Hi everyone, I am trying to configure SAML SSO with one of our apps and I just cannot get it working. At the moment, I get caught in a loop which looks like it is loading my app but then I get a ‘Unable to validate the SAML message!’ error. We are using ADFS on premise as our provider. We are also using a custom domain. We think we have set up the ADFS correctly.

I have tried putting our custom domain in the Custom Runtime Settings page under ApplicationRootUrl but when I do this, I just get a generic ADFS error message that really doesn’t help. When I don’t have this, I visit the domain, let's say appname.mydomain.com, I see the page change to appname.mendixcloud.com/SSO, this then flashes up the front page of my application (so I know it has logged on ok), I then get a URL of fs.mydomain.com/adfs/ls and it then lands on appname.mendixcloud.com/SSO/assertion and I get the ‘Unable to validate the SAML message!’. I’ve read a few articles about adding the ApplicationRootUrl but this doesn’t help. I haven’t changed any of the default settings in the modeller such as DefaultLogonPage or SSOLandingPage.

The main problem I have now is that I can’t log on to the application at all using MxAdmin to check the SAML configuration (I think I may need to add a Claim?). If I go to app.mydomain.com/logon.html, I get prompted for credentials, but then I get stuck in the loop again. I'm assuming that I may have to deploy another version of the app to break the SAML config but then I may have to go back to our ADFS provider contact to recreate the settings and I’d rather not.

Any help or advice would be much appreciated. I know my description is a bit messy. Do I definitely need the ApplicationRootUrl setting?
Hi Ben, first take the redirect to /SSO/ off your index.html and possibly only on your login.html (or a button on your login.html for SSO). Duplicate the login.html and rename it, for instance to login3.html, and delete the redirect on this one so you can properly sign in again as Admin in the future. Then go into the log of your SAML page and dig up the requests and response and start analysing...
It sounds like someone did, like below:
I would suggest using SAML-tracer, a Firefox plugin, to test your setup. And depending on what is on the other side (Office 365 or Azure also has some good tools to test).
Then about the setup. You do not need to touch the login page. You should use a URL like this to directly go to your app:
That URL you should give to all SSO users. If you do not have a multi-tenant app you can put a button on your regular login page to redirect to that URL. This way mobile phone users etc. do not have to remember that URL but can just press that button when they want to login.
So your login page will still work for non-SSO users. Do not forget to reset the passwords once you configured everything, otherwise your SSO users could still login without using SSO.
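Both answers above come down to the same advice: get the actual SAML request and response out of the log or out of SAML-tracer and analyse them. As an added example (not part of this thread, and not Mendix or ADFS code), the Python script below reads a decoded SAML Response the way a service provider does before it accepts it, and reports the fields that typically disagree when a custom domain sits in front of the platform hostname: the `Destination` and `Recipient` URLs, the `Audience`, the IdP status code and the validity window. The sample response is constructed here using the hostnames from the question; the expected ACS URL and entity ID are assumptions, and the script does not verify the XML signature (that needs the IdP certificate and a SAML library).

```python
"""Sanity-check a decoded SAML Response against what the service provider expects.

Added example, not Mendix or ADFS code. Paste the XML of the Response that the
browser posts to /SSO/assertion (SAML-tracer shows it decoded) into
SAMPLE_RESPONSE, or call check_saml_response() with it directly.
Signature verification is deliberately out of scope here.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP configuration: the platform hostname vs. the custom domain from the question.
PLATFORM_ACS = "https://appname.mendixcloud.com/SSO/assertion"
CUSTOM_ACS = "https://appname.mydomain.com/SSO/assertion"
SP_ENTITY_ID = "https://appname.mendixcloud.com/"
# Fixed "now" values so the checks are reproducible (inside and after the validity window).
SAMPLE_NOW = datetime(2024, 5, 1, 10, 1, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 5, 1, 10, 10, 0, tzinfo=timezone.utc)

# Constructed response: the IdP addressed it to the platform hostname, not the custom domain.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="https://appname.mendixcloud.com/SSO/assertion">
  <saml:Issuer>http://fs.mydomain.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>http://fs.mydomain.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>ben@mydomain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="https://appname.mendixcloud.com/SSO/assertion"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://appname.mendixcloud.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    # SAML timestamps are UTC ("...Z"); ADFS may add fractional seconds, which we drop.
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected_acs_url, expected_audience, now=None):
    """Return a list of mismatch descriptions; an empty list means the basic checks pass."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)

    # 1. The IdP addressed the response to one URL; the SP compares it with the URL the
    #    browser actually posted to. A custom domain in front of the platform hostname
    #    is a classic reason for these to differ.
    dest = root.get("Destination")
    if dest != expected_acs_url:
        problems.append(f"Destination {dest!r} != ACS URL {expected_acs_url!r}")

    # 2. Anything other than Success here is reported by the IdP itself.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    code = status.get("Value") if status is not None else None
    if code != SUCCESS:
        problems.append(f"IdP status {code!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return problems

    # 3. Bearer confirmation must name the same endpoint and still be within its lifetime.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != expected_acs_url:
            problems.append(f"Recipient {scd.get('Recipient')!r} != ACS URL {expected_acs_url!r}")
        if scd.get("NotOnOrAfter") and now >= _parse_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired (clock skew between IdP and SP?)")

    # 4. Validity window and audience restriction from <Conditions>.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_time(nb):
            problems.append(f"assertion not yet valid: NotBefore={nb}, now={now.isoformat()}")
        if noa and now >= _parse_time(noa):
            problems.append(f"assertion expired: NotOnOrAfter={noa}, now={now.isoformat()}")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences!r} does not include SP entity ID {expected_audience!r}")
    return problems


if __name__ == "__main__":
    for acs in (PLATFORM_ACS, CUSTOM_ACS):
        found = check_saml_response(SAMPLE_RESPONSE, acs, SP_ENTITY_ID, now=SAMPLE_NOW)
        print(f"SP expecting {acs}: {found or 'basic checks pass'}")
```

Run it against the response you captured: a `Destination` or `Recipient` that carries one hostname while the browser posted the form to another is the first thing to compare when a custom domain is involved, and expiry findings with a correct URL usually point at clock drift between the ADFS server and the app rather than at the configuration.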