VMware Horizon Community
ankoji1
Contributor

UAG3.10 and ADFS

Hello,

I'm working on a lab to test some integration with ADFS and UAG 3.10.

I've deployed a UAG 3.10 appliance that talks to an ADFS endpoint. The communication went fine, at least in the first part of the flow, but then I got an HTTP error 500 on https://domain/portal/samlsso.

I've looked through the log, and from what I can see:

There is an error validating the assertion in the UAG esmanager.log:
951[nioEventLoopGroup-10-12]ERROR interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 215][6c9a748c-7ace-400a-b95b-6787b19b39b9]: Error on validating assertion

java.lang.ClassCastException: org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorImpl cannot be cast to org.opensaml.saml.saml2.metadata.IDPSSODescriptor

I was not able to find any other log on the UAG. Intercepting the SAML response on the client, I get a success (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>).
Prior to this error there is an indication that UAG is proxying the request from /portal/samlsso to /portal/samlsso on host horizon_connector_address:443.
In the log there is an indication that the registered proxyRuleGroups are: MatchingRule(pattern=/portal(.*)|(/|/view-client(.*)|/portal(.*)|/appblast(.*)/|/downloads(.*)))]. The rule in bold should be hardcoded in some file because it is not present in the UAG administration GUI. So my idea to bypass the proxying for /portal/samlsso is not feasible.

For the above error, I fixed the issue by following the steps below.

On the ADFS side:
On UAG, import the Federation Metadata XML with the <SPSSODescriptor ... </SPSSODescriptor> removed.
Add <KeyDescriptor use="signing">.
Change the HTTP-Redirect binding Location field to use POST in the SingleSignOnService binding:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.domain.com/idp/profile/SAML2/POST/SSO"/>
Import the ADFS metadata into the UAG IDP.
Disable claim encryption (via PowerShell: Set-AdfsRelyingPartyTrust -TargetName "your target" -EncryptClaims $False).

The View portal page (https://viewurl/login/sso/saml) redirects without MFA enabled on ADFS. If I enable MFA authentication on ADFS, then the page (https://viewurl/login/sso/saml) does not redirect.

Below is the error in the ADFS events:


Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://viewurl/portal

Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

0 Replies
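As an added example (not code from the original post, from VMware or from Microsoft), the script below applies the UAG-side metadata edits the post lists to a constructed stand-in for an ADFS FederationMetadata.xml and then checks the result for the conditions that match the logged ClassCastException. The hostnames, the certificate values, the enveloped-signature placeholder and the Redirect/POST endpoint URLs are assumptions; the ADFS-side Set-AdfsRelyingPartyTrust step from the post is not reproduced here.

```python
"""Rewrite ADFS federation metadata into the IdP-only form the post describes.

Added example with constructed sample metadata; hostnames, certificate bytes
and the signature value are placeholders, not real ADFS output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def md(tag: str) -> str:
    """Clark-notation name for a SAML metadata element."""
    return f"{{{MD_NS}}}{tag}"


# Constructed stand-in for FederationMetadata.xml (assumption): the SPSSODescriptor
# comes before the IDPSSODescriptor, one KeyDescriptor carries no "use" attribute,
# and an enveloped signature placeholder sits on the EntityDescriptor.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://login.domain.com/adfs/services/trust">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.domain.com/adfs/ls/" index="0" isDefault="true"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-ENC-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-SIG-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.domain.com/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.domain.com/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def validate_for_uag(xml_text: str) -> List[str]:
    """List the conditions that would make an IdP-metadata import misbehave."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    roles = [c for c in root if c.tag in (md("SPSSODescriptor"), md("IDPSSODescriptor"))]
    if roles and roles[0].tag == md("SPSSODescriptor"):
        problems.append("first role descriptor is SPSSODescriptor (matches the ClassCastException)")
    if root.find(md("SPSSODescriptor")) is not None:
        problems.append("SPSSODescriptor present")
    idp = root.find(md("IDPSSODescriptor"))
    if idp is None:
        problems.append("no IDPSSODescriptor")
        return problems
    if not any(k.get("use") == "signing" for k in idp.findall(md("KeyDescriptor"))):
        problems.append('no KeyDescriptor use="signing"')
    if idp.find(md("SingleSignOnService")) is None:
        problems.append("no SingleSignOnService endpoint")
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        problems.append("enveloped metadata signature present; any edit invalidates it")
    return problems


def rewrite_for_uag(xml_text: str) -> Tuple[str, Dict[str, object]]:
    """Apply the post's UAG-side edits and return (new xml, report of what changed)."""
    root = ET.fromstring(xml_text)
    report: Dict[str, object] = {}
    # Step 1 (post): drop the SPSSODescriptor so only the IdP role is left.
    sps = root.findall(md("SPSSODescriptor"))
    for sp in sps:
        root.remove(sp)
    report["sp_removed"] = len(sps)
    idp = root.find(md("IDPSSODescriptor"))
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; nothing for UAG to import")
    # Step 2 (post): make sure one KeyDescriptor is explicitly use="signing".
    keys = idp.findall(md("KeyDescriptor"))
    report["signing_key_tagged"] = False
    if not any(k.get("use") == "signing" for k in keys):
        untyped = [k for k in keys if k.get("use") is None]  # no use= means both, per the spec
        if not untyped:
            raise ValueError("no signing key: assertion signatures could not be verified")
        untyped[0].set("use", "signing")
        report["signing_key_tagged"] = True
    # Step 3 (post): keep the HTTP-Redirect element, point its Location at the POST endpoint.
    ssos = idp.findall(md("SingleSignOnService"))
    post = next((s for s in ssos if s.get("Binding") == BIND_POST), None)
    redirect = next((s for s in ssos if s.get("Binding") == BIND_REDIRECT), None)
    if post is None or redirect is None:
        raise ValueError("need both HTTP-Redirect and HTTP-POST SingleSignOnService endpoints")
    redirect.set("Location", post.get("Location"))
    report["redirect_location"] = redirect.get("Location")
    # Caveat (assumption): the edited document no longer matches the enveloped
    # signature ADFS put on it, so remove the stale signature rather than ship it.
    sigs = root.findall(f"{{{DS_NS}}}Signature")
    for sig in sigs:
        root.remove(sig)
    report["signature_removed"] = len(sigs)
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    print("before:", validate_for_uag(SAMPLE_METADATA))
    rewritten, changes = rewrite_for_uag(SAMPLE_METADATA)
    print("changes:", changes)
    print("after:", validate_for_uag(rewritten))
```

Two points worth keeping in mind when using this. First, the check that the first role descriptor is an SPSSODescriptor is the condition that lines up with the logged "SPSSODescriptorImpl cannot be cast to IDPSSODescriptor"; removing that element is what the post's first step does. Second, once -EncryptClaims $False is set on the ADFS relying party trust, the assertion is protected only by TLS on the POST and by its XML signature, so the use="signing" KeyDescriptor that UAG imports is the only thing tying the assertion to the ADFS signing certificate; do not skip that step or point it at the wrong certificate.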