Symantec Data Loss Prevention (DLP)
When setting up Okta as the Identity Provider for SSO SAML authentication with the DLP Enforce Console, you get an authorization error when trying to access the console.
The following error message will be in your browser when trying to access the Enforce Console from Okta:
Authorization Error
You are not authorized to access the DLP Management Console. Contact your system administrator for assistance
You will also see the following error in the DLP Enforce localhost log:
"local audience is not the intended audience of the assertion in at least one AudienceRestriction"
DLP Enforce versions 15.x and 16.x with SAML authentication enabled.
The wrong value is being used for the Audience URI field in the Okta configuration of the DLP connector.
Okta does not currently have the ability to directly import the Enforce metadata XML file from DLP.
The DLP connector on the Okta side therefore needs to be configured manually.
Thus it is critical that the correct values are used in the Okta configuration.
The Audience URI field in Okta needs to be set to the same value as the entityID attribute in the Enforce metadata XML file that was downloaded from the DLP Enforce console.
If this is not set up correctly, SSO authentication to Enforce will not work.
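The check that produces the "intended audience" log error is an exact string comparison between the Service Provider's entityID and the Audience values the IdP places in the assertion. The following script is an added example, not Symantec or Okta code: it pulls the entityID out of a constructed Enforce-style SP metadata file, pulls the Audience values out of a constructed Okta-style assertion, and reports whether they match. Hostnames, paths and the assertion contents are placeholders; the real entityID must be read from the metadata file downloaded from your own Enforce console. Note that the comparison is strict, so a stray trailing slash or a hostname typed with different case in the Okta Audience URI field still counts as a mismatch.

```python
"""
Added example (not from the Symantec KB): verify that the Audience in a SAML
assertion matches the entityID of the Enforce SP metadata before going live.
Only the standard library is used, so it runs offline.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces used by metadata and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of an Enforce SP metadata file. The entityID and ACS
# location are placeholders, not real Symantec values.
ENFORCE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://enforce.example.invalid/ProtectManager/sso">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://enforce.example.invalid/ProtectManager/sso/acs"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def make_assertion(audience: str) -> str:
    """Build a constructed, unsigned assertion carrying one Audience value.
    Only the Conditions block matters for this check; signature, Subject and
    AttributeStatement are omitted."""
    return f"""<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/okta</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def sp_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the EntityDescriptor root element.
    This is the value the Okta Audience URI field must be set to."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    return root.attrib["entityID"].strip()


def assertion_audiences(assertion_xml: str) -> list:
    """Return every Audience value found in any AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [
        a.text.strip()
        for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]


def audience_check(metadata_xml: str, assertion_xml: str) -> tuple:
    """Mirror the SP-side check: the local entityID must appear as an Audience
    in at least one AudienceRestriction, compared as an exact string.
    Returns (ok, expected_entity_id, audiences_found)."""
    expected = sp_entity_id(metadata_xml)
    found = assertion_audiences(assertion_xml)
    return expected in found, expected, found


if __name__ == "__main__":
    good = make_assertion("https://enforce.example.invalid/ProtectManager/sso")
    # Same URL with a trailing slash: the kind of typo made in the Okta field.
    bad = make_assertion("https://enforce.example.invalid/ProtectManager/sso/")
    for label, assertion in (("correct", good), ("trailing slash", bad)):
        ok, expected, found = audience_check(ENFORCE_METADATA, assertion)
        status = "OK" if ok else "MISMATCH"
        print(f"{label}: {status} expected={expected!r} found={found}")
```

Run it against a real assertion by pasting the decoded SAMLResponse's Assertion element in place of the constructed one; a MISMATCH here corresponds to the "local audience is not the intended audience" line in the Enforce localhost log.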