Hello,
I have exactly the same problem. Have you found a way to get this to work?
Currently I'm trying to map my user to the group "all_access", but I get no error other than this one. Here is an example of my assertion:
<!-- SAML 2.0 Response as posted; hostnames, digests, key material and the subject's
     address are masked with x's. The dsig:Signature below covers only this
     samlp:Response element (its Reference URI points at the Response ID, not at the
     Assertion ID), so the embedded Assertion carries no signature of its own. Whether
     the SP accepts a signed Response wrapping an unsigned Assertion depends on its
     configuration, which is not shown in this post; confirm that before reading
     anything into the error. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://xxxxxx/_dashboards/_opendistro/_security/saml/acs"
ID="ID_f2e7e757-2c9c-4904-8336-ddd809a6d4b0"
InResponseTo="ONELOGIN_c48844cf-c1b3-47e1-9242-ffe508c269b8"
IssueInstant="2022-07-15T07:08:21.365Z"
Version="2.0"
>
<saml:Issuer>https://xxxxx/auth/realms/xxxxx</saml:Issuer>
<!-- Enveloped signature over the Response: exclusive C14N (without comments),
     RSA with SHA-256 as the signature method, SHA-256 as the digest method. -->
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_f2e7e757-2c9c-4904-8336-ddd809a6d4b0">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>xxxxx</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>xxxxx</dsig:SignatureValue>
<!-- KeyInfo carries both the signing certificate and the raw RSA public key.
     A relying party should verify the signature against the IdP key it already
     trusts (from metadata or its own configuration), never against whichever key
     the message itself supplies. -->
<dsig:KeyInfo>
<dsig:KeyName>xxxx</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>xxxxxxxx</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>xxxxxxx</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- The Assertion re-declares the assertion namespace as the default namespace even
     though every element inside it uses the saml: prefix; harmless but redundant.
     Note that no dsig:Signature appears inside the Assertion itself. -->
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_5d953166-ef46-48c5-bd54-a9adfce95fe0"
IssueInstant="2022-07-15T07:08:21.365Z"
Version="2.0"
>
<saml:Issuer>https://xxxx/auth/realms/xxxx</saml:Issuer>
<!-- Bearer subject confirmation. InResponseTo matches the Response header exactly and
     Recipient appears to match the Response Destination (both hosts are masked, so
     this cannot be checked byte for byte here). -->
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxx@xxxx.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ONELOGIN_c48844cf-c1b3-47e1-9242-ffe508c269b8"
NotOnOrAfter="2022-07-15T07:13:19.365Z"
Recipient="https://xxxxx/_dashboards/_opendistro/_security/saml/acs"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Assertion validity window is 60 s (NotBefore 07:08:19Z to NotOnOrAfter 07:09:19Z),
     while the bearer confirmation above is valid until 07:13:19Z. A one minute window
     is tight if the SP and IdP clocks drift; the reported error is not visible in this
     post, so treat this as something to check rather than as the cause. -->
<saml:Conditions NotBefore="2022-07-15T07:08:19.365Z"
NotOnOrAfter="2022-07-15T07:09:19.365Z"
>
<saml:AudienceRestriction>
<saml:Audience>https://xxxx</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2022-07-15T07:08:21.365Z"
SessionIndex="3256b6e5-fdf3-492d-8089-038c06b7fa3c::43aacbea-219e-4210-a258-ccca424f990f"
SessionNotOnOrAfter="2022-07-15T17:08:21.365Z"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<!-- Attributes the SP is expected to map. Any role or backend-role mapping on the SP
     side has to reference the attribute Name "groups" exactly; the SP configuration
     is not part of this post, so that match cannot be confirmed here. -->
<saml:AttributeStatement>
<saml:Attribute Name="groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>all_access</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>xxxx@xxx.xxx</saml:AttributeValue>
</saml:Attribute>
<!-- This Attribute carries only FriendlyName and no Name. SAML 2.0 core marks Name as
     required on saml:Attribute, so a strict consumer may reject the AttributeStatement
     or silently drop this attribute. Worth correcting in the IdP's attribute
     configuration even if it turns out not to be the cause of the reported error. -->
<saml:Attribute FriendlyName="audience"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>https://xxxxx</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
answered 2 years ago