Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

  • 1.  ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    Posted Nov 21, 2023 11:25 AM

    Hello,

    From a very basic level, I am trying to get ClearPass SSO to work with Google G Suite. I've followed a couple of guides (links below). For now, I am just trying to get admin authentication to work with ClearPass before I get more adventurous with user auth or web logins. 

    Config:

    Basic custom SAML app in Google. The certificate was downloaded and I am pointing CPPM's SSO config to the below ACS. Notice also that the user access is ON for everyone. 

    I have this accounts.google.com URL in the ClearPass SSO config (will show later). 

    More details. I checked the Signed response checkbox, following the guides.

    Notice all the settings and how they're following the guides. 

    And in case this matters (I don't think it does yet considering that I see nothing in Event Viewer or Access tracker regarding this login) here's my service config. Very barebones. 

    Now, when I navigate to ClearPass guest, I get redirected to Google's Account Chooser. AWESOME! I click on the account associated with the G Suite account and this is what it returns. 

    Weird. I navigate back to Google and the SAML tab. I click on TEST SAML LOGIN. This is the result.

    What am I missing here? 

    Links:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00091071en_us

    https://www.flomain.de/2023/05/clearpass-sso/



  • 2.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    EMPLOYEE
    Posted 13 days ago

    Hi, have you enabled the app for the  in Google Workspace? At least the first error from Google indicates this. 



    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 3.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    Posted 13 days ago

    Yes, it's enabled. 




  • 4.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    EMPLOYEE
    Posted 13 days ago

    Can you also check if the host name and FQDN of the ClearPass server have the same entry and reflect your DNS name? 
    Both should be cppm.wifinerd.co.



    ------------------------------
    Florian Baaske
    ------------------------------



  • 5.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    Posted 13 days ago

    Yes, DNS matches the FQDN and the SAML app is pointing to the FQDN correctly.




  • 6.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    EMPLOYEE
    Posted 12 days ago

    Can you check with a SAML tracer (browser plugin) if the information exchanged is correct? 



    ------------------------------
    Florian Baaske
    ------------------------------



  • 7.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    Posted 12 days ago

    Is any of this helpful information? See attached too.

    These are the contents of the last one that's red:

    GET https://accounts.google.com/o/saml2/idp?from_login=1&zt=ChQ4dFJtWUUwWUhWb3BVN3BsUUVVWRIfSTdFOWpxSHpraWdVQUM5OEZDVDNmUC0wM1dFYzd4Zw%E2%88%99AOlG-isAAAAAZiKKXMN11mA1XbNiDQwk315nmxQEC8Zx&as=6-4m2_KTyfXA5GnRTaaQDxnpwVfnNbwHVh0A6zchNPY&pli=1&authuser=3 HTTP/1.1
    Upgrade-Insecure-Requests: 1
    DNT: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    X-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=7d5250bf-f5b9-4f95-b9df-aeee7dcf2565,sync_account_id=116556480131613263487,signin_mode=all_accounts,signout_mode=show_confirmation
    X-Client-Data: CIi2yQEIprbJAQipncoBCPLbygEIlaHLAQiFoM0BCLOFzgEI8IfOARizqcoBGPbJzQEYmPXNARjS/s0BGNiGzgEY642lFw==
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-full-version: "123.0.6312.123"
    sec-ch-ua-arch: "x86"
    sec-ch-ua-platform: "Windows"
    sec-ch-ua-platform-version: "15.0.0"
    sec-ch-ua-model: ""
    sec-ch-ua-bitness: "64"
    sec-ch-ua-wow64: ?0
    sec-ch-ua-full-version-list: "Google Chrome";v="123.0.6312.123", "Not:A-Brand";v="8.0.0.0", "Chromium";v="123.0.6312.123"
    Referer: https://accounts.google.com/AccountChooser/signinchooser?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Fidp%3Ffrom_login%3D1%26zt%3DChQ4dFJtWUUwWUhWb3BVN3BsUUVVWRIfSTdFOWpxSHpraWdVQUM5OEZDVDNmUC0wM1dFYzd4Zw%25E2%2588%2599AOlG-isAAAAAZiKKXMN11mA1XbNiDQwk315nmxQEC8Zx%26as%3D6-4m2_KTyfXA5GnRTaaQDxnpwVfnNbwHVh0A6zchNPY&ltmpl=popup&btmpl=authsub&scc=1&oauth=1&theme=mn&ddm=0&flowName=GlifWebSignIn&flowEntry=AccountChooser
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
    Cookie:
SMSV=ADHTe-A2xbLttaM90RJI7qCP4AeTlwD70XxYjw67V89yxQXomdxPz82XST9YzsmCOMsfHfzMXadPbCm7fSe_FQXfZR928jXfS3KdaihcTglFonZP8lhN9Wj_WQ-SA8-r76vbV2qWYFQhwSHoThlZFldgswwjOgqR5pAJG2NqsmgiNgC8t6XHi8z10BM_nIc7p54sdcxxcCp2; LSOLH=_SVI_ENfToNDlyoQDGA8iP01BRURIZl9xRVB6SDZ6N3VUdUF2Yk45bFUzeVF1bXRxbklkOEprVWd2Z1c1NU0tYlVFOENvWVJ4NVh0MmlWbw_:28483547:fbfd; OTZ=7479135_76_80_104160_76_446820; SEARCH_SAMESITE=CgQI3poB; ACCOUNT_CHOOSER=AFx_qI6Jl0PaFmsc0H0SOG6UnfvATxobB9UpKLK5_xoMcQGpjeeFTO1EOzNBAqzKVHgKkUk-jaVf0_MFXqVWuQKPI4gX_EhrP-ueuvLrz8MyPT1z4fbp2PBgQrlPwn8IhLwEiv1U7VY6LQSb17MZH44Tu-iXfPZI68BN4qKhcST_orj-TgGDPbDm4G0Mv4ZIQbC10i8tZbxL9Z8GMdN9UJP1SXDeCdZrrMoedxVsJ58gx98jVgeKhyEqip1ztdoYJVbuWu4FcBdWwFAuQcDGkDnzU0LolEY93XTx6Fu6yMytvf9fwLKR4gCVlHFAz_TdqX-my8H5YjPZgNsSTOKAf2EfjRzNAccjXHLbjCu5LulRVhVFqd40IWirfhkaPbcg0GBNkkMJCx3B7l6LaFQrJcrzcHwCQ3rbAA; user_id=116556480131613263487; SID=g.a000iggbzvbiQygCuqYOKEKZUXq7Qh20DkHPLqd70nz-_ce29nrn4x3vcrKTYxOO1yHYbeJzLQACgYKAQ8SAQASFQHGX2MixdMEBAETS6pf2Z9Yx4XJTBoVAUF8yKqg2Me28eNlzxQus5Y4rMlG0076; __Secure-1PSID=g.a000iggbzvbiQygCuqYOKEKZUXq7Qh20DkHPLqd70nz-_ce29nrnGHa1ncRado4kzfLDN4EWWgACgYKAcYSAQASFQHGX2MiCQxA-l4b13pQSQqqwAJHEhoVAUF8yKrMnZBBtrHJULMRSN_fpW9S0076; __Secure-3PSID=g.a000iggbzvbiQygCuqYOKEKZUXq7Qh20DkHPLqd70nz-_ce29nrn6jBiqsPCuQ86RMpdYxQETgACgYKAakSAQASFQHGX2MioJkzHGuwogzN27vnc7Mc3xoVAUF8yKrsLzNp69GQ-asPeWHOaxWH0076; LSID=o.admin.google.com|o.calendar.google.com|o.chat.google.com|o.chromewebstore.google.com|o.console.cloud.google.com|o.drive.fife.usercontent.google.com|o.drive.google.com|o.gds.google.com|o.groups.google.com|o.mail.google.com|o.meet.google.com|o.myaccount.google.com|o.photos.fife.usercontent.google.com|o.photos.google.com|o.play.google.com|o.remotedesktop.google.com|o.store.google.com|o.timeline.google.com|s.youtube:g.a000iggbzuG71MCZ6DZuU6SKJCZF_KXxfwALPX1J3su8p4_TujkRmlJ8FbDBVz8yI2a6e2VptgACgYKAUYSAQASFQHGX2MiMQHzMzRoF75XoUgOscou1hoVAUF8yKoOyJhU20T1Qi0YWg2ftU5v0076; 
__Host-1PLSID=o.admin.google.com|o.calendar.google.com|o.chat.google.com|o.chromewebstore.google.com|o.console.cloud.google.com|o.drive.fife.usercontent.google.com|o.drive.google.com|o.gds.google.com|o.groups.google.com|o.mail.google.com|o.meet.google.com|o.myaccount.google.com|o.photos.fife.usercontent.google.com|o.photos.google.com|o.play.google.com|o.remotedesktop.google.com|o.store.google.com|o.timeline.google.com|s.youtube:g.a000iggbzuG71MCZ6DZuU6SKJCZF_KXxfwALPX1J3su8p4_TujkRd2ebuxeLwaPryYkOM3eNNAACgYKAecSAQASFQHGX2MioeWnbm4bkdjPE08E01S1txoVAUF8yKpcaFQz2_2PK2DKFXwYtuzD0076; __Host-3PLSID=o.admin.google.com|o.calendar.google.com|o.chat.google.com|o.chromewebstore.google.com|o.console.cloud.google.com|o.drive.fife.usercontent.google.com|o.drive.google.com|o.gds.google.com|o.groups.google.com|o.mail.google.com|o.meet.google.com|o.myaccount.google.com|o.photos.fife.usercontent.google.com|o.photos.google.com|o.play.google.com|o.remotedesktop.google.com|o.store.google.com|o.timeline.google.com|s.youtube:g.a000iggbzuG71MCZ6DZuU6SKJCZF_KXxfwALPX1J3su8p4_TujkReWEZxEmHeegK67UiXsbLOgACgYKAQYSAQASFQHGX2MithVsQ4uKSZPrUCirtfJt5RoVAUF8yKrejTDsN4izKew5YCIWrAcI0076; HSID=A1fGqgZV8FrXL9-aD; SSID=AeKvcannXg-Q-0o1v; APISID=Zbj9yGSSMj5DpQ2F/AMri-L3GviyAm14hv; SAPISID=6n6KQKe3bSE042uE/AdRlOfbO-PuVwDBJC; __Secure-1PAPISID=6n6KQKe3bSE042uE/AdRlOfbO-PuVwDBJC; __Secure-3PAPISID=6n6KQKe3bSE042uE/AdRlOfbO-PuVwDBJC; NID=513=NY5ZluNzq6NXzHI949yC0lP0Ac_grXaxIjD3-PzEdVHfjk4RHTN8eI3fmamJvpDy3nntvyJygqAd0lSisYwdEsrT0-gTKpMMa4t2lIzAr5mhsefA06xawxaJw8foi3Ei0vg3y0H3yL4ExPtWQMlH0Ni9j00srHvSt6JR2yxUEw6yA1bTW2Tg_DQaGQhKd228fu0-NCH84bTuluPCGLKN5FSSG9FLbOgbC1l032FmwP3J-RyfxjoUqvfmnP60R0AuOXU9lnBlHp1LiElnB9YF85D2JlEw1BCIGEV17oZ9sLWBuM6IKm8LBIm_kL-P4ylBy0DTD9paGFfdW-ZFsR8zBjiMgSlUyr-SG0rt4sOyVEwxT2nsnDZbv8tiu9Fv5GuuxXFUk7i9l-MylxD4u9kd-xbehD0WCadASsm_c_8vIlNIRQmqmUV0xTzQTlVgkIFBsIRrYMHHZaM9QJjtTFgw2ZqTUjN-5kmsZlCTHoGgYJoSBr6P86d7R13sxrrWqxnTmM00chcjhwkxGbN1uG-TG8puXvkIGKBq3m4daI0YT01xx53CbBGjvw; 
AEC=AQTF6Hw9Zh9fO-IXJ3mAAiFKLgN8AXAeikCsGVS-MGO7fn5SYzDkeKFp4fo; __Secure-1PSIDTS=sidts-CjIB7F1E_CRMKb3QsrBc_OnovOI_YS9CR-H0Kn92MuMtWNAFREbLvXnjPu_pTQ06cGvPGxAA; __Secure-3PSIDTS=sidts-CjIB7F1E_CRMKb3QsrBc_OnovOI_YS9CR-H0Kn92MuMtWNAFREbLvXnjPu_pTQ06cGvPGxAA; __Host-GAPS=1:X0EsxcOxb9rDRcmELds84RSQe4F9lhUGUMfBe_Yq0CFG_oVY7x-9rVUjx7ggXT7sAP74ROgnPGDunsyx3-NFYaKa0YOZ8sbLscYRgMJSu-pB-g:Mma65pp1GuGAqNmG; SIDCC=AKEyXzXgswRIFSvtRsbbKSWNX-Bw_CLWHJDgPPjVjEYpLJTdOZSXqTkMY9cJD_JSfxjsC80AjvE; __Secure-1PSIDCC=AKEyXzVNV1lDRAW_gh7WZ-3pbYHFE61OBegW0ix5LgOEZUFUjommvK6R7eOvwMAnyCM-zyYfCWw; __Secure-3PSIDCC=AKEyXzUiQBJ9YlZxuDI32pWDwtZzWLJIpFKEPyPyrixP69Pwax_U14yzfNnoekiiK7-zgIJtyhb-
    HTTP/1.1 403
    content-type: text/html; charset=utf-8
    cache-control: no-cache, no-store, max-age=0, must-revalidate
    pragma: no-cache
    expires: Mon, 01 Jan 1990 00:00:00 GMT
    date: Thu, 18 Apr 2024 15:14:40 GMT
    content-language: en-US
    content-security-policy: require-trusted-types-for 'script';report-uri /o/cspreport
    content-security-policy: script-src 'report-sample' 'nonce-1ceoCRMHYWfYPYfE3HSwGg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport
    content-encoding: gzip
    server: ESF
    x-xss-protection: 0
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
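The SAML tracer check suggested in reply 6 can be done offline on the parameters the tracer shows. The script below is an added example written for this thread; it is not ClearPass, Google, or the poster's code. It decodes the SAMLRequest from an SP-initiated HTTP-Redirect URL, reports whether a RelayState was carried, compares Issuer, AssertionConsumerServiceURL and Destination against the SP FQDN and the IdP SSO URL, and checks the routing fields (Destination, Audience, StatusCode) of a SAMLResponse. Only the FQDN cppm.wifinerd.co comes from the thread; the IdP URL with its idpid, the SP entity ID, the ACS path and the sample request and response are constructed placeholders.

```python
"""Offline checks on an SP-initiated SAML exchange captured with a browser SAML tracer.
Added example; sample URLs, IDs and paths are constructed, not taken from a real CPPM."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP_FQDN is from the thread; the other three values are assumptions for the example.
SP_FQDN = "cppm.wifinerd.co"
SP_ENTITY_ID = f"https://{SP_FQDN}/"                                     # assumed entity ID
SP_ACS = f"https://{SP_FQDN}/saml/acs"                                   # hypothetical ACS path
IDP_SSO_URL = "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"  # placeholder idpid


def decode_redirect_request(url):
    """HTTP-Redirect binding: SAMLRequest is base64 of raw DEFLATE (no zlib header)."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, wbits=-15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def check_authn_request(url, sp_fqdn=SP_FQDN, idp_sso_url=IDP_SSO_URL):
    """List mismatches between what the SP sent and what the IdP-side app was told."""
    xml, relay_state = decode_redirect_request(url)
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS) or ""
    acs = root.get("AssertionConsumerServiceURL") or ""
    dest = root.get("Destination") or ""
    findings = []
    if relay_state is None:
        findings.append("RelayState missing from the SP redirect")
    if urlsplit(issuer).hostname != sp_fqdn:
        findings.append(f"Issuer (entity ID) {issuer!r} is not on {sp_fqdn!r}")
    if urlsplit(acs).hostname != sp_fqdn:
        findings.append(f"ACS URL {acs!r} is not on {sp_fqdn!r}")
    if dest != idp_sso_url:
        findings.append(f"Destination {dest!r} is not the configured IdP SSO URL")
    return findings


def check_response(saml_response_b64, expected_acs=SP_ACS, expected_audience=SP_ENTITY_ID):
    """HTTP-POST binding: SAMLResponse is plain base64 XML. Routing fields only; the
    XML signature is deliberately not verified here, that remains the SP's job."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append(f"Response Destination {root.get('Destination')!r} != ACS {expected_acs!r}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} does not include SP entity ID {expected_audience!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        findings.append("StatusCode is not Success")
    return findings


def build_redirect_url(issuer, acs, relay_state=None, idp_sso_url=IDP_SSO_URL):
    """Build a test AuthnRequest redirect the way an SP would (constructed sample data)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_req1" Version="2.0" IssueInstant="2024-04-18T15:14:40Z" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + ("&" if "?" in idp_sso_url else "?") + urlencode(params)


def build_response(destination, audience, status="urn:oasis:names:tc:SAML:2.0:status:Success"):
    """Minimal unsigned Response carrying the routing fields checked above (constructed sample)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1" '
        f'Version="2.0" IssueInstant="2024-04-18T15:14:41Z" Destination="{destination}">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-04-18T15:14:41Z">'
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    good = build_redirect_url(SP_ENTITY_ID, SP_ACS, relay_state=f"https://{SP_FQDN}/guest/")
    print("good request:", check_authn_request(good) or "OK")
    # Short hostname as issuer, ACS on an IP, no RelayState: three findings.
    bad = build_redirect_url("https://cppm/", "https://10.0.0.5/saml/acs")
    print("bad request:", check_authn_request(bad))
    print("response:", check_response(build_response(SP_ACS, SP_ENTITY_ID)) or "OK")
```

To use it on a real trace, pass the full URL of the first redirect from the ClearPass host to accounts.google.com to check_authn_request, and the SAMLResponse form field of the POST back to ClearPass to check_response. Note that the GET captured above is a later hop in the Google login flow and carries neither a SAMLRequest nor a RelayState parameter, so it is not the one to decode. The response check is a diagnostic only: it does not verify the XML signature or the assertion's validity window, so a clean result here is not a substitute for the SP's own validation.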



  • 8.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    Posted yesterday

    Hello,

    I deployed SSO with Google Workspace using SAML and Social Login (API) in ClearPass Guest. Both worked properly and are still in use in my customer's production environment. I've documented all the configuration steps, including the Google side.

    Did you configure the allowlist on the NAD side? You can find allowlists for cloud integrations here: https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/cloud-login/cloud-login_google.md



    ------------------------------
    Regards,
    -Tuna AKYOL
    ------------------------------



  • 9.  RE: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid

    Posted yesterday

    That shouldn't be an issue since I'm wired with no ACLs. My CPPM VM is directly connected. My firewall right now pretty much has an allow-all to the outside from the inside. I could see how allowlisting those would be needed for captive portal, since those are on pretty restricted roles.