Troubleshooting ADFS SSO Integrations

Version

Cb Response 5.x

Topic

This article helps diagnose problems between the Cb Response Server and ADFS. The following list shows messages you may see in /var/log/cb/coreservices/debug.log, together with possible responses to correct each problem.

Steps

First, follow the steps provided in this guide:

Enable Verbose Debugging for SSO/SAML

IdP SP Mismatch

File "/usr/lib/python2.6/site-packages/saml2/response.py",
line 554, in condition_ok
raise Exception("Not for me!!!")
Exception: Not for me!!!

There could be a mismatch between what is sent by the IdP and what is expected by the SP. This could be a simple case where the FQDN described in the metadata file contains upper-case characters and the assertion contains only lower-case characters. Changing the case so that it is consistent throughout should help to resolve this problem.

Clock Mismatch

File "/usr/lib/python2.6/site-packages/saml2/validate.py",
line 97, in validate_before
raise Exception("Can't use it yet %d <= %d" % (nbefore, now))
Exception: Can't use it yet 1422811221 <= 1422811211

There is a mismatch in the clocks of ADFS and the Carbon Black Enterprise Server. Synchronizing the clocks should help resolve this problem.
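The two failures above (audience/entity ID case mismatch and clock skew) are both rejections of the assertion's <Conditions> element. The following added example, which is not Cb Response or pysaml2 code, parses a constructed assertion fragment and reports why it would be rejected; the SP entity ID and hostnames are placeholders, and the NotBefore timestamp is chosen so that its epoch value equals the 1422811221 shown in the log line above.

```python
"""Added diagnostic example (not Cb Response or pysaml2 code): check a SAML
assertion's <Conditions> against the SP entity ID and the local clock."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment; hostname and path are placeholders.
# NotBefore 2015-02-01T17:20:21Z is epoch 1422811221, the value in the log above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2015-02-01T17:20:21Z" NotOnOrAfter="2015-02-01T17:25:21Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cbserver.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC ISO-8601 timestamps used in SAML condition attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, sp_entity_id, now, allowed_skew=60):
    """Return a list of findings explaining why the assertion would be rejected.

    Finding kinds:
      audience-case-mismatch  Audience equals the SP entity ID except for case
                              (the "Not for me!!!" failure; fix the case).
      audience-mismatch       Audience differs outright (wrong metadata).
      not-yet-valid           NotBefore is after now by more than allowed_skew
                              (the "Can't use it yet" failure; sync clocks).
      expired                 NotOnOrAfter has already passed.
    allowed_skew (seconds) tolerates small clock drift between IdP and SP.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    findings = []

    for aud in cond.findall("saml:AudienceRestriction/saml:Audience", NS):
        if aud.text == sp_entity_id:
            continue
        if aud.text.lower() == sp_entity_id.lower():
            findings.append(("audience-case-mismatch", aud.text, sp_entity_id))
        else:
            findings.append(("audience-mismatch", aud.text, sp_entity_id))

    now_ts = int(now.timestamp())
    nbefore = int(parse_saml_time(cond.get("NotBefore")).timestamp())
    nafter = int(parse_saml_time(cond.get("NotOnOrAfter")).timestamp())
    if nbefore > now_ts + allowed_skew:
        findings.append(("not-yet-valid", nbefore, now_ts))
    if nafter + allowed_skew <= now_ts:
        findings.append(("expired", nafter, now_ts))
    return findings


if __name__ == "__main__":
    # Reproduce the log line: SP clock is 10 s behind the IdP (now = 1422811211).
    sp_now = parse_saml_time("2015-02-01T17:20:11Z")
    for finding in check_conditions(SAMPLE_ASSERTION, "https://cbserver.example.com/sp",
                                    sp_now, allowed_skew=0):
        print(finding)
```

With allowed_skew=0 the function reports the same pair of numbers as the log line ("not-yet-valid", 1422811221, 1422811211); with a small skew allowance the 10-second drift is tolerated, which is why synchronizing clocks (or, where the SP supports it, allowing a few seconds of skew) resolves the problem. Passing an SP entity ID that differs from the Audience only in case yields the audience-case-mismatch finding that corresponds to the "Not for me!!!" exception.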

SAML assertion signature failure

<err>  saml2.sigver - correctly_signed_response: http://<FQDN-of-ADFS>/adfs/services/trust
<err>  saml2.entity - Signature Error: http://<FQDN-of-ADFS>/adfs/services/trust

It is possible that there is a problem with the signature of the SAML assertion. This can be resolved by ensuring that both the IdP and SP metadata files accurately reflect the current configuration of the IdP and SP. Solving this error may involve retrieving a new IdP metadata file from https://<FQDN-of-ADFS>/FederationMetadata/2007-06/FederationMetadata.xml and generating a new SP metadata file by running the following command:

  /usr/share/cb/cbssl sso --make-metadata > /tmp/cb-metadata.xml
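A common reason the signature check fails is that the SP's copy of the IdP metadata no longer lists the certificate ADFS is actually signing with (for example after ADFS rolls its token-signing certificate). The following added example, which is not Cb Response or pysaml2 code, compares the signing certificate in a SAML response's ds:KeyInfo with the signing certificates declared in the IdP metadata on disk. The "certificates" are constructed stand-in byte strings rather than real DER certificates, and the entity ID is a placeholder; the comparison hashes the decoded bytes, so the logic is the same for real ones. It checks key identity only; the cryptographic signature verification itself is done by pysaml2.

```python
"""Added diagnostic example (not Cb Response or pysaml2 code): does the IdP
metadata the SP holds trust the certificate that signed this response?"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def fingerprint(b64_text):
    """SHA-256 of the decoded certificate bytes. Whitespace and line wrapping
    are stripped first, since metadata files and responses wrap base64 differently."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(metadata_xml):
    """Fingerprints of the certificates the IdP metadata declares for signing.
    A KeyDescriptor without a 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        fps.update(fingerprint(c.text) for c in kd.iter(DS + "X509Certificate"))
    return fps


def response_signing_fingerprints(response_xml):
    """Fingerprints of the certificates carried in the response's ds:KeyInfo."""
    root = ET.fromstring(response_xml)
    return {fingerprint(c.text) for c in root.iter(DS + "X509Certificate")}


def diagnose_signature_trust(metadata_xml, response_xml):
    """Return (trusted, detail). trusted is False when the response was signed
    with a certificate that the SP's copy of the IdP metadata does not list."""
    trusted = metadata_signing_fingerprints(metadata_xml)
    presented = response_signing_fingerprints(response_xml)
    if presented & trusted:
        return True, "response signing certificate matches IdP metadata"
    return False, ("response signed with %s but IdP metadata trusts %s; refresh the "
                   "IdP metadata from FederationMetadata.xml and regenerate SP metadata"
                   % (sorted(presented), sorted(trusted)))


# --- constructed sample data: placeholders, not real certificates ---
OLD_CERT = base64.b64encode(b"stand-in for the previous ADFS token-signing cert").decode()
NEW_CERT = base64.b64encode(b"stand-in for the current ADFS token-signing cert").decode()
ENC_CERT = base64.b64encode(b"stand-in for the ADFS token-encryption cert").decode()


def wrap64(text, width=40):
    """Line-wrap base64 the way metadata files usually do."""
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def make_idp_metadata(signing_cert_b64):
    """Minimal IdP metadata (placeholder entityID) with a signing cert and an
    unrelated encryption cert, which must not count as a trusted signer."""
    return """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (wrap64(signing_cert_b64), wrap64(ENC_CERT))


STALE_IDP_METADATA = make_idp_metadata(OLD_CERT)    # what the SP still has on disk
CURRENT_IDP_METADATA = make_idp_metadata(NEW_CERT)  # freshly downloaded from ADFS

# A response signed with the current certificate (unwrapped base64, as ADFS emits it).
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>""" % NEW_CERT

if __name__ == "__main__":
    print(diagnose_signature_trust(STALE_IDP_METADATA, SIGNED_RESPONSE))
    print(diagnose_signature_trust(CURRENT_IDP_METADATA, SIGNED_RESPONSE))
```

Run against the stale metadata the check fails and names the mismatch; against the refreshed metadata it passes even though the certificate is line-wrapped there and unwrapped in the response, which is why the comparison normalises whitespace before hashing. On a real server, the metadata to feed in is the IdP file downloaded from the FederationMetadata.xml URL above, and the response is the base64-decoded SAMLResponse captured with verbose SSO/SAML debugging enabled.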

xsrf_token Error

File "/usr/lib/python2.6/site-packages/werkzeug/local.py",
line 363, in <lambda>
    __getitem__ = lambda x, i: x._get_current_object()
KeyError: '_xsrf_token'

It is possible that the SAML assertion contains characters that the Carbon Black Enterprise Server interpreted as a cross-site request forgery. This is a known issue, which does not affect the SSO functionality. Upgrade to the latest version of Cb Response.

Creation Date: 12-22-2016