Using SSO with Windows Integrated Authentication (WIA) to pass Windows credentials into SSO. When using this service with DLP Enforce, users are prompted to use their Windows credentials and are then asked to type in their credentials again.
Best practice for SSO is to enable only the required authentication types. When "User name and password", "Password Protected Transport" and "Windows Integrated Authentication" (and/or any other accepted authentication type) are all enabled, any user attempting to log in to Enforce with SSO will be prompted for their credentials twice.
No error message is shown by DLP.
If the customer is using ADFS for SSO, you may see an event similar to the one below in the Windows event logs:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Tracing" Guid="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" />
    <EventID>68</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000002000</Keywords>
    <TimeCreated SystemTime="2019-02-20T19:59:15.572363600Z" />
    <EventRecordID>313</EventRecordID>
    <Correlation ActivityID="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" />
    <Execution ProcessID="4980" ThreadID="9912" ProcessorID="2" KernelTime="3" UserTime="11" />
    <Channel>AD FS Tracing/Debug</Channel>
    <Computer>SERVER_NAME</Computer>
    <Security UserID="X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXXXX" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>The SSO token is not valid. Dropping it...</EventData>
    </Event>
  </UserData>
</Event>
This can be resolved by editing the SpringSecurityContext.xml file and commenting out every authentication context except WIA:
<property name="authnContexts">
  <list>
    <!-- User name and password -->
    <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value -->
    <!-- Password Protected Transport -->
    <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value -->
    <!-- Integrated Windows Authentication -->
    <value>urn:federation:authentication:windows</value>
    <!-- One time token or two factor authentication -->
    <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value -->
    <!-- Any authentication method that your IDP supports -->
    <!--value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value-->
  </list>
</property>
The default location of SpringSecurityContext.xml:
In DLP 15.1 and above:
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF
In DLP 15.0 and below:
\SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF
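The following is an added check (not part of this article or of the DLP product) that parses the authnContexts property and reports which authentication contexts are still active, so an administrator can confirm that only WIA remains after the edit. The two configuration fragments are constructed samples; the enclosing <beans>/<bean> wrapper is an assumption, and only the property itself is taken from the article.

```python
import xml.etree.ElementTree as ET

WIA_CONTEXT = "urn:federation:authentication:windows"

# Constructed fragment: the authnContexts list before the fix, with several
# contexts active at once (the state that causes the double prompt).
CONFIG_BEFORE_FIX = """<beans><bean id="ssoOptions">
  <property name="authnContexts">
    <list>
      <!-- User name and password -->
      <value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value>
      <!-- Password Protected Transport -->
      <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
      <!-- Integrated Windows Authentication -->
      <value>urn:federation:authentication:windows</value>
    </list>
  </property>
</bean></beans>"""

# Constructed fragment: the same list after commenting out everything but WIA.
CONFIG_AFTER_FIX = """<beans><bean id="ssoOptions">
  <property name="authnContexts">
    <list>
      <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value -->
      <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value -->
      <value>urn:federation:authentication:windows</value>
    </list>
  </property>
</bean></beans>"""


def active_authn_contexts(xml_text):
    """Return the context URNs still active under <property name="authnContexts">.
    ElementTree discards XML comments while parsing, so <value> entries that
    were commented out with <!-- ... --> never appear in the result."""
    root = ET.fromstring(xml_text)
    contexts = []
    for prop in root.iter("property"):
        if prop.get("name") == "authnContexts":
            contexts.extend(v.text.strip() for v in prop.iter("value") if v.text)
    return contexts


def check_wia_only(xml_text):
    """Return (ok, reason); ok is True only when WIA is the single active context."""
    contexts = active_authn_contexts(xml_text)
    if contexts == [WIA_CONTEXT]:
        return True, "only WIA is requested"
    return False, "active contexts: " + (", ".join(contexts) or "none")


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE_FIX), ("after", CONFIG_AFTER_FIX)):
        print(label, check_wia_only(cfg))
```

To check a live deployment, read the file from the WEB-INF path listed above and pass its contents to check_wia_only.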