Jump to content

SAML2 and Azure AD configuration for Passwordstate users


Robert Birkett
 Share

Recommended Posts

We have been using Passwordstate for several years now, and in all that time we have had no issues.  We are now moving away from our original On Premises Active Directory and into Azure for all things Windows, and this includes locking down our access for most applications and services using SAML2 in Azure and implementing MFA.  We have it working with numerous products including Atlassian, GitLab etc. with no issues.  I have configured Azure with a non gallery Enterprise Application as per the documentation and a test directed me to the Passwordstate logon.  However, that is as far as I got, since Passwordstate is currently set to use AD authentication, so I can't actually ADD a user for SAML authentication, and I can't CHANGE a current user to make SAML2 authentication the default, and there is nothing in the documentation that specifies how to make the switch, WITHOUT losing access to Passwordstate completely and relying on the emergency access account and password to get back in.  Do you think you could provide some instructions on how to add SAML2 users, or switch users from AD to SAML2, or switch entirely to SAML2 without losing access to Passwordstate, and how to add or convert users  SAML2.  That option is grayed out, unavailable, so I'm at a loss to determine how anyone else has managed to get this to work in a production environment that is using AD authentication.

Link to comment
Share on other sites

Hi Robert,

 

If I understand your request properly, then we cannot import user accounts from Azure AD - we only support On-Premise Active Directory. Are you getting rid of all your On-Premise Domain Controllers? If not, then you can still sync Security Groups and User Accounts from your local domain controllers, but then authenticate to Azure AD using SAML Authentication - we have full documentation in the Security Administrator's manual, under the section Authentication Options for how to enable SAML and authentication to Azure.

Below are some screenshots of how you enable SAML Authentication for all users, and the matching field option as well i.e. use the email address in Azure AD and Passwordstate to perform the match. If you are trying to enable this on a per user basis, then you need to disable Anonymous Authentication for the site in IIS i.e. we need to know who the user is, in order to give them the custom authentication option.

If you do not plan on having any local domain controllers, then a possibility might me to migrate your existing domain accounts in Passwordstate to local accounts. If this is what you would like to explore, please contact us via our support page here https://www.clickstudios.com.au/support.aspx, and we can provide further assistance>

 

saml.png

 

saml2.png


Regards

Click Studios

Link to comment
Share on other sites

Yes, I see that in the documentation.  Fortunately I have emergency access.  Enabling SAML2 killed all access for everyone.  It asks for credentials and goes through the Login process for Azure and succeeds, but then I get an error.  Disabling Anonymous Authentication apparently kills all authentication, don't you need to enable at least Windows Authentication?  And since Passworstate url (at least in my case) is port specific ie. it has :9119 at the end of it, does that have to be included in the Azure SAML configuration and the local instance, because that seems to be missing from the documentation entirely, and there is no indication that it isn't required.  Do I need to reconfigure Passwordstate so it just uses HTTPS on 443 and remove the :9119 requirement?  What should the URL's in Azure SAML2 look like if we DO require a specific port?  

 

We will not be removing ALL domains, but this system currently sits in a production domain on prem and we are moving it to a server in Azure tied to Azure AD, and we want to leverage SSO using Azure and our current setup requires this for all active services, and conditional access also enforces MFA.  All I want to is get this working so I can set up all the users one by one as we move to Azure and have them authenticate via Azure and MFA, but I did not know I might have to change the way we get to Passwordsate to do that.  

 

Note:- I disabled Anonymous Authentication and restarted the WEB site, SAML2 authentication as an option for ANY user is stuill grayed out and cannot be selected under any circumstances.

Edited by Robert Birkett
More Information.
Link to comment
Share on other sites

And finally, when I disabled Anonymous Authentication and enabled SAML2, now the SAML2 process doesn't ask for credentials, it just fails outright.  I'm confused.  I disabled Anonymous Auth as requested.

The URL's include :9119 since they simply won't work under any circumstances if you exclude that.

SAML2 still can't be assigned on a per user basis, you can only assign it globally, and that kills all access for everyone.  What do I need to do to get this to work?  Disabling all authentication methods for the WEB site in IIS just locks everyone out with the "You don't have access rights to view this WEB page" error, at least ONE method is required even if it isn't Anonymous Authentication, be that Forms or Active Directory, and it has to be configured, enabling Active Directory gets you to the log on page but then asks for a One Time Password (what????).

Link to comment
Share on other sites

This is what I get after disabling anonymous authentication:-

Request Id: c6986faf-d8d1-43d3-b437-f32e6a7e2d00
Correlation Id: 536fbb17-23d7-4dc7-94fb-bb3637f2ae53
Timestamp: 2020-09-09T14:21:22Z
Message: AADSTS700016: Application with identifier 'https://passwordstate.redactedforobviousreasons:9119/logins/saml.aspx' was not found in the directory '15d36a20-10ec-48bd-92d9-a76e52bad3ab'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

 

This is what I get after enabling anonymous authentication:-

Request Id: e2ebe269-8056-470b-a975-c6659f222b00
Correlation Id: 62843c7a-df95-41d0-8701-218bdf719ed3
Timestamp: 2020-09-09T14:49:49Z
Message: AADSTS90014: The required field 'request' is missing from the credential. Ensure that you have all the necessary parameters for the login request.

 

I can't disable Anonymous Authentication for the passwordstate web site since No One can get in (since all authentication methods are disabled at that point).

If I enable it and then enable SAML2 I get authenticated and it still fails.  I get the standard AD sign in then it goes to SAML2 and Azure after that, and then fails.  

 

Link to comment
Share on other sites

Hi Robert,

We've sent you an email response with a few questions we need answered, and hopefully this is just a configuration issue because we have many customers using Azure AD and SAML Authentication - the error of "was not found in the directory" sounds like something is not configured correctly.

Regards

Click Studios

Link to comment
Share on other sites

For any other customers reading this post, we've managed to fix the issues - the two issues were:

  • Disabling Anonymous Authentication in IIS was not working, because Windows Authentication was also disabled - which is not the default setting
  • The customer had the Audience Restriction in Passwordstate set incorrectly - it needs to match the “Identifier (Entity ID)” field in Azure AD

Regards

Click Studios

Link to comment
Share on other sites

  • 2 months later...
On 9/9/2020 at 8:47 PM, support said:

For any other customers reading this post, we've managed to fix the issues - the two issues were:

  • Disabling Anonymous Authentication in IIS was not working, because Windows Authentication was also disabled - which is not the default setting
  • The customer had the Audience Restriction in Passwordstate set incorrectly - it needs to match the “Identifier (Entity ID)” field in Azure AD

Regards

Click Studios

What should be exactly (the Entity ID) im having the exact same problem right now.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...