http://servernameUAS/AuthServices/Acs", which should be the same as the return URL http://servername/hopex.
Also, this URL "http://servernameUAS/AuthServices/Acs" is not mentioned anywhere. I am not sure why it's there in the request.
I attached the SAML config and decoded SAML request if you could look at it.
Thank you
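The comparison this thread keeps coming back to (the ACS URL and issuer inside the decoded SAML request versus what the IdP has registered), as an added example that is not part of the original posts or of HOPEX. It assumes the HTTP-Redirect binding (base64 over raw DEFLATE); the function names and the sp.example.test host are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(saml_request: str) -> ET.Element:
    """Decode a SAMLRequest value (HTTP-Redirect binding: base64 over raw DEFLATE)."""
    # Input is the SP's own request taken from your logs; use defusedxml for untrusted XML.
    return ET.fromstring(zlib.decompress(base64.b64decode(saml_request), -15))

def check_authn_request(saml_request: str, registered_issuer: str, registered_acs: str) -> dict:
    """Compare what the SP actually sent with what the IdP has registered."""
    root = decode_redirect_request(saml_request)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    sent, reg = urlsplit(acs), urlsplit(registered_acs)
    findings = []
    if issuer != registered_issuer:
        findings.append("issuer_mismatch")
    if sent.scheme != reg.scheme:
        findings.append("acs_scheme_mismatch")  # e.g. http sent, https registered
    if sent.netloc.lower() != reg.netloc.lower():
        findings.append("acs_host_mismatch")
    if sent.path != reg.path:
        findings.append("acs_path_mismatch")
    return {"issuer": issuer, "acs": acs, "findings": findings}

def encode_sample(xml: str) -> str:
    """Build a constructed SAMLRequest value the same way the redirect binding does."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

# Constructed sample: host names are placeholders, not values from the thread.
SAMPLE_REQUEST = encode_sample(
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2023-06-01T07:50:00Z" '
    'AssertionConsumerServiceURL="http://sp.example.test/UAS/AuthServices/Acs">'
    '<saml:Issuer>https://sp.example.test/UAS</saml:Issuer></samlp:AuthnRequest>'
)

if __name__ == "__main__":
    result = check_authn_request(SAMPLE_REQUEST, "https://sp.example.test/UAS",
                                 "https://sp.example.test/hopex")
    print(result["acs"], result["findings"])
```

An IdP that validates the requested ACS against its registered metadata rejects a request with any of these mismatches, so an empty findings list is the state to reach before debugging the response side.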