SAML2 Setup Issues

I am running two servers side by side load balanced with F5.
I have a DFS share setup between the two to share the repositories along with a SQL Server setup. I was able to successfully implement the server so HTTPS can work.

I am now trying to get Single Sign On with SAML2 to work.
I used the GUI to set this up, and did notice a bug where values disappear when trying to edit the information by saving and navigating away. However, here are my settings:

Set-PSUAuthenticationMethod -Type "Saml2" -Disabled -CallbackPath "https://powershelluniversal.mydomain.com/" -MetadataAddress "https://sso.mydomain.com/FederationMetadata.xml" -EntityId "https://powershelluniversal.mydomain.com/sp" -IdentityProviderEntityId "http://sso.mydomain.com/adfs/services/trust" -ServiceCertificate "powershelluniversal.mydomain.com"

I set it up manually on the ADFS side with the certificate, to send the following claims:
name & role. I can see the token issued, but get a 500 when trying to access anything. Is there anything additional I need to setup? I had mapped the Administrator role to the claim. I am seeing this in the log:

No authentication handler is registered for the scheme 'Saml2'. 
Product: PowerShell Universal
Version: 3.0.5

Can you please restart the PSU service to see if it resolves the issue with the registered scheme error? I’ve seen this before. I’ll open an issue to track it.


Hey @adam; restart produces the same message in the log.
I did provide the full logs in a support ticket. Let me know if you need more logs or anything else I can do to help track this down. :slight_smile:

I have the endpoint on ADFS set up as below, but I do not see it redirecting to ADFS and back.

https://powershelluniversal.mydomain.com/Saml2/Acs

Ok. I can review the full logs to see what may be happening.


Thank you @adam ! Let me know if I need to provide updated logs or do any further testing.

@adam
I also spun up a test server with the latest v2 build and get the same message about Saml2 occasionally. I was also getting a message that it could not find the certificate I specified in the store, even in the root certificate store. I exported it to the temp directory to try that, and when I went to specify the password I got the following message in the log:

2022-07-01 12:40:13.619 -04:00 [ERR] Failed to read configuration file. authentication.ps1
System.Management.Automation.ParameterBindingException: A parameter cannot be found that matches parameter name 'ServiceCertificatePassword'.
   at UniversalAutomation.PowerShellSerializer`1.Deserialize(String script, IDatabase database, IConfigurationService configService) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\PowerShellSerializer.cs:line 34
   at UniversalAutomation.Services.ConfigurationScript`1.ReadAsync(Boolean initialSync) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Configuration\ConfigurationScript.cs:line 180

I was able to somewhat get it working.
I had to disable encryption on the outgoing claims from the ADFS Server and not provide the -ServiceCertificate. This seems to allow Administrators access to dashboards and the admin interface. However, other roles are getting a 500 on the dashboards, even on ones that do not require authentication.

I tried with and without a claim for ‘Users’, including ensuring that $true was set in the roles.ps1 for Users.
I can see in the log that ‘Users’ role was applied to my test user, but all dashboards produce 500.
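For reference, this is the shape of a roles.ps1 that maps the SAML role claim to the Administrator role and grants the Users role unconditionally, which is what the posts above describe trying. It is an added illustration written for this thread, not configuration taken from the original posts or from the PowerShell Universal project; the role names follow the thread, while the claim type URI is an assumption that it matches the claim type ADFS was configured to send, and the helper New-PSUClaimReport is a hypothetical name used only to show how to log the claims a user actually arrives with when a role unexpectedly fails to apply.

```powershell
# roles.ps1 (added example for this thread; not from the original posts or the PSU project)

# Assumption: ADFS issues the role claim with the standard WS-Federation role claim type.
# If ADFS was configured with a custom outgoing claim type, this string must match it exactly.
$RoleClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Hypothetical helper (not a PSU cmdlet): list the claims on the principal so a role
# that fails to apply can be compared against what the identity provider actually sent.
function New-PSUClaimReport {
    param($User)
    $User.Claims | ForEach-Object { "{0} = {1}" -f $_.Type, $_.Value }
}

# Administrator: only principals carrying the mapped role claim value.
New-PSURole -Name 'Administrator' -Description 'Full access to the admin interface.' -Policy {
    param($User)
    $User.HasClaim($RoleClaimType, 'Administrator')
}

# Users: returns $true so every authenticated principal receives the role,
# matching the "$true was set in roles.ps1 for Users" configuration in the thread.
New-PSURole -Name 'Users' -Description 'Any authenticated user.' -Policy {
    param($User)
    $true
}
```

The policy scriptblock receives the authenticated ClaimsPrincipal as $User, so $User.HasClaim and $User.Claims are the .NET members of that object rather than anything PSU-specific; if the Administrator policy never matches, the first thing to check is that the claim type and value in the report match the strings used in the policy character for character.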