SecureAuth SSO Integration

jbjahn
New Contributor III

Anyone have any luck with SecureAuth SSO integration with their Jamf Pro Software Server? I am not our SecureAuth engineer, but I have been advised that they followed the Ping Identity (https://www.jamf.com/jamf-nation/articles/439/configuring-single-sign-on-with-ping-identity) guide for configuring SecureAuth as closely as they could, and then I took care of the JSS side. When enabled, I am getting an SSO error when hitting our instance. Here is the log information:

Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
    ... 46 more
Caused by: org.opensaml.common.SAMLException: Assertion invalidated by subject confirmation - can't be confirmed by the bearer method
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifySubject(WebSSOProfileConsumerImpl.java:400)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:296)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
    ... 47 more

Would be willing to start from scratch if anyone has had luck setting up SecureAuth with JSS. TIA!

1 ACCEPTED SOLUTION

jbjahn
New Contributor III

Well, my SecureAuth engineer was able to figure this out. The response I got was:

It was the “SubjectConfirmationData Not Before” setting. I set it to False… and now it works.

That's all I got, hoping this helps someone else.
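
Added example (not part of the original posts, and not Jamf or SecureAuth code): the SAML 2.0 Web Browser SSO profile says bearer SubjectConfirmationData must not carry a NotBefore attribute, which matches the fix reported above. This Python script lints a captured assertion for that and the related bearer fields; the sample assertion, the `jss.example.com` URL and the function names are constructed for illustration.

```python
# Added example: lint the bearer SubjectConfirmation of a captured SAML assertion.
# Diagnostic only; it does not verify the XML signature.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample (not from the thread): an IdP that emits NotBefore here.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotBefore="2024-01-01T11:55:00Z"
          NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://jss.example.com:8443/saml/SSO"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC with a trailing "Z"; make that parseable everywhere.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lint_bearer(assertion_xml, acs_url, now):
    """Return the problems found in the assertion's bearer confirmations."""
    root = ET.fromstring(assertion_xml)
    confirmations = [c for c in root.iterfind(".//saml:SubjectConfirmation", NS)
                     if c.get("Method") == BEARER]
    if not confirmations:
        return ["no bearer SubjectConfirmation present"]
    problems = []
    for conf in confirmations:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("SubjectConfirmationData missing")
            continue
        if data.get("NotBefore") is not None:
            # The setting the SecureAuth engineer turned off controls this attribute.
            problems.append("NotBefore present on bearer SubjectConfirmationData")
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            problems.append("NotOnOrAfter missing")
        elif now >= parse_ts(expiry):
            problems.append("NotOnOrAfter has passed")
        if data.get("Recipient") != acs_url:
            problems.append("Recipient does not match the ACS URL")
    return problems
```

Pass `now` as a timezone-aware UTC datetime. An empty list means the bearer fields look acceptable; signature, audience and Conditions checks are out of scope here.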

tdclark
Contributor

Do you have any additional documentation that you found on this? I'm in the same boat with SecureAuth and I am intrigued by your post! Thanks!

motogp123
New Contributor

Sharing screenshots of our working POST Auth config in SecureAuth version 9.2 using group-based auth in the SAML assertion. Make sure to have these groups created on the Jamf side. Also tested to support user matching via the UPN attribute. If matching against user accounts, make sure to have the full UPN value created on the Jamf side.