This article applies to:
• SAML Authentications
• Product edition: All
• Feature Category: Access/Authentication
Problem Description:
Investigating SAML Authentication Issues for VMware Aria Operations for Application.
Background:
What is SAML?
Security Assertion Markup Language (SAML) is an authentication process.
SAML Single Sign-On is a mechanism that leverages SAML, allowing users to log on to multiple web applications after logging into the identity provider. As the user only has to log in once, SAML SSO provides a faster, seamless user experience.
A Service Provider (SP) is the entity providing the service, typically in the form of an application.
An Identity Provider (IDP) is the entity providing the identities, including the ability to authenticate a user.
See the "Planning for SAML" link below for additional information.
Error Messages/Messages
Workspace ONE error screens.
Error Message 1 - Failed to look up subscriptions to resource.
Error Message 2 - No application found
Note: The preceding log excerpts/Messages are only examples. Date, time and environmental variables may vary depending on your environment.
Investigation:
To find the SAML error message and determine at which layer the authentication is failing, the Service Provider or Identity Provider level, we will use the browser extension "SAML Message Decoder".
1) Download and install a SAML Message Decoder extension for your type of web browser.
Note: you may need to adjust your Chrome settings to enable the extension.
2) Launch SAML Message Decoder
3) Log in to Aria Operations for Application to generate the error for review.
We see here that the authentication is not getting past the Service Provider layer, i.e. Workspace ONE.
If this is true for your case, please have the customer open a ticket with their local helpdesk to investigate permissions issues at the Workspace ONE level.
A successful connection will look similar to this.
Next Action:
If, while investigating this issue, you find that the authentication is failing at the Aria Application level, please document the SAML Response details and post a question in Slack channel #tobs-devops.
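To record the SAML Response details as text rather than a screenshot, the decoding a SAML Message Decoder extension performs can be reproduced offline. The script below is an added example, not part of the original article or any VMware tooling; the sample message and the `idp.example.com` / `sp.example.com` names are constructed placeholders, and the script reads the message for troubleshooting only (it does not verify signatures).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_message(value: str) -> bytes:
    """Turn a captured SAMLRequest/SAMLResponse parameter value into XML bytes."""
    raw = base64.b64decode(unquote(value.strip()))
    if raw.lstrip().startswith(b"<"):
        return raw                    # HTTP-POST binding: base64 only
    return zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE + base64

def summarize_response(value: str) -> dict:
    """Extract the fields worth pasting into a ticket. Does NOT verify signatures."""
    xml = decode_saml_message(value)
    # A SAML message never needs a DTD; refuse it instead of feeding it to the parser.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(xml)
    # Top-level StatusCode comes first, then any nested second-level code.
    status = [c.get("Value", "").rsplit(":", 1)[-1]
              for c in root.iter("{%s}StatusCode" % NS["samlp"])]
    has_assertion = any(root.find(tag, NS) is not None
                        for tag in ("saml:Assertion", "saml:EncryptedAssertion"))
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": status,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage",
                                        namespaces=NS),
        "has_assertion": has_assertion,
    }

# Constructed sample: a failed Response from a placeholder IdP to a placeholder SP.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'Destination="https://sp.example.com/acs" InResponseTo="_req1">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>'
    '</samlp:StatusCode><samlp:StatusMessage>constructed sample</samlp:StatusMessage>'
    '</samlp:Status></samlp:Response>')
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for key, val in summarize_response(SAMPLE_POST_VALUE).items():
        print(f"{key}: {val}")
```

In the SAML 2.0 status vocabulary, a top-level `Requester` code attributes the error to the party that sent the request and `Responder` to the party that answered it, so the `status` and `issuer` fields together indicate which side to escalate to.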
See also:
To learn more about SAML technology, please see the link below.
Planning for SAML - https://developer.okta.com/docs/concepts/saml/#planning-for-saml