RobMiller Posted April 7, 2022

Hello all! I am trying to get PWS working with Azure App Proxy and SSO. We have the proxy working, albeit a bit slow with grumbling from the herd about performance and timeouts, but enabling SSO is just not working out. It seems I am always in a SAML loop where it just keeps refreshing every second or two with a slightly different string in the URL and fails.

Here are the sanitized details of the configuration.

PWS Server URL: https://pws.mycompany.com
Server IP: Public IP in a DMZ, we’ll just call it 123.123.123.123, so no NAT is in play
Access: Although it has a public IP in a DMZ, it’s actually restricted via ACL, and it’s not externally accessible except via VPN or other hosts at the facility

For Phase 1 here I added the Enterprise App to Azure, and installed a connector close to the PWS server. I adjusted the hosts file on the Azure Connector server so that it continues to resolve pws.mycompany.com to 123.123.123.123 regardless of public DNS. I changed public DNS for pws.mycompany.com to a CNAME pointing to pws-mycompany.msappproxy.net as per the Proxy config in Azure.

Proxy config:
Internal URL: https://pws.mycompany.com
External URL: https://pws.mycompany.com
Pre-authentication: Passthrough (for now until I get it working)
Backend Timeout: Long
Use HTTP-Only Cookie: No
Use Secure Cookie: Yes
Use Persistent Cookie: Yes
Translate URLs: Headers and Body set to No

Success!! Proxy works. It’s definitely slower than going direct. If you let it sit on a password list for maybe 30 minutes, then try to grab something, it fails. You have to click to another folder and back. Seems like the session dies or something and then you need to kick start it. It is functional, but people grumble about lost time as it takes them longer. Anyways, I’m thinking maybe SSO would help with some of the timeouts and such. So let’s get that going.
Phase 2: SSO

I followed the Click Studios guide for SSO, but that doesn’t include proxy stuff, so I am not sure if anything should be different for that.

Azure SAML Config:
Identifier (Entity ID): https://pws.mycompany.com
Reply URL (Assertion Consumer Service URL) 1: https://pws.mycompany.com (Default checked)
Reply URL (Assertion Consumer Service URL) 2: https://pws.mycompany.com/logins/saml/default.aspx
Sign on URL: https://pws.mycompany.com
Relay State (Optional): https://pws.mycompany.com/logins/saml/default.aspx
Logout Url (Optional): https://pws.mycompany.com/?appproxy=logout

Attributes & Claims
Givenname: user.givenname
Surname: user.surname
Emailaddress: user.mail
Name: user.userprincipalname
Unique User Identifier: user.mail

Then in PWS: I copied in the Base64 cert from MS, set it to SHA256, and copied in the 3 links from Azure for the app.
IDP Target URL: https://login.microsoftonline.com/37*******************
IDP Issuer URL: https://sts.windows.net/37*******************
Audience Restriction: https://pws.mycompany.com
Single Logout URL: https://login.microsoftonline.com/37*******************

I also set: Select which field in Passwordstate you want to compare against the SAML Response's Name Identifier – NameID: To Email Address

This config just doesn’t work. When I test from Azure, it starts looping, it’s like it keeps trying to authenticate but can’t. I have tried all kinds of combos. Spent several hours trying different things, changing out pws.mycompany.com for pws-mycompany.msappproxy.net in spots. I don’t know. No combo I have tried allows for PWS to authenticate via SSO. So I imagine I have something wrong, and I suspect it’s due to the proxy. I have previously set up SAML to Okta before with PWS, was easy.

My next step I guess is to remove the proxy, and try SSO alone. The proxy works fine without SSO, so I need to see if SSO works without the proxy. But ultimately I would like them both to work together.
If anyone has any experience with this, and can point out any issues they see, I sure would appreciate it. TIA!
RobMiller (Author) Posted April 8, 2022

Got it. When I deleted the proxy, I discovered that my SSO wouldn't work even without it. Changing the Reply URL (Assertion Consumer Service URL) in Azure to default to https://pws.mycompany.com/logins/saml/default.aspx fixed it for me. Everything else is the same as I posted above.
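An added example, not code from the original posts, Click Studios or Microsoft: a small Python check of the addressing fields in a SAML Response, modelling the Reply URL / ACS mix-up described above. Azure AD posts the response to whichever Reply URL is marked default and writes that URL into the response's Destination attribute, so when the default is the site root rather than /logins/saml/default.aspx the SP never accepts the assertion and bounces back to the IdP. The SpConfig values are taken from the thread; the tenant ID, the user address and the sample responses are constructed for offline testing. This checks Destination, Status, Issuer, Audience and NameID only; it does not verify the XML signature, which a real SP must do before trusting any of these fields.

```python
"""Added example: sanity-check the addressing fields of a SAML Response.

Not code from the original posts, Click Studios or Microsoft. Signature
verification is out of scope here; a real SP verifies the XML signature
before trusting Destination, Issuer, Audience or NameID.
"""
import base64
from dataclasses import dataclass
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass(frozen=True)
class SpConfig:
    acs_url: str      # where the SP actually consumes assertions
    entity_id: str    # SP Entity ID, must appear in AudienceRestriction
    idp_issuer: str   # expected IdP Issuer (sts.windows.net/<tenant>/ for Azure AD)


# URLs from the thread; the tenant ID is a constructed placeholder.
PWS = SpConfig(
    acs_url="https://pws.mycompany.com/logins/saml/default.aspx",
    entity_id="https://pws.mycompany.com",
    idp_issuer="https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
)


def build_response(destination, audience=PWS.entity_id, issuer=PWS.idp_issuer,
                   name_id="rob@mycompany.com"):
    """Constructed, unsigned SAML Response, base64-encoded as it would arrive
    in the SAMLResponse form field. Test fixture only."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2022-04-07T00:00:00Z"
  Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-04-07T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(b64_response, cfg=PWS):
    """Return a list of problems; an empty list means the fields line up."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []

    # Azure AD sets Destination to the default Reply URL; the SP compares it
    # against its real ACS. A mismatch here is the "SAML loop" symptom.
    dest = root.get("Destination")
    if dest != cfg.acs_url:
        problems.append(f"Destination {dest!r} is not the ACS {cfg.acs_url!r} "
                        "(check which Reply URL is marked default in the IdP)")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    value = None if status is None else status.get("Value")
    if value != SUCCESS:
        problems.append(f"StatusCode is {value!r}, not Success")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg.idp_issuer:
        problems.append(f"Issuer {issuer!r} != expected {cfg.idp_issuer!r}")

    audiences = [a.text for a in root.iterfind(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        problems.append(f"Audience {audiences!r} does not include {cfg.entity_id!r}")

    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing; PWS cannot match it to an email address")

    return problems


if __name__ == "__main__":
    # Default Reply URL = site root, as in the first post: one Destination problem.
    print(check_saml_response(build_response("https://pws.mycompany.com")))
    # Default Reply URL = ACS path, as in the fix: no problems.
    print(check_saml_response(build_response(PWS.acs_url)))
```

Swapping pws.mycompany.com for pws-mycompany.msappproxy.net in only some fields, as tried in the first post, shows up the same way: the Audience or Destination check fails, and the SP rejects the assertion even though the IdP reported Success.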
MicTou Posted June 20, 2023

Hi Rob, Did you ever find a solution to this part? "If you let it sit on a password list for maybe 30 minutes, then try to grab something, it fails. You have to click to another folder and back. Seems like the session dies or something and then you need to kick start it."
Sebastian Stauber Posted November 6

Hi Rob, Same issue here. I initially tried with SAML but couldn't get it to work. Then I used IWA (Kerberos) which works, but the frequent timeouts are bothersome to my users. Did the SAML integration fix it for you?