Authorization error when trying to access the DLP Enforce Console via SSO from Okta


Article ID: 171837

Products

Data Loss Prevention Enforce

Issue/Introduction

Symantec Data Loss Prevention (DLP)

When setting up Okta as the Identity Provider for SAML single sign-on to the DLP Enforce Console, you get an authorization error when you try to open the console.

The browser shows the following error when you launch the Enforce Console from Okta:

Authorization Error
You are not authorized to access the DLP Management Console. Contact your system administrator for assistance


The DLP Enforce localhost log also records the following error:

"local audience is not the intended audience of the assertion in at least one AudienceRestriction"


Cause

The Audience URI field in the Okta configuration for the DLP (Enforce) SAML application contains the wrong value. Enforce compares the Audience in the assertion's AudienceRestriction against its own SAML entityID, and the values do not match.

Environment

DLP Enforce version 15 and beyond when enabling SAML authentication.

Resolution

Okta does not currently have the ability to import the Enforce metadata XML file from DLP directly.
The DLP SAML application on the Okta side must be configured manually.
It is therefore critical that the correct values are entered in the Okta configuration.
The Audience URI field in Okta (labelled "Audience URI (SP Entity ID)" in the Okta SAML application settings) must be set to exactly the same value as the entityID attribute of the EntityDescriptor element in the Enforce metadata XML file downloaded from the DLP Enforce Console. The comparison is an exact string match, so a difference in case, scheme (http vs https), hostname or a trailing slash is enough to cause the error.
If this is not set up correctly, SSO authentication to Enforce will fail with the Authorization Error shown above.
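The following script is an added example (not part of this article or of the DLP product) that performs the check described above offline: it parses a downloaded Enforce SP metadata file, extracts the entityID, compares it with the Audience URI you intend to enter in Okta, and optionally inspects the AudienceRestriction of a SAML assertion returned by Okta. The hostname, the entityID path and the Okta issuer value in the embedded samples are constructed for illustration and are not the real values from any deployment.

```python
"""Check that the Okta Audience URI matches the entityID in the Enforce SP metadata.

Added example, not part of the DLP product. Sample XML below is constructed;
the hostname, entityID path and Okta issuer are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for the metadata XML downloaded from the Enforce Console.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://enforce.example.com/ProtectManager/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://enforce.example.com/ProtectManager/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed assertion fragment as Okta would send it when the Audience URI
# was typed as the console URL instead of the entityID (the failure case).
SAMPLE_ASSERTION_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exk000000example</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://enforce.example.com/ProtectManager</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def sp_entity_id(metadata_xml):
    """Return the entityID attribute of the EntityDescriptor root element."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def assertion_audiences(assertion_xml):
    """Return every Audience value found under AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [
        a.text.strip()
        for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]


def check_okta_audience(metadata_xml, okta_audience_uri):
    """Compare the value entered in Okta with the SP entityID.

    Returns (ok, detail). SAML audience matching is an exact string comparison,
    so near-misses (case, trailing slash, scheme) are reported as mismatches
    with a hint rather than silently accepted.
    """
    expected = sp_entity_id(metadata_xml)
    if okta_audience_uri == expected:
        return True, "Audience URI matches entityID: %s" % expected
    hint = ""
    if okta_audience_uri.rstrip("/").lower() == expected.rstrip("/").lower():
        hint = " (differs only by case or trailing slash; SAML compares audiences exactly)"
    return False, "Audience URI %r does not match entityID %r%s" % (
        okta_audience_uri, expected, hint)


def assertion_accepted_by_sp(metadata_xml, assertion_xml):
    """Mimic the SP-side check: the local entityID must appear in the AudienceRestriction."""
    return sp_entity_id(metadata_xml) in assertion_audiences(assertion_xml)


if __name__ == "__main__":
    for candidate in (
        "https://enforce.example.com/ProtectManager",              # console URL, wrong
        "https://enforce.example.com/ProtectManager/saml/metadata/",  # trailing slash, wrong
        "https://enforce.example.com/ProtectManager/saml/metadata",   # entityID, correct
    ):
        ok, detail = check_okta_audience(SAMPLE_SP_METADATA, candidate)
        print("OK  " if ok else "FAIL", detail)
    if not assertion_accepted_by_sp(SAMPLE_SP_METADATA, SAMPLE_ASSERTION_BAD):
        print("assertion would be rejected: local audience is not in AudienceRestriction")
```

Run it against the real metadata file by replacing `SAMPLE_SP_METADATA` with the file contents and `candidate` with the value you plan to paste into Okta; a FAIL line means Enforce will log the "local audience is not the intended audience" error for every login until the Okta field is corrected.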