Recently we integrated with a couple of IDPs (NetIQ and ADFS) for the first time. In both cases, we encountered an issue after completing the initial metadata configuration (note: the GSA does not import or export SAML metadata files). Once the basic configuration was complete, we were getting a response back from the IDP saying that the request was rejected. In NetIQ’s case, it responded with a SAML assertion with a rejection status. In ADFS, the IDP was unable to complete the response.
In both cases, the IDP was not configured with the public key of the search appliance.
From the “Authentication/Authorization for Enterprise SPI Guide”:
Authentication using Artifact and Post Binding
- A user enters a search query into a browser.
- The search appliance checks for an existing user session. If it finds a session running, the search appliance supplies the search results and the sequence is complete. If no session exists, an <AuthnRequest> element is sent to the Identity Provider (via the Security Manager) using HTTP Redirect binding.
- The HTTP Redirect binding redirects the browser to the Identity Provider with a SAML message sent as a URL query inside the SAMLRequest string parameter.
- The Identity Provider authenticates the search user. The IdP can perform this authentication in any way: HTML form, checking an already established session cookie, NTLM, Kerberos, certificate, 2-factor, and so on.
- Depending on the SAML Binding option:
  - Artifact binding:
    - The Identity Provider redirects the user back to the Security Manager providing a SAMLArtifact token.
    - The Security Manager uses this SAMLArtifact and sends an ArtifactResolve request to the identity provider’s Artifact Resolution URL.
    - The Identity Provider responds with a SAML <Response> element to the Security Manager. The <AuthnStatement> in the response contains the identity of the search user.
  - POST binding:
    - The Identity Provider creates an AuthnStatement Assertion for this user, digitally signs the message and responds with an HTML form to auto-submit to the Security Manager. That is, the HTML page returned by the IdP to the user’s browser contains a form that is auto-submitted (POST) to the Security Manager (which, in turn, eventually sends the identity to the search appliance).
- The Security Manager sends this identity enclosed in a SAML <Assertion> to the search appliance, which uses it for authorization.
However, it’s important to note that the AuthnRequest sent by the search appliance is signed. It’s up to the IDP to accept or reject that signature, and to verify it the IDP needs the search appliance’s public key. The Windows Integrated SAML Bridge and Okta, for example, do not check that signature, which is why the problem does not show up with them.
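As an added illustration (not code from the post, the GSA or the SPI guide), the following Go program, using only the standard library, shows both halves of the HTTP Redirect binding step above: what the Security Manager does when it signs the AuthnRequest, and what an IdP that enforces the signature does when it checks the query against the SP certificate it has on file. The AuthnRequest XML, the RelayState value and the function names are constructed for illustration; the signed-string layout (SAMLRequest, RelayState, SigAlg) and RSA-SHA256 follow the SAML 2.0 Redirect binding. Verifying against any key other than the appliance’s own fails, which is the rejection the post describes when the IDP has not been given the GSA’s certificate.

```go
package main

import (
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// Constructed, minimal AuthnRequest; a real one also carries Issuer, Destination and timestamps.
const authnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>`
// signedData joins the already-URL-encoded parameters in the binding's order (SAMLRequest, RelayState if present, SigAlg).
func signedData(req, relay, alg string) string {
	if relay != "" { relay = "&RelayState=" + relay }
	return "SAMLRequest=" + req + relay + "&SigAlg=" + alg
}

// BuildRedirectQuery is the SP side (here the GSA's Security Manager): DEFLATE+base64 the XML, sign, append Signature.
func BuildRedirectQuery(xml, relayState string, key *rsa.PrivateKey) (string, error) {
	var buf strings.Builder
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xml))
	w.Close()
	req := url.QueryEscape(base64.StdEncoding.EncodeToString([]byte(buf.String())))
	data := signedData(req, url.QueryEscape(relayState), url.QueryEscape(sigAlgRSASHA256))
	h := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return data + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP side: hash the raw, still-URL-encoded values exactly as received, never re-encoded copies.
func VerifyRedirectQuery(query string, spPub *rsa.PublicKey) bool {
	raw := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	// Pin the algorithm before looking at the signature; an unexpected SigAlg is a rejection.
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != sigAlgRSASHA256 { return false }
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil { return false }
	h := sha256.Sum256([]byte(signedData(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])))
	return rsa.VerifyPKCS1v15(spPub, crypto.SHA256, h[:], sig) == nil
}
```

The same check with an IdP that has the correct certificate succeeds, with a different or missing one fails, and any change to RelayState or SigAlg after signing is also rejected.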
How do I get the certificate?
If you use Firefox and access the GSA via SSL, you can export the appliance’s certificate (which carries its public key) together with the certificate chain. Remember to export it with the chain, and in a format that your IDP accepts.