Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2389
Views
0
Helpful
3
Replies

EUQ SAML auth with additional proxyAddresses / aliases?

meliux
Level 1
Level 1

‎11-21-2018 04:00 PM

For the SMA End User Spam Quarantine we currently let users log in to view/release/delete their spams via LDAP authentication against our Active Directory. This LDAP query looks for all of the user aliases via the proxyAddresses attribute and therefore lists all spam for that user regardless of which alias the item was delivered to.

 

To save on the user logging in manually when they browse to the EUQ site (or click the link in a notification email) we would like them to instead use the SSO capability provided by the SAML integration with our ADFS. I've configured it per the guides found online and it does work nicely, however the contents of the EUQ presented to the user contain items for the primary email address only (what comes from the 'mail' attribute out of AD), and doesn't include spam items that were delivered to aliases. 

 

Is there any way to get SAML SSO working so that it can pass along the rest of the proxyAddresses in the SAML assertion, or even perform an LDAP query after authentication to then get the list of extra aliases?

The ADFS SAML instructions I've found online only provide help for releasing the primary email address as the Name ID. 

 

SMA M300V running 11.4.0-800, hosted by Cisco in their cloud.

 

3 people had this problem
Labels:
0 Helpful
3 Replies 3

dmccabej
Cisco Employee
Cisco Employee

‎11-25-2018 05:23 PM

Hello,

 

We have a few old defects on this behavior (this being one : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve03244/), and as far as I know there's no way to pull the alias information via the SAML assertion. Though, we did fix our code so that the SMA will/should pull this information via the LDAP EUQ Authentication Query. You'll want to make sure that is successfully setup and working (in conjunction with your current SAML config - Just needs to be setup/enabled in the LDAP profile) and it should assist with resolving this behavior.

 

Thanks!

-Dennis M.

0 Helpful

meliux
Level 1
Level 1
In response to dmccabej

‎11-25-2018 10:32 PM

Thanks for the tip Dennis.

 

How is the LDAP "EUQ Authentication" query going to work when there is no password? In the test window it requires to bind with a supplied username and password, but obviously when SAML is being used there is no password. 

In the Test Query window I have the following:

  • Query string: (&(|(sAMAccountName={a})(mail={a})))
  • Email attribute(s): mail,proxyAddresses
  • User Login: myuser@mydomain.com

Note: I changed the query to use {a} (instead of {u}) to make it compatible with both LDAP and SAML authentication methods, and this should alternately match with either the 'sAMAccountName' (ldap username) or 'mail' value (passed via saml) depending on which method is being used.

 

The test output shows results from the two stages:

  • first stage smtp auth succeeded - I can see the full list of my smtp aliases being returned
  • second stage smtp auth failed - query: ISQ.isq_user_auth - Failure: Action: match negative. Reason: Unable to bind with Identity: myuser@mydomain.com

As a practical test I temporarily changed the Spam Quarantine End-User Authentication method to use SAML again, but it still displays the same behaviour as before - only showing items for my primary mail alias. 

 

I have a feeling that the second stage auth failure, even though binding shouldn't be required when SAML is being used, is still causing the extra aliases not to get loaded properly.

 

Thoughts? Should I have a different query?

 

0 Helpful

dmccabej
Cisco Employee
Cisco Employee
In response to meliux

‎11-28-2018 12:40 PM

Hello,

 

The EUQ Authentication Query would work based off of the LDAP credential information you have setup in the LDAP profile itself, which is typically a service type account you have that has read access to the AD/LDAP attributes and structure. 

 

Unless your AD/LDAP attributes are customized, more than likely the failure is stemming from the fact that you modified the query syntax. Typically the defaults provided are adequate to pull the necessary information. 

 

For the EUQ Auth Query to work and provide proper alias information when logging in, the email attribute especially must be correct.

 

More info on the queries and examples here : https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma11-5/user_guide/b_SMA_Admin_Guide_11_5_1/b_SMA_Admin_Guide_11_5_chapter_01010.html#con_1053364

 

It would be hard for me to provide you with a guaranteed working syntax since all environments are different, but you should be able to successfully use one of the default examples in the guide. 

 

SAML should still be in use as the EUQ authentication method, but you still need to have the LDAP EUQ Auth query setup successfully. 

 

Thanks!

-Dennis M.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents