topic SSO - Generic SAML Server - 504 Gateway Time-out in Portal

SSO - Generic SAML Server - 504 Gateway Time-out

donguyenthanhla — Tue, 04 Feb 2025 11:28:57 GMT

Hi team,

With regards to SSO integration using Generic SAML Server, I follow the guideline and

Mandatory User Attributes & Claims

Field Name Value

identity/claims/givenname	First Name
identity/claims/name	Last Name
identity/claims/emailaddress	Email Address
groups	Groups
urn:mace:dir:attribute-def:userId	User Id

The IDP log in works. When user is redirected to https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso, it shows 504 Gateway Time-out. My SAML assertion attributes are

<saml:AttributeStatement> <saml:Attribute Name="UserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">67768004</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">admin</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:mace:dir:attribute-def:userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">67768004</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">Lan</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">Do</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement>

Please could you help what could go wrong

Thank you
Lan

Re: SSO - Generic SAML Server - 504 Gateway Time-out

masher — Fri, 07 Feb 2025 18:14:43 GMT

What happens when you run the "Test Connectivity" option under Identity Providers?

I've found that running an additional browser extension such as SAML-Tracer (https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en&pli=1) to be helpful in tracking down request/response issues.

Re: SSO - Generic SAML Server - 504 Gateway Time-out

donguyenthanhla — Tue, 11 Feb 2025 02:51:39 GMT

Hi Masher

I use SAML tracer. Please find the steps

1. Init test

2. IDP log in with SAML request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_04c64b9513de19afe615" Version="2.0" IssueInstant="2025-02-11T02:43:18.159Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://securenvoy.azuredev.mysecurenvoy.com/identity/saml2?app=6134" AssertionConsumerServiceURL="https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">f1f35e8e-3aa5-4fd7-96a9-69259dba2c8d.cloudinfra.checkpoint.com</saml:Issuer> <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /> </samlp:AuthnRequest>

3. Log in successfully. Redirect to https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso. After a while, it show 504 Gateway timeout. The Test is still running

Detail SAML response

<Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f0529997-2c88-44ab-8d1b-5dfc581aebf5" InResponseTo="_04c64b9513de19afe615" Version="2.0" IssueInstant="2025-02-11T02:47:06.8456102Z" Destination="https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso" > <saml:Issuer>https://securenvoy.azuredev.mysecurenvoy.com/identity</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <Reference URI="#_f0529997-2c88-44ab-8d1b-5dfc581aebf5"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <DigestValue>AG8HAeeJwIugjxqzAx9pOHqqQp8kUgTwub3ssiaWo2o=</DigestValue> </Reference> </SignedInfo> <SignatureValue>e+cg7CAbFqb375RMTrkn6Pu3e3VLvAwjHxHXfDlwjvT/qiwwL5aO3AS6SJf0wx71Vy7FhZoHoYsvr9J+BgSOrcmAJjWeAfkCyzQDI28Q1qj+16rnDO2BWt9SDyY0nnoGGRuhjTixZrgU3OwZ+XQTlbgSvmZSJ8RteTfSvPSr6T6VipAT7OtqWMgB8F5zBfwKV7rWkc5q3TAdGGu2Uyg/dhUI5ToVb/Bi6pc3h02jT/PEh/TxXFCEAPXhFiqYVmWjXgM9wOKmfsDm8I4WNcN3OUS3Eh5Sc4IcCtSfmYP+uLKH18yr4vhmgbBGRjbkRD7B6Qdk4ExltVusC+v4MSCVow==</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIIEMzCCAxugAwIBAgIUKncZWBUy7vm/+GNbBcsaT7OGaUkwDQYJKoZIhvcNAQELBQAwgagxCzAJBgNVBAYTAkdCMRIwEAYDVQQIDAlIYW1wc2hpcmUxFDASBgNVBAcMC0Jhc2luZ3N0b2tlMRMwEQYDVQQKDApTZWN1ckVudm95MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UEAwwUc2VjdXJlbnZveS5kaXJlY3RvcnkxJTAjBgkqhkiG9w0BCQEWFnN5c3RlbXNAc2VjdXJlbnZveS5jb20wHhcNMjMwNTA5MDc1NDIyWhcNMjgwNTA4MDc1NDIyWjCBqDELMAkGA1UEBhMCR0IxEjAQBgNVBAgMCUhhbXBzaGlyZTEUMBIGA1UEBwwLQmFzaW5nc3Rva2UxEzARBgNVBAoMClNlY3VyRW52b3kxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQDDBRzZWN1cmVudm95LmRpcmVjdG9yeTElMCMGCSqGSIb3DQEJARYWc3lzdGVtc0BzZWN1cmVudm95LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIyLdFrHvJEU5OgC8KqCqJ2+F5jwho+fusouu8DIBAx2L/ShhmekZqBbtHvwtLU73iHmHor3QZ7l1PzCAQnvBhUyg3nOmlxt2GwONtUlQ7+GYTWhVU1aF3fmKKuirxwK6l1kuAfvQi3BpeCh8pmKsmBIKyaaV5Rh3GdwqoUYq7lBFuPsL5XWWGhUNDjuSxl6EAPQ6a9HDG2CVKtALlNkZaLTE489eajXM+ifs2Ag/k8tqPv/LZrSbwjMsk1BJo/H9Bb3PxdDAkBK7c4KSear013sXj6QYPMi1o1nZAfA+F5JlPWnqd2VeQ76agQYzuMnh1jHI5ts6Ir2dgpB4R41K8CAwEAAaNTMFEwHQYDVR0OBBYEFLYWadrDG9Ghm8+xcYcdnujYy584MB8GA1UdIwQYMBaAFLYWadrDG9Ghm8+xcYcdnujYy584MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE1x1I0zgSDoZrd3Bc8r6RTStAsqAt4TARFHVlFcCY8MDy9kilMS5C57fWDtOeHgVeC4CsFc+cQuoensJ/NQTUFtze42bMwBjzloD+ZOt2plJspVJK/JBXZuSaKvn3cTQ8NhYeYJaGaxi/NhoAPjgZUItT9kSdiotVVpAXXR7QqgR6bX36qAW8QeASk4WZRCpMBjY5t8x34Iab8VzmJE38frjryYheglBs1zOYIMJNWIU+TDIjVjkBojAszCFikreELowGTkKq6uqtvYS24bHY0liIndZ7VKibfTqXdAjmswS/8uf9WJqvrkTmdFwj5OlZCeEIOOAwmCELrr2Bg2loI=</X509Certificate> </X509Data> </KeyInfo> </Signature> <Status> <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </Status> <saml:Assertion Version="2.0" ID="_41d43c47-b69c-4434-b3ca-3021232a3d09" IssueInstant="2025-02-11T02:47:06.8460516Z" > <saml:Issuer>https://securenvoy.azuredev.mysecurenvoy.com/identity</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <Reference URI="#_41d43c47-b69c-4434-b3ca-3021232a3d09"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <DigestValue>gDV6ZL8hUGrL56yGFVs6jgfKa/47ZiRsg2pZdMzhN9E=</DigestValue> </Reference> </SignedInfo> <SignatureValue>ZtIRRMaVhUoQVM97/UjnIEHDWA71FLcQZoEnaNFaS5St0Cjx0midtTfiEIuFQtjjAUSMpw23xbBFolareRoFfZy/qn20KdynxBZXISw+OurBSiI9rYgKoenbAqpmACFcPoqc7SGlRAADL1GUV8CGzs/6PaYLzSO0UfPj8m61EUEeoymCoOgIV1KKfB+NIh3SRIn5+/a1FlxUZAuXh8OQ0RXGCvAUnwmB9A1iFKq8gvuJyxzFcXU4gPNNZzTJXQnCVAXHNjBUKBk0nwau6dlX69Hxg4j35Csmlsj33KJJi8UbZjKI+xTsCSmmKbJe1BfoVPPUISUjUFtZC6Eo+UGpGQ==</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIIEMzCCAxugAwIBAgIUKncZWBUy7vm/+GNbBcsaT7OGaUkwDQYJKoZIhvcNAQELBQAwgagxCzAJBgNVBAYTAkdCMRIwEAYDVQQIDAlIYW1wc2hpcmUxFDASBgNVBAcMC0Jhc2luZ3N0b2tlMRMwEQYDVQQKDApTZWN1ckVudm95MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UEAwwUc2VjdXJlbnZveS5kaXJlY3RvcnkxJTAjBgkqhkiG9w0BCQEWFnN5c3RlbXNAc2VjdXJlbnZveS5jb20wHhcNMjMwNTA5MDc1NDIyWhcNMjgwNTA4MDc1NDIyWjCBqDELMAkGA1UEBhMCR0IxEjAQBgNVBAgMCUhhbXBzaGlyZTEUMBIGA1UEBwwLQmFzaW5nc3Rva2UxEzARBgNVBAoMClNlY3VyRW52b3kxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQDDBRzZWN1cmVudm95LmRpcmVjdG9yeTElMCMGCSqGSIb3DQEJARYWc3lzdGVtc0BzZWN1cmVudm95LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIyLdFrHvJEU5OgC8KqCqJ2+F5jwho+fusouu8DIBAx2L/ShhmekZqBbtHvwtLU73iHmHor3QZ7l1PzCAQnvBhUyg3nOmlxt2GwONtUlQ7+GYTWhVU1aF3fmKKuirxwK6l1kuAfvQi3BpeCh8pmKsmBIKyaaV5Rh3GdwqoUYq7lBFuPsL5XWWGhUNDjuSxl6EAPQ6a9HDG2CVKtALlNkZaLTE489eajXM+ifs2Ag/k8tqPv/LZrSbwjMsk1BJo/H9Bb3PxdDAkBK7c4KSear013sXj6QYPMi1o1nZAfA+F5JlPWnqd2VeQ76agQYzuMnh1jHI5ts6Ir2dgpB4R41K8CAwEAAaNTMFEwHQYDVR0OBBYEFLYWadrDG9Ghm8+xcYcdnujYy584MB8GA1UdIwQYMBaAFLYWadrDG9Ghm8+xcYcdnujYy584MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE1x1I0zgSDoZrd3Bc8r6RTStAsqAt4TARFHVlFcCY8MDy9kilMS5C57fWDtOeHgVeC4CsFc+cQuoensJ/NQTUFtze42bMwBjzloD+ZOt2plJspVJK/JBXZuSaKvn3cTQ8NhYeYJaGaxi/NhoAPjgZUItT9kSdiotVVpAXXR7QqgR6bX36qAW8QeASk4WZRCpMBjY5t8x34Iab8VzmJE38frjryYheglBs1zOYIMJNWIU+TDIjVjkBojAszCFikreELowGTkKq6uqtvYS24bHY0liIndZ7VKibfTqXdAjmswS/8uf9WJqvrkTmdFwj5OlZCeEIOOAwmCELrr2Bg2loI=</X509Certificate> </X509Data> </KeyInfo> </Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ldo@securenvoy.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData Recipient="https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso" NotOnOrAfter="2025-02-13T14:47:06.8460558Z" InResponseTo="_04c64b9513de19afe615" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2025-02-08T14:47:06.8460585Z" NotOnOrAfter="2025-02-13T14:47:06.8460588Z" > <saml:AudienceRestriction> <saml:Audience>f1f35e8e-3aa5-4fd7-96a9-69259dba2c8d.cloudinfra.checkpoint.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2025-02-11T02:47:06.8460604Z" SessionIndex="_41d43c47-b69c-4434-b3ca-3021232a3d09" > <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">Everyone</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="urn:mace:dir:attribute-def:userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">67768004</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">Lan</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">Do</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > <saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </Response>

