This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
donguyenthanhla
Explorer
2 weeks ago

SSO - Generic SAML Server - 504 Gateway Time-out

Hi team,

With regards to SSO integration using Generic SAML Server, I follow the guideline and 

Mandatory User Attributes & Claims

Field Name Value

identity/claims/givennameFirst Name
identity/claims/nameLast Name
identity/claims/emailaddressEmail Address
groupsGroups
urn:mace:dir:attribute-def:userIdUser Id

 

The IDP log in works. When user is redirected to https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso, it shows 504 Gateway Time-out. My SAML assertion attributes are 

 

<saml:AttributeStatement>
	<saml:Attribute Name="UserID"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">67768004</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="username"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="email"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="groups"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">admin</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="urn:mace:dir:attribute-def:userId"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">67768004</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="identity/claims/givenname"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">Lan</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="identity/claims/name"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">Do</saml:AttributeValue>
	</saml:Attribute>
	<saml:Attribute Name="identity/claims/emailaddress"
					NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
					>
		<saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue>
	</saml:Attribute>
</saml:AttributeStatement>

 

 

Please could you help what could go wrong 

Thank you
Lan

 

0 Kudos
4 Replies
masher
Employee
Employee
2 weeks ago

What happens when you run the "Test Connectivity" option under Identity Providers?

I've found that running an additional browser extension such as SAML-Tracer (https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en&pli=1) to be helpful in tracking down request/response issues.

donguyenthanhla
Explorer
a week ago
In response to masher

Hi Masher

 

I use SAML tracer. Please find the steps 

1. Init test

 

1.jpg

2. IDP log in with SAML request

2.jpg

 

 

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="_04c64b9513de19afe615"
                    Version="2.0"
                    IssueInstant="2025-02-11T02:43:18.159Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Destination="https://securenvoy.azuredev.mysecurenvoy.com/identity/saml2?app=6134"
                    AssertionConsumerServiceURL="https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">f1f35e8e-3aa5-4fd7-96a9-69259dba2c8d.cloudinfra.checkpoint.com</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

 

 

3. Log in successfully. Redirect to https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso. After a while, it show 504 Gateway timeout. The Test is still running

 

3.jpg

 

Detail SAML response

 

