SAML Authentication Requires That Users Login Twice When Accessing the Enforce Server console



Article ID: 175642




Data Loss Prevention Enforce


SSO is configured with Windows Integrated Authentication (WIA) so that the user's Windows credentials are passed to the identity provider. When this setup is used with DLP Enforce, users first receive the Windows credential prompt and are then asked to type their credentials a second time before reaching the Enforce Server console.

Best practice for SSO is to request only the authentication types that are actually required. The authnContexts list in Enforce's SpringSecurityContext.xml names every authentication context class that Enforce asks the identity provider for. If "User name and password", "Password Protected Transport" and "Windows Integrated Authentication" (and/or any other accepted authentication type) are all left active in that list, every user who logs in to Enforce through SSO is prompted for credentials twice.


No error message is logged by DLP Enforce.


If AD FS is the identity provider, an event similar to the following may be seen in the Windows event log (AD FS Tracing/Debug channel):

- <Event xmlns="">
- <System>
  <Provider Name="AD FS Tracing" Guid="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" />
  <TimeCreated SystemTime="2019-02-20T19:59:15.572363600Z" />
  <Execution ProcessID="4980" ThreadID="9912" ProcessorID="2" KernelTime="3" UserTime="11" />
  <Channel>AD FS Tracing/Debug</Channel>
- <UserData>
- <Event xmlns="">
  <EventData>The SSO token is not valid. Dropping it...</EventData>


This is resolved by editing SpringSecurityContext.xml so that every authentication context except WIA is commented out, leaving a single active <value> in the authnContexts list:

        <property name="authnContexts">
            <list>
                <!-- User name and password -->
                <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value -->
                <!-- Password Protected Transport -->
                <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value -->
                <!-- Integrated Windows Authentication -->
                <!-- The only value left active. urn:federation:authentication:windows is the AD FS class reference for WIA; keep whatever class reference your IdP actually asserts. -->
                <value>urn:federation:authentication:windows</value>
                <!-- One time token or two factor authentication -->
                <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value -->
                <!-- Any authentication method that your IDP supports -->
            </list>
        </property>
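The script below is an added example for this article, not Symantec/Broadcom code. It audits the authnContexts list the way a practitioner would before and after the fix: it counts only the uncommented <value> entries (the XML parser drops comments, which is exactly why commenting a value out removes it from what Enforce requests), applies the fix by commenting out every value except WIA in the same style the article uses, and renders the RequestedAuthnContext element that the resulting list produces in the SAML AuthnRequest. Assumptions: the embedded file is a constructed sample with a stand-in <bean> wrapper, urn:federation:authentication:windows is taken as the WIA class reference (the AD FS value), and Comparison="exact" is assumed as the Spring Security SAML default.

```python
"""Audit the authnContexts list in Enforce's SpringSecurityContext.xml.

Added example for this article, not Symantec/Broadcom code. It assumes the
Spring <property name="authnContexts"><list>...</list></property> layout
shown in the article and treats urn:federation:authentication:windows as the
WIA class reference (the AD FS value; confirm it against your own IdP).
"""
import re
import xml.etree.ElementTree as ET

WIA = "urn:federation:authentication:windows"  # assumed AD FS WIA class reference

# Constructed sample: three contexts left active, the state that produces the
# double login prompt. The surrounding <bean> is a stand-in, not the real file.
SAMPLE_BEFORE = """<beans>
  <bean>
    <property name="authnContexts">
      <list>
        <!-- User name and password -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value>
        <!-- Password Protected Transport -->
        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
        <!-- Integrated Windows Authentication -->
        <value>urn:federation:authentication:windows</value>
      </list>
    </property>
  </bean>
</beans>
"""

# A value commented out in the article's style: <!-- value>urn:...</value -->
# (also tolerates the more usual <!-- <value>urn:...</value> -->).
_COMMENTED = re.compile(r"<!--\s*<?value>\s*(urn:[^<\s]+)\s*</value>?\s*-->")
# An active <value> line, so it can be commented out in place.
_ACTIVE_LINE = re.compile(r"^(\s*)<value>\s*(urn:[^<\s]+)\s*</value>\s*$", re.MULTILINE)


def active_authn_contexts(xml_text):
    """Return the class references Enforce will request. The XML parser drops
    comments, so only uncommented <value> entries are counted."""
    root = ET.fromstring(xml_text)
    contexts = []
    for prop in root.iter("property"):
        if prop.attrib.get("name") == "authnContexts":
            contexts.extend(v.text.strip() for v in prop.iter("value") if v.text)
    return contexts


def commented_out_authn_contexts(xml_text):
    """Return the class references that are present in the file but disabled."""
    return _COMMENTED.findall(xml_text)


def check(xml_text):
    """Summarise the file; ok is True only when exactly one context is active."""
    active = active_authn_contexts(xml_text)
    return {
        "active": active,
        "commented_out": commented_out_authn_contexts(xml_text),
        "ok": len(active) == 1,
    }


def comment_out_all_but(xml_text, keep=WIA):
    """Apply the article's fix: comment out every active <value> except `keep`."""
    def disable(m):
        indent, urn = m.group(1), m.group(2)
        if urn == keep:
            return m.group(0)
        return f"{indent}<!-- value>{urn}</value -->"
    return _ACTIVE_LINE.sub(disable, xml_text)


def requested_authn_context(contexts, comparison="exact"):
    """Render the RequestedAuthnContext element the SP places in its AuthnRequest
    for the given list (an empty list sends no element at all). Comparison="exact"
    is assumed to be the Spring Security SAML default."""
    if not contexts:
        return ""
    refs = "\n".join(
        f"  <saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>" for c in contexts
    )
    return (
        f'<samlp:RequestedAuthnContext Comparison="{comparison}">\n'
        f"{refs}\n</samlp:RequestedAuthnContext>"
    )


if __name__ == "__main__":
    before = check(SAMPLE_BEFORE)
    print("before fix:", before)
    print(requested_authn_context(before["active"]))
    fixed = comment_out_all_but(SAMPLE_BEFORE)
    after = check(fixed)
    print("after fix:", after)
    print(requested_authn_context(after["active"]))
```

Run it against the real file by reading it into `check()` instead of SAMPLE_BEFORE; any result with more than one entry under "active" is the misconfiguration this article describes, and `comment_out_all_but()` returns the corrected text for review before it is written back.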

The default location of SpringSecurityContext.xml is:

In DLP 15.1 and above (the version directory matches the installed release, 15.5 in this example):

\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF

In DLP 15.0 and below: