Scribd Logo
Carica

Benvenuto in Scribd!

  • ADFS Troubleshoot

    Caricato da

    Sumit Malhotra
    213 visualizzazioni5 pagine
    ADFS Troubleshoot

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    ADFS Troubleshoot

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    213 visualizzazioni5 pagine

    ADFS Troubleshoot

    Caricato da

    Sumit Malhotra
    ADFS Troubleshoot

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 5

    10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community

    Services Tools Authentication: Microsoft…

    Subscriptions
    Authentication: Microsoft ADFS - Troubleshooting
    Guide Manage all My Subscriptions

    VIEW REVISIONS Subscribe

    Posted Oct 5, 2018 • Updated Oct 11, 2018 • Read 69 times

    LIMITED ACCESS - THIS PAGE IS RESTRICTED TO PROFESSIONAL SERVICES. SHARING A LINK TO THIS
    PAGE WILL NOT WORK FOR ALL COMMUNITY MEMBERS.

    Tool Type Tool / Template

    Deployment Stage Con gure & Prototype

    Product Authentication

    Audience Integration Consultant

    Services Product Lead Integrations


    Area

    Description
    This troubleshooting guide lists typical issues and errors encountered while con guring Microsoft ADFS
    instances to work with Workday authentication services for SAML authentication.

    Be sure to consult the issue resolution guide for general tips on troubleshooting issues: Issue Resolution
    Guide
     

    Table of Contents
    General Troubleshooting Steps
    Setup an single ADFS instance for multiple tenants
    End user session logged off of Workday, but browser "back" button allows access
    End user is prompted with a dropdown for all service providers con gured on the ADFS server
    No Identity providers are enabled or selected for this environment for SAML Issuer
    SAML response was not showing in the Signons and Attempted Signons report
    Unable to process PEM Encoded Certi cate. Reason: Unable to decode X.509 certi cates
    Signature is missing or does not refer to the entire message
    When signing in, receive "Bad Request - Invalid URL" response from ADFS server
    405 - HTTP verb used to access this page is not allowed
    Connection Timed Out
    Authentication Failure Message
    After enabling Enable SP Initiated SAML Authentication check box, IdP SSO SAML ow is still seen
    After submitting credentials to ADFS, an error occurs: Internal Error: Property
    'tenantLoginRedirectUrl'
    Validate SAML Message produces this error: "Could not parse SAML Message, for SAML Assertion
    token (web services), make sure you include <wsse:Security tag as it is used to verify the signature."

    General Guidance
    In general, consider the following items to narrow down what the issue may be:

    1. Does the issue impact all workers?


    2. Is the issue only impacting certain environments?
    3. Are there certain populations that are not affected?
    4. Can you manually create an account on ADFS and Workday and re-test?
    5. Can you trace the SAML ow from Workday to ADFS?
    1. Is the SAML message to ADFS correct?
    2. Are there ADFS logs to review?

    https://community.workday.com/pro-services/tools/453574#PowerShellConfiguration 1/5
    10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community
    3. SAML Tracing: Integrations KSS – 2 October 2015

    Speci c Troubleshooting Steps


    Issue: Setup an single ADFS instance for multiple tenants

    Potential Resolution:

    Some clients want to use the same ADFS instance for more than one tenant: two
    implementation tenants for example, or sandbox and production tenants. For this use case,
    it is possible to create more than one relying party on ADFS and set the tenant "Service
    Provider ID" elds to different values. Note that the "Service Provider ID" eld must start
    with the pre x "http://www.workday.com/", but identi ers can be added after the pre x such
    as
    http://www.workday.com/impl, http://www.workday.com/sbox, http://www.workday.com/prod,
    etc... Note that the
    "Service Provider ID" in Workday must match the "Relying Party Identi er" on the ADFS
    server. Please refer to the Setting up Relying Party section of the implementation guide.

    Issue: End user session logged off of Workday, but browser "back" button allows
    access

    Potential Resolution:

    Typically what is seen is the back button authenticates the user against ADFS and allows access back into
    the application. The "Signons and Attempted Signons" report shows the previous session (differentiated
    by the ID column on the report as being signed out, and a new session logged in. A trace will also show
    the user re-authenticating against ADFS.

    Things to try include:

    1. For and IDP-initiated sign-in, "Enable Workday Initiated Logout" with a logout request URL of
    "https://[server].[domain].com/adfs/ls/?wa=wsignoutcleanup1.0"
    2. Enable SP-initiated sign-in and enable the "Always Require IdP Authentication" option. This should
    force the user to re-login when authenticating with the ADFS instance.

    Issue: End user is prompted with a dropdown for all service providers con gured
    on the ADFS server

    Potential Resolution:

    The "loginToRp" query string set as as part of the Workday "Login Redirect URL" must match the "Relying
    party identi er" con gured on ADFS.

    Issue: No Identity providers are enabled or selected for this environment for SAML
    Issuer

    Here's what the error looks like on the Signons and Attempted Signons report:

    Potential Resolution #1:

    Check the environment restrictions set for the identity provider and ensure they are appropriate for the
    tenant that is returning the error message.
    SearchThe Workday Issuer value must match the
    Basics ADFS Federation
    Release Products Collaborate Services
    Service Identi er.

    https://community.workday.com/pro-services/tools/453574#PowerShellConfiguration 2/5
    10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community
    Potential Resolution #2:

    Ensure the "Issuer" speci ed on the Tenant Setup - Security page is the same as the one speci ed in
    the <Issuer> element on the SAML request.

    Issue: SAML response was not showing in the Signons and Attempted Signons
    report

    Potential Resolution:

    Incorrect end point set on ADFS. Assertions should point to https://wd5-impl.workday.com/tenant/login-


    saml.htmld instead of https://wd5-impl.workday.com/tenant/login.htmld

    Issue: Unable to process PEM Encoded Certi cate. Reason: Unable to decode
    X.509 certi cates

    Potential Resolution:

    This is due to a bad public key. Be sure that the key was cut & pasted correctly.

    Issue: Signature is missing or does not refer to the entire message.

    Potential Resolution:

    Run the powershell commands from the implementation guide.


    guide .

    Issue: When signing in, receive "Bad Request - Invalid URL" response from ADFS
    server

    Potential Resolution:

    One option is to un-install certain KBs and then re-install in the correct order:

    1) Remove KB2989956
    2) Remove KB2896713
    3) Remove KB2843638
    Then
    1) Install KB2843638
    2) Install KB2896713

    If the above is unsuccessful, another option if ADFS 2.0 generates a URL with an invalid query string, such
    as https://server.domain.com:443/adfs/ls/&authInProgress=XXXX is to try setting the URL to force a valid
    query string, such as: https://server.domain.com/adfs/ls/?parm=test. This URL should force ADFS to
    append a ? to the query string and thus generate a valid URL, something like:
    https://server.domain.com/adfs/ls/?parm=test&authInProgress=XXXX. Note how the query string now
    starts with a "?" and is a valid URL.

    Issue:  405 - HTTP verb used to access this page is not allowed

    Potential Resolution:

    Ensure the "IdP SSO Service" URL has a trailing slash (/):

    Should be: https://[ADFS Server].[ADFS Domain].com/adfs/ls/ not https://[ADFS Server].[ADFS


    Domain].com/adfs/ls

    https://community.workday.com/pro-services/tools/453574#PowerShellConfiguration 3/5
    10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community
    Issue: Connection Timed Out

    Potential Resolution:

    Ensure the "IdP SSO Service" URL is set to HTTPS and not HTTP.
    For example: https://[ADFS server].[ADFS Domain].com/adfs/ls

    Issue: Authentication Failure Message: The destination URL


    https://myworkday.com/tenant/login-saml.htmld End in SAML Assertion does not
    match with https://www.myworkday.com/tenant/login-saml. ex

    Potential Resolution:

    We came across this issue only once while modifying the "SAML Assertion Consumer Endpoint" on one of
    the ADFS servers from login-saml. ex to login-saml.htmld and removing the "www." subdomain. After
    retrying a few times over 5-10 minutes, the issue resolved itself. It seems the change took some time to
    propagate across the ADFS domain servers.

    *** UPDATE 7/13/2016: Do not use "my.workday.com" as the base url, the "www"
    subdomain must be used, so a URL of "https://www.myworkday.com/tenant/login-
    saml.htmld" should be used.

    Issue: After enabling Enable SP Initiated SAML Authentication check box, IdP SSO


    SAML ow is still seen in traces.

    On ADFS, users are able to login when selecting the back button on the browser or navigating back to the
    Workday tenant's home page.

    Potential Resolution:

    Ensure the "Login Redirect URL" has been changed to "login-saml2.htmld". If Workday is still redirecting to
    the ADFS IdP page ("idpinitiatedSignon.aspx"), then the logins will continue to be IdP. The login redirect
    URL must be updated to login-saml2.htmld so the SAML request is sent to the IdP.

    Issue: After submitting credentials to ADFS, an error occurs: Internal Error:


    Property 'tenantLoginRedirectUrl' not found on type
    com.workday.ui.gateway.login.LoginInfo

    Signons report shows "Signature cannot be veri ed" error.

    https://community.workday.com/pro-services/tools/453574#PowerShellConfiguration 4/5
    10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community
    Potential Resolution:

    Multiple "Token-signing" certi cates were in use on the ADFS server. Matching the certi cate sent in the
    SAML response to the x509 Certi cate speci ed for the SAML Identity Provider in the Workday tenant
    identi ed & resolved the issue. The ADFS Token-signing certi cate is sent in the SAML response in
    the /samlp:Response/ds:Signature/KeyInfo/ds:X509Data/ds:X509Certi cate element. The X509Certi cate
    value must match the x509 Certi cate speci ed in Workday for the SAML Identity Provider.

    Issue: Validate SAML Message produces this error: "Could not parse SAML
    Message, for SAML Assertion token (web services), make sure you include
    <wsse:Security tag as it is used to verify the signature."

    Potential Resolution:

    Ensure the destination URL on the IdP is con gured correctly.

    Ensure the downstream system is not sending an encrypted assertion. Per this brainstorm, encrypted
    assertions are not currently supported.

    FOLLOW WORKDAY

    Where great minds meet for shared success.


    Workday is 100% green powered Contact Us Community Policy Privacy Legal © 2018 Workday, Inc.

    https://community.workday.com/pro-services/tools/453574#PowerShellConfiguration 5/5

    Potrebbero piacerti anche