search cancel

SAML Authentication Requires That Users Login Twice When Accessing the Enforce Server console

book

Article ID: 175642

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Using SSO with Windows Integrated Authtication (WIA) to pass Windows credentials into SSO.  When using this service with DLP Enforce they are prompted to use windows credentials, then asked to type in credentials again. 

Best practice for SSO is to only use the required authentication types.  When using "User name and password", "Password Protected Transport" and "Windows Integrated Authentication" and/or any other accepted authentication type, then any user attempting to login to Enforce with SSO will be prompted for their credentials twice.

Cause

No error message is observed by DLP

 

If customer is using ADFS for SSO, you may see an event similar to the below in the Windows Event logs

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
  <EventID>68</EventID>
  <Version>0</Version>
  <Level>3</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000002000</Keywords>
  <TimeCreated SystemTime="2019-02-20T19:59:15.572363600Z" />
  <EventRecordID>313</EventRecordID>
  <Correlation ActivityID="{56F79A39-EFF0-4E5D-7356-0080010000D1}" />
  <Execution ProcessID="4980" ThreadID="9912" ProcessorID="2" KernelTime="3" UserTime="11" />
  <Channel>AD FS Tracing/Debug</Channel>
  <Computer>SERVER_NAME</Computer>
  <Security UserID="S-1-5-21-2516725855-2359674507-435327265-239280" />
  </System>
- <UserData>
- <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
  <EventData>The SSO token is not valid. Dropping it...</EventData>
  </Event>
  </UserData>
  </Event>

Resolution

This can be resolved by updating the SpringSecurityContext.xml file and commenting out everything but WIA.

        <property name="authnContexts">
          <list>
            <!-- User name and password -->
            <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</value -->
            <!-- Password Protected Transport -->
            <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value -->
            <!-- Integrated Windows Authentication -->
            <value>urn:federation:authentication:windows</value>
            <!-- One time token or two factor authentication -->
            <!-- value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value -->
            <!-- Any authentication method that your IDP supports -->
            <!--value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value-->
          </list>
        </property>

The default location for the SpringSecurityContext.xml

In DLP 15.1 and above:

\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\webapps\ProtectManager\WEB-INF

In DLP 15.0 and below:

\SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF