SAML authentication issue with ADFS (2-factor authentication for our vCloud Director (VMware) with the help of DUO Security)


  • Hi Team,

    We are trying to introduce 2-factor authentication for our vCloud Director (VMware) with the help of DUO Security.

    I'm getting the "SAML authentication failed" error at the final stage and don't know where I need to check. Could you please advise? I'm suspecting something here in the ADFS relying party trust. As per the below URL, I followed the given steps (from step 8 to step 11):

    "fojta.wordpress.com/2016/11/22/configure-active-directory-federation-for-vcloud-director-organization/"


    Steps

    1) DUO admin console (got the JSON file from here)
    2) DAG (Linux machine) ---> Active Directory is acting as the authentication source (in the DAG URL, at the bottom of the metadata section, we got the XML file of the DAG)
    3) vCloud Director ---> We got the SAML metadata (i.e. the VCD XML file).
    4) AD server ---> In the relying party trust (ADFS)

    Process

    1) DUO JSON file downloaded and then uploaded the JSON file in the DAG gateway (Application section)
    2) In the DAG, we downloaded the XML file in the application's metadata section and uploaded the XML file under the vCloud Director Federation "SAML" section.
    3) In vCloud Director, we downloaded the XML file from the SAML field and uploaded the same file in the relying party trust (ADFS), i.e. the AD server.



    When I try to log in to vCloud Director:

    1) First authentication is AD credentials ---> successful
    2) Second authentication is DUO push ---> successful
    3) After landing on the vCloud page, I got an error at https://globalvcd.usinternal.com/cloud/failure.jsp

    Error is: SAML authentication failed for this organization.


    2019-08-21 05:02:17,763 | DEBUG    | pool-jetty-70             | CustomWebSSOProfileConsumerImpl | Validation of authentication statement in assertion _4756984f02c6a40c1e64fa24782790752934f60930 was successful | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,763 | DEBUG    | pool-jetty-70             | CustomWebSSOProfileConsumerImpl | Including attribute sAMAccountName from assertion _4756984f02c6a40c1e64fa24782790752934f60930 | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,763 | DEBUG    | pool-jetty-70             | CustomWebSSOProfileConsumerImpl | Including attribute mail from assertion _4756984f02c6a40c1e64fa24782790752934f60930 | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,763 | DEBUG    | pool-jetty-70             | CustomWebSSOProfileConsumerImpl | Including attribute duo_username from assertion _4756984f02c6a40c1e64fa24782790752934f60930 | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,763 | INFO     | pool-jetty-70             | SAMLDefaultLogger              | AuthNResponse;SUCCESS;10.128.7.39;https://globalvcd.usinternal.com/cloud/saml/metadata/alias/vcd;https://globalduolab.usinternal.com/dag/saml2/idp/metadata.php;rrajarathinam@xxx.com;; | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,764 | DEBUG    | pool-jetty-70             | CustomSamlProcessingFilter     | Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.providers.ExpiringUsernameAuthenticationToken@b277c90f: Principal: rrajarathinam@xxx.com; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,771 | ERROR    | pool-jetty-70             | JDBCExceptionReporter          | ERROR: syntax error at or near ")"
      Position: 136 | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,777 | WARN     | pool-jetty-70             | SamlAuthenticationSuccessHandler | Error logging in user name=rrajarathinam@xxx.com, email=rrajarathinam@xxx.com, groups= | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    2019-08-21 05:02:17,777 | DEBUG    | pool-jetty-70             | SamlAuthenticationSuccessHandler | Login failure details for user name=rrajarathinam@xxx.com | requestId=26f60f01-5ff1-4d08-b678-86209157fafe,request=POST https://globalvcd.usinternal.com/cloud/saml/SSO/alias/vcd,requestTime=1566378137528,remoteAddress=10.128.7.39:57755,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=text/html application/xhtml+xml application/xml;q 0.9 image/webp image/apng */*;q 0.8 application/signed-exchange;v b3
    org.hibernate.exception.SQLGrammarException: could not execute query
            at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:90)
            at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:66)
            at org.hibernate.loader.Loader.doList(Loader.java:2231)
            at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2125)
            at org.hibernate.loader.Loader.list(Loader.java:2120)
            at org.hibernate.loader.criteria.CriteriaLoader.list(CriteriaLoader.java:118)
            at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1596)
            at org.hibernate.impl.CriteriaImpl.list(CriteriaImpl.java:306)
            at org.hibernate.impl.CriteriaImpl.uniqueResult(CriteriaImpl.java:328)
            at sun.reflect.GeneratedMethodAccessor175.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    Thanks,

    Manivel RR

    Wednesday, August 21, 2019 11:46 AM
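A small triage helper for the vCD log layout quoted in the post, added here as an example and not part of the original post or of vCloud Director: it groups records by requestId and reports, per login, whether the IdP response was accepted and whether the failure happened afterwards inside vCD (the two-line JDBC error and the empty groups= value that the quoted log shows). The sample lines are constructed in the same layout, with example.test hosts and the request context trimmed.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the vCD log quoted in the post (request
# context trimmed to requestId; the JDBC error spans two lines as in the post).
SAMPLE_LOG = """\
2019-08-21 05:02:17,763 | DEBUG    | pool-jetty-70 | CustomWebSSOProfileConsumerImpl | Validation of authentication statement in assertion _4756 was successful | requestId=26f60f01-5ff1,request=POST https://vcd.example.test/cloud/saml/SSO/alias/vcd
2019-08-21 05:02:17,763 | INFO     | pool-jetty-70 | SAMLDefaultLogger | AuthNResponse;SUCCESS;10.0.0.5;https://vcd.example.test/cloud/saml/metadata/alias/vcd;https://dag.example.test/dag/saml2/idp/metadata.php;alice@example.test;; | requestId=26f60f01-5ff1,request=POST https://vcd.example.test/cloud/saml/SSO/alias/vcd
2019-08-21 05:02:17,771 | ERROR    | pool-jetty-70 | JDBCExceptionReporter | ERROR: syntax error at or near ")"
  Position: 136 | requestId=26f60f01-5ff1,request=POST https://vcd.example.test/cloud/saml/SSO/alias/vcd
2019-08-21 05:02:17,777 | WARN     | pool-jetty-70 | SamlAuthenticationSuccessHandler | Error logging in user name=alice@example.test, email=alice@example.test, groups= | requestId=26f60f01-5ff1,request=POST https://vcd.example.test/cloud/saml/SSO/alias/vcd
2019-08-21 05:05:00,001 | INFO     | pool-jetty-71 | SAMLDefaultLogger | AuthNResponse;SUCCESS;10.0.0.6;https://vcd.example.test/cloud/saml/metadata/alias/vcd;https://dag.example.test/dag/saml2/idp/metadata.php;bob@example.test;; | requestId=7c3d9e2a-0b1c,request=POST https://vcd.example.test/cloud/saml/SSO/alias/vcd
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d\d:\d\d:\d\d,\d{3} \| ")

def records(text):
    """Yield one logical record per event, gluing continuation lines onto it."""
    buf = []
    for raw in text.splitlines():
        if TS_RE.match(raw) and buf:
            yield " ".join(buf)
            buf = []
        buf.append(raw.strip())
    if buf:
        yield " ".join(buf)

def triage_saml_logins(text):
    """Group records by requestId and report where each SAML login stopped."""
    reqs = defaultdict(lambda: {"user": None, "db_error": None, "groups": None})
    for rec in records(text):
        parts = [p.strip() for p in rec.split(" | ", 5)]  # ts, level, thread, logger, msg, ctx
        if len(parts) < 6 or not parts[5].startswith("requestId="):
            continue
        logger, msg, rid = parts[3], parts[4], parts[5][10:].split(",")[0]
        r = reqs[rid]
        if msg.startswith("AuthNResponse;SUCCESS;"):
            r["user"] = msg.split(";")[5]          # AuthNResponse;result;ip;sp;idp;subject;;
        elif logger == "JDBCExceptionReporter":
            r["db_error"] = msg                    # includes the joined "Position: N" line
        elif msg.startswith("Error logging in user"):
            r["groups"] = msg.rsplit("groups=", 1)[1]   # "" when the attribute was empty
    for r in reqs.values():
        if r["groups"] is None:
            r["verdict"] = "login ok at SAML layer" if r["user"] else "no SAML success"
        else:
            r["verdict"] = "IdP accepted; vCD failed after the assertion" + (
                " (DB error, empty groups attribute)" if r["db_error"] and r["groups"] == ""
                else " (DB error)" if r["db_error"] else "")
    return dict(reqs)
```

Run it over a real vcloud-container-debug.log to separate IdP-side failures (no AuthNResponse;SUCCESS) from vCD-side failures that only show up after a valid assertion, as in the post.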

All replies

  • Hi, Manivel RR.

    Did you get a solution for this?

    Monday, December 9, 2019 5:18 PM