Trouble with Azure App Proxy and SSO

[RobMiller]

Hello all! I am trying to get PWS working with Azure App Proxy and SSO. We have the proxy working, albeit a bit slow with grumbling from the herd about performance and timeouts, but enabling SSO is just not working out. It seems I am always in a SAML loop where it just keeps refreshing every second or two with a slightly different string in the URL and fails. Here are the sanitized details of the configuration.

 

PWS Server URL: https://pws.mycompany.com

Server IP: Public IP in a DMZ, we’ll just call it 123.123.123.123, so no NAT is in play

Access: Although it has a public IP in a DMZ, it’s actually restricted via ACL, and it’s not externally accessible except via VPN, or other hosts at the facility

 

For Phase 1 here I added the Enterprise App to Azure, and installed a connector close to the pws server. I adjusted the host file on the Azure Connector server so that it continues to resolve pws.mycompany.com to 123.123.123.123 regardless of public DNS. I changed public DNS for pws.mycompany.com to a CNAME pointing to pws-mycompany.msappproxy.net as per the Proxy config in Azure.

 

Proxy config:

Internal URL: https://pws.mycompany.com

External URL: https://pws.mycompany.com

Pre-authentication: Passthrough (for now until I get it working)

Backend Timeout: Long

Use HTTP-Only Cookie: No

Use Secure Cookie: Yes

Use Persistent Cookie: Yes

Translate URLS: Headers and Body set to No

 

Success!! Proxy works. It’s definitely slower than going direct. If you let it sit on a password list for maybe 30 minutes, then try to grab something, it fails. You have to click to another folder and back. Seems like the session dies or something and then you need to kick start it. It is functional, but people grumble about lost time as it takes them longer.

 

Anyways, I’m thinking maybe SSO would help with some of the timeouts and such. So let’s get that going.

 

Phase 2: SSO

I followed the clickstudios guide for SSO, but that doesn’t include proxy stuff, so I am not sure if anything should be different for that.

 

 

Azure SAML Config:

Identifier (Entity ID):   https://pws.mycompany.com

Reply URL (Assertion Consumer Service URL) 1:  https://pws.mycompany.com   (Default checked)

Reply URL (Assertion Consumer Service URL) 2: https://pws.mycompany.com/logins/saml/default.aspx

Sign on URL:   https://pws.mycompany.com

Relay State (Optional):   https://pws.mycompany.com/logins/saml/default.aspx

Logout Url (Optional):   https://pws.mycompany.com/?appproxy=logout

 

 

Attributes & Claims

Givenname:   user.givenname

Surname:   user.surname

Emailaddress:   user.mail

Name:   user.userprincipalname

Unique User Identifier:   user.mail

 

 

Then in PWS: I copied in the Base64 cert from MS, set it to SHA256, and copied in the 3 links from Azure for the app.

IDP Target URL: https://login.microsoftonline.com/37*******************

IDP Issuer URL: https://sts.windows.net/37*******************

Audience Restriction: https://pws.mycompany.com

Single Logout URL: https://login.microsoftonline.com/37*******************

 

I also set: Select which field in Passwordstate you want to compare against the SAML Response's Name Identifier – NameID: To Email Address

 

 

This config just doesn’t work. When I test from Azure, it starts looping, it’s like it keeps trying to authenticate but can’t. I have tried all kinds of combos. Spent several hours trying different things, changing out pws.mycompany.com for pws-mycompany.msappproxy.net in spots. I don’t know. No combo I have tried allows for PWS to authenticate via SSO. So I imagine I have something wrong, and I suspect it’s due to the proxy. I have previously set up SAML to Okta before with PWS, was easy. My next step I guess is to remove the proxy, and try SSO alone. The proxy works fine without SSO, so I need to see if SSO works without the proxy. But ultimately I would like them both to work together.

 

If anyone has any experience with this, and can point out any issues they see, I sure would appreciate it.

 

TIA!

[RobMiller]

Got it. When I deleted the proxy, I discovered that my SSO wouldn't work even without it. Changing the Reply URL (Assertion Consumer Service URL) in Azure to default to https://pws.mycompany.com/logins/saml/default.aspx fixed it for me. Everything else is the same as I posted above. 

[MicTou]

Hi Rob,

 

Did you even found an solution to this part?

"If you let it sit on a password list for maybe 30 minutes, then try to grab something, it fails. You have to click to another folder and back. Seems like the session dies or something and then you need to kick start it."