I'm trying to configure SAML with our Veeam Enterprise Manager. We are using a non-default AD solution for our user accounts called "KeyHub". In this tool we create our accounts, and these accounts can be synced to an AD or use other authentication solutions like "OAuth / OpenID / SAML v2.0", https://keyhub.previder.net/docs/manual ... sec-samlv2.
At this moment I have created the SAML configuration in Veeam EM and in the authentication solution. It looks to work, but when I log in to Veeam EM I get redirected to the page for KeyHub; when I log in with the credentials and token I get redirected to the Veeam EM login page. And that's it.
Logging VeeamBES:
<26> Info [Web] Opening session with id [951e694b-6e3d-47d8-a0d8-33d20fc9d8b6]
<26> Info Opening session with id [951e694b-6e3d-47d8-a0d8-33d20fc9d8b6]
<26> Info Application url: https://url:9443/
<26> Info [SAML] EntityId: https://url:9443/Saml2, Return url: https://url:9443/
<26> Info Configuring service provider certificate. Thumbprint: E982C463E268E9130FF77E9EDE21EDBAE6496B47, Expires: 06/05/21 1:59:59 AM, HasPrivateKey: True
<26> Info Certificate publish type: PublishUnspecified
<26> Info Validating SAML token
<26> Info Token is valid
<26> Info Logon as new user username(FQDN). Session [s45]
<26> Info Found external account. Account: Id: [4e74d2f9-0f5c-4c0d-98e0-6ee2822c6e43], Info: [Name: [username(FQDN)], Type: [ExternalUser]]
<26> Info CFailoverPlanManagerStub created...
Logging Veeam.Webapp:
<54> Info Initiating login to KeyHub
<73> Info Successfully processed SAML response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id and authenticated username(FQDN)
<73> Info [SAML] Got identity :
<73> Info [SAML] Got NameId claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: username(FQDN)
<73> Info Connecting to [localhost:9394] under [current account]. Selfrestore mode: 'off'. Session Uid: 951e694b-6e3d-47d8-a0d8-33d20fc9d8b6
<73> Info Remote session opened. Internal service version: [1]. External login mode
<73> Info UserContext created from authentication data: Username: username(FQDN), SessionId: 951e694b-6e3d-47d8-a0d8-33d20fc9d8b6, SelfRestore: False, AuthType: SamlToken, Credentials:
I also see a lot of messages without any authentication:
<56> Error Saml2 Authentication failed.
<56> Error No Saml2 Response found in the http request. (Sustainsys.Saml2.Exceptions.NoSamlResponseFoundException)
<56> Error at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
<56> Error at Sustainsys.Saml2.Owin.Saml2AuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
How do you mean? KeyHub is the solution with the users and groups.
I can log in with a normal Active Directory account from where Veeam EM is installed.
Vitaliy, I understand. Do you know what Veeam EM is expecting as a response? Perhaps I can do some troubleshooting if I know what it is expecting. It is a lot of trial and error at the moment.
Well, based on the log snippet, everything should be OK. A quick Google search hints that the issue might be in load balancers that are between your IDP and EM. If there is none, then let's wait for our support team to help.
The authentication is successful, but the redirect back to Veeam EM goes to the URL https://fqdn:9443 and not to https://fqdn:9443/index.aspx. So the redirect to the correct login page is not correct.
If somebody has a smart idea.
There was a config mismatch in the web.config file.
XML from your side:
<defaultDocument enabled="true">
  <files>
    <clear />
    <add value="Login.aspx" /> <!-- this is not default -->
    <add value="Index.aspx" />
  </files>
</defaultDocument>
</system.webServer>
<runtime>
One of our xml files:
<defaultDocument enabled="true">
  <files>
    <clear />
    <add value="Index.aspx" />
  </files>
</defaultDocument>
</system.webServer>
<runtime>
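As an added example (not from the thread and not Veeam's own tooling): a small Python check that reads the defaultDocument list out of an Enterprise Manager web.config the way IIS merges it and flags the drift shown above, where an extra Login.aspx entry is served before Index.aspx so the SAML return URL https://fqdn:9443/ no longer lands on the login page. The web.config fragments are constructed for illustration; the expected list (Index.aspx only) is taken from the support snippet in the thread.

```python
import xml.etree.ElementTree as ET

# Default-document list in the web.config shipped with Veeam Enterprise Manager,
# taken from the support snippet in the thread: Index.aspx only.
EXPECTED_DEFAULT_DOCS = ["Index.aspx"]

# Constructed web.config fragment (illustration only; a real file is much larger).
MISCONFIGURED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="Login.aspx" />
        <add value="Index.aspx" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>"""
# The same fragment with the extra Login.aspx entry removed, i.e. the shipped layout.
SHIPPED_WEB_CONFIG = MISCONFIGURED_WEB_CONFIG.replace('        <add value="Login.aspx" />\n', "")


def default_documents(web_config_xml: str) -> list[str]:
    # Ordered list IIS would use: <clear/>, <remove/> and <add/> are applied in file order.
    files = ET.fromstring(web_config_xml).find("./system.webServer/defaultDocument/files")
    docs: list[str] = []
    for child in (files if files is not None else []):
        if child.tag == "clear":
            docs.clear()
        elif child.tag == "remove":
            docs = [d for d in docs if d != child.get("value")]
        elif child.tag == "add":
            docs.append(child.get("value", ""))
    return docs


def check_default_documents(web_config_xml: str) -> list[str]:
    # Returns findings; an empty list means the site serves Index.aspx at https://<fqdn>:9443/.
    dd = ET.fromstring(web_config_xml).find("./system.webServer/defaultDocument")
    if dd is None or dd.get("enabled", "true").lower() != "true":
        return ["defaultDocument is missing or disabled: the SAML return URL "
                "https://<fqdn>:9443/ resolves to no page at all"]
    actual = default_documents(web_config_xml)
    findings: list[str] = []
    if actual != EXPECTED_DEFAULT_DOCS:
        findings.append(f"defaultDocument list is {actual}, expected {EXPECTED_DEFAULT_DOCS}")
    if actual and actual[0] != EXPECTED_DEFAULT_DOCS[0]:
        findings.append(f"{actual[0]} is served before Index.aspx, so the post-SAML redirect "
                        "to https://<fqdn>:9443/ lands on the wrong page")
    return findings
```

Run it against the real web.config (the file is a normal XML document, so `open(path).read()` feeds straight into `check_default_documents`) after any manual edit or upgrade to catch this kind of mismatch before users report a redirect loop.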