Thank you for looking into this issue

Lan

Re: SSO - Generic SAML Server - 504 Gateway Time-out

PhoneBoy — Tue, 11 Feb 2025 15:31:55 GMT

The fact is you're getting some sort of SAML response.
TAC will need to be involved to troubleshoot further.

Re: SSO - Generic SAML Server - 504 Gateway Time-out

masher — Tue, 11 Feb 2025 15:58:24 GMT

One issue I see in this response is that the urd:mace:dir:atttribute-def:userId value is not set to Email. Your response shows another value rather than passing the email address back to Infinity Portal. While the Infinity Port IdP settings ask for that to be set to User Id, I've found in previous testing that the identity provider needs to set this to be the email address.

If setting this to Email from within the IDP doesn't work, I also agree with @PhoneBoy and recommend opening a TAC case to further troubleshoot.

Re: SSO - Generic SAML Server - 504 Gateway Time-out

donguyenthanhla — Wed, 26 Feb 2025 08:56:59 GMT

Hi Masher

I try as you mentioned but still 504 Gateway Time-out is returned. Please find screenshot attached.

Please could you share how I can open a TAC case?

Thanks
Lan

Re: SSO - Generic SAML Server - 504 Gateway Time-out

PhoneBoy — Wed, 26 Feb 2025 17:33:11 GMT

If you have a support contract with Check Point: https://help.checkpoint.com
Otherwise, you will need to work with your reseller.