<Response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="_f0529997-2c88-44ab-8d1b-5dfc581aebf5"
          InResponseTo="_04c64b9513de19afe615"
          Version="2.0"
          IssueInstant="2025-02-11T02:47:06.8456102Z"
          Destination="https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso"
          >
    <saml:Issuer>https://securenvoy.azuredev.mysecurenvoy.com/identity</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#_f0529997-2c88-44ab-8d1b-5dfc581aebf5">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>AG8HAeeJwIugjxqzAx9pOHqqQp8kUgTwub3ssiaWo2o=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>e+cg7CAbFqb375RMTrkn6Pu3e3VLvAwjHxHXfDlwjvT/qiwwL5aO3AS6SJf0wx71Vy7FhZoHoYsvr9J+BgSOrcmAJjWeAfkCyzQDI28Q1qj+16rnDO2BWt9SDyY0nnoGGRuhjTixZrgU3OwZ+XQTlbgSvmZSJ8RteTfSvPSr6T6VipAT7OtqWMgB8F5zBfwKV7rWkc5q3TAdGGu2Uyg/dhUI5ToVb/Bi6pc3h02jT/PEh/TxXFCEAPXhFiqYVmWjXgM9wOKmfsDm8I4WNcN3OUS3Eh5Sc4IcCtSfmYP+uLKH18yr4vhmgbBGRjbkRD7B6Qdk4ExltVusC+v4MSCVow==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>MIIEMzCCAxugAwIBAgIUKncZWBUy7vm/+GNbBcsaT7OGaUkwDQYJKoZIhvcNAQELBQAwgagxCzAJBgNVBAYTAkdCMRIwEAYDVQQIDAlIYW1wc2hpcmUxFDASBgNVBAcMC0Jhc2luZ3N0b2tlMRMwEQYDVQQKDApTZWN1ckVudm95MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UEAwwUc2VjdXJlbnZveS5kaXJlY3RvcnkxJTAjBgkqhkiG9w0BCQEWFnN5c3RlbXNAc2VjdXJlbnZveS5jb20wHhcNMjMwNTA5MDc1NDIyWhcNMjgwNTA4MDc1NDIyWjCBqDELMAkGA1UEBhMCR0IxEjAQBgNVBAgMCUhhbXBzaGlyZTEUMBIGA1UEBwwLQmFzaW5nc3Rva2UxEzARBgNVBAoMClNlY3VyRW52b3kxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQDDBRzZWN1cmVudm95LmRpcmVjdG9yeTElMCMGCSqGSIb3DQEJARYWc3lzdGVtc0BzZWN1cmVudm95LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIyLdFrHvJEU5OgC8KqCqJ2+F5jwho+fusouu8DIBAx2L/ShhmekZqBbtHvwtLU73iHmHor3QZ7l1PzCAQnvBhUyg3nOmlxt2GwONtUlQ7+GYTWhVU1aF3fmKKuirxwK6l1kuAfvQi3BpeCh8pmKsmBIKyaaV5Rh3GdwqoUYq7lBFuPsL5XWWGhUNDjuSxl6EAPQ6a9HDG2CVKtALlNkZaLTE489eajXM+ifs2Ag/k8tqPv/LZrSbwjMsk1BJo/H9Bb3PxdDAkBK7c4KSear013sXj6QYPMi1o1nZAfA+F5JlPWnqd2VeQ76agQYzuMnh1jHI5ts6Ir2dgpB4R41K8CAwEAAaNTMFEwHQYDVR0OBBYEFLYWadrDG9Ghm8+xcYcdnujYy584MB8GA1UdIwQYMBaAFLYWadrDG9Ghm8+xcYcdnujYy584MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE1x1I0zgSDoZrd3Bc8r6RTStAsqAt4TARFHVlFcCY8MDy9kilMS5C57fWDtOeHgVeC4CsFc+cQuoensJ/NQTUFtze42bMwBjzloD+ZOt2plJspVJK/JBXZuSaKvn3cTQ8NhYeYJaGaxi/NhoAPjgZUItT9kSdiotVVpAXXR7QqgR6bX36qAW8QeASk4WZRCpMBjY5t8x34Iab8VzmJE38frjryYheglBs1zOYIMJNWIU+TDIjVjkBojAszCFikreELowGTkKq6uqtvYS24bHY0liIndZ7VKibfTqXdAjmswS/8uf9WJqvrkTmdFwj5OlZCeEIOOAwmCELrr2Bg2loI=</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </Status>
    <saml:Assertion Version="2.0"
                    ID="_41d43c47-b69c-4434-b3ca-3021232a3d09"
                    IssueInstant="2025-02-11T02:47:06.8460516Z"
                    >
        <saml:Issuer>https://securenvoy.azuredev.mysecurenvoy.com/identity</saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_41d43c47-b69c-4434-b3ca-3021232a3d09">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>gDV6ZL8hUGrL56yGFVs6jgfKa/47ZiRsg2pZdMzhN9E=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>ZtIRRMaVhUoQVM97/UjnIEHDWA71FLcQZoEnaNFaS5St0Cjx0midtTfiEIuFQtjjAUSMpw23xbBFolareRoFfZy/qn20KdynxBZXISw+OurBSiI9rYgKoenbAqpmACFcPoqc7SGlRAADL1GUV8CGzs/6PaYLzSO0UfPj8m61EUEeoymCoOgIV1KKfB+NIh3SRIn5+/a1FlxUZAuXh8OQ0RXGCvAUnwmB9A1iFKq8gvuJyxzFcXU4gPNNZzTJXQnCVAXHNjBUKBk0nwau6dlX69Hxg4j35Csmlsj33KJJi8UbZjKI+xTsCSmmKbJe1BfoVPPUISUjUFtZC6Eo+UGpGQ==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIEMzCCAxugAwIBAgIUKncZWBUy7vm/+GNbBcsaT7OGaUkwDQYJKoZIhvcNAQELBQAwgagxCzAJBgNVBAYTAkdCMRIwEAYDVQQIDAlIYW1wc2hpcmUxFDASBgNVBAcMC0Jhc2luZ3N0b2tlMRMwEQYDVQQKDApTZWN1ckVudm95MRQwEgYDVQQLDAtFbmdpbmVlcmluZzEdMBsGA1UEAwwUc2VjdXJlbnZveS5kaXJlY3RvcnkxJTAjBgkqhkiG9w0BCQEWFnN5c3RlbXNAc2VjdXJlbnZveS5jb20wHhcNMjMwNTA5MDc1NDIyWhcNMjgwNTA4MDc1NDIyWjCBqDELMAkGA1UEBhMCR0IxEjAQBgNVBAgMCUhhbXBzaGlyZTEUMBIGA1UEBwwLQmFzaW5nc3Rva2UxEzARBgNVBAoMClNlY3VyRW52b3kxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQDDBRzZWN1cmVudm95LmRpcmVjdG9yeTElMCMGCSqGSIb3DQEJARYWc3lzdGVtc0BzZWN1cmVudm95LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIyLdFrHvJEU5OgC8KqCqJ2+F5jwho+fusouu8DIBAx2L/ShhmekZqBbtHvwtLU73iHmHor3QZ7l1PzCAQnvBhUyg3nOmlxt2GwONtUlQ7+GYTWhVU1aF3fmKKuirxwK6l1kuAfvQi3BpeCh8pmKsmBIKyaaV5Rh3GdwqoUYq7lBFuPsL5XWWGhUNDjuSxl6EAPQ6a9HDG2CVKtALlNkZaLTE489eajXM+ifs2Ag/k8tqPv/LZrSbwjMsk1BJo/H9Bb3PxdDAkBK7c4KSear013sXj6QYPMi1o1nZAfA+F5JlPWnqd2VeQ76agQYzuMnh1jHI5ts6Ir2dgpB4R41K8CAwEAAaNTMFEwHQYDVR0OBBYEFLYWadrDG9Ghm8+xcYcdnujYy584MB8GA1UdIwQYMBaAFLYWadrDG9Ghm8+xcYcdnujYy584MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE1x1I0zgSDoZrd3Bc8r6RTStAsqAt4TARFHVlFcCY8MDy9kilMS5C57fWDtOeHgVeC4CsFc+cQuoensJ/NQTUFtze42bMwBjzloD+ZOt2plJspVJK/JBXZuSaKvn3cTQ8NhYeYJaGaxi/NhoAPjgZUItT9kSdiotVVpAXXR7QqgR6bX36qAW8QeASk4WZRCpMBjY5t8x34Iab8VzmJE38frjryYheglBs1zOYIMJNWIU+TDIjVjkBojAszCFikreELowGTkKq6uqtvYS24bHY0liIndZ7VKibfTqXdAjmswS/8uf9WJqvrkTmdFwj5OlZCeEIOOAwmCELrr2Bg2loI=</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ldo@securenvoy.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData Recipient="https://cloudinfra-gw.portal.checkpoint.com/api/saml/sso"
                                              NotOnOrAfter="2025-02-13T14:47:06.8460558Z"
                                              InResponseTo="_04c64b9513de19afe615"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2025-02-08T14:47:06.8460585Z"
                         NotOnOrAfter="2025-02-13T14:47:06.8460588Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>f1f35e8e-3aa5-4fd7-96a9-69259dba2c8d.cloudinfra.checkpoint.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2025-02-11T02:47:06.8460604Z"
                             SessionIndex="_41d43c47-b69c-4434-b3ca-3021232a3d09"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="groups"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xsd:string">Everyone</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:dir:attribute-def:userId"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xsd:string">67768004</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="identity/claims/givenname"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xsd:string">Lan</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="identity/claims/name"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xsd:string">Do</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="identity/claims/emailaddress"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xsd:string">ldo@securenvoy.com</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</Response>

 

 

Thank you for looking into this issue

Lan

 

0 Kudos
PhoneBoy
Admin
Admin
a week ago
In response to donguyenthanhla

The fact is you're getting some sort of SAML response.
TAC will need to be involved to troubleshoot further.

0 Kudos
masher
Employee
Employee
a week ago
In response to donguyenthanhla

One issue I see in this response is that the urd:mace:dir:atttribute-def:userId  value is not set to Email. Your response shows another value rather than passing the email address back to Infinity Portal. While the Infinity Port IdP settings ask for that to be set to User Id, I've found in previous testing that the identity provider needs to set this to be the email address. 

If setting this to Email from within the IDP doesn't work, I also agree with @PhoneBoy  and recommend opening a TAC case to further troubleshoot. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events