Freshdesk SSO

Martin, Brandon L martinb at psd401.net
Mon Aug 10 13:36:45 EDT 2015


Nate,


Thank you for all your advice. I was able to successfully authenticate with the Freshdesk SSO!

However, I can't fully authenticate for my user attributes are encrypted and Freshdesk is not decrypting them before processing the information.


In my logs I can see I am getting the correct data from my ldap data connector. I then send the data to Freshdesk with this RelyingParty:


<bean parent="RelyingPartyByName" c:relyingPartyIds="https://psdts.freshdesk.com/login/saml">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" />
        </list>
    </property>
</bean>


I am only able to authenticate with encryptAssertions set to false.


In my logs I am sending this data:

20150810T161801Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|_099e8133-b076-4619-8c5e-7b9e12b9403f|https://psdts.freshdesk.com/login/saml|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.psd401.net/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_de8df0b4d8a4b113b68ae69b5318d8d5|martinb|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|email,givenname|AAdzZWNyZXQxWjxkJgQXriaalUPiVnhTsAPpLgNCDOsoFHgeRpknaFmi8yXR2AgZH+w01z6aRdPM2a7zUoB2HElqRVz0tDNNfmIlXBGpABYoR1hSBCB1WXn/5FdaV3Ba9/BcyrfwflMFv5Ujdx0Mt28EU+x/|_fae5fa2c6a4c578cb3fa03cfed4d5904


Then in the Freshdesk interface after I log in, it says my email is AAdzZWNyZXQxWjxkJgQXriaalUPiVnhTsAPpLgNCDOsoFHgeRpknaFmi8yXR2AgZH+w01z6aRdPM2a7zUoB2HElqRVz0tDNNfmIlXBGpABYoR1hSBCB1WXn/5FdaV3Ba9/BcyrfwflMFv5Ujdx0Mt28EU+x/.


I've tried several solutions from the internet without the result changing, from toying with md:NameIDFormat in the metadata to trying different options in the relying party.


Thank you



Brandon Martin

martinb at psd401.net

Peninsula School District

Data Integration Analyst

Ext: 3712
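
As an added diagnostic (not from this thread and not Shibboleth project code), the script below reads the audit line quoted above, splits it on the field order assumed to be the IdP v3 default (%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i), and checks whether the %n NameID field has the shape of a DataSealer-wrapped value (assumed layout: base64 of a 2-byte length-prefixed key alias followed by IV and ciphertext). It reads only the cleartext alias header and decrypts nothing; the point is to tell a sealed transient NameID apart from attribute data when an SP displays the wrong identifier.

```python
import base64
# Audit line copied from the message above, re-joined onto one line (the mail
# wrapped it). Field order is assumed to be the IdP v3 default audit format,
# %T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i (assumption, not from the thread).
AUDIT_LINE = (
    "20150810T161801Z|urn:mace:shibboleth:2.0:profiles:AuthnRequest|"
    "_099e8133-b076-4619-8c5e-7b9e12b9403f|https://psdts.freshdesk.com/login/saml|"
    "http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.psd401.net/idp/shibboleth|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_de8df0b4d8a4b113b68ae69b5318d8d5|martinb|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|email,givenname|"
    "AAdzZWNyZXQxWjxkJgQXriaalUPiVnhTsAPpLgNCDOsoFHgeRpknaFmi8yXR2AgZH+w01z6aRdPM2a7zUoB2HElqRVz0"
    "tDNNfmIlXBGpABYoR1hSBCB1WXn/5FdaV3Ba9/BcyrfwflMFv5Ujdx0Mt28EU+x/|_fae5fa2c6a4c578cb3fa03cfed4d5904"
)
FIELDS = ["time", "inbound_type", "inbound_id", "sp", "profile", "idp",
          "outbound_binding", "outbound_id", "user", "authn_context",
          "attributes", "nameid", "assertion_id"]

def parse_audit_line(line):
    """Split one pipe-delimited audit line into a dict keyed by FIELDS."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["attributes"] = rec["attributes"].split(",") if rec["attributes"] else []
    return rec

def sealed_key_alias(value):
    """Return the key alias if value has the shape of a DataSealer-wrapped blob
    (assumed layout: base64 of a 2-byte big-endian alias length, the alias,
    then IV and ciphertext); otherwise None. Only the cleartext header is read."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    alias_len = int.from_bytes(raw[:2], "big")  # 0 when raw is too short
    alias = raw[2:2 + alias_len]
    if alias_len == 0 or len(alias) < alias_len or len(raw) == 2 + alias_len:
        return None  # no alias, truncated alias, or nothing sealed after it
    if not alias.isascii() or not alias.decode("ascii").isprintable():
        return None
    return alias.decode("ascii")

def describe_nameid(rec):
    """Explain what the %n field carries, so it is not mistaken for an attribute."""
    alias = sealed_key_alias(rec["nameid"])
    if alias is None:
        return "plain NameID value"
    return f"DataSealer-wrapped NameID (key alias {alias!r}), not an encrypted attribute"
```

Run against the line above it reports a sealed NameID under the alias "secret1", which is the value the SP then shows as the email; the released attributes "email,givenname" are listed separately in the %attr field.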


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Nate Klingenstein <ndk at internet2.edu>
Sent: Saturday, August 8, 2015 11:02 PM
To: Shib Users
Subject: Re: Freshdesk SSO

Brandon,

That helps tremendously. I have been testing with the fingerprint of my encryption certificate. In the service it says the SHA-1 is the encryption and signing certificate.

It's possible to use different certificates for encryption and signature.  It wasn't a common case prior to the release of IdPv3, but I think they were probably trying to accommodate that.  As an IdP, your signing certificate is almost always the relevant one.

Does this mean in the metadata I include both xml objects to link signature and encryption as the same values as my X.509 signing certificate?

If I were to guess and reword this as "does this mean that I should enter my signing certificate's SHA-1 hash into the fields on their webpage", then I would say yes.  I'm not quite sure how to interpret your question as stated.

In other words, I tell my metadata-less friends about my encryption and signing certificates but they are both actually the cat of my signing certificate.

Well, the hash isn't just the entire base64-encoded printed raw value.  It's a specific field.  You can find that field using tools like openssl.

My browser certificate will be different than my IDP certificate. I am behind a load balancer that provides https certs, is this a problem?

No, generally it's a good thing because it gives you more flexibility in management of each certificate and won't need to roll over your IdP certificate with frequency.  It's a deployment decision, though.

Take care,
Nate.