Grafana SAML configuration with ADFS

Hi,

We are trying to configure Grafana SAML configuration with ADFS.

After following the steps from the guide “SAML Authentication | Grafana Labs”, we are facing the below error message in Grafana:

{"message":"Failed to determine the state of the SSO redirect"}

Actually, we were able to authenticate by ADFS and afterwards we are receiving this error message from Grafana.

Please provide your suggestion on where we are going wrong!


Below is the error message:

Hey! Did you finally solve this? Stumbled on the same issue with another SAML IdP and this post is the only reference to this error as it sounds.


Note: ADFS SAML Support only from Grafana 8.2 onwards

Error Message from ADFS:

The SAML Single Logout request does not correspond to the logged-in session participant.

Requestor: https://desktop-1v7pbnh:3000/saml/metadata

Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: http://desktop-1v7pbnh.Arun.local/adfs/services/trust SPNameQualifier: https://desktop-1v7pbnh:3000/saml/metadata, SPProvidedId:

Logged-in session participants:

Count: 1, [Issuer: https://desktop-1v7pbnh:3000/saml/metadata, NameID: (Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: http://desktop-1v7pbnh.Arun.local/adfs/services/trust SPNameQualifier: https://desktop-1v7pbnh:3000/saml/metadata, SPProvidedId: )]

This request failed.

User Action

Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.

Root Cause:

The reason for the logout failure is the presence of additional “Name ID” claim properties (NameQualifier and SPNameQualifier) received by ADFS in the sign-out SAML request, which were not present in the original sign-in SAML request.

ADFS only allows the session to be logged out when the sign-in and sign-out SAML request “Name ID” formats are the same.

Resolution: (refer attached screenshots)

So, I have added a customized rule in the ADFS claim rules which amends the additional “Name ID” properties (NameQualifier and SPNameQualifier) in the sign-in request. This solves the Name ID mismatch between the sign-in and sign-out SAML request “Name ID” format.
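As an added example (not the poster's screenshots and not Grafana's or Microsoft's own configuration), this is how such a claim rule can be applied from the ADFS PowerShell module so that the Name ID issued at sign-in already carries the NameQualifier and SPNameQualifier that Grafana later sends in its logout request. The relying party trust name "Grafana", the rule name and the use of windowsaccountname as the source claim are assumptions; the qualifier values are the ones shown in the ADFS error above.

```powershell
# Assumed display name of the Grafana relying party trust in ADFS.
$rpName = "Grafana"

# Values taken from the ADFS error message in this thread.
$idpEntityId = "http://desktop-1v7pbnh.Arun.local/adfs/services/trust"   # NameQualifier
$spEntityId  = "https://desktop-1v7pbnh:3000/saml/metadata"              # SPNameQualifier

# Claim rule (ADFS claim rule language). It issues the Name ID with the same
# format and the same two qualifier properties Grafana sends during logout,
# so the session participant matches on single logout.
$nameIdRule = @"
@RuleName = "Grafana Name ID with qualifiers"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$idpEntityId",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$spEntityId");
"@

# -IssuanceTransformRules replaces the whole rule set, so keep the existing
# rules and append. Remove any earlier nameidentifier rule first, otherwise
# two Name IDs would be issued and ADFS would reject the assertion.
$existingRules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($existingRules + "`n" + $nameIdRule)

# Check that the new rule is in place before testing sign-in and logout again.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After applying it, repeat a full sign-in and single logout and confirm the ADFS event log no longer reports a NameQualifier or SPNameQualifier mismatch.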