Issue
When you log attempt to log into the VSA server you see the following error.
"Invalid Passcode"
If you check the AuthAnvil Manager > Auth Logs you will see the error
FAILED to obtain SAML response
Cause
The user is not configured for SSO access. We leverage SSO to allow the 2FA login to be passed through to access the Password Server in VSA.
The AuthAnvil 2FA server is not configured with an HTTPS binding for the SSO SPInit service.
Resolution
- Make sure you can reach https://(Your Domain)/SSO/Services/SPInit.svc/mex from the VSA server.
- Make sure the affected user has an SSO enabled user with access to an SSO role that includes the Password Server.
- Make sure the 2FA user account has an email address that matches their Password Server user.
- Make sure Kaseya username match the SSO username.
- Make sure the affected user can log into https://(Your Domain)/SSO/ and launch the Password Server access.
You will also need to update the basicHTTPBinding, Open the web.config located in C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilSAS\
Note: Before proceeding copy the web.config to the Desktop. Do not leave a backup copy in the same folder.
<basicHttpBinding>
<binding name="BasicHttpBinding_SPInit" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
Update Line 107.
From <security mode="None">
To <security mode="Transport">
Next update the SSO SPInit service URL.
<client>
<endpoint address="http://(Your AuthAnvil Domain)/SSO/Services/SPInit.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_SPInit" contract="spInitServiceRef.SPInit" name="BasicHttpBinding_SPInit" />
</client>
Update Line 122
From <endpoint address="http://(Your AuthAnvil Domain)/SSO/Services/SPInit.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_SPInit" contract="spInitServiceRef.SPInit" name="BasicHttpBinding_SPInit" />
To <endpoint address="https://(Your AuthAnvil Domain)/SSO/Services/SPInit.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_SPInit" contract="spInitServiceRef.SPInit" name="BasicHttpBinding_SPInit" />
Questions?
If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.