stackoom
  简体   繁体   中英

TAI for MS Azure with Websphere Application Server v9 CWWSS8017E: Authentication Error

 原文  2019-06-12 20:44:18       azure/ websphere/ single-sign-on/ saml

Question

I'm trying to configure SAML between MS Azure AD and a WebSphere v9 CF11 server that's sitting in AWS. But it is not recognizing the TAI set up

I've followed all the steps here: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_enable_saml_sp_sso.html and here https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/twbs_configuresamlssopartners.html

I've installed the SAMLSA app in WebSphere, imported the metadata file provided by my Azure admin, and imported the certificate as well. I've set up the ACSTrustAssociationInterceptor interceptor and put in (what I thought was) the right sso_1.sp.acsUrl and other settings for the server.

The SystemOut logs show that the ACSTrustAssociationInterceptor is loading:

SECJ0121I: Trust Association Init class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor loaded successfully

but the version is null:

SECJ0122I: Trust Association Init Interceptor signature:

After setting it all up as above, when I go to the URL it just shows:

Error 403: AuthenticationFailed

And the log has errors about a missing cookie:

SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWWSS8017E: Authentication Error: Single-Sign-on cookie is not present or could not be verified. Please login to the SAML Identity Provider, and try again.

It's like it's never "intercepted" to be passed. Just fails. No network traffic goes to the AD server

When going to the URL it should redirect me to the MS Login and then back to the app, but it's not

1 answers

solution1
 0 ACCPTED  2019-06-20 21:00:25

It sounds like you might be missing an sso_1.sp.login.error.page property definition. Without that property, the expectation is that the user will be going to the IdP to initiate the sign on; if you define the property and set its value to your IdP's login page, then the 403 you're getting (as a result of being unauthenticated) will end up redirecting you over to the IdP to initiate the sign on process from there.

More info here in the "bookmark style" description: https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samlssosummary.html

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure ios application authentication error python - authentication error in MS Azure after giving correct auth credentials Azure - WebSphere MQ V7.5 client? Server Error in '/' Application using Azure MVC application with azure authentication MS Azure Resource Provider SDK - Authentication MS Azure - Publish server address Azure Identity Server Authentication Azure Native Application Common Authentication Check Azure Authentication in Web Application
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM