16-05-23 09:30 AM
Hi all,
Decipher 2.2 allows AD FS authentication via SAML. Is authentication with Azure AD allowed via this setup? Is it known if Blue Prism has plans to include authentication via Azure AD or LDAP?
Regards
16-05-23 11:14 AM
Hi Jesus,
Theoretically Azure AD can be configured using this method, providing the persons configuring it have the necessary experience and expertise with the respective AD elements. We are limited in how many different AD configurations we can reasonably test due to the sheer volume of potential setups, so we weren't able to confirm support for it with the 2.2 release. However, I've heard examples of Decipher being configured with Azure AD; unfortunately, I don't have any further details.
At this time it is not in the roadmap to provide AD support via LDAP.
Thanks
18-05-23 12:40 PM
We're trying to configure Azure AD and the following error occurs on the return URL page https://decipher.local/Account/SsoLogin
Any suggestions?
The required anti-forgery form field "__RequestVerificationToken" is not present.
thrown in Account SsoLogin
18-05-23 01:24 PM
Hi Jesus,
Sorry, I'm not an expert in AD authentication/configuration. Though looking at the installation instructions, it could be something to do with the token-signing certificate. I would ask your respective AD/IT Engineer to double check this configuration.
If everything looks as it should, you can raise a support ticket. Though if it's an issue specific to it being Azure AD, we may not be able to help as it's not currently supported.
Thanks
24-05-23 11:51 AM
Hi Ben,
After importing the Saml2 XML in Azure AD, the https://decipher.url/Account/SsoLogin return URL page gives us this other error: "Account does not have any user permissions associated with this application." We already created the AD Group in Decipher IDP as described in the configuration guide of SAML ADFS Authentication.
The following trace can be seen in the Decipher Web Server log:
2023-05-24 12:18:32.9103 DEBUG [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1 Session_Start
2023-05-24 12:18:32.9103 DEBUG [12] Authenticating with SAML. Examining claims receved from the IdP...
2023-05-24 12:18:32.9103 DEBUG [12] All claims received: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Looking for claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn claim not present. Trying with NameIdentifier claim instead...
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Username found:
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Username used for the Service Provider:
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 Logging in to the server...
2023-05-24 12:18:32.9103 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1 trying to log in to the server...
2023-05-24 12:18:32.9103 DEBUG [12] Trusted login details from IdP -> UserName:; UserGroups:
2023-05-24 12:18:32.9103 DEBUG [12] Trusted login start...
2023-05-24 12:18:33.1513 DEBUG [12] Logged in with the master user - OK
2023-05-24 12:18:33.1583 DEBUG [12] User does not exist.
2023-05-24 12:18:33.1583 DEBUG [12] None of the groups provided by the IdP exists. Access not granted from the IdP, possibly access revoked before a successful login
2023-05-24 12:18:33.1583 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1 ManagerCommunication.Logout
2023-05-24 12:18:33.1583 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, ManagerCommunication.Logout - TCP session exists
2023-05-24 12:18:33.1583 DEBUG [12] Only TCP session exists.
2023-05-24 12:18:33.1713 INFO [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, ManagerCommunication.Logout - Logged out!
2023-05-24 12:18:33.1713 ERROR [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, Exception: SsiServerCommunication.SsiClientSessionException: Account does not have any user permissions associated with this application
at Ssi.Communication.TCPCommunication.TrustedLogin.Login()
at Ssi.Communication.TCPCommunication.TCPCommunication.TrustedLogin(String userName, List`1 userGroups)
at Ssi.Communication.ManagerCommunication.ManagerCommunication.Login(String sessionId, String userName, String password, String ssiIpAddress, Int32 ssiPortNumber, Boolean trusted, List`1 userGroups)
at Ssi.Logic.Communication.AccountLogic.LoginWithResult(String sessionId, String userName, String password, String subdomain, Boolean trusted, List`1 userGroups)
at Ssi.Web.Controllers.AccountController.SsoLogin(LoginViewModel model, String returnUrl)
As can be seen, no UserName and UserGroups are found, and none of the groups provided by the IdP exist even though they have already been created.
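A triage script for the trace in the post above, added here as an example and not part of the original thread or of Blue Prism's tooling: it extracts which claim types arrived, which claim lookup failed, and whether the trusted login carried a username or groups. The sample lines are copied from that trace; the function names and the group-list separator are assumptions.

```python
import re

# Lines copied verbatim from the Decipher Web Server log quoted in the post above.
SAMPLE_LOG = """\
2023-05-24 12:18:32.9103 DEBUG [12] All claims received: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:
2023-05-24 12:18:32.9103 INFO [12] Session: ahxwx0aixdys5yv3zzhjqeh1 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn claim not present. Trying with NameIdentifier claim instead...
2023-05-24 12:18:32.9103 DEBUG [12] Trusted login details from IdP -> UserName:; UserGroups:
2023-05-24 12:18:33.1583 DEBUG [12] None of the groups provided by the IdP exists. Access not granted from the IdP, possibly access revoked before a successful login
2023-05-24 12:18:33.1713 ERROR [12] SessionID: ahxwx0aixdys5yv3zzhjqeh1, Exception: SsiServerCommunication.SsiClientSessionException: Account does not have any user permissions associated with this application
"""

LINE = re.compile(r"^\S+ \S+ (DEBUG|INFO|WARN|ERROR) \[\d+\] (.*)$")
CLAIM_URI = re.compile(r"https?://[^\s:;,]+")          # claim type URI, trailing ':' excluded
TRUSTED = re.compile(r"UserName:(.*?); UserGroups:(.*)$")

def triage(log_text):
    """Collect the identity data the web server says it received from the IdP."""
    r = {"claim_types": [], "missing_claims": [], "username": None, "groups": None, "errors": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames and other non-log lines
        level, msg = m.group(1), m.group(2)
        if msg.startswith("All claims received:"):
            r["claim_types"] = CLAIM_URI.findall(msg)
        elif "claim not present" in msg:
            r["missing_claims"] += CLAIM_URI.findall(msg)
        elif (t := TRUSTED.search(msg)):
            r["username"] = t.group(1).strip()
            # Assumption: multiple groups would be separated by ',' or ';'.
            r["groups"] = [g.strip() for g in re.split(r"[,;]", t.group(2)) if g.strip()]
        elif level == "ERROR":
            r["errors"].append(msg)
    return r

def diagnose(r):
    """Turn the parsed values into the checks to take to the IdP's claim configuration."""
    issues = [f"claim not sent by IdP: {c}" for c in r["missing_claims"]]
    if r["username"] == "":
        issues.append("trusted login received an empty UserName")
    if r["groups"] == []:
        issues.append("trusted login received no UserGroups")
    return issues

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("claim types received:", result["claim_types"])
    for issue in diagnose(result):
        print("-", issue)
```
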
24-05-23 01:28 PM
Hi Jesus,
Thanks for raising the ticket, I'm working with the support engineer and he'll be in touch.
Thanks