Zanyterp, I have one more question for you if you don't mind. Can I ask why a sign-in URL can only point to a single realm when SAML authentication is configured (see the KB link below)?

We have realm authentication policies set up, so even though one sign-in URL points to two realms (one of them being a SAML auth realm), the authentication policies make it evaluate to only one realm. Shouldn't this meet the criterion of the sign-in URL pointing to a single realm, so that SAML auth should work?

What we are finding is that the authentication policies work: the user is redirected only to the appropriate realm as directed by the authentication policy. However, in the realm with SAML authentication, we get "Invalid/Missing Sign-In URL" errors. The other authentication realm works great. Also important to note: both work independently with their own sign-in URL if configured that way.

It *seems* that Juniper only wants ONE realm (apparently it won't work with two realms, even if the auth policies make them mutually exclusive so that only one realm kicks in for one sign-in URL). I'm trying to figure out why this won't work... unless it should? Hopefully this makes sense.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB22270&actp=RSS&smlogin=true

Thanks!
Hello,

We have Juniper SSL VPN 7.2 R1.1 (build 20761) running in a lab environment, where we are doing SAML 2.0 authentication testing. Everything is working fine, except that after authenticating to the IdP successfully, we get the message:

"SAML Transfer failed. Please contact your system administrator. Detail: FAILURE: No valid assertion found in SAML response"

Not sure why Juniper SSL VPN considers the assertion in the SAML response invalid. The clock skew is set to 3500 minutes, the time is synchronized between the Juniper VPN and the IdP, and the NotBefore / NotOnOrAfter attributes show the correct validity dates/times. Any other ideas why the assertion would still be considered invalid?

The only other thing we have set is the user name template, where we set <userAttr.enterprise_username>, since enterprise_username contains the authenticated user ID.

Also important to note that the StatusCode is Success, so the IdP is successfully authenticating the user:

<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>

Any ideas or insight is appreciated.
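The post above separates two things that are easy to conflate when debugging SAML: the Response-level StatusCode, which only says the IdP authenticated the user, and the usability of the Assertion, which an SP establishes with its own checks (is there a plaintext Assertion at all, or only an EncryptedAssertion the SP cannot read; is the time window valid within the configured skew; does the Audience name this SP; is the bearer Recipient this SP's consumer URL; is the attribute the username template needs actually present). The checker below is an added example written for this thread, not code from the original post or from Juniper/Pulse Secure, and it does not claim to reproduce what the SSL VPN does internally. The SP entity ID and ACS URL are placeholder assumptions, the fixed clock NOW and the SAML XML are constructed samples, and the attribute name enterprise_username is taken from the post. XML signature verification is deliberately left out; a real SP verifies the signature (for example with xmlsec) before trusting any of these fields.

```python
"""Minimal SAML 2.0 Response usability checker (added example, not from the thread)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed placeholder identifiers for the SP; these are not Juniper values.
SP_ENTITY_ID = "https://vpn.example.com/sp"
SP_ACS_URL = "https://vpn.example.com/acs"
NOW = datetime(2012, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def _ts(value):
    """Parse an xs:dateTime in UTC ('...Z'), the form SAML requires."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, audience, acs_url, skew=timedelta(minutes=5),
                   name_attr="enterprise_username"):
    """Return (problems, username); an empty problem list means the assertion is usable.
    Signature verification is NOT performed here (see lead-in)."""
    problems = []
    root = ET.fromstring(xml_text)

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Success only means the IdP authenticated the user. If the Response carries
        # just an EncryptedAssertion and the SP cannot decrypt it, the SP has nothing
        # to evaluate, so from its point of view there is no valid assertion.
        if root.find("saml:EncryptedAssertion", NS) is not None:
            problems.append("assertion is encrypted; the SP must decrypt it before validating")
        else:
            problems.append("no Assertion element in Response")
        return problems, None

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append("Conditions/NotBefore is in the future")
        if na and now - skew >= _ts(na):
            problems.append("Conditions/NotOnOrAfter has passed")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            problems.append(f"Audience {audiences} does not name this SP")

    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        problems.append("no bearer SubjectConfirmation")
    else:
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is not None:
            if scd.get("Recipient") not in (None, acs_url):
                problems.append("SubjectConfirmationData/Recipient is not this SP's ACS URL")
            if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
                problems.append("SubjectConfirmationData/NotOnOrAfter has passed")

    # The attribute a username template such as <userAttr.enterprise_username> would read.
    username = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name_attr:
            val = attr.find("saml:AttributeValue", NS)
            username = val.text if val is not None else None
    if username is None:
        problems.append(f"attribute {name_attr!r} missing; username template cannot resolve")
    return problems, username


def make_response(body):
    """Wrap an Assertion or EncryptedAssertion in a Success Response (constructed sample)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  {body}
</samlp:Response>"""


GOOD_ASSERTION = """<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://vpn.example.com/acs"
        NotOnOrAfter="2012-06-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T11:58:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://vpn.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="enterprise_username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ENCRYPTED_ONLY = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                  'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')

if __name__ == "__main__":
    for label, body in (("plaintext", GOOD_ASSERTION), ("encrypted", ENCRYPTED_ONLY)):
        problems, user = check_response(make_response(body), NOW, SP_ENTITY_ID, SP_ACS_URL)
        print(label, "->", f"OK, user={user}" if not problems else problems)
```

Run against the constructed plaintext sample it returns no problems and the username jdoe; against the encrypted-only sample the StatusCode is still Success but the checker reports that there is no assertion it can evaluate, which is the kind of gap a Success status alone does not reveal. Substituting a captured Response (after signature verification) and the real entity ID, ACS URL and skew shows which individual check the SP would be failing on.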