Forum Discussion

Brian_E_Nine_17
Nov 19, 2014

APM Webtop SAML Links

I have Virtual Server 1 providing SAML IDP for an application. This is SP initiated SAML, which works when a user first goes to the SP link. I've created Virtual Server 2 that has a full webtop attached to it and requires a user to log in with Active Directory credentials before getting the webtop. I also created a SAML resource with the SAML SSO for the app and published it on the webtop. I'd like to have a user be able to click on the webtop link and get signed in seamlessly to the app. When I click on the link I get an "Error Message: The given key was not present in the dictionary" from the SP. Would I need to reconfigure the app to use IDP initiated SAML to have this work correctly?


6 Replies

  • Hello,

    There are a lot of things unknown and a lot to assume. First, you should really see what the error message means.

    I'd consider a good starting point to be getting an HTTP monitoring tool (e.g. Fiddler) and seeing what the differences are in the SAML Response when initiating logon from the SP and from the IDP. Maybe you just need to specify a relay state or a few parameters to the ACS URL.

    But without providing more information or having insight into the SP application, I doubt anybody will give a better hint.

    Gabriel

  • First, let me clarify that the error from the SP is coming from the assertion consumer URL. I ran a Fiddler capture on a successful vs. unsuccessful SSO. The successful SSO shows a POST with a value assigned to the RelayState and all the Active Directory attributes the IDP is supposed to be providing. The unsuccessful SSO doesn't have a value set for RelayState and doesn't appear to be posting any of the attributes.

  • Ok, I read about what the RelayState is/does. I set this field under my SP connector. Now I get a different error, "The (&(objectClass=user)(SAMAccountName=)) search filter is invalid", from the SP. I still don't see a POST in Fiddler with all the AD attributes the SP is looking for.

  • Now it's looking better. Seems you are missing the SAML attributes. You have to set the same Access Policy to the VS with the Webtop (or fill the ACCESS:session data with the required attributes).

  • Thanks for the help, Gabriel. I noticed the access policy on VirtualServer1, which was set up by a contractor, had an extra variable assign and an LDAP query on it, so I added these to the Webtop VS access policy. Looks like the SAML link is working correctly now.
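The comparison done above with Fiddler (is RelayState set, and does the SAMLResponse POSTed to the ACS URL actually carry the AD attributes the SP's LDAP filter needs?) can be scripted against a captured POST body. This is an added example, not code from the thread or from F5; the required attribute names, URLs and captured bodies are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# SAML 2.0 namespaces used in a Response / Assertion
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_response(attrs):
    """Build a constructed, unsigned SAML Response carrying the given attributes
    (stands in for the IDP's real, signed Response in a capture)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        '</saml:Attribute>' for n, v in attrs.items())
    stmt = f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>' if attrs else ''
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion>{stmt}</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_acs_post(body, required):
    """Inspect a captured form-encoded POST body sent to the ACS URL.
    Reports whether RelayState is set, which attributes the assertion carries,
    and which required attributes are absent or empty (the cause of the
    '(SAMAccountName=)' filter error seen in the thread)."""
    form = parse_qs(body, keep_blank_values=True)
    relay = form.get("RelayState", [""])[0]
    resp = form.get("SAMLResponse", [""])[0]
    found = {}
    if resp:
        root = ET.fromstring(base64.b64decode(resp))
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
            vals = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            found[a.get("Name")] = vals
    missing = [n for n in required if not any(found.get(n, []))]
    return {"relay_state_set": bool(relay), "attributes": found, "missing": missing}

# Assumed attribute names the SP expects (hypothetical; take them from the SP's docs)
REQUIRED = ["sAMAccountName", "mail"]

# Constructed captures standing in for the successful and failing Fiddler traces
GOOD_POST = urlencode({
    "SAMLResponse": build_response({"sAMAccountName": "jdoe", "mail": "jdoe@example.com"}),
    "RelayState": "https://sp.example.com/app"})
BAD_POST = urlencode({"SAMLResponse": build_response({}), "RelayState": ""})

if __name__ == "__main__":
    for label, body in (("webtop-link (failing)", BAD_POST), ("SP-initiated (working)", GOOD_POST)):
        print(label, check_acs_post(body, REQUIRED))
```

When the failing capture reports an empty `missing` list but the SP still complains, the mismatch is in attribute naming (e.g. `sAMAccountName` vs. the name the SP's LDAP filter expects) rather than in the access policy.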