topic RE: Azure authentication in Product Forum

Azure authentication

jcastellanosm — Tue, 16 May 2023 08:30:00 GMT

Hi all,

Decipher 2.2 allows AD FS authentication via SAML, Is authentication with Azure AD allowed via this setup? Is it known if Blue Prism has plans to include authentication via Azure AD or LDAP?

Regards

------------------------------
Jesus Castellanos
------------------------------

RE: Azure authentication

Ben.Lyons1 — Tue, 16 May 2023 10:14:00 GMT

Hi Jesus,

Theoretically Azure AD can be configured using this method, providing the persons configuring it have the necessary experience and expertise with the respective AD elements. We are limited with how many different AD configurations we can reasonably test due to the sheer volume of potential set ups, so we weren't able to confirm support for it with the 2.2 release. However, I've heard examples of Decipher being configured with Azure AD, unfortunately I don't have any further details.

At this time it is not in the roadmap to provide AD support via LDAP.

Thanks

------------------------------
Ben Lyons
Senior Product Specialist - Decipher
SS&C Blue Prism
UK based
------------------------------

RE: Azure authentication

jcastellanosm — Thu, 18 May 2023 11:40:00 GMT

We're trying to configure Azure AD and the following error occurs in return URL page https://decipher.local/Account/SsoLogin

Any suggestion?

Error.

An error occurred while processing your request.

Please contact an administrator!

Take Me Home Contact Support

HttpAntiForgeryException

                                The required anti-forgery form field "__RequestVerificationToken" is not present.

thrown in Account SsoLogin

------------------------------
Jesus Castellanos
------------------------------

RE: Azure authentication

Ben.Lyons1 — Thu, 18 May 2023 12:24:00 GMT

Hi Jesus,

Sorry I'm not an expert in AD authentication/configuration. Though looking at the installation instructions it could be something to do with the token-signing certificate. I would ask your respective AD/IT Engineer to double check this configuration.

If everything looks as it should, you can raise a support ticket. Though if it's an issue specific to it being Azure AD, we may not be able to help as it's not currently supported.

Thanks

------------------------------
Ben Lyons
Senior Product Specialist - Decipher
SS&C Blue Prism
UK based
------------------------------

RE: Azure authentication

jcastellanosm — Wed, 24 May 2023 10:51:00 GMT

Hi Ben,

After importing the Saml2 XML in Azure AD, the https://decipher.url/Account/SsoLogin return url page gives us this other error: "Account does not have any user permissions associated with this application.". We already created the AD Group in Decipher IDP as described in the configuration guide of Saml ADFS Authentication.

In Decipher Web Server Log can be seen the following trace:

2023-05-24 12:18:32.9103 DEBUG [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1 Session_Start
2023-05-24 12:18:32.9103 DEBUG [12] Authenticating with SAML. Examining claims receved from the IdP...
2023-05-24 12:18:32.9103 DEBUG [12] All claims received: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Looking for claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn claim not present. Trying with NameIdentifier claim instead...
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Username found: 
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Username used for the Service Provider: 
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Logging in to the server...
2023-05-24 12:18:32.9103 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1 trying to log in to the server...
2023-05-24 12:18:32.9103 DEBUG [12] Trusted login details from IdP -> UserName:; UserGroups: 
2023-05-24 12:18:32.9103 DEBUG [12] Trusted login start...
2023-05-24 12:18:33.1513 DEBUG [12] Logged in with the master user - OK
2023-05-24 12:18:33.1583 DEBUG [12] User  does not exist.
2023-05-24 12:18:33.1583 DEBUG [12] None of the groups provided by the IdP exists. Access not granted from the IdP, possibly access revoked before a successful login
2023-05-24 12:18:33.1583 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1 ManagerCommunication.Logout
2023-05-24 12:18:33.1583 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, ManagerCommunication.Logout - TCP session exists
2023-05-24 12:18:33.1583 DEBUG [12]   Only TCP session exists.
2023-05-24 12:18:33.1713 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, ManagerCommunication.Logout - Logged out!
2023-05-24 12:18:33.1713 ERROR [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, Exception: SsiServerCommunication.SsiClientSessionException: Account does not have any user permissions associated with this application
   at Ssi.Communication.TCPCommunication.TrustedLogin.Login()
   at Ssi.Communication.TCPCommunication.TCPCommunication.TrustedLogin(String userName, List`1 userGroups)
   at Ssi.Communication.ManagerCommunication.ManagerCommunication.Login(String sessionId, String userName, String password, String ssiIpAddress, Int32 ssiPortNumber, Boolean trusted, List`1 userGroups)
   at Ssi.Logic.Communication.AccountLogic.LoginWithResult(String sessionId, String userName, String password, String subdomain, Boolean trusted, List`1 userGroups)
   at Ssi.Web.Controllers.AccountController.SsoLogin(LoginViewModel model, String returnUrl)

As can be seen, no UserName and UserGroups are found, and None of the groups provided by the IdP exists despite of they're already created.

Please tell us if you have any suggestion that can help us. I have created a Blue Prism support ticket (255939) with more details.

------------------------------
Jesus Castellanos
------------------------------

RE: Azure authentication

Ben.Lyons1 — Wed, 24 May 2023 12:28:00 GMT

Hi Jesus,

Thanks for raising the ticket, I'm working with the support engineer and he'll be in touch.

Thanks

------------------------------
Ben Lyons
Senior Product Specialist - Decipher
SS&C Blue Prism
UK based
------------------------------