Hi, Morpheus experts.
I wanted to ask you about SAML SSO integration. I am trying to integrate SAML SSO with ADFS and got a SAML error.
Login succeeded, but Morpheus then showed the following error message.
The Morpheus log contained the same error message.
2023-11-09_03:54:44.67999 [2023-11-09 03:54:44,691] [http-nio-127.0.0.1-8080-exec-9]
WARN c.b.p.SamlUserService - An Account processing exception has occurred: com.bertramlabs.plugins.AccountsException: No NameID found in the subject of the SAMLResponse.
(1) This is the SAML metadata that Morpheus generated. This XML was used to register Morpheus as a relying party trust in ADFS.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- SP (service provider) metadata generated by Morpheus. The entityID is the value the IdP has to echo back as <Audience> in the assertion (it does, see the response below). -->
<EntityDescriptor entityID="https://morpheus.test/saml/u1Pg0ioHb"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<!-- AuthnRequestsSigned and WantAssertionsSigned are both "false": the SP advertises that it does not sign its AuthnRequests and does not require signed assertions. ADFS signs the assertion anyway (see the ds:Signature in the response); SP-side validation should still require and verify that signature rather than rely on this advertised flag. -->
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<!-- The SP asks for a NameID in the "unspecified" format (any format accepted). The ADFS response below carries no <NameID> at all inside <Subject>, which is exactly what the "No NameID found in the subject of the SAMLResponse" log error reports. -->
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<!-- Assertion Consumer Service: the endpoint ADFS POSTs the SAMLResponse to. NOTE(review): the host (morpheus-5-mgt.helionit.io) and callback id (m2zthjBEi) here differ from the entityID host and from the Destination/Recipient values in the response (callback u1Pg0ioHb); presumably partial redaction, but a real mismatch would be expected to fail the SP's Destination/Recipient checks. -->
<AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://morpheus-5-mgt.helionit.io/externalLogin/callback/m2zthjBEi"/>
</SPSSODescriptor>
</EntityDescriptor>
(2) The XML below is the response received from ADFS, as captured in the Morpheus log after sign-in.
This SAML response contains no “NameID”. How can I get ADFS to include a NameID in the response?
<samlp:Response ID="_e6d14f0f-a796-4772-b835-b7c772bce97f" Version="2.0" IssueInstant="2023-11-10T03:38:37.198Z" Destination="https://morpheus.test/externalLogin/callback/u1Pg0ioHb" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_c8073cf8b357bc0e0bf0e3a171e7132864a8d1ef040d2eba375b5e1dcf11541f"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<!-- Response-level Issuer. NOTE(review): the host is redacted differently here (adfs.*****) than in the Assertion's Issuer (adfs.test); presumably the same value in the real capture. No ds:Signature is present directly under samlp:Response in this capture; only the Assertion is signed (see below). -->
<Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.*****/adfs/services/trust
</Issuer>
<!-- Status "Success": ADFS considers the authentication complete. The error in the log comes from the SP while processing the Subject of this response, not from ADFS. -->
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<!-- The assertion itself. Its ID is what the enveloped signature's Reference URI points at. -->
<Assertion ID="_06ca0c80-22a8-4c6f-884c-b6acc0d5fcbd" IssueInstant="2023-11-10T03:38:37.198Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://adfs.test/adfs/services/trust</Issuer>
<!-- Enveloped XML-DSig over the Assertion (Reference URI="#_06ca0c80..." equals the Assertion ID): exclusive C14N, RSA-SHA256 signature, SHA-256 digest. The SP should verify this against the ADFS signing certificate it has on file for the IdP, not solely against the certificate carried in-band in KeyInfo. -->
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_06ca0c80-22a8-4c6f-884c-b6acc0d5fcbd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>OPNtCTGnETZ801SdXE2NjNvFMaR6kHGx7Z/+BH/grnc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Exn2MDa1qlgsN+aKW8xdZvsstePtNtPAX6yr5lBZai3uSFacBP3EeYw1ENZiZZUuIaxldaw3rxFSGXeZ9b+XW8jbd5K32Rsn5dBf7PN1vaiUD7TSx5+Fu7hYMvfOxReoCjEexlQ4cnv7xxqrZKeLQZDA0T3H1f2zRfP1X0lp14UfxQ+z9SbzFLtRzptuJbJgr2t2cR2rgZ9UfbtlXw4NVCpWY9J5tK4b7oyrywypZL9uWdXQJDv58Iw2u0YWf8d+FHtRAw8E1GudulIyzuF0XrnWqqNKrotU6YA8jA/+Qy1cEL3A1RncVQAgsTiZRHUSTsZ/oz4eIdF+PjUwcnZfQQ==</ds:SignatureValue>
<!-- KeyInfo re-declares the xmldsig namespace as the default instead of using the ds: prefix. Same namespace URI, so this is equivalent to ds:KeyInfo. The certificate value was removed from this capture. -->
<KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<!-- Subject holds only a bearer SubjectConfirmation; there is no <NameID> child. This is the element the SP rejects ("No NameID found in the subject of the SAMLResponse"). A NameID has to be emitted by the IdP; with ADFS that is typically done through a claim rule on the relying party trust whose outgoing claim type is Name ID. -->
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<!-- Bearer confirmation data: InResponseTo ties this to the SP's AuthnRequest, NotOnOrAfter is 5 minutes after IssueInstant (replay bound), Recipient is the ACS URL the SP is expected to compare against its own callback URL. -->
<SubjectConfirmationData InResponseTo="_c8073cf8b357bc0e0bf0e3a171e7132864a8d1ef040d2eba375b5e1dcf11541f" NotOnOrAfter="2023-11-10T03:43:37.198Z" Recipient="https://morpheus-5-mgt.helionit.io/externalLogin/callback/u1Pg0ioHb" />
</SubjectConfirmation>
</Subject>
<!-- One-hour validity window (NotBefore to NotOnOrAfter). The Audience equals the SP entityID from the metadata above, so the audience restriction is satisfied. -->
<Conditions NotBefore="2023-11-10T03:38:37.196Z" NotOnOrAfter="2023-11-10T04:38:37.196Z">
<AudienceRestriction>
<Audience>https://morpheus.test/saml/u1Pg0ioHb</Audience>
</AudienceRestriction>
</Conditions>
<!-- Authentication context: password over a protected transport. -->
<AuthnStatement AuthnInstant="2023-11-10T03:38:37.144Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
<!-- No <AttributeStatement> is present either: besides lacking a NameID, the assertion carries no user attributes at all. -->
</Assertion>
</samlp:Response>