svarney
Community Participant

SAML SSO via ADFS and proxy suddenly failing

Update: We have been told by Microsoft that ADFS cannot be configured to accept a different value in the affected field, and we have been told by folks at Canvas that we cannot alter or omit the offending field. We are continuing to look in to options.

Advance summary: New SAML Request attribute appears after updates, breaks our SAML SSO flow which uses a proxy. Looking for someone who knows ADFS and might be able to help.

After the recent updates listed here our SAML SSO up and broke. After a week of testing and troubleshooting I've determined that, in addition to the XML Namespace changes mentioned, there was also an undisclosed addition to the SAML Request attributes: Destination.

In our setup, we have a proxy (TMG) that users log in with against our user portal (SharePoint 2010). Our Log On URL in the Canvas admin settings for this authentication is pointing to that proxy. Previously, when you tried to log in, the user was redirected to that Log On URL along with the SAML request. The user logs in, is redirected based on some internal traffic rules to our IdP (ADFS 3.0), which then receives the same, unaltered SAML request along with some additional NTLM auth information. The IdP authenticates the user, redirects with a SAML Response to Canvas and you're in.

Now, the same flow happens except the SAML request contains the Destination attribute. Unfortunately, it appears that this attribute's value is the same Log On URL that we have in the admin panel. Since that URL is for the proxy, it doesn't match what our IdP expects (it expects itself) and the logon fails.

I have tested this by intercepting the SAML request on its way to the proxy, rewriting it by updating the Destination attribute and then repacking it and sending it on. After I do this, the authentication works as expected.

I have a case open with Canvas support asking if anything can be done on their side. However, in the meantime, does anyone know if this can be resolved on the ADFS side (which I know nothing about and have no access to)? I was doing research and I see that in the binding we use for Canvas there is a Proxy Endpoints tab (the next tab over in this image; I can't actually find an image online with that tab's contents); unfortunately it is greyed out for some reason I've yet to hear. Would that help? If not, any other ideas?

Thanks,

Spencer
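The failure described in the post comes down to one rule in SAML 2.0 Core: when an AuthnRequest carries a Destination attribute, the receiver must check that it names the endpoint the message actually arrived at and discard the request otherwise. The following is an added diagnostic, not code from the original post or from Canvas or ADFS. It builds a constructed AuthnRequest in the shape described above (Destination set to a hypothetical proxy URL), packs and unpacks it the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding), extracts the endpoint attributes, and applies the same Destination check an IdP such as ADFS applies, so an admin can confirm from a captured SAMLRequest parameter whether the value matches the IdP's own SSO endpoint. All hostnames are placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not a real capture). As in the post, the SP
# fills Destination with the configured Log On URL, which is the proxy rather
# than the IdP. Every hostname here is a hypothetical placeholder.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest
    xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_example-request-id" Version="2.0" IssueInstant="2018-01-01T00:00:00Z"
    Destination="https://proxy.example.edu/saml/login"
    AssertionConsumerServiceURL="https://canvas.example.edu/saml_consume">
  <saml:Issuer>https://canvas.example.edu/saml2</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """Pack an AuthnRequest as the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header), base64, then URL-encode for the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_binding(saml_request_param: str) -> str:
    """Reverse of encode_redirect_binding: URL-decode, base64-decode, inflate."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode("utf-8")


def extract_endpoints(xml_text: str) -> dict:
    """Pull the endpoint-related fields out of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest element")
    return {
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip(),
    }


def check_destination(xml_text: str, idp_sso_url: str) -> tuple:
    """Apply the SAML Core rule: if Destination is present it must identify the
    endpoint that received the message. An exact string comparison is used here
    as an assumption; a real IdP may normalise the URL before comparing.
    Returns (ok, reason)."""
    dest = extract_endpoints(xml_text)["destination"]
    if dest is None:
        return True, "no Destination attribute present; nothing to compare"
    if dest == idp_sso_url:
        return True, "Destination matches the IdP endpoint"
    return False, f"Destination {dest!r} does not match IdP endpoint {idp_sso_url!r}"


if __name__ == "__main__":
    # Round-trip through the binding, then run the check against a placeholder
    # ADFS endpoint: this reproduces the mismatch the post describes.
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    decoded = decode_redirect_binding(param)
    print(extract_endpoints(decoded))
    print(check_destination(decoded, "https://adfs.example.edu/adfs/ls/"))
```

To diagnose a live flow, paste the SAMLRequest query parameter from the redirect to the Log On URL into decode_redirect_binding and pass the result to check_destination together with the IdP's SSO endpoint; a False result with the proxy URL in the reason is exactly the condition that makes ADFS reject the request.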

5 Replies
kona
Community Coach

@svarney , due to the highly technical nature of this question I've shared it with the https://community.canvaslms.com/groups/canvas-developers?sr=search&searchId=f21d3a98-5328-41e5-b404-... group in the Community. They are the ones who specialize in this type of stuff and can hopefully help! You might also consider joining their group so you have access to their resources and information.

Kona

svarney
Community Participant

Hey Kona, I figured I'd start here seeing as it may be viewed as an extension to an admin configuration. Thanks!

kona
Community Coach

Canvas Admins isn't a bad place to start because many Admins do have this technical knowledge. Yet, not all do (like me!), whereas all of the Canvas Developer people are into this type of back-end Canvas stuff. Normally I share questions like this with both the Admins and Developers, but since you already posted it to Admins you saved me a step! 🙂

Robbie_Grant
Community Coach

@svarney ,

We are giving the Canvas Admins area a little bit of love and just want to check in with you. This will also bring this question new attention.

Were you able to find an answer to your question? I am going to go ahead and mark this question as answered because there hasn't been any more activity in a while, so I assume that you have the information that you need. If you still have a question about this or if you have information that you would like to share with the community, by all means, please do come back and leave a comment. Also, if this question has been answered by one of the previous replies, please feel free to mark that answer as correct.


Robbie

svarney
Community Participant

Hey @Robbie_Grant ,

Thanks for the reminder. The answer remains what was provided in the update up top:

We have been told by Microsoft that ADFS cannot be configured to accept a different value in the affected field, and we have been told by folks at Canvas that we cannot alter or omit the offending field.

For this reason our workflow has been permanently broken until we are able to move away from our current [outdated] authentication setup, which we cannot do until the systems that rely upon that setup are also updated / replaced.

Regards,

Spencer