When a user is not able to access the web applications on Unity
Connection using the SAML SSO feature and encounters the following error:
    Error
    <ADFS server>
    There was a problem accessing the site. Try to browse to the
    site again. If the problem persists, contact the administrator of this site and
    provide the reference number to identify the problem.
use the following task list to determine the source of the
problem and correct it:
- Confirm that the Service Provider metadata
(SPMetadata<hostname of Unity Connection>.xml) is present on the Identity
Provider. If it is missing, upload the Service Provider metadata of the Unity Connection
server using the Import or URL option.
- After the Service Provider metadata file (sp.xml) has been imported successfully, add the following two
claim rules:
  - Send LDAP Attributes as Claims: select the LDAP attribute
SAM-Account-Name and set its corresponding Outgoing Claim Type to uid.
  - Send Claims using a Custom Rule: in the Custom rule field, enter the following claim rule:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://<ADFS_FQDN>/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<UC_Node_FQDN>");
Save both claim rules; this completes the Identity Provider configuration
required by the SAML SSO feature. (This procedure uses ADFS as the Identity Provider for
SAML SSO. Any of the supported Identity Providers may be used
instead, with the equivalent claim configuration.)
- The entry for the Unity Connection server on the Identity Provider
(the relying party trust in ADFS) must not be disabled.
- There must not be any errors when the Service Provider
metadata (SPMetadata<hostname of Unity Connection>.xml) is accessed, because a corrupted SP
metadata file prevents every user from gaining single sign-on access to the web
applications.
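The whole checklist above can be applied and verified from the ADFS server in one PowerShell script. The script below is an added example, not code from the Cisco page: it validates the SP metadata file, creates or refreshes the relying party trust from it, sets the two claim rules (the Send LDAP Attributes rule written out in ADFS claim-rule language exactly as the template generates it, plus the custom NameID rule from the page with the two FQDN placeholders filled in) and makes sure the trust is enabled. The hostnames, the metadata path and the trust name are assumed placeholders. One step goes beyond the checklist and is marked as such in the code: a relying party trust with no issuance authorization rule denies every user, so the script keeps the wizard's default "Permit everyone" rule in place.

```powershell
# Added example, not part of the Cisco page: apply the SAML SSO checklist above
# to an ADFS relying party trust for one Unity Connection node.
# All hostnames, paths and the trust name below are assumed placeholders.
#Requires -RunAsAdministrator
Import-Module ADFS

$ucFqdn       = 'cuc01.example.com'            # assumed Unity Connection node FQDN
$adfsFqdn     = 'adfs.example.com'             # assumed ADFS FQDN
$metadataFile = 'C:\sso\SPMetadatacuc01.xml'   # SPMetadata<hostname>.xml downloaded from Unity Connection
$trustName    = "Unity Connection $ucFqdn"

# Checklist items 1 and 4: the SP metadata must exist and must be well-formed
# SAML 2.0 metadata. Returns the entityID so the trust can be looked up by identifier.
function Test-SpMetadata {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "SP metadata file is missing: $Path" }
    try {
        [xml]$xml = Get-Content -LiteralPath $Path -Raw
    } catch {
        throw "SP metadata is not well-formed XML: $($_.Exception.Message)"
    }
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "No md:EntityDescriptor root element in $Path" }
    $acs = $xml.SelectNodes('/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService', $ns)
    if ($acs.Count -eq 0) { throw "No AssertionConsumerService endpoint in $Path" }
    return $entity.GetAttribute('entityID')
}

$entityId = Test-SpMetadata -Path $metadataFile
Write-Host "SP metadata parses; entityID = $entityId"

# Checklist item 1: create the relying party trust from the metadata, or refresh
# an existing trust from the current file.
$trust = Get-AdfsRelyingPartyTrust -Identifier $entityId
if (-not $trust) {
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile
} else {
    Update-AdfsRelyingPartyTrust -TargetIdentifier $entityId -MetadataFile $metadataFile
}

# Checklist item 2: the two claim rules. The first is what the
# "Send LDAP Attributes as Claims" template generates for SAM-Account-Name -> uid;
# the second is the custom NameID rule from the page with the FQDNs filled in.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "uid from sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Transient NameID for Unity Connection"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://$adfsFqdn/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$ucFqdn");
"@

# Not in the checklist (added caveat): a relying party trust with no issuance
# authorization rule denies every user, so keep the wizard's default "Permit everyone" rule.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetIdentifier $entityId `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Checklist item 3: the trust must be enabled.
$trust = Get-AdfsRelyingPartyTrust -Identifier $entityId
if (-not $trust.Enabled) {
    Enable-AdfsRelyingPartyTrust -TargetIdentifier $entityId
}

# Read the result back so it can be compared against the checklist.
Get-AdfsRelyingPartyTrust -Identifier $entityId |
    Select-Object Name, Identifier, Enabled, IssuanceTransformRules
```

Run it in an elevated PowerShell session on the ADFS server after copying the SPMetadata<hostname>.xml file from Unity Connection. Re-running is safe: an existing trust is refreshed from the file rather than duplicated, and the rule sets are replaced rather than appended. If Test-SpMetadata throws, the metadata file is the problem (checklist item 4) and nothing on the ADFS side is touched.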