AnsweredAssumed Answered

SAML SSO via ADFS and proxy suddenly failing

Question asked by Spencer Varney on Feb 12, 2018
Latest reply on Apr 26, 2018 by Spencer Varney

Update: We have been told by Microsoft that ADFS cannot be configured to accept a different value in the affected field, and we have been told by folks at Canvas that we cannot alter or omit the offending field. We are continuing to look in to options.

 

Advance summary: New SAML Request attribute appears after updates, breaks our SAML SSO flow which uses a proxy. Looking for someone who knows ADFS and might be able to help.

 

After the recent updates listed here our SAML SSO up and broke. After a week of testing and troubleshooting I've determined that, in addition to the XML Namespace changes mentioned there was also an undisclosed addition to the SAML Request attributes: Destination.

 

In our setup, we have a proxy (TMG) that users log in with against our user portal (Sharepoint 2010). Our Log On URL in the Canvas admin settings for this authentication are pointing to that proxy. Previously when you try to log in, the user is redirected to that Log On URL along with the SAML request. User logs in, is redirected based on some internal traffic rules to our IdP (ADFS 3.0) which then receives the same, unaltered SAML request along with some additional NTLM auth information. The IdP authenticates the user, redirects with a SAML Response to Canvas and you're in.

 

Now, the same flow happens except the SAML request contains the Destination attribute. Unfortunately, it appears that this attribute's value is the same Log On URL that we have in the admin panel. Since that URL is for the proxy, it doesn't match what our IdP expects (it expects itself) and the logon fails.

 

I have tested this by intercepting the SAML request on its way to the proxy, rewriting it by updating the Destination attribute and then repacking it and sending it on. After I do this, the authentication works as expected.

 

I have a case open with Canvas support asking if anything can be done on their side. However in the meantime, does anyone know if this can be resolved on the ADFS side (which I know nothing about and have no access to). I was doing research and I see that in the binding we use for Canvas there is a Proxy Endpoints tab  (the next tab over in this image, I can't actually find an image online with that tab's contents); unfortunately it is greyed out for some reason I've yet to hear. Would that help? If not, any other ideas?

 

Thanks,

 

Spencer

Outcomes