
Active Directory SAML authentication fails with Server Error

scdladmin

Community Member, 4 Posts

11 October 2015 at 6:55am

Test web server is Debian 8 / LAMP / Silverstripe 3+
ADFS server is W2K8 R2 SP1 with ADFS 2, update rollup 3 installed

I’ve followed the documentation on github for the silverstripe/activedirectory module.
Have established the trust relationship between the servers and followed the documentation for SAML configuration. I did not disable the MemberAuthenticator, nor set SAML as the default.

At this point, the documentation states that authentication should be possible, however attempts at authenticating via SAML or the Email/Password result in a message: "Server Error. There was a problem with handling your request." I would note that the default Email/Password login stopped working after the installation of the activedirectory module, prior to any configuration changes.

I have already followed threads regarding ADFS 2 and Security Update 2843638 and have uninstalled this update, since hotfix 2896713 fails to install on that server.

I’m stuck at this point and would like to know what others had to do to get this module functioning.

TIA
Rick

scdladmin

Community Member, 4 Posts

18 October 2015 at 6:19am

Update on this.

A reinstall of Silverstripe and the activedirectory module restored email/password authentication. Silverstripe is now version 3.2.

Configuring SAML authentication ONLY (no LDAP):
First login via SAML credentials results in message that user is not authorized to view the page.
Login via email/password with default admin and see the user has been added but no group assignments. Place the user in a group.
Login via SAML with user again is now successful.

Next try to configure LDAP.
After adding ldap.yml, updating certificates again and reloading, neither SAML nor LDAP authentication work. Result is the same Server Error as described in original post.
After installing, I have used ldapsearch to confirm a non-secure connection to the AD domain controller. (ldapsearch does not perform a DNS query on the host.)
Tried removing/disabling parameters in ldap.yml to require either SSL or TLS, but both SAML and LDAP authentication still fail.
Attempts at using browser with URL https://siteroot/LDAPDebugController result in Page Not Found.

I have re-checked all prerequisites listed in documentation, but there wasn't anything that I missed.
So, I can only deduce that LDAP needs something other than what is documented in order to function.

What did others have to add/configure/change to get the LDAP portion to work?
While removing it does restore SAML authentication, the LDAP synchronizations and group mappings are important features in our environment that I would like to have working.

TIA
Rick