SAML asset help


(Alderman) #1

Hi.

I have created a saml asset and linked it to our idp via simplesaml php (which returns correct credentials when tested from the simplesaml admin screens). The asset reports that simplesamlphp status is ‘Installed’ and the correct Authentication Source can be selected.

However, in the rather brief example matrix manual page ‘Integration Setup: Feide Open IdP’ once the NameID Element is selected and the SAML User ID location is set to uid then the asset can be previewed and either be linked to an existing user or create a new user (depending on whether logged into Squiz or not).

When I preview my asset it just displays a blank page. If I nest it into a standard page that page does go through to our IDP login page but then throws an error from the idp.

I don’t find from the manuals that I can grasp exactly how I am supposed to use the saml asset beyond its configuration to the IDP - how do I test it properly?

Thanks.

Jeff.


(Bart Banda) #2

When you are previewing the SAML Account Manager, are you viewing it as a public user or as your already logged in Matrix user?

If the latter, then the account manager won’t do anything as it will just show you the “logged in” bodycopy.

If you are viewing it as a public user, are there any messages in the error log that appear when that happens?


(Alderman) #3

Hi Bart.

I have now opened a Squiz support ticket about this - however, I have made some more progress since I started this topic here.

Here’s what’s happening now (we’re close but no cigar yet):

If I nest the saml asset in a standard page and preview the page as a public user, I go through to our IDP and can log in. However, even though I have set a second standard page as the return location, post-login it returns to the saml asset’s SAML 2 Assertion Consumer Service and doesn’t redirect to the specified standard page or attempt to link to a user asset which has been configured using an LDAP Bridge (which works for normal login).

Thanks.

Jeff.
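One way to check what the IdP is actually delivering to the Assertion Consumer Service, so the NameID / uid mapping discussed above can be verified independently of the Matrix asset: this is an added example, not code from the thread, from Squiz Matrix or from SimpleSAMLphp. It decodes the base64 SAMLResponse form field the IdP POSTs and reports the fields a SAML User ID location setting can point at; the sample response, the example.org URLs and the user values are constructed, and the function does not validate the XML signature, so it is a debugging aid only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned SAML 2.0 Response as an IdP would
# POST to the SP's Assertion Consumer Service. A real response also carries a
# Signature, Conditions and an AuthnStatement; they are omitted here.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://sp.example.org/saml/acs" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jeff-persistent-id</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jeff</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jeff@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(saml_response_b64):
    """Decode a base64 SAMLResponse field and report the fields the SP's
    user-ID mapping depends on: status, NameID (with its Format) and the
    attribute map. Does NOT verify the signature; debugging aid only."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def resolve_user_id(info, location):
    """Value the SP would use as the user ID for a configured location: the
    literal 'NameID' or an attribute name such as 'uid'. None if absent."""
    if location == "NameID":
        return info["name_id"]
    values = info["attributes"].get(location, [])
    return values[0] if values else None
```

Paste the SAMLResponse value captured from the browser's POST to the ACS in place of the constructed sample; if `resolve_user_id` returns None for the location the asset is configured with, the IdP is not releasing that attribute and the account manager has nothing to match a user asset on.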


(Bart Banda) #4

Hmmm, yea probably best to let Squiz support have a closer look. Could be a number of things, but hard to diagnose without having access to look at it. Let us know what they say.