Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Entra ID SSO error
-
Hello!
I'm trying to enable Entra ID SSO in our Proget environment; I've followed the steps from the documentation and completed the setup both on the ProGet side as well as the Entra ID side. When I try logging on with SSO it shows me the Entra ID logon page but throws an error after authentication.
The URL falls back to https://<our URL>/saml-acs-callback and shows the following error:
ERROR: Value cannot be null. (Parameter 'source')
Any idea on where I can troubleshoot this?
-
Hi @j-d-koning_0111,
This is most likely an issue with a claim configuration in Entra ID. The best way to start debugging this is use ProGet's SAML debug callback page (requires ProGet 2024.6 or later). That will allow us to see the SAML response that was sent back and the results of our parsing. To view this, you will need to update your SAML callback to be
http://<YOUR URL>/saml-acs-callback-debug
. Once you set that and you attempt to login using SAML in ProGet, it will redirect you to the SAML Debug page that will show you all this information. Please note that with the debug callback enabled, you will not be able to log into ProGet with it, it will only show you the SAML information.Once you configure the debug page and navigate to it, can you send me the contents of that page? That will allow us to determine what exactly is causing the issue. For security reasons, you can send it to support@inedo.com with an email subject of
[QA-1597]
. Just let us know once you have sent it and we will keep a look out.Thanks,
Rich
-
Hi, thanks for your response. I've emailed the SAML debug report.
-
Hi @j-d-koning_0111,
I received your email and took a look. It looks like everything is working on the SAML translation side. It was able to properly parse the SAML response. So that leads me to believe that it is happening while attempting to login. Do you see the SAML user show up in your Built-In users?
Also, when trying to log in, do you see that error in the diagnostics center in ProGet? I'm wondering if we can see a stack trace for that error to help narrow down what is causing the issue.
Thanks,
Rich
-
There's no users showing up in the Built-in users, also no error in the diagnostics center. Is there some way we can increase the logging level to capture events maybe?
-
Hi @j-d-koning_0111,
Thanks for that information. Which user directories do you currently have enabled in your instance? I'm wondering if the user is being found in another user directory and that might be cauising this issue. Unfortunately, I'm unable to recreate this error in testing.
In addition to the other user directories you have enabled, are you able to provide me the steps you took to setup your SAML integration?
Thanks,
Rich
-
Hi @j-d-koning_0111,
We had another ticket that came in with a similar issue. It looks like that error will happen when the SAML response does not include an email or a display name. We have a fix, PG-2727, that will be released on Friday in ProGet 2024.9.
Thanks,
Rich
-
Awesome! We'll await that fix.
-
Hi @j-d-koning_0111,
I just wanted to let you know that this fix released this past Friday.
Thanks,
Rich
-
Hi Rich, we still see the same behaviour after the update.
-
Hi @j-d-koning_0111,
I did some more testing and found another scenario where this could error, it's less common, but I'm guessing that is what is happening to you. In certain situations, an authentication cookie may be created for a new SAML user before the user was added to the system. This also would cause subsequent attempts to fail because the cookie was preventing the updated SAML logic from running. This issue has been fixed in PG-2738, which will be released on Friday.
Also, is your ProGet instance running in Docker or Windows?
Thanks,
Rich
-
Hi @j-d-koning_0111,
Just wanted to check in if PG-2738 fixed your issue. We have also been working with another customer that has had similar issues. We determined this was related to setting to Map groups to SAML groups setting. If you have this enabled and do not have any groups claims sent, it was causing the error you saw above. This last issue, PG-2745, will be released in the next maintenance release. As a work around, make sure you have your SAML provider configured to send groups claims.
Thanks,
Rich