Thanks for your reply,
I opened an incident with Pulse support, but they replied that the problem is on G SUITE and they can't help me.
These are my steps:
1. [Pulse] Set SAML settings
-> Configuration -> SAML -> Settings
Timeout value for metadata fetch request: 300
Validity of uploaded/downloaded metadata file: 0
Cluster FQDN for SAML: test.mydomain.com
-> Save change -> Save -> Update Entity Ids -> Update Entity Ids
2. [GSUITE] Create APPs SAML
-> Admin Console -> Apps -> SAML Apps -> Add a service/App to your domain
-> SETUP MY OWN CUSTOM APP
download metadata and certificate -> Next
Application Name: PULSE_SSLVPN -> Next
ACS URL: https://test.mydomain.com/gsuite
Entity ID: https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi (on Pulse in Sign-in -> Sign-in SAML -> Metadata Provider -> Entity Id)
Name ID: Basic Information - Primary Email
Name ID Format: Email
-> Next
-> Add new mapping
email - Basic Information - Primary Email
-> Finish
-> Edit services -> ON for everyone -> SAVE
3. [Pulse] Create Auth. Server
-> (selected) SAML Server -> New Server
Server Name: SAML_Server
SAML Version: 2.0
Connect Secure Entity ID: https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Configuration Mode: Manual
Identity Provider Entity Id: https://accounts.google.com/o/saml2?idpid=XX123xxx4
Identity Provider Single Sign On Service URL: https://accounts.google.com/o/saml2/idp?idpid=XX123xxx4
SSO Method: Post
Upload Certificate (from the GSUITE PEM downloaded before)
Select Requested Authn Context Classes to be sent in the AuthRequest: ????? Secure Remote Password
Metadata Validity: 9999
-> Save changes
4. User Roles > New -> Test_SAML
General ->
Session Options
UI Options
Pulse Secure client
Web
Secure Application Manager
Windows version
VPN Tunneling
5. [Pulse] User Realms
User Realms > User Authentication Realms -> New
Name: GSuite_Users
Authentication: SAML_Server
-> Save Change
6. [Pulse] Role Mapping -> New
Rule based on: username
Name: GSUITE_RoleMapping
Rule:If username...: *
Available Roles: Test_SAML
Stop processing rules when this rule matches
-> Save changes
7. [Pulse] Sign-in Policies
-> Signing In > Sign-in Policies -> New Url
User type: Users
Sign-in URL: */gsuite/
Authentication realm -> User picks from a list of authentication realms Ues -> GSuite_Users -> Save Change
8. I try to connect via the URL:
And after login I receive this error:
403. That’s an error.
Error: app_not_configured_for_user
Service is not configured for this user.
Request Details
idpid=C0189zsi8
SAMLRequest=
RelayState=https://test.mydomain.com/gsuite
That’s all we know.
Thanks to all for the support.

Hi Marco,
As Ray mentioned, the entity IDs are not the same:
Entity ID: https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi (on Pulse in Sign-in -> Sign-in SAML -> Metadata Provider -> Entity Id)
Connect Secure Entity ID: https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1
Request you to please try with the same entity ID in both the auth server and the G Suite Admin console.
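One way to confirm the mismatch described in this reply without guessing: take the SAMLRequest value from the "Request Details" of Google's 403 page, decode it, and compare the Issuer and AssertionConsumerServiceURL that Pulse actually sends against the Entity ID and ACS URL entered in the G Suite SAML app. This is an added example, not code from the thread or from Pulse Secure; the AuthnRequest it decodes is constructed inline with the thread's URLs.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 AuthnRequest
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def decode_saml_request(param: str) -> str:
    """Undo the SAMLRequest encoding: the HTTP-Redirect binding is base64 over raw
    DEFLATE, the HTTP-POST binding is base64 only."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):                    # POST binding: already XML
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")     # -15: raw DEFLATE, no zlib header


def sp_identity(xml_text: str) -> dict:
    """The two values the IdP matches against its SAML app: Issuer and ACS URL."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {"issuer": (issuer.text or "").strip() if issuer is not None else None,
            "acs_url": root.get("AssertionConsumerServiceURL")}


def check_against_idp(param: str, idp_entity_id: str, idp_acs_url: str) -> list:
    """Return mismatches between what the SP sends and what the IdP app was given;
    an empty list means the IdP has no reason to reject the request on identity."""
    ident = sp_identity(decode_saml_request(param))
    problems = []
    if ident["issuer"] != idp_entity_id:
        problems.append(f"Issuer {ident['issuer']!r} != app Entity ID {idp_entity_id!r}")
    if ident["acs_url"] != idp_acs_url:
        problems.append(f"ACS {ident['acs_url']!r} != app ACS URL {idp_acs_url!r}")
    return problems


def build_sample_request(issuer: str, acs_url: str) -> str:
    """Constructed AuthnRequest, encoded as a Redirect-binding SAMLRequest parameter."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_constructed" Version="2.0" IssueInstant="2019-05-14T12:15:17Z" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


# Thread values: Pulse issues "...?p=sp1" while the G Suite app was given the bare URL
SP_ISSUER = "https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1"
GSUITE_ENTITY_ID = "https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi"
ACS_URL = "https://test.mydomain.com/gsuite"
```

Running `check_against_idp(build_sample_request(SP_ISSUER, ACS_URL), GSUITE_ENTITY_ID, ACS_URL)` reports the Issuer mismatch; with `SP_ISSUER` on both sides it returns an empty list.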

Hi,
thanks for the reply,
but the two records are pre-compiled and I can't modify them!
I changed the Entity ID in GSUITE to https://test.mydomain.com/dana-na/auth/saml-endpoint.cgi?p=sp1
and tried to connect, but after login the system redirects in a loop without loading the page (the page URL changes every second but no content loads).

Hi,
If I am guessing right, the client is entering an infinite loop after login completes. If this is the case, then I guess the problem is with the Max. Session Length value in the Role > General > Session Options > Max. Session Length section. Request you to please make the Max. Session Length value greater than 10 minutes (if it is not) and try again.

Hi,
thank you so much for your reply, yes, that is my problem, but I don't understand where to set this change.
On Pulse I see only this:
User Realms -> Test_SAML -> General -> Session Option ->
Idle Timeout: 600 minutes (min: 5)
Max. Session Length: 720 minutes (min: 6)
Reminder Time: 5 minutes (min: 3)
But the problem is not solved.

Hi,
Yes, that is where it is set (User Realms > Test_SAML > General > Session Options). Logs from the server side will give us an idea of what the problem is. It would be great if you could just send a snip of the logs spewed during the login process.

Hi,
in the log (Log/Monitoring > User Access > Log) I see this record every second:
Info SML31067 2019-05-14 12:15:17 - xxx-xxx-xxxxx02 - [127.0.0.1] System()[] - SAML AuthnRequest generation succeeded for SigninUrl:'https://test.mydomain.com/gsuite', SSO Service URL: 'https://accounts.google.com/o/saml2/idp?idpid=X1234xxx5'
and in Log/Monitoring > Events > Logs:
Minor AUT24604 2019-05-14 12:21:13 - xxx-xxx-xxxxx02 - [00.0.00.0] System()[] - SSL negotiation failed while client at source IP '00.0.00.0' was trying to connect to 'IP Internal Cluster PSA'. Reason: 'sslv3 alert certificate unknown'

The following is the log spew for a successful login through GSuite (please read from bottom to top):
VPN Tunneling: User with IP 10.168.8.12 connected with ESP transport mode.
Key Exchange number 1 occurred for user with NCIP 10.168.8.12
VPN Tunneling: Session started for user with IPv4 address 10.168.8.12, hostname psecure-virtual-machine
VPN Tunneling: Optimized ACL count = 2.
VPN Tunneling: ACL count = 2.
Connected to TUN-VPN port 443
Login succeeded for Engineer, Pulse Secure Desktop QA Team/G Suite Realm (session:a1d3fba7) from 192.168.8.17 with DSClient; PulseLinux.
Primary authentication successful for Engineer, Pulse Secure Desktop QA Team/G Suite SAML Authentication Server from 192.168.8.17
SAML Consumer received and processed 'Post' ResultUCCESS
SAML AuthnRequest generation succeeded for SigninUrl:'https://myfqdn.com/gsuite_saml', SSO Service URL: 'https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxx'
The SAML AuthnRequest generation message is the first one (last line above). This should be followed by something like SAML Consumer received and processed 'Post' ResultUCCESS. Do you see such a sequence of messages?
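The sequence this reply asks about (each "SAML AuthnRequest generation succeeded" line followed by a "SAML Consumer received and processed" line) can be checked mechanically over an exported User Access log, which also makes the once-per-second loop from earlier in the thread stand out. This is an added example, not Pulse Secure tooling; the log lines are constructed in the format quoted above, and the loop thresholds and the SMLxxxxx message code are assumptions.

```python
import re
from datetime import datetime

# Pulse User Access log line, as quoted in the thread:
#   Info SML31067 2019-05-14 12:15:17 - host02 - [127.0.0.1] System()[] - <message>
LINE_RE = re.compile(r"^(?P<sev>\w+)\s+(?P<code>[A-Z]{3}\w+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
                     r"\s+-\s+(?P<host>\S+)\s+-\s+\[(?P<ip>[^\]]*)\]\s+(?P<who>\S+)\s+-\s+(?P<msg>.*)$")
REQUEST_GENERATED = "SAML AuthnRequest generation succeeded"
CONSUMER_RESULT = "SAML Consumer received and processed"


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def diagnose_saml_flow(lines, loop_gap_s=5, loop_min_requests=3) -> dict:
    """Walk lines oldest-first. Each AuthnRequest should be answered by a consumer
    result before the next one is generated; a run of unanswered requests spaced
    loop_gap_s or less apart is the redirect loop (thresholds are assumptions)."""
    unanswered, answered = [], 0          # timestamps of requests with no consumer result yet
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if REQUEST_GENERATED in rec["msg"]:
            unanswered.append(rec["ts"])
        elif CONSUMER_RESULT in rec["msg"] and unanswered:
            unanswered.pop(0)
            answered += 1
    gaps = [(b - a).total_seconds() for a, b in zip(unanswered, unanswered[1:])]
    if len(unanswered) >= loop_min_requests and max(gaps) <= loop_gap_s:
        state = "redirect_loop"           # IdP keeps sending the user back, never posts an assertion
    elif answered and not unanswered:
        state = "completed"
    else:
        state = "incomplete"
    return {"state": state, "answered": answered, "unanswered": len(unanswered)}


def sample_line(ts: str, msg: str, code: str = "SMLxxxxx") -> str:
    """Constructed log line in the thread's format; the default code is a placeholder."""
    return f"Info {code} {ts} - xxx-xxx-xxxxx02 - [127.0.0.1] System()[] - {msg}"


# Constructed samples: the thread's loop (a request every second, never answered)
# and a healthy exchange (one request, answered three seconds later).
REQ_MSG = REQUEST_GENERATED + " for SigninUrl:'https://test.mydomain.com/gsuite'"
LOOP_LOG = [sample_line(f"2019-05-14 12:15:{s}", REQ_MSG, "SML31067") for s in ("17", "18", "19")]
OK_LOG = [sample_line("2019-05-14 12:20:00", REQ_MSG, "SML31067"),
          sample_line("2019-05-14 12:20:03", CONSUMER_RESULT + " 'Post' Result: SUCCESS")]
```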