Question

Receiving Laserfiche.LicenseManager.InvalidAssertionException for Aptify SAML

asked on June 1, 2020

I have configured Aptify as an Identity Provider and Laserfiche Directory Service as a Service Provider. We are using SAML. I followed the directions outlined in the whitepapers for Salesforce, Okta, and Azure AD. Everything seems to work up until the point where Aptify redirects back to my STS endpoint (/LFDSSTS/saml2/sso). The following error is displayed:

"The identity provider may not be configured correctly. Contact your administrator: Exception of type 'Laserfiche.LicenseManager.InvalidAssertionException' was thrown."

Has anyone encountered this error before? Anyone have an idea of what to check for?

0 0

Answer

SELECTED ANSWER
replied on June 22, 2020

Wanted to post the final state of things here in case someone else happens to run across this.

After some back and forth troubleshooting with Laserfiche Support (thank you so much for your time and patience), we were able to determine that the issue was that the Aptify SAML plugin does not support assertion signing, only response signing. This is causing the exception outlined in the original post.

Aptify said it would be a code fix from their end to add the assertion signature and Laserfiche said it would be a code fix to disable the assertion signature requirement. The resolution is that Aptify SAML and Laserfiche are not compatible at this time.

0 0
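A quick way to check a captured SAML Response for the condition found in the selected answer (response signed, assertion unsigned). This is an added example, not part of the original thread and not Laserfiche or Aptify code; the function names, the sample XML and the issuer URL are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_placement(saml_response_b64):
    """Report where ds:Signature elements sit in an HTTP-POST SAMLResponse value."""
    # Presence check only: no signature is validated cryptographically here.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        # Only a direct child signs the element itself, so use non-recursive find().
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": sum(
            a.find("ds:Signature", NS) is not None for a in assertions
        ),
        # Encrypted assertions cannot be inspected without the SP's private key.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def sample_response(sign_response, sign_assertion):
    # Constructed sample: structure only, signature contents elided.
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">' % (NS["samlp"], NS["saml"])
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + (sig if sign_response else "")
        + "<saml:Assertion>"
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
        + (sig if sign_assertion else "")
        + "<saml:Subject/></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print("response-only:", signature_placement(sample_response(True, False)))
    print("both signed:  ", signature_placement(sample_response(True, True)))
```

To use it on a real login attempt, pass the `SAMLResponse` form field that the browser posts to the STS endpoint; a result with `response_signed` true and `assertions_signed` 0 matches the situation described in the answer above.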

Replies

replied on June 2, 2020

Hi Bill,

I recommend taking a look at the SAML Response coming from your SAML provider and checking for typos and glaring errors. If nothing jumps out at you, ask your SP to open a support case and we'll run through some troubleshooting and inspect the SAML Response as well. What immediately comes to mind is the SID attribute may not be being sent properly, or there could be a mismatch between settings in the SAML provider and in LFDS, or there could be a case difference in the STS endpoint URL in LFDS and the SAML provider config.

0 0
replied on June 3, 2020

Nothing pops out at me in the SAML response as being incorrect. All the casing matches what is in LFDS (Audience, Recipient, and Destination). I had my SP open a support ticket, because nothing appears to be out of the ordinary. By SID, do you mean NameID?

0 0
replied on June 3, 2020

Sorry, I was thinking of AD FS; SID shouldn't be relevant here.

0 0