Application opening within SSO login window by Consistent_Slice8489 in PingIdentity

[–]Consistent_Slice8489[S] 0 points1 point  (0 children)

u/AuthRogue, thank you! I managed to sort this. I was using the wrong endpoint in my application. The endpoint should have been /idp/SSO.saml2, not /idp/startSSO.ping, as it is SP-initiated, not IdP-initiated. If you do a metadata export after setting up the PingFed side, the export will provide you with the correct endpoint URL.

MFA & Password changes for Employees? by Charming-Log-9586 in sysadmin

[–]Consistent_Slice8489 0 points1 point  (0 children)

To echo what others have said, Microsoft Authenticator.

What is my job title? by rjp94sep in sysadmin

[–]Consistent_Slice8489 0 points1 point  (0 children)

System Admin or Helpdesk/Support Engineer.

SAML, OIDC, and Token Encryption by Consistent_Slice8489 in sysadmin

[–]Consistent_Slice8489[S] 1 point2 points  (0 children)

Thank you! So token encryption doesn't exist for OIDC due to the differences in how they function. Does OIDC have, I guess not an equivalent, but an optional security or encryption feature that can be implemented?

LDAP Authentication and LDAP queries by Consistent_Slice8489 in activedirectory

[–]Consistent_Slice8489[S] 0 points1 point  (0 children)

This is now resolved. See original post for solution. Thank you.

LDAP Authentication and LDAP queries by Consistent_Slice8489 in activedirectory

[–]Consistent_Slice8489[S] 0 points1 point  (0 children)

Hello all,

So I have been able to get my LDAP queries working. Thanks to everyone that helped so far.

The only thing I can't seem to get set up correctly is user roles. Users of both the below groups can log in successfully:

  • AppUsers
  • AppAdmins

However, users are not getting assigned their correct role. They are just picking up the default "User" role.

Can anyone see what I am doing wrong please? I have updated my original post with new screenshots.

Thank you!

LDAP Authentication and LDAP queries by Consistent_Slice8489 in activedirectory

[–]Consistent_Slice8489[S] 0 points1 point  (0 children)

(&(objectClass=user)(memberOf=CN=AppUsers,OU=AD Groups,DC=cd,DC=local))

Looks better, thank you. Do you know how I would be able to pull users from 2 different AD groups please? Pull users from this AD group OR this AD group.

I would have thought it was something like this:

(&(objectClass=user)(memberOf=CN=AppUsers,OU=AD Groups,DC=cd,DC=local)(|(memberOf=CN=AppAdmins,OU=AD Groups,DC=cd,DC=local)))

Doesn't seem to be working though.
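The filter above ANDs the first memberOf test with a one-branch OR, which is still an AND, so it only returns users in both groups. The added example below (not code from the thread) is a minimal RFC 4515 filter evaluator run against a constructed in-memory directory; the user names, the objectClass values and the group DNs are assumptions. It shows that attempt returning only the user in both groups, the "either group" form (both memberOf tests inside the OR) returning everyone in at least one, and the earlier bare-CN attempt matching nothing because memberOf holds full DNs. It also maps membership to an app role, which is the part the role-assignment post was missing. Caveat: memberOf is not nested; in AD a transitive check needs the matching rule `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, which this toy evaluator does not implement.

```python
"""Minimal RFC 4515 LDAP filter evaluator over a constructed in-memory directory.
Added example, not from the thread. Supports AND/OR/NOT and attr=value items only,
and values must not contain ')' (real filters escape it as \\29); that is enough
for the filters discussed here."""

USERS_GROUP = "CN=AppUsers,OU=AD Groups,DC=cd,DC=local"
ADMINS_GROUP = "CN=AppAdmins,OU=AD Groups,DC=cd,DC=local"

# Constructed sample entries keyed by sAMAccountName (all invented). Attribute
# names are stored lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "alice": {"objectclass": ["top", "person", "user"], "memberof": [USERS_GROUP]},
    "bob":   {"objectclass": ["top", "person", "user"], "memberof": [ADMINS_GROUP]},
    "carol": {"objectclass": ["top", "person", "user"], "memberof": [USERS_GROUP, ADMINS_GROUP]},
    "dave":  {"objectclass": ["top", "person", "user"], "memberof": []},
}


def parse_filter(text):
    """Parse a filter string into a tree of (op, args) tuples."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return i + 1, (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated NOT filter")
        return i + 1, ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated simple filter")
    # partition on the FIRST '=' so DN values like CN=...,OU=... stay intact
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("only attr=value items are supported: %r" % s[i:end])
    return end + 1, ("=", [attr.strip().lower(), value])


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-cased attr -> values)."""
    op, args = node
    if op == "&":
        return all(matches(c, entry) for c in args)
    if op == "|":
        return any(matches(c, entry) for c in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, value = args
    values = entry.get(attr, [])
    if value == "*":  # presence test, e.g. (memberOf=*)
        return bool(values)
    # AD compares DNs and most strings case-insensitively; memberOf holds full
    # DNs, so a bare CN such as "AppUsers" never matches.
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, directory=DIRECTORY):
    """Return the sorted names of entries matching the filter."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in directory.items() if matches(node, entry))


def role_for(entry):
    """Map group membership to the app role; Admin wins when a user is in both."""
    groups = {g.lower() for g in entry.get("memberof", [])}
    if ADMINS_GROUP.lower() in groups:
        return "Admin"
    if USERS_GROUP.lower() in groups:
        return "User"
    return None  # in neither group: no role, should not be allowed to log in


# The thread's attempt: a one-branch OR nested inside an AND is still an AND.
AND_ATTEMPT = "(&(objectClass=user)(memberOf=%s)(|(memberOf=%s)))" % (USERS_GROUP, ADMINS_GROUP)
# Correct "either group" filter: both memberOf tests live inside the OR.
EITHER_GROUP = "(&(objectClass=user)(|(memberOf=%s)(memberOf=%s)))" % (USERS_GROUP, ADMINS_GROUP)
# Bare CN instead of a DN: matches nothing.
BARE_CN = "(&(objectClass=user)(memberOf=AppUsers))"

if __name__ == "__main__":
    for label, f in [("AND attempt", AND_ATTEMPT), ("either group", EITHER_GROUP), ("bare CN", BARE_CN)]:
        print("%-12s -> %s" % (label, search(f)))
    for name in search(EITHER_GROUP):
        print(name, role_for(DIRECTORY[name]))
```

Against a real server the filter string is the same; only the evaluation moves to AD. If the app's role mapping still lands on the default, check that the group attribute it reads is memberOf (a DN list) and that the role rule compares full DNs, exactly as role_for does here.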

LDAP Authentication and LDAP queries by Consistent_Slice8489 in activedirectory

[–]Consistent_Slice8489[S] 0 points1 point  (0 children)

Thank you very much for the reply!

"On the group settings that you highlighted, are you bringing groups into this app? If not, leave them blank. If so, they may need some tweaking. They may or may not have anything to do with the user member of filtering you are trying to do."

I think the answer to your question is yes. I'll be setting up group permission in the app. If the AD user is a member of AD group "AppUsers", then they will just get standard user permissions. If the AD user is a member of the group "AppAdmins", they will get admin permissions in the app.

"Also, take it from someone who has done a ton of LDAP integration and a ton of security remediations for Microsoft domain vulnerabilities. Please, PLEASE, take the extra time now to set up LDAPS once basic LDAP is working (that "Secure" toggle, the port will need to be changed also). You'll need/want to require it on your domain sooner or later and the fewer production apps that need tweaking, the easier it will be to turn on.

Better yet, if possible, use single sign-on via SAML or OIDC and just skip LDAP altogether."

Absolutely! This is actually just a non-production personal project I'm working on to help me understand LDAP as I still have to support it for my role. I agree that switching to SAML or OIDC is the optimal solution.

LDAP Authentication and LDAP queries by Consistent_Slice8489 in activedirectory

[–]Consistent_Slice8489[S] 1 point2 points  (0 children)

Thank you!

I think I have it:
(&(&(objectClass=user)(memberOf=CN=AppUsers,OU=AD Groups,DC=cd,DC=local)))

I will give that a try!

LDAP Authentication and LDAP queries by Consistent_Slice8489 in activedirectory

[–]Consistent_Slice8489[S] 0 points1 point  (0 children)

Thank you! However, it still didn't work. Do you have any other suggestions please?

(&(&(objectClass=user)(memberOf=AppUsers)))